Critical infrastructure remains insecure

Organisations can no longer afford to leave their systems unprotected from increasingly advanced cyber threats.

The threat to our critical national infrastructure (CNI) system is at an unprecedented high with reported cyber-attacks from a number of factions, suspected infiltrations from nation states, and the NCSC warning that these systems remain a high-profile target and exceptionally vulnerable.

Earlier this month, researchers found that just four lines of code implanted in a device on a factory floor could identify and list networks, trigger controllers and stop processes and production lines. In fact, responding to Corero’s Freedom of Information requests, 70% of critical infrastructure institutions – ranging from police forces to NHS trusts, energy suppliers and water authorities – confirmed they’d experienced service outages in their IT systems within the last two years.

Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life, disruption by preventing access to essential services such as power, transport and the emergency services. Recognizing the damaging impact they can inflict, malicious actors have started crafting malware specifically to target these systems and many believe the next attack is just around the corner.

With the heightened threat, and possibility of significant fines under the new Networks and Information Systems (NIS) directive which came into effect in early May, it’s crucial that organizations implement security measures before damage is done.

Industrial control systems at risk

In recent months, we have seen a greater number of sophisticated cyber threats against all parts of critical infrastructure. Indeed, last October a DDoS attack on the Swedish Railway took out its train ordering system for two days, causing travel chaos. Similarly, last May’s WannaCry ransomware attack made many NHS systems unavailable (for example, access to patients’ medical records), causing operations to be cancelled. There is no doubt that a successful attack on the more vulnerable management systems can cause widespread disruption. Moreover, such attacks can result in network downtime, which in turn can have a serious economic impact: it can halt production, reduce output, cause physical damage and even put people’s lives in danger.

In a separate Corero study last year, we found that most UK critical infrastructure organizations (51%) are potentially vulnerable, because they have not deployed technology that can detect or mitigate short-duration, surgical DDoS attacks on their networks. Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators, because even a short period of downtime or latency can significantly impact the delivery of essential services. Indeed, DDoS attacks can disrupt the availability of critical services we use as part of our everyday life, while potentially allowing attackers to plant weaponized malware. Critical infrastructure operators, including energy, transport, communications and emergency services, should not be leaving DDoS attack protection to chance.

Attackers are taking advantage of the escalating number of industrial IoT devices, which underscores the growing risk of very large botnet-based DDoS attacks. These devices are transforming industrial sectors by reducing costs and providing better visibility of networks, processes and security. However, despite their benefits, these devices suffer from basic security vulnerabilities, and it is precisely this lack of security that makes them such an attractive target for hackers.

NIS Directive introduces changes to critical infrastructure security

Protecting critical infrastructure from cyber-attacks has become a top government priority. The EU’s NIS Directive, adopted into UK law as the NIS Regulation, aims to raise levels of security and resilience of network and information systems. Indeed, now that the legislation is implemented into UK law, critical infrastructure outages will have to be reported to regulators, who have the power to impose financial penalties of up to £17 million on providers of infrastructure services that fail to protect against cyber-attacks on their networks. Consequently, operators of essential services and industrial control systems need to up their game to be resilient to today’s cyber-threats. However, rather than being seen as just more red tape, or a financial telling-off for non-compliance, the regulation should be seen as a golden opportunity to improve the UK’s cyber-security posture.

Best practices

Despite the huge fines and multiple warnings, 11% of the critical infrastructure organizations that responded to Corero’s 2018 study admitted that they do not always ensure that patches for critical vulnerabilities are routinely implemented within 14 days, as recommended within the Government’s 10 Steps to Cyber Security guidance. Paradoxically, almost all the organizations that responded to the request (98%) are following government advice about network security, by adhering to the Network Security section of the 2012 guidance.

To reduce the risk of a catastrophic outcome that risks public safety, organizations need to ensure their industrial control systems are secure.

Organizations need to take a serious look at their own operating model and ensure that robust protection against cyberthreats is in place. It is not acceptable that service and data loss should be excused, under any circumstances, when the technology and services to provide proper protection are available today.

