We’ve reached a new low. News appearing in today’s Wall Street Journal (March 21, 2017) that the surveillance system in a laundromat in Carbondale, Colorado, was infected with a strain of a malicious software called Mirai. For those who cannot recall, Carbondale, Colorado sits about 30 miles west of Aspen, or 170 miles west of Denver. I consider that pretty remote.
Mirai, which is Japanese for “the future”, is a malware that can be used as part of a botnet in large scale network attacks. Essentially, the article describes that devices such as webcams, DVRs, thermostats and other internet connected devices (a.k.a., internet of things) which are hitting the market maintain minimal safeguards. Layer on top of this lax security protocols of the user and you have a weak device. In this case, the article conjectures a pretty simple cause…the laundromat owner forgets her password and asks for a reset. The reset password provided by the device manufacture is something pretty simple like 123456, however the laundromat owner never reset the simple password to something more elaborate (e.g., a minimum of 8 characters, upper and lower case letters, numbers, and symbols…something like K&eL& for Candyland, and that doesn’t include numbers). Who’s got time for that? Right?
While the ultimate victim of the laundromat’s virus wasn’t mentioned, the article describes that a customer of Comcast in New Mexico was infected with a Mirai botnet that was attacking three wireless operators in Liberia. Go figure.
Instead of a laundromat, who’s responsible for this when it occurs on a larger scale? Like a $100 million company. Or a $1.0 billion company. In either case, there would probably be a line of people to whom you could say “you should have done more.”
Beyond being a mandate, things like business interruption and cybersecurity insurance, SOC 1 and SOC 2 reports, Payment Card Industry (PCI) reports, and other compliance efforts for such matters will become even more serious business. Are you doing more?