What can MSPs learn from last week's DDoS attack against Dyn, which brought dozens of major websites to a crawl? It's simple: Keep users secure by changing the default access credentials on the networks and infrastructure that MSPs manage.
In case you missed it, here's what happened: On Friday, Oct. 21, a distributed denial-of-service, or DDoS, attack against Dyn's DNS services caused a number of big-name websites to load content very slowly or not at all. The attack was made possible because a large number of "smart" devices -- meaning things like Internet-connected thermostats and cameras -- were taken over by malicious hackers. The hackers then used the devices to send a flood of traffic to Dyn's servers. As the servers grew overwhelmed with bogus requests, they stopped responding to legitimate DNS queries.
In the days following the Dyn attack, the Internet has been awash with warnings about how the Internet of Things, or IoT, poses a huge new security threat because IoT devices could be easily leveraged for repeated DDoS incidents like the one last week. The implication is that IoT device manufacturers have not invested in proper security for their hardware, or even that we should not be connecting so many things to the Internet in the first place.
The Lesson for MSPs
Yet device vendors do not deserve most of the blame. What made the Dyn attack possible was not that devices lacked proper security features, but rather that those devices were secured with default credentials. The attackers apparently took control of the devices using a malware program called Mirai, which defeats security controls by guessing username and password combinations based on those that devices are known to use by default.
Preventing break-ins like these is the job not just of device manufacturers, but also of the companies that install and service their devices. Yes, device manufacturers should avoid placing the same usernames and passwords on the devices they manufacture. But service providers should make sure they change the default logins when they set up a device. They should also update login information periodically so that they can prevent brute-force attacks, which are likelier to succeed if passwords never change and attackers can spend a long time trying all possible passwords until they stumble upon the right one.
This problem is not restricted to IoT devices, by the way. Security vulnerabilities resulting from default login credentials have been a danger on traditional computing devices for many years. For example, Windows XP famously allowed logins under the administrator account with no password unless that setting was changed after installation. Similarly, default access credentials on many devices that use SNMP, a common networking protocol, were one of the gravest security threats to network switches and routers before the introduction of newer versions of SNMP.
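The two practices above, changing default logins at setup and rotating them periodically, plus the SNMP case, can be checked against an inventory of managed devices. The following Python example is added here and is not from the original article; the CSV column names, the 90-day rotation limit and the audit date are assumptions, and the sample inventory is constructed. "public" and "private" are the community strings many devices ship with for SNMP v1/v2c.

```python
import csv
import io
from datetime import date

MAX_AGE_DAYS = 90  # assumed rotation policy; the article gives no figure
DEFAULT_COMMUNITIES = {"public", "private"}  # common factory SNMP v1/v2c strings

# Constructed inventory export; the column names are hypothetical.
# An empty login_changed_on means the login was never changed after install.
INVENTORY_CSV = """\
hostname,kind,login_changed_on,snmp_version,snmp_community
cam-lobby,ip-camera,,,
sw-core-1,switch,2016-09-30,v2c,public
rtr-edge,router,2016-02-01,v3,
thermo-2f,thermostat,2016-10-01,,
"""

def audit(csv_text, today):
    """Return {hostname: [findings]} for devices that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        changed = row["login_changed_on"].strip()
        if not changed:
            issues.append("login never changed since install")
        else:
            age = (today - date.fromisoformat(changed)).days
            if age > MAX_AGE_DAYS:
                issues.append(f"login is {age} days old (limit {MAX_AGE_DAYS})")
        version = row["snmp_version"].strip().lower()
        community = row["snmp_community"].strip().lower()
        # Only v1/v2c rely on a shared community string for access.
        if version in ("v1", "v2c") and community in DEFAULT_COMMUNITIES:
            issues.append(f"SNMP {version} uses default community '{community}'")
        if issues:
            findings[row["hostname"]] = issues
    return findings

if __name__ == "__main__":
    # Constructed audit date, one week after the attack described above.
    for host, issues in audit(INVENTORY_CSV, date(2016, 10, 28)).items():
        for issue in issues:
            print(f"{host}: {issue}")
```

Recording only the date a login was last changed, rather than the login itself, keeps the inventory from becoming a credential store.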
If you're an MSP, then, the lesson is simple. Don't count on device manufacturers to make the hardware (or, for that matter, software) that you deploy and manage secure by default. And you shouldn't leave it up to your users to secure themselves, either. Part of the value you provide as an MSP is knowing about and resolving security threats like the one that caused the Dyn outage. This is a lesson that will grow only more important as the IoT continues to expand and IoT devices become a more common part of the infrastructure that MSPs help to manage.