One of the biggest challenges that organisations running critical infrastructure systems now have is that they are increasingly connecting those networks to the broader IT infrastructure, for reasons of operational efficiency and effectiveness. The potential for hackers to access these devices from the outside and change settings, or to launch DDoS attacks that block local changes from taking effect, could be very damaging indeed, depending on the systems being targeted. Organisations vulnerable to such attacks need to ensure they are putting the right protection in place, including real-time automatic DDoS protection, as even small attacks getting through, for even a short period of time, could have serious implications.

In addition, to avoid smart devices being enslaved into DDoS botnets, organizations need to pay close attention to the network settings for those devices and, where possible, protect them from access to the Internet and to other devices.

Organizations can include IoT devices alongside regular IT asset inventories and adopt basic security measures like changing default credentials and rotating a selection of strong Wi-Fi network passwords regularly.

Businesses can certainly protect their networks from DDoS attacks fueled by IoT-driven botnets by deploying an always-on, automated solution at the network edge, which can detect unusual network activity and eliminate threats from entering a network, in real-time.

Source: https://www.itproportal.com/features/critical-infrastructure-remains-insecure/

Cloud Security For The Healthcare Industry: A No-Brainer

The healthcare industry has become one of the likeliest to suffer cyber-attacks, and there’s little wonder why. Having the financial and personal information of scores of patients makes it a very appetizing target for attackers.

Just over a year ago, the WannaCry ransomware attack wreaked havoc on the UK National Health Service (NHS), ultimately disrupting a third of its facilities and causing a rash of canceled appointments and operations.

As healthcare organizations face the prospect of increasing attack, their security teams look to cybersecurity experts with comprehensive, tested products to protect the sensitive information they hold. ALYN Woldenberg Family Hospital, Israel’s only pediatric rehabilitation facility, is no exception.

With a database of more than 70,000 patients and a website hosted in four languages and across three different domains, ALYN Hospital’s IT team was concerned that their content management system (CMS) could be vulnerable. The team didn’t feel their cybersecurity vendor was updating the security on their CMS as often as they should, leading them to go looking for a new vendor.

Initially checking out on-premise WAF systems, ALYN’s team kept coming up against the cost of securing their sites, and because of strict government regulations they were initially hesitant to move to a cloud-based system. Ultimately, however, they decided that the Imperva Incapsula cloud-based WAF was just the thing.

“We looked at community reviews and talked with colleagues at other hospitals and got the impression that Incapsula is one of the best in terms of cost-benefit ratio, which is important to us, in addition to robustness, ease-of-use, and integration, which was very smooth. It all proved to be correct, for which I am very glad,” said Uri Inbar, Director of IT for ALYN Hospital.

Setting up the system took less than a day, and ALYN Hospital still manages its servers in-house, with a staff member who is now dedicated to security. Imperva Incapsula has been low maintenance from the start: while customer support was with them every step of the way at the beginning, they haven’t needed any for the last few years because the system has been running smoothly on its own.

“It gives us peace of mind to know that someone has dedicated themselves to the subject and keeps us updated. It’s one less worry to take care of.”

Since making the switch, ALYN Hospital has seen some significant improvements:

  • Increased visibility for monitoring security threats: The Imperva Incapsula dashboard is easy to use and provides information that helps ALYN Hospital keep its systems secure. And for their special projects, they can even see which countries are generating the most traffic.
  • Good cost-benefit ratio: One of the most important aspects of any new security system for ALYN, the costs were reasonable, especially given the security benefits they received from the Incapsula system.
  • Faster content delivery: While no formal studies were done, the IT staff has heard from some users that their CDN is delivering content faster than before.

Source: https://securityboulevard.com/2018/07/cloud-security-for-the-healthcare-industry-a-no-brainer/

Protonmail Hit By Yet Another DDoS Attack

Attack comes as scale, scope and sophistication of DDoS attacks rises sharply

Popular encrypted email provider Protonmail was this morning hit by the latest in a long-running series of malicious attacks on its infrastructure.

