Final ESSAY
A Message to Dyn | 1
Running head: IoT
A Message to Dyn: Take Ownership of Customer Security
George Mason University
Problem:
Security and users have long been at odds with each other because of how little effort users are willing to put into securing their own devices. This may sound like a problem, but relying on consumers to worry about fixing vulnerabilities leaves it unsolved and products insecure. Internet of Things (IoT) devices have become a means of attacking entire systems through denial of service (DoS) attacks, attacks that overwhelm a system so much that it becomes unavailable to its intended users. Attackers are able to use everyday users’ IoT devices to perform the denial of service because IoT devices do not have strong default security settings. Dyn, a DNS (Domain Name System) service provider for many online companies, was targeted by this type of attack on October 21st, 2016, leaving its infrastructure useless for its customers, including Twitter, Amazon, and Netflix.
Background:
The Internet of Things emerged in the late 1990s/early 2000s as a futuristic possibility but has become more popular over the years. Around the same time, the internet service provider Dyn was founded in 2001 from a student-run project at Worcester Polytechnic Institute. Although Dyn does not actually sell IoT devices, IoT vendors’ lack of secure practices is concerning to Dyn because a Distributed Denial of Service (DDoS) attack can shut down the websites of its customers as well as its own ("Worcester Polytechnic Institute School of Business," n.d.).
Solution:
If Dyn were given control over network activity through traffic monitoring, communicated its findings about malware, and standardized secure IoT production by voluntarily participating in compliance, companies using Dyn’s services could be assured of security.
My Plan:
Sub-claim:
As the internet service provider for many companies, Dyn may be able to prevent attacks on those companies by controlling network traffic before it gets to their systems. In a whitepaper that discusses network monitoring for security, Zobel explains that implementing a network monitoring system is important and effective because it alerts the administrator about a flaw quickly enough to fix it, and the monitoring software can send the data it collects remotely (2013). He goes further: “The fact is that firewalls and virus scanners are not always sufficient on their own to guarantee all-around security for the network” (Zobel, 2013). This monitoring system would be extremely useful for Dyn to be able to block or filter out malicious traffic before it reaches their customers’ systems. For companies less willing to give up control, simply gaining more visibility into those networks would allow Dyn to send the security data to their clients. Customers would then be relieved of the responsibility put on network administrators to worry about firewall configuration around network traffic. In the eyes of the customers, who are Dyn’s main source of revenue, this amount of help will be appreciated and will improve customer relations.
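As an added illustration of the traffic-monitoring idea above (example code written for this edit, not code from the essay or from Dyn): a rate-based check over a few constructed resolver log lines that flags sources sending more than a threshold of queries per minute, then turns the result into the kind of per-customer report the essay proposes. The log format, the threshold, the window size and the addresses are all assumptions.

```python
"""Rate-based flagging of DNS query sources, run over constructed log lines.

Added example, not part of the original essay.  The log format and the
threshold are assumptions; real resolver logs differ from product to product.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (documentation-range IPs, not real clients).
SAMPLE_LOG = """\
2016-10-21T11:10:01Z src=198.51.100.7 qname=twitter.example qtype=A
2016-10-21T11:10:02Z src=203.0.113.5 qname=netflix.example qtype=A
2016-10-21T11:10:02Z src=198.51.100.7 qname=twitter.example qtype=A
2016-10-21T11:10:03Z src=198.51.100.7 qname=twitter.example qtype=A
2016-10-21T11:10:04Z src=198.51.100.7 qname=twitter.example qtype=A
2016-10-21T11:10:05Z src=198.51.100.7 qname=twitter.example qtype=A
2016-10-21T11:10:40Z src=203.0.113.5 qname=amazon.example qtype=AAAA
2016-10-21T11:11:30Z src=198.51.100.7 qname=twitter.example qtype=A
"""

# Assumed line layout: "<ISO timestamp> src=<ip> qname=<name> qtype=<type>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "qname": m["qname"], "qtype": m["qtype"]}


def queries_per_window(log_text, window_seconds=60):
    """Count queries per (source address, fixed time window) bucket."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of failing the whole run
        bucket = int(rec["ts"].timestamp()) // window_seconds
        counts[(rec["src"], bucket)] += 1
    return counts


def flag_sources(log_text, threshold=4, window_seconds=60):
    """Return {src: peak_count} for sources that exceed the threshold in any window."""
    peaks = {}
    for (src, _bucket), n in queries_per_window(log_text, window_seconds).items():
        if n > threshold:
            peaks[src] = max(n, peaks.get(src, 0))
    return peaks


def customer_report(log_text, threshold=4):
    """Human-readable lines a provider could pass on to the affected customer."""
    flagged = flag_sources(log_text, threshold)
    return [
        f"{src}: peak {n} queries/min (threshold {threshold})"
        for src, n in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in customer_report(SAMPLE_LOG):
        print(line)
```

A fixed threshold like this also flags large NAT gateways and recursive resolvers that legitimately send many queries from one address, so in practice the threshold would be set per customer from a measured baseline, and a flagged source is a lead for the customer's administrators rather than a block decision on its own.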
Sub-claim:
Effective communication is another way for Dyn to maintain strong relationships with
each of its customers. Businesses that have largely user-based websites like Twitter or Netflix
are concerned with both security and privacy. Not only should Dyn have more insight into their
network activity, but it should also notify those companies about the state of their network.
According to Zobel, network monitoring software can provide comprehensive reports about the network that Information Technology staff can use (2013), which implies that administrators need to know about activity on their networks. Exposing which IoT devices are receiving malicious traffic, for example, is one way this can protect vulnerable areas. At that point, the corporate or individual user can take disposal or recovery measures to fix the security issue before an attack occurs. This is how Dyn should operate in relation to its customers: giving them data that they can analyze and act on to improve results. Providing a solution that addresses this through these steps will ensure that the relationships between Dyn and its customers do not dwindle.
Sub-claim:
Dyn can also protect itself from fallout with its customers by working with the government to comply with security standards. Although compliance is known to be a headache, it should not be viewed that way in the context of corporate success. An example of this is shown in a typical organization’s email policy: email communication tools and policies (which are not utilized at 86% of companies) help prevent breaches from compromising personal or financial information (Poremba, 2008). The idea here, and in security more broadly, is that having standards and policies in place and enforcing them will prevent security incidents or events. However, most companies are not acting on this. The lack of policies and standards can largely be blamed on management failing to make those decisions at the very top for employees to follow.
Compliance should be viewed as an enabler that will allow the company’s infrastructure to withstand future challenges. An example of implementing this would be to withhold internet service from any devices that do not have strong password encryption until the user or manufacturer fixes that problem. NIST, a well-known organization for the standardization of security practices, suggests that government can and should be a huge benefit to companies that need this change and funding (Spring, 2016). Instead of rejecting government assistance, Dyn should take advantage of the standards that government produces and set the tone for holding other companies accountable. The government’s willingness to contribute to research for companies should be reflected in Dyn’s attitude toward working more closely with its client base.
Counterargument:
Risk 1:
There will be significant costs to implement standards and a company policy that is intended to have an actual effect on current methodologies. These processes typically take years to write, rewrite, and enforce across company-wide operations. In an article about policy management, Best says that the effort to introduce company policies into large corporations can be difficult; however, Best suggests a policy management system that can help automate the process that most businesses go through manually (2013). Anyone in a management role knows the long, seemingly endless process of procuring and implementing a new system. Not only does this make these projects unappealing to management and stakeholders, but employees will find them cumbersome to participate in as well.
Risk 2:
An ironic risk of giving Dyn, as the internet service provider, more control over its customers’ networks is the potential loss of privacy. Addressing this problem, an article reported that the Federal Communications Commission (FCC) voted in October to regulate how much control internet service providers have over their customers’ personal information (Cox, 2016). Because of this serious concern about spreading data that may belong to users, handing that control over to Dyn as an ISP can present dangers that may deter many companies from doing so.
Rebuttals:
While that concern is understandable, it focuses only on the immediate issue, which is privacy. It is easy to fix the problem that is staring you in the face, and an employee or manager might be backed by upper leadership to focus their energy on such problems because they are so obvious. However, instead of focusing solely on these issues, which are really just symptoms of a need for policy, standardization will bring long-term benefits by dealing with the systemic issue behind these threats.
As for policy management: when dealing with business risk, security analysts may be familiar with quantitative and qualitative risk assessment and analysis. Both types result in a decision to choose among four strategies for handling risk: Accept, Avoid, Transfer, or Mitigate. With a quantitative analysis, you take into account the probability that a risk will occur and the impact or loss in dollars in a given year. Impact would include factors such as damaged reputation, so there is no need to worry about different types of impact separately. First, you address the problem that standardization would solve. Then, you calculate the impact of not having policy management. Which scenario is a bigger threat to your company? If it is the cost of policy bankrupting the business, then accept the risk. If it is the threat of, say, monetary loss from a lawsuit by a disgruntled ex-employee who is familiar with the lack of policy, then take measures to mitigate the risk. Companies like Dyn should realize that not having policies in place will most likely result in the bigger loss, so they should lead the way toward standardization.
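The quantitative comparison described above, carried through as an added example (this is example code written for this edit, not the essay's own analysis): each scenario's expected annual loss is probability of occurrence times loss per incident, and the cheapest of accepting the loss, paying for a control, or paying to transfer the risk is the recommended strategy. Every dollar figure, probability and scenario name is constructed; the "Avoid" option (dropping the activity altogether) is a business decision outside the arithmetic and is deliberately not modelled.

```python
"""Annualized loss expectancy (ALE) comparison for the accept/mitigate/transfer decision.

Added example, not part of the essay; all figures below are constructed.
ALE = single loss expectancy (SLE, dollars per incident) x annualized rate of
occurrence (ARO, expected incidents per year).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RiskScenario:
    name: str
    sle: float            # dollars lost per incident, reputation damage folded in
    aro: float            # expected incidents per year without the control
    control_cost: float   # annual cost of the control (e.g. a policy management system)
    residual_aro: float   # expected incidents per year once the control is in place
    transfer_cost: Optional[float] = None  # annual premium if the risk can be insured

    def ale(self, with_control=False):
        """Expected annual loss, with or without the control."""
        rate = self.residual_aro if with_control else self.aro
        return self.sle * rate


def option_costs(s):
    """Annual cost of each strategy that can be priced from the inputs."""
    costs = {
        "Accept": s.ale(),                                  # live with the expected loss
        "Mitigate": s.control_cost + s.ale(with_control=True),  # pay for control plus residual loss
    }
    if s.transfer_cost is not None:
        costs["Transfer"] = s.transfer_cost  # assumes the policy covers the full loss
    return costs


def recommend(s):
    """Pick the strategy with the lowest annual cost."""
    costs = option_costs(s)
    return min(costs, key=costs.get)


# Constructed scenarios mirroring the essay's two cases.
LAWSUIT = RiskScenario(
    name="lawsuit by an ex-employee who knows there is no policy",
    sle=500_000, aro=0.2, control_cost=40_000, residual_aro=0.02,
)
SMALL_FIRM = RiskScenario(
    name="same exposure at a small firm where the policy program would cost more than it saves",
    sle=50_000, aro=0.1, control_cost=40_000, residual_aro=0.01,
)
INSURED = RiskScenario(
    name="lawsuit exposure with an insurance quote on the table",
    sle=500_000, aro=0.2, control_cost=40_000, residual_aro=0.02, transfer_cost=30_000,
)


if __name__ == "__main__":
    for s in (LAWSUIT, SMALL_FIRM, INSURED):
        print(f"{s.name}: {option_costs(s)} -> {recommend(s)}")
```

The point the numbers make is the essay's: with the constructed figures, the firm facing a realistic lawsuit exposure should mitigate (a $40,000 program against a $100,000 expected loss), while the firm for which the program would cost far more than it saves should accept the risk; an insurance premium cheaper than both turns the same exposure into a transfer decision.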
Conclusion:
Not only do these threats concern Dyn and its customer base because of business risk, but they are also flaws that should concern everyone’s security. IoT hacking affects users and enterprises alike, in a way that government ought to worry about. Government organizations and internet service providers like Dyn should be on the same page as technology companies. This can only be possible with proper communication among all three parties so that personnel and the field as a whole can see the point of these security efforts. Furthermore, the onus is on the company dealing with user data, like Twitter or LinkedIn, to respond to government policy efforts by actually complying. Above any disagreements that people in this field have, there should be a willingness to work together to be more successful in the long run. Providing a solution that addresses an overall security problem is key, and the aforementioned solutions share a theme of dealing with security vulnerabilities proactively rather than reactively. While security-minded people understand that these concerns should be raised at the beginning of the production lifecycle, others in computer science or IT may not have this same perspective, probably because they have not had the same security exposure. The next step in the future of the technology world lies in believing in and supporting the spread of security education throughout the IT and CS fields.
Works Cited
Best, M. (2013). Why Policy Management Matters. Software World, 44(5), 4-5.
Cox, K. (2016, October 27). FCC Adopts New Privacy Rule Limiting What ISPs Can Do With Your Personal Data. Retrieved November 30, 2016, from https://consumerist.com/2016/10/27/fcc-adopts-new-privacy-rule-limiting-what-isps-can-do-with-your-personal-data/
Poremba, S. S. (2008). Risky Business: Managing the Email Security Risk. EContent, 31(7), 40-44.
Spring, M. B. (2016). The Future of Standardization: Are We Destined to Repeat History? Computer (00189162), 49(1), 99-101.
"Worcester Polytechnic Institute School of Business" (n.d.). Retrieved December 8, 2016, from
https://www.wpi.edu/academics/business
Zobel, D. (2013). Network Monitoring as an Essential Component of IT Security. Database & Network Journal, 43(5), 7-10.