Your IoT Is Probably Not A-OK

A few weeks ago, major retailers stopped selling toys from the company CloudPets after more than 2 million recorded messages were leaked in a major security breach. Internet of things (IoT) security breaches are as prevalent as they’re varied. From medical devices and traffic lights to automobiles and toys, each hitherto unconnected device that now joins the big bad world wide web brings additional security mysteries to the fore. And with over 20 billion connected devices projected to be in use by 2020, these are mysteries we must unravel.

There are plenty of reasons for the current gaps in IoT security including a lack of regulation, market failures and stakeholder indifference, although none of these are insurmountable. Even considering these challenges, there are concrete steps that we can take to avoid future IoT mishaps and eventual attacks by an animatronic locust swarm.

IoT Security Challenges

Square Pegs In Round Holes

It’s difficult for organizations to achieve competence in multiple fields. Whenever product companies make an IoT-enabled device, they struggle to reconcile their expertise in their original industry with their unfamiliarity with internet connectivity and security. This results in manufacturers shipping products with outdated OS and patching features (if any at all), being lax about password protection and password changes, and having no regular software update mechanism to communicate with their customers.

Moreover, many physical products have complex supply chains with outsourced production, cost-saving exercises and clearly defined team structures. It’s an expensive and — from the companies’ point of view — unnecessary undertaking to weave device security into the process when there’s no requirement for it.

And there’s no requirement because of…

Lack Of Regulation

There have been welcome strides in IoT security regulation in recent years. While the IoT Cybersecurity Improvement Act of 2017 is a good start, the industry still lacks a unifying, robust piece of legislation that puts the onus on vendors to comply with requirements or face consequences. And it’s understandable why that’s the case: with IoT still an evolving field, most innovation is carried out by startups that would be hamstrung by having to comply with labyrinthine regulations from the get-go.

Additionally, since IoT sits at the intersection of technology and a bevy of other industries, it’s a challenge to enact legislation that intersects across these industries and doesn’t impose unfair restrictions but also doesn’t leave requirements too lax to make any difference.

Attack By Proxy

In 2016, major websites experienced outages because of a large DDoS (Distributed Denial of Service) attack. This happened because their domain name provider, Dyn, was forced offline by a botnet that included traditional computing devices as well as IoT devices like webcams and digital video recorders. This incident set a dangerous precedent for how innocuous devices could be “recruited” by attackers and used for malicious purposes without the device owners ever knowing about it.

The range of dangers posed by IoT hacks is so great because of their interconnected and dual nature. Because the devices serve an “offline” purpose (like a TV or fridge) but are also connected to the internet, they can be compromised without affecting their original purpose, making the compromise harder to spot. And because they’re interconnected, one loose stone can quickly lead to an avalanche.

What Can We Do?

Network Segmentation

It’s vital to protect and secure the networks connecting IoT devices to the wilderness of the internet. Because IoT network security is a greater challenge owing to the multitude of protocols, standards and device capabilities at play, its implementation is often incomplete and thus draws the eyes of attackers. A combination of traditional endpoint security features like antivirus software as well as firewalls/IPS features will go a long way toward deterring the use of IoT devices as attack entry points.

Stakeholder Proactivity

Consumers have been trained to care (relatively) about the security of their computing devices, but it’s easy for them to forget to update the OS on their toaster, to everyone’s detriment. IoT device users should be proactive in changing passwords from their defaults (and changing them afterward as well), checking that patches and updates are regularly installed, and reporting unusual activity to the relevant authorities immediately.

For their part, IoT device manufacturers should comply with the IoT Cybersecurity Improvement Act by regularly patching software on their devices, providing users the option to change default passwords and communicating with their users about other security best practices as and when they come to light.

Authentication And Encryption

IoT communication often doesn’t have a human in the loop with machine-to-machine “conversations” taking place in the back-end. In this scenario, it becomes vital for the data to be strongly encrypted (along with full key life cycle management) while in transit between devices. Even if the devices themselves are secure, a stray credential key on the public domain can be sniffed out by attackers and become the keyhole they need to jimmy the door.

Automate For Fast Response

Following the “hope for the best, prepare for the worst” adage, enterprises need to be prepared for an IoT breach to occur. Key tools needed here would be a SIEM/detection platform that identifies any anomalies that occur with IoT device behavior, and a security orchestration platform that weaves together data and actions from multiple products to automate incident response.

Platforms that can connect to on-premise security tools, as well as IoT devices through APIs, can make it easier for security teams to recognize the root cause of the attack and execute actions on the IoT devices directly.

Source: https://www.forbes.com/sites/forbestechcouncil/2018/07/16/your-iot-is-probably-not-a-ok/#3268d52d763d

Critical infrastructure remains insecure

Organisations can no longer afford to leave their systems unprotected from increasingly advanced cyber threats.

The threat to our critical national infrastructure (CNI) system is at an unprecedented high with reported cyber-attacks from a number of factions, suspected infiltrations from nation states, and the NCSC warning that these systems remain a high-profile target and exceptionally vulnerable.

Earlier this month, researchers found that just four lines of code implanted in a device on a factory floor could identify and list networks, trigger controllers and stop processes and production lines. In fact, responding to Corero’s Freedom of Information requests, 70% of critical infrastructure institutions – ranging from police forces to NHS trusts, energy suppliers and water authorities – confirmed they’d experienced service outages in their IT systems within the last two years.

Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life, disruption by preventing access to essential services such as power, transport and the emergency services. Recognizing the damaging impact they can inflict, malicious actors have started crafting malware specifically to target these systems and many believe the next attack is just around the corner.

With the heightened threat, and possibility of significant fines under the new Networks and Information Systems (NIS) directive which came into effect in early May, it’s crucial that organizations implement security measures before damage is done.

Industrial control systems at risk

In recent months, we have seen a greater number of sophisticated cyber threats against all parts of critical infrastructure. Indeed, last October a DDoS attack on the Swedish Railway took out its train ordering system for two days, causing travel chaos. Similarly, last May’s WannaCry ransomware attack made many NHS systems unavailable (e.g. access to patients’ medical records), causing operations to be cancelled. There is no doubt that a successful attack on the more vulnerable management systems can cause widespread disruption. Moreover, such attacks can result in network downtime, which in turn can have a serious economic impact, as it can affect production, reduce output, cause physical damage and even put people’s lives in danger.

In a separate Corero study last year, we found that most UK critical infrastructure organizations (51%) are potentially vulnerable, because they fail to detect or mitigate short-duration, surgical DDoS attacks on their networks and have not deployed technology that can do so. Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators, because even a short period of downtime or latency can significantly impact the delivery of essential services. Indeed, DDoS attacks can disrupt the availability of critical services we use as part of our everyday life, while potentially allowing attackers to plant weaponized malware. Critical infrastructure operators, including energy, transport, communications and emergency services, should not be leaving DDoS attack protection to chance.

Attackers are taking advantage of the escalating number of industrial IoT devices, which underscores the growing risk of very large botnet-based DDoS attacks. These devices are transforming industrial sectors by reducing costs and providing better visibility of networks, processes and security. However, despite their benefits, these devices suffer from basic security vulnerabilities, and it is precisely this lack of security that makes them such an attractive target for hackers.

NIS Directive introduces changes to critical infrastructure security

Protecting critical infrastructure from cyber-attacks has become a top government priority. The EU’s NIS Directive, adopted into UK law as the NIS Regulation, aims to raise the levels of security and resilience of network and information systems. Indeed, now that the legislation is implemented in UK law, critical infrastructure outages will have to be reported to regulators, who have the power to impose financial penalties of up to £17 million on providers of infrastructure services that fail to protect their networks against cyber-attacks. Consequently, operators of essential services and industrial control systems need to up their game to be resilient to today’s cyber-threats. However, rather than being seen as just more red tape, or a financial telling-off for non-compliance, the regulation should be seen as a golden opportunity to improve the UK’s cyber-security posture.

Best practices

Despite the huge fines and multiple warnings, 11% of the critical infrastructure organizations that responded to Corero’s 2018 study admitted that they do not always ensure that patches for critical vulnerabilities are routinely implemented within 14 days, as recommended within the Government’s 10 Steps to Cyber Security guidance. Paradoxically, almost all the organizations that responded to the request (98%) are following government advice about network security, by adhering to the Network Security section of the 2012 guidance.

To reduce the risk of a catastrophic outcome that risks public safety, organizations need to ensure their industrial control systems are secure.

Organizations need to take a serious look at their own operating model and ensure that robust protection against cyberthreats is in place. It is not acceptable that service and data loss should be excused, under any circumstances, when the technology and services to provide proper protection are available today.

One of the biggest challenges that organisations running critical infrastructure systems now have is that they are increasingly connecting those networks to the broader IT infrastructure, for reasons of operational efficiency and effectiveness. The potential for hackers to access these devices from the outside and change settings, or to launch DDoS attacks that block local changes from taking effect, could be very damaging indeed, depending on the systems being targeted. Organisations vulnerable to such attacks need to ensure they are putting the right protection in place, including real-time automatic DDoS protection, as even small attacks getting through, for even a short period of time, could have serious implications.

In addition, to avoid smart devices being enslaved into DDoS botnets, organizations need to pay close attention to the network settings for those devices and, where possible, protect them from access to the Internet and to other devices.

Organizations can include IoT devices alongside regular IT asset inventories and adopt basic security measures like changing default credentials and rotating a selection of strong Wi-Fi network passwords regularly.

Businesses can certainly protect their networks from DDoS attacks fueled by IoT-driven botnets by deploying an always-on, automated solution at the network edge, which can detect unusual network activity and eliminate threats from entering a network, in real-time.

Source: https://www.itproportal.com/features/critical-infrastructure-remains-insecure/

Cloud Security For The Healthcare Industry: A No-Brainer

The healthcare industry has become one of the likeliest to suffer cyber-attacks, and there’s little wonder why. Having the financial and personal information of scores of patients makes it a very appetizing target for attackers.

Just over a year ago, the WannaCry ransomware attack wreaked havoc on the UK National Health Service (NHS), ultimately disrupting a third of its facilities and causing a rash of canceled appointments and operations.

As healthcare organizations face the prospect of increasing attack, their security teams look to cybersecurity experts with comprehensive, tested products to protect the sensitive information they hold. ALYN Woldenberg Family Hospital, Israel’s only pediatric rehabilitation facility, is no exception.

With a database of more than 70,000 patients and a website hosted in four languages across three different domains, ALYN Hospital’s IT team was concerned that their content management system (CMS) could be vulnerable. The team didn’t feel their cybersecurity vendor was updating the security on their CMS as often as it should, leading them to go looking for a new vendor.

Initially checking out on-premise WAF systems, ALYN’s team kept coming up against the cost of securing their sites and, because of strict government regulations, they were initially hesitant to move to a cloud-based system. Ultimately, however, they decided that the Imperva Incapsula cloud-based WAF was just the thing.

“We looked at community reviews and talked with colleagues at other hospitals and got the impression that Incapsula is one of the best in terms of cost-benefit ratio, which is important to us, in addition to robustness, ease-of-use, and integration, which was very smooth. It all proved to be correct, for which I am very glad,” said Uri Inbar, Director of IT for ALYN Hospital.

Setting up the system took less than a day, and ALYN Hospital still manages its servers in-house, with a staff member who is now dedicated to security. Imperva Incapsula has been low maintenance from the start, so, while customer support was with them every step of the way at the beginning, they haven’t needed any for the last few years because the system has been running smoothly on its own.

“It gives us peace of mind to know that someone has dedicated themselves to the subject and keeps us updated. It’s one less worry to take care of.”

Since making the switch, ALYN Hospital has seen some significant improvements:

  • Increased visibility for monitoring security threats: The Imperva Incapsula dashboard is easy to use and provides information that helps ALYN Hospital keep its systems secure. And for their special projects, they can even see which countries are generating the most traffic.
  • Good cost-benefit ratio: One of the most important aspects of any new security system for ALYN, the costs were reasonable, especially given the security benefits they received from the Incapsula system.
  • Faster content delivery: While no formal studies were done, the IT staff has heard from some users that their CDN is delivering content faster than before.

Source: https://securityboulevard.com/2018/07/cloud-security-for-the-healthcare-industry-a-no-brainer/

Concern Mounts for SS7, Diameter Vulnerability

The same security flaws that cursed the older SS7 standard and were used with 3G, 2G and earlier are prevalent in the Diameter protocol used with today’s 4G (LTE) telephony and data transfer standard, according to researchers at Positive Technologies and the European Union Agency For Network and Information Security (ENISA).

Network security is built on trust between operators and IPX providers, and the Diameter protocol that replaced SS7 was supposed to be an improved network signaling protocol. But when 4G operators misconfigure the Diameter protocol, the same types of vulnerabilities still exist.

“As society continues to leverage mobile data capabilities more and more heavily, from individual users performing more tasks directly on their smartphones, to IoT devices which use it when regular network connections are not available (or not possible), service providers need to take the security of this important communications channel more seriously,” said Sean Newman, director of product management for Corero Network Security.

Given that the Diameter protocols are slated to be used in 5G, reports of critical security capabilities not being enabled in the Diameter protocol used for 4G mobile networks are worrisome. Of particular concern is the potential that misconfigurations that lead to the vulnerability could result in distributed denial of service (DDoS) attacks for critical infrastructure relying on mobile access. An attacker would not need to harness any large-scale distributed attack capabilities.

“The latest generation of denial of service protection solutions are critical for any organization that relies on always-on internet availability, but this can only be effective if service providers are ensuring the connectivity itself is always-on,” Newman said.

Concerns over the threats from smartphones have even been presented to Congress with pleas that they should act immediately to protect the nation from cybersecurity threats in SS7 and Diameter.

“SS7 and Diameter were designed without adequate authentication safeguards. As a result, attackers can mimic legitimate roaming activity to intercept calls and text messages, and can imitate requests from a carrier to locate a mobile device. Unlike cell-site simulator attacks, SS7 and Diameter attacks do not require any physical proximity to a victim,” wrote Jonathan Mayer, assistant professor of computer science and public affairs, Princeton University, in his testimony before the Committee on Science, Space, and Technology of 27 June.

Source: https://www.infosecurity-magazine.com/news/concern-mounts-for-ss7-diameter/

Bigger, Faster, Stronger: 2 Reports Detail the Evolving State of DDoS

DDoS attacks continue to plague the Internet, getting bigger and more dangerous. And now, the kids are involved.

DDoS attacks don’t arrive on little cat feet; they announce their presence with the subtlety of a shovel to the face. Two just-released reports show that these loud DDoS attacks are getting louder, larger, and more numerous with the passage of time.

Verisign released its Q1 2018 DDoS Trends Report and Akamai published its State of the Internet/Security Summer 2018 report and neither was filled with good news if your job is defending a company or network against DDoS attacks. Together, the two reports paint a detailed and disturbing picture of the way DDoS attacks are evolving to be both more common and more dangerous.

Both reports noted the largest DDoS attack in the period, a 170 Gbps, 65 Mpps (million packets per second) operation notable for two things: its target and its originator.

The target was not a single organization or individual. It was, instead, an entire /24 subnet on the Internet. The size of the attack and the broad target meant that scores of websites and services around the world felt the effects.

Akamai’s report notes that the threat actor was also notable, given that it was a 12-year-old who originated the attack mechanism on YouTube and coordinated the attack through Steam (an online game-playing platform) and IRC.

When adolescents can use YouTube to launch a globe-spanning attack, it marks the dawn of a new definition of “script kiddies.”

“I believe [kids are] growing up faster because they’re exposed to it,” says Lisa Beegle, senior manager of information security at Akamai, when asked about the age of this attack developer. “They also have a greater amount of time they can commit to it.” She continues, “Was this kid as smart as an adult threat actor? No, but there was still a level of sophistication as to the target.”

That target was hit with a reflection and massive amplification attack using memcached — an attack that saw a returned payload directed at the victim subnet that was 51,000 times the size of the spoofed request sent by the attacker.

While memcached has been in existence for 15 years, this attack seems to be the first major assault using the function in a malicious manner. Since it is a distributed memory object caching system, memcached becomes a very effective tool in the DDoS attacker’s arsenal.

While new attacks are available, the Verisign report notes that UDP floods remain the favorite DDoS mechanism, accounting for roughly half of all attacks seen in the quarter. TCP attacks were the next most common, involved in approximately one-quarter of the attacks. In many cases, though, both types (and others) could be involved, since 58% of attacks involved multiple attack types in a single event.

The nature of attacks continues to evolve through the industry. “Last year, we were seeing smaller attacks that were coming in under the radar — they were causing an impact in 30 seconds, before we could see it and respond,” Beegle says. Now, “I’ve seen attacks that were a week long, where [the attacker] changed the dynamics during the attack,” she says. Moving forward, Beegle expects both types of attacks to continue. “I think there will always be the mix, depending on who the target is and who the attacker is,” she says. “We’ve seen some nation-state action and that will always be different than the script kiddies.”

Source: https://www.darkreading.com/attacks-breaches/bigger-faster-stronger-2-reports-detail-the-evolving-state-of-ddos/d/d-id/1332213

Small businesses aren’t properly prepared for cyberattacks

Even though businesses all over the world are increasingly taking online protection seriously – they still aren’t 100 per cent confident they could tackle serious cybersecurity threats.

Polling 600 businesses in the US, UK and Australia, a study by Webroot found that new types of attacks are dominating in 2018 (compared to the year before) but that the cost of a breach is decreasing, as well.

Phishing has taken the number one spot as the most dangerous type of attack, from malware. Ransomware is also up, from fifth to third, mostly thanks to the large success of WannaCry.

At 25 per cent on a global scale, insider threats seem to be the least dangerous of the bunch.

When it comes to the UK in particular, ransomware is the biggest threat. SMBs are far less concerned about DDoS attacks in the UK, compared to their US counterparts, too.

The report has also taken a closer look at training and uncovered that, even though almost all businesses do conduct training to teach their staff about cybersecurity, this training isn’t continuous. This leads to the next statistic: 79 per cent can’t say they are “completely ready to manage IT security and protect against threats.”

“As our study shows, the rise of new attacks is leaving SMBs feeling unprepared,” commented Charlie Tomeo, vice president of worldwide business sales, Webroot.

“One of the most effective strategies to keep your company safe is with a layered cybersecurity strategy that can secure users and their devices at every stage of an attack, across every possible attack vector.”

Source: https://www.itproportal.com/news/small-businesses-arent-prepared-for-cyberattacks/

Protonmail Hit By Yet Another DDoS Attack

Attack comes as scale, scope and sophistication of DDoS attacks rises sharply

Popular encrypted email provider Protonmail was this morning hit by the latest in a long-running series of malicious attacks on its infrastructure.

The privacy-focussed Geneva-based email provider, which has some 500,000 users, has faced numerous DDoS attacks since being founded.

As one of the only email providers which owns and manages all of its servers and network components such as routers and switches, it is in a unique position – particularly since the company is its own internet service provider.


In 2015 its servers were hit with a 50Gbps wall of “junk data” that threatened to torpedo the company.

After initially paying a ransom following an attack that took its main data centre offline, the company faced a further week-long assault from another adversary that targeted 15 different ISP nodes simultaneously, then attacked all the ISPs going into the datacentre using a wide range of sophisticated tactics.

No ransom demand or claim of responsibility was made.

The company, born from work done at CERN, has since partnered with DDoS protection specialists, Israel-headquartered Radware, and uses BGP redirection and GRE tunnels to defend itself. Today’s attack slowed email delivery and its VPN for several hours, but did not result in the loss of any emails, Protonmail said.

“Our network was hit by a DDoS attack that was unlike the more ‘generic’ DDoS attacks that we deal with on a daily basis. As a result, our upstream DDoS protection service (Radware) needed more time than usual to perform mitigation,” a ProtonMail spokesperson wrote in an email.

“Radware is making adjustments to their DDoS protection systems to better mitigate against this type of attack in the future. While we don’t yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS’s on record,” the spokesperson wrote.

Carl Herberger, Vice President for Security Solutions at Radware, earlier noted: “Corporations need to understand the severity of the Advanced Persistent DoS attacks, such as SMTP DoS, and review their security measures”.

“APDoS is akin to the way bomber aircraft would jam radar systems many years ago – the type of attack is so varied and frequent that it becomes near impossible to detect them all, and more importantly difficult to mitigate them without impacting your legitimate web traffic.”

DDoS Attacks Continue to Rise

The attack comes after a new report from Akamai revealed that there was a 16 percent increase in the number of DDoS attacks recorded since last year, with the largest DDoS attack of the year setting a new record at 1.35 Tbps by using a memcached reflector attack.

Akamai said in its State of the Internet report: “To understand the scale of such an attack, it helps to compare it to the intercontinental undersea cables in use today. The TAT-14 cable, one of many between the US and Europe, is capable of carrying 3.2 Tbps of traffic, while the Japan-Guam-Australia cable, currently under construction, will be capable of 36 Tbps. Neither of these hugely important cables would have been completely swamped by February’s attack, but an attack of that magnitude would have made a significant impact on intercontinental traffic, if targeted correctly.”

The company’s researchers also identified a four percent increase in reflection-based DDoS attacks since last year and a 38 percent increase in application-layer attacks such as SQL injection or cross-site scripting.

Source: https://www.cbronline.com/news/protonmail-ddos

How to Prevent DDoS Attacks: 6 Tips to Keep Your Website Safe

Falling victim to a distributed denial of service (DDoS) attack can be catastrophic: The average cost to an organization of a successful DDoS attack is about $100,000 for every hour the attack lasts, according to security company Cloudflare.

There are longer term costs too: loss of reputation, brand degradation and lost customers, all leading to lost business. That’s why it is worth investing significant resources to prevent a DDoS attack, or at least minimize the risk of falling victim to one, rather than concentrating on how to stop a DDoS attack once one has been started.

In the first article in this series, we discussed how to stop DDoS attacks. If you’re fortunate enough to have survived an attack – or are simply wise enough to think ahead – we will now address preventing DDoS attacks.

Understanding DDoS attacks

A basic volumetric denial of service (DoS) attack often involves bombarding an IP address with large volumes of traffic. If the IP address points to a Web server, legitimate traffic will be unable to contact it and the website becomes unavailable. Another type of DoS attack is a flood attack, where a group of servers are flooded with requests that need processing by the victim machines. These are often generated in large numbers by scripts running on compromised machines that are part of a botnet, and result in exhausting the victim servers’ resources such as CPU or memory.

A DDoS attack operates on the same principles, except the malicious traffic is generated from multiple sources, although orchestrated from one central point. The fact that the traffic sources are distributed – often throughout the world – makes DDoS attack prevention much harder than preventing DoS attacks originating from a single IP address.

Another reason that preventing DDoS attacks is a challenge is that many of today’s attacks are “amplification” attacks. These involve sending out small data packets to compromised or badly configured servers around the world, which then respond by sending much larger packets to the server under attack. A well-known example of this is a DNS amplification attack, where a 60 byte DNS request may result in a 4,000 byte response being sent to the victim – an amplification factor of around 70 times the original packet size.

More recently, attackers have exploited a server feature called memcache to launch memcached amplification attacks, where a 15 byte request can result in a 750 kb response, an amplification factor of more than 50,000 times the original packet size. The world’s largest ever DDoS attack, launched against GitHub earlier this year, was a memcached amplification attack that peaked at 1.35 Tbps of data hitting GitHub’s servers.

The benefit to malicious actors of amplification attacks is that they need only a limited amount of bandwidth at their disposal to launch far larger attacks on their victims than they could do by attacking the victims directly.

Six steps to prevent DDoS attacks

1. Buy more bandwidth

Of all the ways to prevent DDoS attacks, the most basic step you can take to make your infrastructure “DDoS resistant” is to ensure that you have enough bandwidth to handle spikes in traffic that may be caused by malicious activity.

In the past it was possible to avoid DDoS attacks by ensuring that you had more bandwidth at your disposal than any attacker was likely to have. But with the rise of amplification attacks, this is no longer practical. Instead, buying more bandwidth now raises the bar which attackers have to overcome before they can launch a successful DDoS attack, but by itself, purchasing more bandwidth is not a DDoS attack solution.

2. Build redundancy into your infrastructure

To make it as hard as possible for an attacker to successfully launch a DDoS attack against your servers, make sure you spread them across multiple data centers with a good load balancing system to distribute traffic between them. If possible, these data centers should be in different countries, or at least in different regions of the same country.

For this strategy to be truly effective, it’s necessary to ensure that the data centers are connected to different networks and that there are no obvious network bottlenecks or single points of failure on these networks.

Distributing your servers geographically and topologically will make it hard for an attacker to successfully attack more than a portion of your servers, leaving other servers unaffected and capable of taking on at least some of the extra traffic that the affected servers would normally handle.

3. Configure your network hardware against DDoS attacks

There are a number of simple hardware configuration changes you can make to help prevent a DDoS attack.

For example, configuring your firewall or router to drop incoming ICMP packets or block DNS responses from outside your network (by blocking UDP port 53) can help prevent certain DNS and ping-based volumetric attacks.
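Blocking UDP port 53 outright, as the step above suggests, also drops the answers to queries your own resolvers send. As an added example that is not part of the article, the following model admits an inbound DNS response only when it matches a query we actually sent and treats everything else as reflection traffic; the packet records and addresses are constructed.

```python
"""Added example (not the article's): stateful handling of inbound DNS traffic.

Step 3 suggests blocking UDP/53 from outside; done bluntly that also drops the
answers to your own resolvers' queries. This model admits a response only when
it matches a query we actually sent, and treats everything else as reflection.
Packet records are constructed, not captured.
"""
from collections import namedtuple

# direction is "out" (we sent it) or "in" (it arrived from outside)
Pkt = namedtuple("Pkt", "direction src dst sport dport txid size")
OUR_NET = "203.0.113."   # documentation prefix standing in for "our network"

def filter_dns(packets, max_age=16):
    """Return (admitted, dropped) for inbound packets from source port 53.

    Each outbound query registers (remote_ip, txid); a response is admitted
    once for that key, then the key is removed so a replay is dropped. Keys
    older than `max_age` packets expire so stale state cannot accumulate.
    """
    pending = {}                       # (remote_ip, txid) -> packet index
    admitted, dropped = [], []
    for i, p in enumerate(packets):
        for k in [k for k, sent in pending.items() if i - sent > max_age]:
            del pending[k]
        if p.direction == "out" and p.dport == 53 and p.src.startswith(OUR_NET):
            pending[(p.dst, p.txid)] = i
        elif p.direction == "in" and p.sport == 53:
            key = (p.src, p.txid)
            if pending.pop(key, None) is not None:
                admitted.append(p)
            else:
                dropped.append(p)      # unsolicited: reflection candidate
    return admitted, dropped

def reflection_report(dropped):
    """Summarise unsolicited responses: bytes absorbed and hits per source."""
    per_src = {}
    for p in dropped:
        per_src[p.src] = per_src.get(p.src, 0) + 1
    return {"bytes": sum(p.size for p in dropped), "sources": per_src}

# Constructed trace: one legitimate exchange, two unsolicited 4,000-byte
# answers (the amplification pattern from the article), and one replay.
SAMPLE = [
    Pkt("out", "203.0.113.10", "198.51.100.53", 40001, 53, 0x1A2B, 60),
    Pkt("in", "198.51.100.53", "203.0.113.10", 53, 40001, 0x1A2B, 180),
    Pkt("in", "192.0.2.7", "203.0.113.10", 53, 40002, 0x9C01, 4000),
    Pkt("in", "192.0.2.8", "203.0.113.10", 53, 40003, 0x9C02, 4000),
    Pkt("in", "198.51.100.53", "203.0.113.10", 53, 40001, 0x1A2B, 180),
]
```

A stateful firewall's connection tracking does the same matching in practice; the report output is what you would feed to a rate limiter or alert.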

4. Deploy anti-DDoS hardware and software modules

Your servers should be protected by network firewalls and more specialized web application firewalls, and you should probably use load balancers as well. Many hardware vendors now include software protection against DDoS protocol attacks such as SYN flood attacks, for example, by monitoring how many incomplete connections exist and flushing them when the number reaches a configurable threshold value.

Specific software modules can also be added to some web server software to provide some DDoS prevention functionality. For example, Apache 2.2.15 ships with a module called mod_reqtimeout to protect itself against application-layer attacks such as the Slowloris attack, which opens connections to a web server and then holds them open for as long as possible by sending partial requests until the server can accept no more new connections.
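As an added example covering both mechanisms above (the half-open connection threshold and the header-read deadline behind mod_reqtimeout), and not code from any vendor or from Apache, the following keeps one table of incomplete connections and replays a constructed event trace through it; the threshold and deadline values are assumptions.

```python
# Added example (not vendor or Apache code): bookkeeping for two step-4
# defenses, driven by constructed events rather than real traffic.
#  * SYN-flood style: when half-open connections (SYN seen, no ACK) exceed a
#    configurable threshold, the oldest entries are flushed.
#  * Slowloris style: a client that completes the handshake but never finishes
#    its request headers within a deadline is closed (the mod_reqtimeout idea).
class ConnectionGuard:
    def __init__(self, max_half_open=3, header_deadline=20.0):
        self.max_half_open = max_half_open      # configurable threshold
        self.header_deadline = header_deadline  # seconds allowed to send headers
        self.half_open = {}   # client -> time SYN arrived
        self.reading = {}     # client -> time handshake completed
        self.flushed, self.timed_out, self.served = [], [], []

    def syn(self, t, client):
        self.half_open[client] = t
        while len(self.half_open) > self.max_half_open:   # flush oldest first
            oldest = min(self.half_open, key=self.half_open.get)
            del self.half_open[oldest]
            self.flushed.append(oldest)

    def ack(self, t, client):
        if client in self.half_open:                     # handshake completes
            del self.half_open[client]
            self.reading[client] = t

    def headers_done(self, t, client):
        if self.reading.pop(client, None) is not None:
            self.served.append(client)

    def tick(self, t):
        # Timer callback: close readers that exceeded the header deadline.
        for c, started in list(self.reading.items()):
            if t - started > self.header_deadline:
                del self.reading[c]
                self.timed_out.append(c)

def replay(events, **cfg):
    """Feed constructed (time, kind, client) events and return the guard."""
    g = ConnectionGuard(**cfg)
    for t, kind, client in events:
        g.tick(t) if kind == "tick" else getattr(g, kind)(t, client)
    return g

# Constructed trace: four SYNs exceed the threshold of 3, then one slow client.
SAMPLE_EVENTS = [
    (0, "syn", "A"), (1, "syn", "B"), (2, "syn", "C"), (3, "syn", "D"),
    (4, "ack", "B"), (5, "headers_done", "B"),
    (6, "ack", "C"),          # C never finishes its headers
    (30, "tick", None),
]
```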

5. Deploy a DDoS protection appliance

Many security vendors including NetScout Arbor, Fortinet, Check Point, Cisco and Radware offer appliances that sit in front of network firewalls and are designed to block DDoS attacks before they can take effect.

They do this using a number of techniques, including carrying out traffic behavioral baselining and then blocking abnormal traffic, and blocking traffic based on known attack signatures.

The main weakness of this approach to preventing DDoS attacks is that the appliances themselves are limited in the amount of traffic throughput they can handle. While high-end appliances may be able to inspect traffic coming in at a rate of up to 80 Gbps or so, today’s DDoS attacks can easily be an order of magnitude greater than this.

6. Protect your DNS servers

Don’t forget that a malicious actor may be able to take your web servers offline by DDoSing your DNS servers. For that reason it is important that your DNS servers have redundancy, and placing them in different data centers behind load balancers is also a good idea. A better solution may even be to move to a cloud-based DNS provider that can offer high bandwidth and multiple points-of-presence in data centers around the world. These services are specifically designed with DDoS prevention in mind. For more information, see How to Prevent DNS Attacks.

Source: https://www.esecurityplanet.com/network-security/how-to-prevent-ddos-attacks.html

Hospitality industry under siege from botnets

The hospitality industry, including hotels, airlines and cruise lines, is the biggest target for cyber criminal botnet attacks that abuse credentials and overwhelm online systems, a report reveals.

Cyber security defenders face increasing threats from bot-based credential abuse targeting the hospitality industry, a report shows.

Bot-based attacks are also being used for advanced distributed denial of service (DDoS) attacks, according to the Summer 2018 state of the internet/security: web attack report by Akamai Technologies.

The report is based on attack data from across Akamai’s global infrastructure and represents the research of a diverse set of teams throughout the company.

Analysis of current cyber attack trends for the six months from November 2017 to April 2018 reveals the importance of maintaining agility not only by security teams, but also by developers, network operators and service providers in order to mitigate new threats, the report said.

The use of bots to abuse stolen credentials continues to be a major risk for internet-driven businesses, but Akamai’s data revealed that the hospitality industry experiences many more credential abuse attacks than other sectors.

Akamai researchers analysed nearly 112 billion bot requests and 3.9 billion malicious login attempts that targeted sites in this industry. Nearly 40% of the traffic seen across hotel and travel sites is classified as “impersonators of known browsers”, which is a common technique used by cyber fraudsters.

Geographic analysis of attack traffic origination revealed that Russia, China and Indonesia were major sources of credential abuse for the travel industry during the period covered by the report, directing about half of their credential abuse activity at hotels, cruise lines, airlines, and travel sites. Attack traffic origination against the hospitality and travel industry from China and Russia combined was three times the number of attacks originating in the US.

“These countries have historically been large centres for cyber attacks, but the attractiveness of the hospitality industry appears to have made it a significant target for hackers to carry out bot-driven fraud,” said Martin McKeay, senior security advocate at Akamai and senior editor of the report.

While simple volumetric DDoS attacks continued to be the most common method used to attack organisations globally, the report said other techniques have continued to appear. Akamai researchers identified and tracked advanced techniques that show the influence of intelligent, adaptive enemies who change tactics to overcome the defences in their way.

One of the attacks mentioned in the report came from a group that coordinated its attacks over group chats on the Steam digital distribution platform and IRC (internet relay chat). Rather than using a botnet of devices infected with malware to follow hacker commands, these attacks were carried out by a group of human volunteers.

Another notable attack overwhelmed the target’s DNS (domain name system) server with bursts lasting several minutes instead of using a sustained attack against the target directly. This added to the difficulty of mitigating the attack because of the sensitivity of DNS servers, which are what allow outside computers to find the target on the internet. The burst pattern also made things harder for defenders by tiring them out over a long period of time.

“Both of these attack types illustrate how attackers are always adapting to new defences to carry out their nefarious activities,” said McKeay. “These attacks, coupled with the record-breaking 1.35Tbps memcached attacks from earlier this year, should serve as a not-so-gentle reminder that the security community can never grow complacent.”

Other key findings of the report include a 16% increase in the number of DDoS attacks recorded since 2017. Researchers identified a 4% increase in reflection-based DDoS attacks since 2017 and a 38% rise in application-layer attacks such as SQL injection or cross-site scripting.

The report also noted that in April 2018, the Dutch National High Tech Crime Unit took down a malicious DDoS-for-hire website with 136,000 users.

Source: https://www.computerweekly.com/news/252443696/Hospitality-industry-under-siege-from-botnets

Cyber security incidents could cost Aussie businesses $29B per year

Fear and doubt about cyber risks have led 66 per cent of Australian businesses to put off digital transformation plans, with security incidents potentially costing organisations $29 billion per year.

In research conducted by Frost & Sullivan and commissioned by Microsoft, the cost of local security incidents includes losses in revenue, decreased profitability, fines, lawsuits and remediation.

“The fact that two-thirds of Australian organisations are putting off digital transformation efforts is concerning, when you consider that digital transformation is expected to contribute $45 billion to Australia’s economy by 2021,” Microsoft director of corporate legal and external affairs Tom Daemen said.

“To combat this, we need to be instilling a data culture throughout organisations. Data management needs to be prioritised in the boardroom as a strategic focus.

“Not only will this ensure organisations comply with the Australian Notifiable Data Breaches Act and European GDPR legislation, but it will empower employees to see data as the strategic asset it is – and push forward with digital transformation initiatives.”

The study, Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, revealed that a large-sized organisation (over 500 employees) in Australia can incur an economic loss of $35.9 million if a breach occurs.

The economic loss is calculated from direct costs, indirect costs (including customer churn and reputation damage) as well as induced costs (the impact of cyber breach to the broader ecosystem and economy, such as the decrease in consumer and enterprise spending).

A total of 1,300 executives were interviewed for this study in Australia, China, Hong Kong, Indonesia, India, Japan, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan and Thailand.

According to findings, more than half of the organisations surveyed in Australia, or 55 per cent, have experienced a cyber security incident in the last five months while one in five companies are not sure if they have had one or not as they have not performed proper forensics or a data breach assessment.

“The number of organisations that have experienced a cyber security incident, although large, is not particularly surprising given the increased rate of cyber security attacks we’re seeing annually,” Daemen said.

“However, the finding that one in five Australian businesses are not performing regular forensics and data breach assessments is surprising given the frequency of attacks and suggests a need for greater awareness and a cultural shift in how we manage and think about data.”

Artificial intelligence (AI) is being adopted by businesses in order to improve their cyber security.

In fact, the study found that 84 per cent of Australian organisations have either adopted or are looking to adopt an AI approach towards boosting cyber security.

Although ransomware and DDoS attacks have dominated headlines in recent times, the study found that online brand impersonation, remote code execution and data corruption are actually the bigger concern as they have the highest impact on business with the slowest recovery time.

According to the combined scams reported to the ACCC and ACORN in 2017, email scams cost Australian businesses $22.1 million that year.

ACCC’s Scamwatch alone received 5,432 scam reports from Australian businesses in 2017, with 60 per cent of the scams delivered via email and money sent to scammers via bank transfer 85 per cent of the time – total losses from those scams amount to $4.6 million.

Source: https://www.arnnet.com.au/article/642959/cyber-security-could-cost-aussie-businesses-29b-per-year/