The privacy-focussed Geneva-based email provider, which has some 500,000 users, has faced numerous DDoS attacks since being founded.

As one of the only email providers which owns and manages all of its servers and network components such as routers and switches, it is in a unique position – particularly since the company is its own internet service provider.

In 2015 its servers were hit with a 50Gbps wall of “junk data” that threatened to torpedo the company.

After initially paying a ransom following an attack that took its main data centre offline, the company faced a further week-long assault from another adversary that targeted 15 different ISP nodes simultaneously, then attacked all the ISPs going into the datacentre using a wide range of sophisticated tactics.

No ransom nor responsibility claim was made.

The company, born from work done at CERN, has since partnered with DDoS protection specialists, Israel-headquartered Radware, and uses BGP redirection and GRE tunnels to defend itself. Today’s attack slowed email delivery and its VPN for several hours, but did not result in the loss of any emails, Protonmail said.

“Our network was hit by a DDoS attack that was unlike the more ‘generic’ DDoS attacks that we deal with on a daily basis. As a result, our upstream DDoS protection service (Radware) needed more time than usual to perform mitigation,” a ProtonMail spokesperson wrote in an email.

“Radware is making adjustments to their DDoS protection systems to better mitigate against this type of attack in the future. While we don’t yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS’s on record,” the spokesperson wrote.

Carl Herberger, Vice President for Security Solutions at Radware, earlier noted: “Corporations need to understand the severity of the Advanced Persistent DoS attacks, such as SMTP DoS, and review their security measures”.

“APDoS is akin to the way bomber aircraft would jam radar systems many years ago – the type of attack is so varied and frequent that it becomes near impossible to detect them all, and more importantly difficult to mitigate them without impacting your legitimate web traffic.”

DDoS Attacks Continue to Rise

The attack comes after a new report from Akamai revealed that there was a 16 percent increase in the number of DDoS attacks recorded since last year, with the largest DDoS attack of the year setting a new record at 1.35 Tbps by using a memcached reflector attack.

Akamai said in its State of the Internet report: “To understand the scale of such an attack, it helps to compare it to the intercontinental undersea cables in use today. The TAT-14 cable, one of many between the US and Europe, is capable of carrying 3.2 Tbps of traffic, while the Japan-Guam-Australia cable, currently under construction, will be capable of 36 Tbps. Neither of these hugely important cables would have been completely swamped by February’s attack, but an attack of that magnitude would have made a significant impact on intercontinental traffic, if targeted correctly.”

The company’s researchers also identified a four percent increase in reflection-based DDoS attacks since last year and a 38 percent increase in application-layer attacks such as SQL injection or cross-site scripting.

Source: https://www.cbronline.com/news/protonmail-ddos

Hospitality industry under siege from botnets

The hospitality industry, including hotels, airlines and cruise lines, is the biggest target for cyber criminal botnet attacks that abuse credentials and overwhelm online systems, a report reveals.

Cyber security defenders face increasing threats from bot-based credential abuse targeting the hospitality industry, a report shows.

Bot-based attacks are also being used for advanced distributed denial of service (DDoS) attacks, according to the Summer 2018 State of the Internet / Security: Web Attack report by Akamai Technologies.

The report is based on attack data from across Akamai’s global infrastructure and represents the research of a diverse set of teams throughout the company.

Analysis of current cyber attack trends for the six months from November 2017 to April 2018 reveals the importance of maintaining agility not only by security teams, but also by developers, network operators and service providers in order to mitigate new threats, the report said.

The use of bots to abuse stolen credentials continues to be a major risk for internet-driven businesses, but Akamai’s data revealed that the hospitality industry experiences many more credential abuse attacks than other sectors.

