By Tim McCreight
The recent attacks on the Domain Name Service (DNS) hosted by Dynamic Network Services Inc. (Dyn) demonstrate a principle of risk management that we sometimes neglect to factor into our internal risk assessments — the impacts we may face from business partners or technology providers that cannot service our needs.
By now, we have read how the attack against the Dyn DNS was launched from, among other vectors, Internet-connected devices that had poor or negligible security, and how the impact was felt by some very high-profile organizations like Netflix, LinkedIn and Tripadvisor. The service outages faced by customers of these organizations have been reported in the media, and concerns range from why this attack affected their service to how to prevent this type of incident from occurring in the future.
I had a chance to review many of the reports on the event, and understand the concerns many have regarding the issues arising from the “Internet of Things”, and the potential threats these devices pose to Internet connected services. Looking past the technical components of these events, I began to realize some of the lessons we can all take from these incidents.
Over my career, I conducted a number of threat and risk assessments against physical and logical assets. I’ve highlighted how some of these assessments were conducted in previous columns, and focused on the benefits of including business leaders and key stakeholders, to develop a more holistic view of risks facing an organization. Many of these assessments focused solely on the organization, and how it can react to events by developing internal controls to mitigate risks.
Recent events, however, highlight the need to extend our assessment beyond our own organization, and truly begin to understand the complexities of how our organization interacts with other organizations to provide a service, sell a product, or address a need. This realization goes beyond the cyber domain, and reaches into the physical world as well.
As security professionals, we must start looking at how our organization uses other services like the Internet, or the rail system, or national trucking companies, to provide our services. Assessing risks must take into account myriad new tangents, ranging from the impacts we could suffer if our Internet Service Provider was unable to manage a concerted attack, to the impacts our company would face if the rail system were unavailable or impacted by a labour action.
Many of us plan for these events as part of our Disaster Recovery Program or Incident Response Plan. I believe we need to bring these components closer to our operational models, and begin assessing these risks alongside our current methodology. Over the past few years, we’ve seen the dependency of internal systems on the Internet, and our reliance on vendors and their ability to deliver products, increase to the point where failures of external entities have an immediate impact. Companies like Netflix felt the recent attack immediately, when clients attempting to legitimately access the service were rejected because the Netflix environment was bombarded by automated requests from compromised devices.
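One concrete way to start the kind of external-dependency assessment described above is to inventory which third parties each of your services depends on and look for concentration: services that rest entirely on one provider, and providers whose failure would take several services down at once (the pattern the Dyn outage exposed for organizations that used a single DNS provider). The script below is an added example, not part of this column or of any Above Security tooling. The domains, nameserver hostnames and provider names in it are constructed placeholders, and the "provider equals the last two DNS labels" rule is a simplifying assumption; a real inventory would need a public-suffix-aware mapping and would cover more than DNS.

```python
"""
Third-party dependency concentration check (added example, not from the column).

Given an inventory of services and the external providers each one depends on
(here: the authoritative nameservers of a few constructed example domains),
report two risks the column asks security teams to assess:
  * a service whose entire dependency sits with a single provider, and
  * a provider whose failure would affect several services at once.
"""
from collections import defaultdict

# Constructed sample: service domain -> NS records, as one might collect them
# with `dig NS <domain>`. All names are placeholders, not real lookups.
SAMPLE_NS = {
    "shop.example.com": ["ns1.dns-vendor-a.example", "ns2.dns-vendor-a.example"],
    "api.example.com": ["ns1.dns-vendor-a.example", "ns3.dns-vendor-b.example"],
    "mail.example.com": ["ns4.dns-vendor-b.example"],
}


def provider_of(nameserver: str) -> str:
    """Map a nameserver hostname to its provider.

    Assumption for this example: the provider is the last two DNS labels
    (e.g. 'ns1.dns-vendor-a.example' -> 'dns-vendor-a.example'). Real code
    should use the public suffix list so that 'ns1.vendor.co.uk' works too.
    """
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dependency_report(inventory: dict[str, list[str]]) -> dict:
    """Return services with a single provider and providers shared by 2+ services."""
    single_provider = []                 # services resting on exactly one provider
    blast_radius = defaultdict(set)      # provider -> services depending on it
    for service, nameservers in inventory.items():
        providers = {provider_of(ns) for ns in nameservers}
        for provider in providers:
            blast_radius[provider].add(service)
        if len(providers) == 1:
            single_provider.append(service)
    shared_providers = {
        provider: sorted(services)
        for provider, services in blast_radius.items()
        if len(services) > 1
    }
    return {
        "single_provider": sorted(single_provider),
        "shared_providers": shared_providers,
    }


if __name__ == "__main__":
    report = dependency_report(SAMPLE_NS)
    print("Services depending on a single DNS provider:")
    for service in report["single_provider"]:
        print(f"  {service}")
    print("Providers whose outage would affect more than one service:")
    for provider, services in report["shared_providers"].items():
        print(f"  {provider}: {', '.join(services)}")
```

Replacing `SAMPLE_NS` with the output of real `dig NS` queries over your own domains turns this into a first pass at the "who do we depend on, and how much" question; the same grouping works for any dependency list (CDN, mail relay, payment gateway) once you have a service-to-provider mapping.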
What also struck me was our acceptance of other companies and their security posture. Our organizations rely on other organizations more now than any point in history. In many cases we simply accept that these supporting players have their risks under control, and will continue to be a critical component to our success. The lessons we’ve learned from this recent event should force us as security professionals to recalibrate our risk assessment process, and begin some potentially difficult discussions between our organizations, and those we rely upon for success.
Tim McCreight is director, advisory services at Above Security (www.abovesecurity.com).