What a DDoS Attack on Spotify Can Teach Us About Cybersecurity Hardening

Security Industry Association (SIA)

Last Friday my Spotify stopped working.

If you’re like me, the workday goes by a little easier with some headphones in, listening to Drake or Sturgill or Taylor Swift—whatever gets you ready for your weekend—but on this Friday my Spotify wasn’t working.

It wasn’t until earlier this week that we learned that my Spotify and millions of other users’ online activity were interrupted because of the Mirai botnet. Botnets have become an increasingly prevalent cyberweapon, one that uses malware to enslave network-connected devices to form a massive malicious network that begins to flood website servers with terabytes of garbage traffic, crippling them under the strain.

This is known as a distributed denial of service (DDoS) attack. What makes the Mirai botnet unique is that instead of relying on computers, the malware targets devices on the Internet of Things (IoT), such as the network cameras, digital video recorders, control panels and automation devices that represent a fast-growing product segment of many SIA members.

In fact, Chinese electronics manufacturer Hangzhou Xiongmai Technology said that security vulnerabilities involving weak passwords in DVRs and cameras associated with the company were partly to blame for the attack that disrupted dozens of major internet sites in the United States last Friday.

Earlier this year, the SIA Cybersecurity Board released a “Beginners Guide to Product and System Hardening,” a collection of basic safeguards to help protect security systems against failure from cyberattack. I have cherry-picked some of the extremely simple recommendations provided in the guide that, if considered, could theoretically have thwarted a botnet attack of this nature:

  • Disable default passwords.
  • Require strong passwords before configuration.
  • Filter IP addresses.
  • Ensure security networks are enterprise grade.
  • Audit the number of network connections to target anomalies.

The Guide offers many of these simple cyberhygiene tips for manufacturers and integrators of security equipment—tips that go a long way in mitigating attacks on low-hanging fruit, such as exploiting hardcoded passwords.
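
The connection-audit recommendation in the list above, sketched as an added example (not taken from the SIA guide or the original post): it counts the distinct destinations each device contacts per minute and flags a device whose fan-out jumps far above its own baseline. The flow record format, device names, addresses, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (minute, source device, destination IP).
# All addresses are documentation-range placeholders, not real hosts.
def sample_flows():
    flows = []
    # Normal behaviour: each device talks to one or two fixed peers per minute.
    for minute in range(6):
        flows.append((minute, "cam-01", "192.0.2.10"))
        flows.append((minute, "dvr-02", "192.0.2.10"))
        flows.append((minute, "dvr-02", "192.0.2.11"))
    # In minute 5, dvr-02 suddenly contacts 40 additional distinct addresses.
    for i in range(40):
        flows.append((5, "dvr-02", f"198.51.100.{i + 1}"))
    return flows

def fanout_per_window(flows):
    """Map device -> {minute: number of distinct destinations contacted}."""
    seen = defaultdict(lambda: defaultdict(set))
    for minute, device, dst in flows:
        seen[device][minute].add(dst)
    return {dev: {m: len(d) for m, d in wins.items()} for dev, wins in seen.items()}

def find_anomalies(flows, factor=5, floor=10, min_history=3):
    """Return (device, minute, count, baseline) for every window whose distinct
    destination count exceeds both `floor` and `factor` times the device's own
    median over its earlier windows."""
    alerts = []
    for device, windows in fanout_per_window(flows).items():
        history = []
        for minute in sorted(windows):
            count = windows[minute]
            if len(history) >= min_history:
                baseline = median(history)
                if count > floor and count > factor * baseline:
                    alerts.append((device, minute, count, baseline))
                    continue  # keep anomalous windows out of the baseline
            history.append(count)
    return alerts

if __name__ == "__main__":
    for device, minute, count, baseline in find_anomalies(sample_flows()):
        print(f"{device}: {count} destinations in minute {minute} (baseline {baseline})")
```

Comparing each device against its own history, rather than one network-wide limit, keeps a busy recorder from masking a camera that has started behaving unusually.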

Last week, my Spotify stopped working—but what if my lights stopped working? Or our electronic banking system stopped working?

Most interruptions were to entertainment, social media and digital news outlets, so the attack in some ways serves as a relatively harmless shot across the bow. The SIA Cybersecurity Advisory Board and IoT subcommittees will continue to provide industry-specific recommendations and guidance to mitigate the chance that our members’ equipment is part of the next destructive Botnet of Things.