Akamai researchers analysed nearly 112 billion bot requests and 3.9 billion malicious login attempts that targeted sites in this industry. Nearly 40% of the traffic seen across hotel and travel sites is classified as “impersonators of known browsers”, which is a common technique used by cyber fraudsters.

Geographic analysis of attack traffic origination revealed that Russia, China and Indonesia were major sources of credential abuse for the travel industry during the period covered by the report, directing about half of their credential abuse activity at hotels, cruise lines, airlines, and travel sites. Attack traffic origination against the hospitality and travel industry from China and Russia combined was three times the number of attacks originating in the US.

“These countries have historically been large centres for cyber attacks, but the attractiveness of the hospitality industry appears to have made it a significant target for hackers to carry out bot-driven fraud,” said Martin McKeay, senior security advocate at Akamai and senior editor of the report.

While simple volumetric DDoS attacks continued to be the most common method used to attack organisations globally, the report said other techniques have continued to appear. Akamai researchers identified and tracked advanced techniques that show the influence of intelligent, adaptive enemies who change tactics to overcome the defences in their way.

One of the attacks mentioned in the report came from a group that coordinated its attacks over group chats on Steam digital distribution platform and IRC (internet relay chat). Rather than using a botnet of devices infected with malware to follow hacker commands, these attacks were carried out by a group of human volunteers.

Another notable attack overwhelmed the target’s DNS (domain name system) server with bursts lasting several minutes instead of using a sustained attack against the target directly. This added to the difficulty of mitigating the attack because of the sensitivity of DNS servers, which are what allow outside computers to find the target on the internet. The burst pattern also increased the difficulty for defenders by tiring them out over a long period of time.

“Both of these attack types illustrate how attackers are always adapting to new defences to carry out their nefarious activities,” said McKeay. “These attacks, coupled with the record-breaking 1.35Tbps memcached attacks from earlier this year, should serve as a not-so-gentle reminder that the security community can never grow complacent.”

Other key findings of the report include a 16% increase in the number of DDoS attacks recorded since 2017. Researchers identified a 4% increase in reflection-based DDoS attacks since 2017 and a 38% rise in application-layer attacks such as SQL injection or cross-site scripting.

The report also noted that in April 2018, the Dutch National High Tech Crime Unit took down a malicious DDoS-for-hire website with 136,000 users.

Source: https://www.computerweekly.com/news/252443696/Hospitality-industry-under-siege-from-botnets

The Lesson of the GitHub DDoS Attack: Why Your Web Host Matters

Surviving a cyberattack isn’t like weathering a Cat 5 hurricane or coming through a 7.0 earthquake unscathed. Granting that natural disasters too often have horrendous consequences, there’s also a “right place, right time” element to making it through. Cyber-disasters – which can be every bit as calamitous in their own way as acts of nature – don’t typically bend to the element of chance. If you come out the other side intact, it’s probably no accident. It is, instead, the result of specific choices, tools, policies and practices that can be codified and emulated – and that need to be reinforced.

Consider the recent case of GitHub, the target of the largest DDoS attack ever recorded. GitHub’s experience is instructive, and perhaps the biggest takeaway can be expressed in four simple words: Your web host matters.

That’s especially crucial where security is concerned. Cloud security isn’t like filling out a job application; it’s not a matter of checking boxes and moving on. Piecemeal approaches to security simply don’t work. Patching a hole or fixing a bug, and then putting it “behind” you – that’s hardly the stuff of which effective security policies are made. Because security is a moving target, scattershot repairs ignore the hundreds or even thousands of points of vulnerability that a policy of continuing monitoring can help mitigate.

Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. So while data is considerably safer in the cloud than beached on equipment under someone’s desk, there is no substitute for active vigilance – accent on active, since vigilance is both a mindset and a verb. About that mindset: sound security planning requires assessing threats, choosing tools to meet those threats, implementing those tools, assessing the effectiveness of the tools implemented – and repeating this process on an ongoing basis.

Among the elements of a basic cybersecurity routine: setting password expirations, obtaining certificates, avoiding the use of public networks, meeting with staff about security, and so on. Perfection in countering cyberattacks is as elusive here as it is in any other endeavor. Even so, that can’t be an argument for complacence or anything less than maximum due diligence, backed up by the most capable technology at each organization’s disposal.

In this turn of events is a counterintuitive lesson about who and what is most vulnerable during a hack. The experience of public cloud providers should put to rest the notion that the cloud isn’t safe. GitHub’s experience makes a compelling argument that the cloud is in fact the safest place to be in a cyber hurricane. Internal IT departments, fixated on their own in-house mixology, can be affected big-time – as they were in a number of recent ransomware attacks — raising the very legitimate question of why some roll-your-own organizations devote precious resources, including Bitcoin, to those departments in the belief that the cloud is a snakepit.

Cloud security isn’t what it used to be – and that’s a profound compliment to the cloud industry’s maturity and sophistication. What once was porous is now substantially better in every way, which isn’t to deny that bad actors have raised their game as well. Some aspects of cloud migration have always been threatening to the old guard. Here and there, vendors and other members of the IT community have fostered misconceptions about security in the cloud – not in an effort to thwart migration but in a bid to control it. Fear fuels both confusion and dependence.

Sadly, while established cloud security protocols should be standard-issue stuff, they aren’t. The conventional wisdom is that one cloud hosting company is the same as another, and that because they’re committed to life off-premises, they all must do the exact same thing, their feature sets are interchangeable, and the underlying architecture is immaterial. The message is, it doesn’t matter what equipment they’re using — it doesn’t matter what choice you make. But in fact, it does. Never mind the analysts; cloud computing is not a commodity business. And never mind the Street; investors and Certain Others fervently want it to be a commodity, but because those Certain Others go by the name of Microsoft and Amazon, fuzzing the story won’t fly. They want to grab business on price and make scads of money on volume (which they are).

The push to reduce and simplify is being driven by a combination of marketing gurus who are unfamiliar with the technology and industry pundits who believe everything can be plotted on a two-dimensional graph. Service providers are trying to deliver products that don’t necessarily fit the mold, so it’s ultimately pointless to squeeze technologies into two or three dimensions. These emerging solutions are much more nuanced than that.

Vendors need to level with users. The devil really is in the details. There are literally hundreds of decisions to make when architecting a solution, and those choices mean that every solution is not a commodity. Digital transformation isn’t going to emerge from some marketing contrivance, but from technologies that make cloud computing more secure, more accessible and more cost-effective.

Source: https://hostingjournalist.com/expert-blogs/the-lesson-of-the-github-ddos-attack-why-your-web-host-matters/

World Cup could lead to surge in cyber threats

With the Group Stage of the 2018 FIFA World Cup now well underway, security companies are warning that cybercriminals are likely to use the interest stirred up by the event to launch cyber attacks.

Network and endpoint security company Sophos noted that cyber attacks often go hand in hand with major sporting events, including the World Cup, as criminals exploit the fevered interest stirred up in incautious sporting fans.

There is already a long history of World Cup cyber threats, including a virus with a backdoor sent under the pretence of free tickets during Germany 2006, and the blackmail of online betting sites with threats of DDoS attacks during South Africa 2010.

A virus deployed during France 1998 also had users gamble on the winner of the Cup, with the wrong choice leading to all data being wiped from a victim’s drive, while in South Korea 2002, a virus posing as a web utility giving up-to-the-minute updates was distributed via email and IM.

Sophos noted that awareness is generally greater this year, with teams including the English Football Association warning players not to use public Wi-Fi in Russia due to fears of hacking.

But the company noted that it is important that organisations and people remain vigilant at all times about the increased threat.

Meanwhile, Akamai Technologies Director of Security Technology Patrick Sullivan noted that the company has historically noticed declines in cyber attacks while games are actually underway — until there’s a clear winner.

“Once games are well in hand, attacks from the losing team’s nation spike well above normal. This often takes the form of attacks designed to take down news stories in the victor’s country that tout a home-team win,” he said.

“Activists also frequently use various forms of cyber attacks during major sporting events to protest the host nation — often targeting sponsors to get their point across. For example, protesters at the recent Brazilian World Cup that were upset with the amount of money spent.”

Source: https://www.technologydecisions.com.au/content/security/news/world-cup-could-lead-to-surge-in-cyber-threats-456219990

How CIA can improve your cyber security

The threat of cyber-attack is increasing every year.

According to the Online Trust Alliance, 2017 was the worst year yet in terms of attacks on business. Figures indicate that attacks doubled from 82,000 incidents in 2016 to over 159,000 – and that’s just the ones we know about.

Keeping up to date with the latest cyber security threats is an almost impossible task. The time between vulnerability disclosure and attack launch is getting shorter all the time, and it’s easy for a hacker to change a line of code in the program, and then fire off another (ever so slightly different) attack.

Just to prove the point, in 2016, ransomware peaked at 40,000 attacks a day, with over 400,000 variations found. Imagine trying to keep on top of all that?

Effective cyber security is knowing what’s important to you and protecting it to the best of your abilities. Think of it in three elements – the CIA triad:

  • Confidentiality
  • Integrity
  • Availability

Confidentiality – who really needs access to the information?

Confidentiality is all about privacy and works on the basis of ‘least privilege’. Only those who require access to specific information should be granted it, and measures need to be put in place to ensure sensitive data is prevented from falling into the wrong hands.

The more critical the information, the stronger the security measures need to be.

Measures that support confidentiality can include data encryption, IDs and passwords, two-factor authentication, biometric verification, air-gapped systems (physically isolating a secure computer network from unsecured networks such as the public internet) or even disconnected devices for the most sensitive of information.

Integrity – how do you ensure the accuracy of your data?

The integrity of your information is essential, and organisations need to take the necessary steps to ensure that it remains accurate throughout its entire life cycle, whether at rest or during transit.

Access privileges and version control are always useful to prevent unwanted changes or deletion of your information. Back-ups should be taken at regular intervals to ensure that any data can be restored.

When it comes to the integrity of information in transit, one-way hashes – an algorithm that turns a message or text into a fixed-length string of digits, from which it is nearly impossible to derive the original text – can be used to check that the data has remained unchanged.

Availability – how do you keep your business up and running?

Keeping your business operational is critical and you need to ensure that those who need access to hardware, software, equipment or even information can maintain this access at any time.

Disaster planning is essential for this and organisations need to plan ahead to prevent any loss of availability, should the worst happen.

Examples of disaster planning include preparing to deal with cyber-attacks (such as DDoS), data centre power loss or even potential natural disasters.

Getting the combination right

All three of the CIA elements listed above are required to ensure you remain protected. If one aspect fails, it could provide a way in for hackers to compromise your network and your data.

However, the mix between the three elements depends on the individual company and the project or asset the controls are being applied to. Some companies may value confidentiality above all, others may place most value on availability.

Whatever the combination, it’s important that the CIA triad is considered at all times and by doing so you protect your organisation against a range of threats, without having to spend too much time keeping up with the latest threats.

Source: http://www.businesscloud.co.uk/opinion/how-cia-can-improve-your-cyber-security

Cyber Attacks Cost Korean Firms US$72 billion Last Year: Report

Cyber attacks cost Korean companies US$72 billion last year, according to a survey released by Microsoft Korea on June 18.

The Cyber Security Threat Report, produced jointly with Frost & Sullivan, a global consulting firm, assumes that 90 percent of the damage was indirect losses, which included losses from losing customers, tarnished corporate reputations, and job losses. The report referred to this phenomenon as an “iceberg effect” where indirect losses eclipse direct losses.

This report also covered the status of Korean companies’ security awareness. Among the Korean companies which participated in the survey, 29 percent said they did not even know whether or not a cyber attack occurred. In addition, 35 percent of them said they were postponing digitalization because they were concerned about cyber attacks.

Meanwhile, according to the semi-annual “Security Intelligence Report” released by Microsoft Korea, three types of cybercrime were used in combination — botnets, phishing, and ransomware.

A botnet is a method of infecting multiple PCs over the internet, turning them into zombie PCs used to perform distributed denial-of-service (DDoS) attacks, steal data and send spam. Phishing refers to deceiving users into making a mistake by disguising a malicious website or e-mail as a legitimate one. Ransomware is malicious code that encrypts data on your computer and demands money in exchange for a password.

“In the rapidly changing digital world, companies must make cybersecurity a top priority for their organization,” said Kim Gui-ryeon, chief security officer at Microsoft Korea.

Source: http://www.businesskorea.co.kr/news/articleView.html?idxno=23084

Cyber attack warnings highlight need to be prepared

Fresh warnings about the vulnerability of national infrastructure to cyber attacks show the need for securing and monitoring associated control systems connected to the internet.

The commander of Britain’s Joint Forces Command has warned that UK traffic control systems and other critical infrastructure could be targeted by cyber adversaries – but industry experts say this is nothing new and something organisations should be preparing for.

According to Christopher Deverell, these systems could be targeted by countries such as Russia. “There are many potential angles of attack on our systems,” he told the BBC’s Today programme.

Other vulnerable control systems that are connected to the internet are used in power stations, for air traffic control and for rail and other transport systems.

Sean Newman, director at Corero Network Security, said there is nothing new in the claims. “The potential for such attacks has been growing for several years as more systems become connected,” he said.

“There are many good reasons for connecting operational and information networks, including efficiency and effectiveness. However, this opens up operational controls to potential attacks from across the internet, where previously they were completely isolated and only accessible from the inside.”

According to Newman, the question is no longer whether such attacks are theoretically possible, but who is bold enough to carry out such assaults and risk the likely repercussions.

“It is reasonable to assume that it’s more a matter of time than if, so the operators of such systems need to be fully cognisant of the potential risks and deploy all reasonable protection to minimise it,” he said.

“This includes preventing remote access to such systems, as well as real-time defences against DDoS [distributed denial of service] attacks which could disrupt their operation or prevent legitimate access for operation and control purposes.”

Andrea Carcano, chief product officer at Nozomi Networks, said the reality is that the UK’s infrastructure, and those in every developed country around the world, is being continually poked and probed, not just by nation states but by criminals, hacktivists and even curious hobbyists.

“We have seen the damage that can be done from hacks in the Ukraine, where attackers were able to compromise systems and turn the lights out,” he said. “With each incursion, both successful and those that are thwarted, the attackers will learn what has worked, what hasn’t, and what can be improved for the next attempt.

“The challenge for those charged with protecting our critical infrastructure is visibility, as you can’t protect what you don’t know exists.”

According to Carcano, 80% of the industrial facilities Nozomi visits do not have up-to-date lists of assets or network diagrams.

“Ironically, this doesn’t pose a problem to criminals who are using readily available open source tools to query their targets and build a picture of what makes up their network environment and is potentially vulnerable – be it a power plant, factory assembly line, or our transport infrastructure,” he said.

Nozomi researchers created a security testing and fuzzing tool, using open source software, that is capable of automatically finding vulnerabilities in proprietary protocols used by industrial control system (ICS) devices.

“Using just this tool, and in a limited time period, they identified eight zero-day vulnerabilities that, if exploited, could be used to shut down the controllers, making the devices unmanageable, and even potentially corrupt normal processes, which could be extremely serious or even fatal,” said Carcano.

“As the cyber security risk to critical infrastructure and manufacturing organisations increases, it is important for enterprises to actively monitor and secure operational technology [OT] networks. An important aspect of this is having complete visibility to OT networks and assets and their cyber security and process risks.”

However, Deverell suggested that as well as making sure cyber security is continually improving, the UK should also have an offensive capability to respond to attacks on critical infrastructure if necessary, reports The Telegraph.

His comments echo those by UK attorney general Jeremy Wright, who recently suggested that the UK has a legal right to retaliate against aggressive cyber attacks in the same way as it would to armed attacks.

“Cyber operations that result in, or present, an imminent threat of death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self defence,” he said.

According to Wright, if a hostile state interfered with the operation of one of the UK’s nuclear reactors, resulting in the widespread loss of life, the fact that the act was carried out via a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack.

“States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them,” he said.

The UK has previously indicated that it is building cyber-offensive capabilities, but in January 2018, Ciaran Martin, head of the National Cyber Security Centre (NCSC), said that while this will be an “increasing part of the UK’s security toolkit”, a cyber attack would not necessarily trigger a retaliatory cyber attack, but a range of responses would be considered, including sanctions.

Commenting on calls by UK defence chief of general staff Nick Carter for increased defence spending to help the country keep up with its adversaries, particularly in light of the fact that cyber attacks that target military and civilian operations are one of the biggest threats facing the country, Martin confirmed that some of these attacks were aimed at identifying vulnerabilities in infrastructure for potential future disruption, but added that there had been no successful attacks on UK infrastructure.

A report by the Kosciuszko Institute, published in January, predicts that 2018 could be a year of cyber attacks on critical infrastructure.

In the report, Paul Timmers, an academic at Oxford University and former director of the European Commission’s Sustainable & Secure Society Directorate, noted that attacks on systems that are crucial for the functioning of the state and society, including logistics, health and energy, date from 2016.

Timmers believes that the risk of attacks in 2018 may spread to other sectors of the economy, such as transport. An important element of the potential incidents, he said, will be their predicted international and cross-sector nature, which creates an urgent need for cooperation between international organisations, governments and companies.

Sean Kanuck, director of future conflict and cyber security at the International Institute for Strategic Studies and formerly the first US national intelligence officer for cyber issues, predicted a period of intense use of sanctions as a diplomatic tool against entities that undertake offensive actions in the cyber space.

The growing likelihood of ever-escalating conflicts in the cyber space makes it necessary to address standards of operation in the digital space, the report said.

Source: https://www.computerweekly.com/news/252443085/Cyber-attack-warnings-highlight-need-to-be-prepared

Most Risk to Internet Originates from US

“America first” isn’t always a good thing, particularly when it comes to cyber-risk. Still, the US was number one on the list of nations from which the most risk to the internet originated, according to the third annual National Exposure Index released today by Rapid7.

Analysis of the current state of internet exposure revealed which geopolitical regions are most at risk for deliberate, wide-scale attacks on core services. “A country with a higher percentage of exposed services in relation to its total allocated IP address space will tend to score higher on National Exposure,” according to the report. North America, China, South Korea and the UK top the list of nations most vulnerable to cyber-attacks.

Combined, those nations control over 61 million servers listening on at least one of the surveyed ports. The report also found that nearly half a million exposed Microsoft Server Message Block (SMB) servers in the US, Taiwan, Japan, Russia, and Germany are being targeted today.

“There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL. Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss in a coordinated attack,” the report said.

This year has already set the record for the largest distributed denial-of-service (DDoS) attack, carried out using unsecured memcached user datagram protocol (UDP) servers; however, approximately 40,000 unpatched, out-of-date memcached servers remain at risk of being drafted into the next record-breaking DDoS attack.

While the report noted that it is nearly impossible to identify the country with the lowest risk exposure, the Federated States of Micronesia ranked 187 out of 187 countries on the list.

Rapid7 aims to use these statistics to identify the nations that can reduce their exposure to nefarious actors – particularly nation-state actors – by making improvements to their local infrastructures. According to the report, “This indicates to us that national internet service providers in these countries can use these findings to understand the risks of internet exposure, and that they, along with policymakers and other technical leaders, are in an excellent position to make significant progress in securing the global internet.”

Source: https://www.infosecurity-magazine.com/news/most-risk-to-internet-originates/