Concern Mounts for SS7, Diameter Vulnerability

The same security flaws that cursed the older SS7 standard and were used with 3G, 2G and earlier are prevalent in the Diameter protocol used with today’s 4G (LTE) telephony and data transfer standard, according to researchers at Positive Technologies and the European Union Agency for Network and Information Security (ENISA).

Network security is built on trust between operators and IPX providers, and the Diameter protocol that replaced SS7 was supposed to be an improved network signaling protocol. But when 4G operators misconfigure the Diameter protocol, the same types of vulnerabilities still exist.

“As society continues to leverage mobile data capabilities more and more heavily, from individual users performing more tasks directly on their smartphones, to IoT devices which use it when regular network connections are not available (or not possible), service providers need to take the security of this important communications channel more seriously,” said Sean Newman, director of product management for Corero Network Security.

Given that the Diameter protocol is slated to be used in 5G as well, reports of critical security capabilities not being enabled in the Diameter deployments of 4G mobile networks are worrisome. Of particular concern is the potential that the misconfigurations behind the vulnerability could result in distributed denial of service (DDoS) attacks against critical infrastructure that relies on mobile access, and that an attacker would not need to harness any large-scale distributed attack capabilities to mount them.

“The latest generation of denial of service protection solutions are critical for any organization that relies on always-on internet availability, but this can only be effective if service providers are ensuring the connectivity itself is always-on,” Newman said.

Concerns over these threats to smartphones have even been presented to Congress, with pleas that it act immediately to protect the nation from the cybersecurity threats in SS7 and Diameter.

“SS7 and Diameter were designed without adequate authentication safeguards. As a result, attackers can mimic legitimate roaming activity to intercept calls and text messages, and can imitate requests from a carrier to locate a mobile device. Unlike cell-site simulator attacks, SS7 and Diameter attacks do not require any physical proximity to a victim,” wrote Jonathan Mayer, assistant professor of computer science and public affairs, Princeton University, in his testimony before the Committee on Science, Space, and Technology of 27 June.


Small businesses aren’t properly prepared for cyberattacks

Even though businesses all over the world are increasingly taking online protection seriously, they still aren’t 100 per cent confident they could tackle serious cybersecurity threats.

Polling 600 businesses in the US, UK and Australia, a study by Webroot found that new types of attacks are dominating in 2018 compared with the year before, but also that the cost of a breach is decreasing.

Phishing has taken the number one spot from malware as the most dangerous type of attack. Ransomware is also up, from fifth to third, mostly thanks to the large success of WannaCry.

At 25 per cent globally, insider threats seem to be the least dangerous of the bunch.

In the UK in particular, ransomware is the biggest threat. UK SMBs are also far less concerned about DDoS attacks than their US counterparts.

The report also took a closer look at training and found that even though almost all businesses do train their staff in cybersecurity, this training isn’t continuous. That leads to the next statistic: 79 per cent can’t say they are “completely ready to manage IT security and protect against threats.”

“As our study shows, the rise of new attacks is leaving SMBs feeling unprepared,” commented Charlie Tomeo, vice president of worldwide business sales, Webroot.

“One of the most effective strategies to keep your company safe is with a layered cybersecurity strategy that can secure users and their devices at every stage of an attack, across every possible attack vector.”


Protonmail Hit By Yet Another DDoS Attack

Attack comes as scale, scope and sophistication of DDoS attacks rises sharply

Popular encrypted email provider Protonmail was this morning hit by the latest in a long-running series of malicious attacks on its infrastructure.

The privacy-focussed Geneva-based email provider, which has some 500,000 users, has faced numerous DDoS attacks since being founded.

As one of the only email providers which owns and manages all of its servers and network components such as routers and switches, it is in a unique position – particularly since the company is its own internet service provider.

In 2015 its servers were hit with a 50Gbps wall of “junk data” that threatened to torpedo the company.

After initially paying a ransom following an attack that took its main data centre offline, the company faced a further week-long assault from another adversary that targeted 15 different ISP nodes simultaneously, then attacked all the ISPs going into the datacentre using a wide range of sophisticated tactics.

No ransom demand or claim of responsibility was made.

The company, born from work done at CERN, has since partnered with DDoS protection specialists, Israel-headquartered Radware, and uses BGP redirection and GRE tunnels to defend itself. Today’s attack slowed email delivery and its VPN for several hours, but did not result in the loss of any emails, Protonmail said.

“Our network was hit by a DDoS attack that was unlike the more ‘generic’ DDoS attacks that we deal with on a daily basis. As a result, our upstream DDoS protection service (Radware) needed more time than usual to perform mitigation,” a ProtonMail spokesperson wrote in an email.

“Radware is making adjustments to their DDoS protection systems to better mitigate against this type of attack in the future. While we don’t yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS’s on record,” the spokesperson wrote.

Carl Herberger, Vice President for Security Solutions at Radware, earlier noted: “Corporations need to understand the severity of the Advanced Persistent DoS attacks, such as SMTP DoS, and review their security measures”.

“APDoS is akin to the way bomber aircraft would jam radar systems many years ago – the type of attack is so varied and frequent that it becomes near impossible to detect them all, and more importantly difficult to mitigate them without impacting your legitimate web traffic.”

DDoS Attacks Continue to Rise

The attack comes after a new report from Akamai revealed that there was a 16 percent increase in the number of DDoS attacks recorded since last year, with the largest DDoS attack of the year setting a new record at 1.35 Tbps by using a memcached reflector attack.

Akamai said in its State of the Internet report: “To understand the scale of such an attack, it helps to compare it to the intercontinental undersea cables in use today. The TAT-14 cable, one of many between the US and Europe, is capable of carrying 3.2 Tbps of traffic, while the Japan-Guam-Australia cable, currently under construction, will be capable of 36 Tbps. Neither of these hugely important cables would have been completely swamped by February’s attack, but an attack of that magnitude would have made a significant impact on intercontinental traffic, if targeted correctly.”

The company’s researchers also identified a four percent increase in reflection-based DDoS attacks since last year and a 38 percent increase in application-layer attacks such as SQL injection or cross-site scripting.


How to Prevent DDoS Attacks: 6 Tips to Keep Your Website Safe

Falling victim to a distributed denial of service (DDoS) attack can be catastrophic: The average cost to an organization of a successful DDoS attack is about $100,000 for every hour the attack lasts, according to security company Cloudflare.

There are longer-term costs too: loss of reputation, brand degradation and lost customers, all leading to lost business. That’s why it is worth investing significant resources in preventing a DDoS attack, or at least minimizing the risk of falling victim to one, rather than concentrating on how to stop a DDoS attack once it has started.

In the first article in this series, we discussed how to stop DDoS attacks. If you’re fortunate enough to have survived an attack – or are simply wise enough to think ahead – we will now address preventing DDoS attacks.

Understanding DDoS attacks

A basic volumetric denial of service (DoS) attack often involves bombarding an IP address with large volumes of traffic. If the IP address points to a web server, legitimate traffic will be unable to reach it and the website becomes unavailable. Another type of DoS attack is a flood attack, where the victim’s servers are flooded with requests that each need processing. These requests are often generated in large numbers by scripts running on compromised machines that are part of a botnet, and they exhaust the victim servers’ resources such as CPU or memory.

A DDoS attack operates on the same principles, except the malicious traffic is generated from multiple sources, although orchestrated from one central point. The fact that the traffic sources are distributed – often throughout the world – makes DDoS attack prevention much harder than preventing DoS attacks originating from a single IP address.

Another reason that preventing DDoS attacks is a challenge is that many of today’s attacks are “amplification” attacks. These involve sending small data packets to compromised or badly configured servers around the world, which then respond by sending much larger packets to the server under attack. A well-known example of this is a DNS amplification attack, where a 60-byte DNS request may result in a 4,000-byte response being sent to the victim, an amplification factor of around 70 times the original packet size.

More recently, attackers have abused exposed servers running the memcached caching service to launch memcached amplification attacks, where a 15-byte request can result in a 750 KB response, an amplification factor of more than 50,000 times the original packet size. The world’s largest ever DDoS attack, launched against GitHub earlier this year, was a memcached amplification attack that peaked at 1.35 Tbps of data hitting GitHub’s servers.

The benefit to malicious actors of amplification attacks is that they need only a limited amount of bandwidth at their disposal to launch far larger attacks on their victims than they could do by attacking the victims directly.
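As an added example (not part of the original article), the following Python script applies the amplification logic described above to a handful of constructed flow records: it computes the amplification factors from the DNS and memcached figures quoted in the text, and flags inbound responses from reflector ports for which the protected network never sent a request. The record format, the addresses and the REFLECTOR_PORTS table are assumptions made for the demonstration.

```python
"""Spotting reflection/amplification traffic in constructed flow records.

Added example, not from the original article. The record format (timestamp,
direction, protocol, src ip:port, dst ip:port, bytes) is constructed and the
addresses are from documentation ranges; the 60/4,000-byte DNS and
15/750,000-byte memcached sizes are the figures quoted in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# UDP services commonly abused as reflectors. Inbound packets with these
# *source* ports are responses, so each should match a request we sent.
REFLECTOR_PORTS = {53: "dns", 11211: "memcached"}


@dataclass
class Flow:
    ts: float        # seconds
    direction: str   # "in" = towards our network, "out" = leaving it
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record: 'ts dir proto src:port dst:port bytes'."""
    ts, direction, proto, src, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(float(ts), direction, proto.lower(), src_ip, int(src_port),
                dst_ip, int(dst_port), int(nbytes))


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Response size over request size, e.g. 4000 / 60 for the DNS case."""
    return response_bytes / request_bytes


def find_unsolicited_reflections(flows: Iterable[Flow], window: float = 2.0) -> List[Flow]:
    """Return inbound UDP flows from reflector ports that no outbound request of
    ours (same 4-tuple, reversed) preceded within `window` seconds.

    This is what an amplification victim sees: large responses to queries it
    never made, because the attacker spoofed its address on the requests.
    """
    flows = list(flows)
    outbound = defaultdict(list)  # (our_ip, our_port, remote_ip, remote_port) -> [ts]
    for f in flows:
        if f.direction == "out" and f.proto == "udp":
            outbound[(f.src_ip, f.src_port, f.dst_ip, f.dst_port)].append(f.ts)

    suspicious = []
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        key = (f.dst_ip, f.dst_port, f.src_ip, f.src_port)
        solicited = any(0 <= f.ts - t <= window for t in outbound.get(key, []))
        if not solicited:
            suspicious.append(f)
    return suspicious


def summarize(suspicious: Iterable[Flow]) -> Dict[str, Dict[str, int]]:
    """Aggregate unsolicited reflector traffic per service: flow count and bytes."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in suspicious:
        entry = summary[REFLECTOR_PORTS[f.src_port]]
        entry["flows"] += 1
        entry["bytes"] += f.nbytes
    return dict(summary)


# Constructed sample: one legitimate DNS lookup by 203.0.113.10, then reflected
# memcached and DNS responses it never asked for, plus an unrelated TCP flow.
SAMPLE_FLOWS = [
    "1000.0 out udp 203.0.113.10:40000 198.51.100.53:53 60",
    "1000.1 in  udp 198.51.100.53:53 203.0.113.10:40000 4000",
    "1001.0 in  udp 192.0.2.20:11211 203.0.113.10:443 750000",
    "1001.1 in  udp 192.0.2.21:11211 203.0.113.10:443 750000",
    "1001.2 in  udp 192.0.2.77:53 203.0.113.10:443 4000",
    "1002.0 in  tcp 192.0.2.5:443 203.0.113.10:50000 1500",
]


def analyze(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Parse records, flag unsolicited reflector responses and summarise them."""
    return summarize(find_unsolicited_reflections(parse_flow(l) for l in lines))


if __name__ == "__main__":
    print("DNS amplification factor:", round(amplification_factor(60, 4000), 1))
    print("memcached amplification factor:", amplification_factor(15, 750_000))
    print(analyze(SAMPLE_FLOWS))
```

In a real deployment the same request/response pairing would run over NetFlow or packet captures at the network edge; the point of the pairing is that reflected traffic is easy to distinguish from the network’s own lookups even when it arrives from otherwise legitimate DNS or memcached servers.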

Six steps to prevent DDoS attacks

1. Buy more bandwidth

Of all the ways to prevent DDoS attacks, the most basic step you can take to make your infrastructure “DDoS resistant” is to ensure that you have enough bandwidth to handle spikes in traffic that may be caused by malicious activity.

In the past it was possible to avoid DDoS attacks by ensuring that you had more bandwidth at your disposal than any attacker was likely to have. With the rise of amplification attacks, this is no longer practical. Buying more bandwidth now raises the bar that attackers have to overcome before they can launch a successful DDoS attack, but by itself, purchasing more bandwidth is not a DDoS attack solution.

2. Build redundancy into your infrastructure

To make it as hard as possible for an attacker to successfully launch a DDoS attack against your servers, make sure you spread them across multiple data centers with a good load balancing system to distribute traffic between them. If possible, these data centers should be in different countries, or at least in different regions of the same country.

For this strategy to be truly effective, it’s necessary to ensure that the data centers are connected to different networks and that there are no obvious network bottlenecks or single points of failure on these networks.

Distributing your servers geographically and topologically will make it hard for an attacker to successfully attack more than a portion of them, leaving the other servers unaffected and capable of taking on at least some of the extra traffic that the affected servers would normally handle.

3. Configure your network hardware against DDoS attacks

There are a number of simple hardware configuration changes you can make to help prevent a DDoS attack.

For example, configuring your firewall or router to drop incoming ICMP packets or block DNS responses from outside your network (by blocking UDP port 53) can help prevent certain DNS and ping-based volumetric attacks.

4. Deploy anti-DDoS hardware and software modules

Your servers should be protected by network firewalls and more specialized web application firewalls, and you should probably use load balancers as well. Many hardware vendors now include software protection against DDoS protocol attacks such as SYN flood attacks, for example, by monitoring how many incomplete connections exist and flushing them when the number reaches a configurable threshold value.

Specific software modules can also be added to some web server software to provide some DDoS prevention functionality. For example, Apache 2.2.15 ships with a module called mod_reqtimeout to protect itself against application-layer attacks such as Slowloris, which opens connections to a web server and then holds them open for as long as possible by sending partial requests, until the server can accept no more new connections.

5. Deploy a DDoS protection appliance

Many security vendors including NetScout Arbor, Fortinet, Check Point, Cisco and Radware offer appliances that sit in front of network firewalls and are designed to block DDoS attacks before they can take effect.

They do this using a number of techniques, including carrying out traffic behavioral baselining and then blocking abnormal traffic, and blocking traffic based on known attack signatures.

The main weakness of this type of approach of preventing DDoS attacks is that the appliances themselves are limited in the amount of traffic throughput they can handle. While high-end appliances may be able to inspect traffic coming in at a rate of up to 80 Gbps or so, today’s DDoS attacks can easily be an order of magnitude greater than this.

6. Protect your DNS servers

Don’t forget that a malicious actor may be able to bring your web servers offline by DDoSing your DNS servers. For that reason it is important that your DNS servers have redundancy, and placing them in different data centers behind load balancers is also a good idea. A better solution may even be to move to a cloud-based DNS provider that can offer high bandwidth and multiple points-of-presence in data centers around the world. These services are specifically designed with DDoS prevention in mind. For more information, see How to Prevent DNS Attacks.
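The SYN-flood defence from step 4 (tracking incomplete handshakes and flushing them once a configurable threshold is reached) modelled in Python, as an added example that is not from the article or from any vendor’s product; the event format, addresses and thresholds are constructed. It also shows what the article leaves implicit: a threshold set too low flushes a legitimate client’s half-open connection along with the flood.

```python
"""Model of the SYN-flood defence described in step 4: keep a table of
incomplete TCP handshakes and flush the oldest entries once a configurable
threshold is reached.

Added example, not from the article or any vendor's product. The event
format, the addresses and the thresholds are constructed for the demo.
"""
from collections import OrderedDict
from typing import Dict, List, Tuple


class HalfOpenTracker:
    """Track SYNs that the client has not yet completed with its final ACK."""

    def __init__(self, threshold: int, timeout: float = 30.0):
        self.threshold = threshold   # max incomplete connections kept
        self.timeout = timeout       # seconds before an entry is aged out
        # (client ip, client port, server port) -> time of the SYN, oldest first
        self.half_open = OrderedDict()
        self.flushed = 0
        self.completed = 0
        self.orphan_acks = 0         # ACKs for entries we had already flushed

    def on_syn(self, ts: float, client_ip: str, client_port: int, server_port: int) -> None:
        self._age_out(ts)
        key = (client_ip, client_port, server_port)
        self.half_open[key] = ts
        self.half_open.move_to_end(key)   # a retransmitted SYN counts as fresh
        # Threshold reached: flush the oldest incomplete connections.
        while len(self.half_open) > self.threshold:
            self.half_open.popitem(last=False)
            self.flushed += 1

    def on_ack(self, ts: float, client_ip: str, client_port: int, server_port: int) -> bool:
        """Final handshake ACK; returns False if the entry is no longer tracked."""
        if self.half_open.pop((client_ip, client_port, server_port), None) is None:
            self.orphan_acks += 1
            return False
        self.completed += 1
        return True

    def _age_out(self, now: float) -> None:
        # Entries are kept in insertion order, so the oldest is always first.
        while self.half_open:
            key, ts = next(iter(self.half_open.items()))
            if now - ts <= self.timeout:
                break
            del self.half_open[key]
            self.flushed += 1


def replay(events: List[Tuple], threshold: int) -> Dict[str, int]:
    """Feed (ts, kind, ip, port, server_port) events through a tracker and report counts."""
    tracker = HalfOpenTracker(threshold)
    for ts, kind, ip, port, sport in events:
        if kind == "SYN":
            tracker.on_syn(ts, ip, port, sport)
        elif kind == "ACK":
            tracker.on_ack(ts, ip, port, sport)
    return {"completed": tracker.completed, "flushed": tracker.flushed,
            "orphan_acks": tracker.orphan_acks, "pending": len(tracker.half_open)}


def flood_scenario(spoofed_syns: int) -> List[Tuple]:
    """Constructed traffic: one real client (203.0.113.7) sends a SYN, a flood of
    SYNs from spoofed 192.0.2.x addresses follows and never completes, then the
    real client sends its ACK half a second later."""
    events = [(0.0, "SYN", "203.0.113.7", 51000, 443)]
    for i in range(spoofed_syns):
        events.append((0.001 * (i + 1), "SYN", f"192.0.2.{i % 250}", 1024 + i, 443))
    events.append((0.5, "ACK", "203.0.113.7", 51000, 443))
    return events


if __name__ == "__main__":
    # Low threshold: the real client's entry is flushed with the flood and its ACK is orphaned.
    print("threshold 100 :", replay(flood_scenario(500), threshold=100))
    # Threshold above the flood size: the real handshake completes.
    print("threshold 1000:", replay(flood_scenario(500), threshold=1000))
```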


Cyber attack warnings highlight need to be prepared

Fresh warnings about the vulnerability of national infrastructure to cyber attacks show the need for securing and monitoring associated control systems connected to the internet.

The commander of Britain’s Joint Forces Command has warned that UK traffic control systems and other critical infrastructure could be targeted by cyber adversaries – but industry experts say this is nothing new and something organisations should be preparing for.

According to Christopher Deverell, these systems could be targeted by countries such as Russia. “There are many potential angles of attack on our systems,” he told the BBC’s Today programme.

Other vulnerable control systems that are connected to the internet are used in power stations, for air traffic control and for rail and other transport systems.

Sean Newman, director at Corero Network Security, said there is nothing new in the claims. “The potential for such attacks has been growing for several years as more systems become connected,” he said.

“There are many good reasons for connecting operational and information networks, including efficiency and effectiveness. However, this opens up operational controls to potential attacks from across the internet, where previously they were completely isolated and only accessible from the inside.”

According to Newman, the question is no longer whether such attacks are theoretically possible, but who is bold enough to carry out such assaults and risk the likely repercussions.

“It is reasonable to assume that it’s more a matter of time than if, so the operators of such systems need to be fully cognisant of the potential risks and deploy all reasonable protection to minimise it,” he said.

“This includes preventing remote access to such systems, as well as real-time defences against DDoS [distributed denial of service] attacks which could disrupt their operation or prevent legitimate access for operation and control purposes.”

Andrea Carcano, chief product officer at Nozomi Networks, said the reality is that the UK’s infrastructure, and those in every developed country around the world, is being continually poked and probed, not just by nation states but by criminals, hacktivists and even curious hobbyists.

“We have seen the damage that can be done from hacks in the Ukraine, where attackers were able to compromise systems and turn the lights out,” he said. “With each incursion, both successful and those that are thwarted, the attackers will learn what has worked, what hasn’t, and what can be improved for the next attempt.

“The challenge for those charged with protecting our critical infrastructure is visibility, as you can’t protect what you don’t know exists.”

According to Carcano, 80% of the industrial facilities Nozomi visits do not have up-to-date lists of assets or network diagrams.

“Ironically, this doesn’t pose a problem to criminals who are using readily available open source tools to query their targets and build a picture of what makes up their network environment and is potentially vulnerable – be it a power plant, factory assembly line, or our transport infrastructure,” he said.

Nozomi researchers created a security testing and fuzzing tool, using open source software, that is capable of automatically finding vulnerabilities in proprietary protocols used by industrial control system (ICS) devices.

“Using just this tool, and in a limited time period, they identified eight zero-day vulnerabilities that, if exploited, could be used to shut down the controllers, making the devices unmanageable, and even potentially corrupt normal processes, which could be extremely serious or even fatal,” said Carcano.

“As the cyber security risk to critical infrastructure and manufacturing organisations increases, it is important for enterprises to actively monitor and secure operational technology [OT] networks. An important aspect of this is having complete visibility to OT networks and assets and their cyber security and process risks.”

However, Deverell suggested that as well as making sure cyber security is continually improving, the UK should also have an offensive capability to respond to attacks on critical infrastructure if necessary, reports The Telegraph.

His comments echo those by UK attorney general Jeremy Wright, who recently suggested that the UK has a legal right to retaliate against aggressive cyber attacks in the same way as it would to armed attacks.

“Cyber operations that result in, or present, an imminent threat of death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defence,” he said.

According to Wright, if a hostile state interfered with the operation of one of the UK’s nuclear reactors, resulting in the widespread loss of life, the fact that the act was carried out via a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack.

“States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them,” he said.

The UK has previously indicated that it is building cyber-offensive capabilities, but in January 2018, Ciaran Martin, head of the National Cyber Security Centre (NCSC), said that while this will be an “increasing part of the UK’s security toolkit”, a cyber attack would not necessarily trigger a retaliatory cyber attack, but a range of responses would be considered, including sanctions.

Martin was commenting on calls by UK chief of the general staff Nick Carter for increased defence spending to help the country keep up with its adversaries, particularly given that cyber attacks targeting military and civilian operations are one of the biggest threats facing the country. He confirmed that some of these attacks were aimed at identifying vulnerabilities in infrastructure for potential future disruption, but added that there had been no successful attacks on UK infrastructure.

A report by the Kosciuszko Institute, published in January, predicts that 2018 could be a year of cyber attacks on critical infrastructure.

In the report, Paul Timmers, an academic at Oxford University and former director of the European Commission’s Sustainable & Secure Society Directorate, noted that attacks on systems that are crucial for the functioning of the state and society, including logistics, health and energy, date from 2016.

Timmers believes that the risk of attacks in 2018 may spread to other sectors of the economy, such as transport. An important element of the potential incidents, he said, will be their predicted international and cross-sector nature, which creates an urgent need for cooperation between international organisations, governments and companies.

Sean Kanuck, director of future conflict and cyber security at the International Institute for Strategic Studies and formerly the first US national intelligence officer for cyber issues, predicted a period of intense use of sanctions as a diplomatic tool against entities that undertake offensive actions in the cyber space.

The growing likelihood of ever-escalating conflicts in the cyber space makes it necessary to address standards of operation in the digital space, the report said.


Tech Network Security in the Age of the Internet of Things

A lot is changing in the business world today, and one thing every business must go out of its way to keep up with is cyberattacks, most of which now target traditionally unconnected devices. As a new generation of connected, intelligent devices enters the workplace, businesses are becoming more productive, serving customers more efficiently and expanding into new markets. The flip side is that this brings ever more smart devices into the burgeoning Internet of Things (IoT). The transition has scrambled the historical notion of the corporate endpoint: the world has been forced to move beyond desktop and laptop computers, and beyond mobile phones and tablets as well. Today, millions of connected “things” populate enterprises’ far-flung networks and send and receive a lot of valuable data across the internet.

Understanding the Role of Digital Disruption

Digital disruption is important and has its place in business culture today, but it comes at a price: each new device is a potential entry point for cybercriminals. Viewed from a security perspective, it is easy to imagine some very nasty sci-fi scenarios. Some companies got a real-life sneak peek at one of them last year, when their digital video cameras were compromised by the Mirai botnet and used in the massive distributed denial-of-service (DDoS) attack that hackers launched against important parts of the internet. The incident stunned the security world and made a lot of people take notice of how successful attackers had become at finding new ways to infect devices that were not susceptible in the past. Symantec said it shows how enterprises now face attacks that start with hacks of the management interfaces on devices that were not even connected to the internet in the past, such as video cameras, fish tanks and coffee machines.

The emergence of the IoT brings many new challenges, chief among them how to secure endpoints, networks and data in a world with far more connected devices. Attacks on these things can come from any vector, so in today’s connected world it is important to be aware of these new vulnerabilities.

Living in the Age of Smart Devices

Today, most people realise that their computers and software are vulnerable to cybersecurity threats, and they take adequate steps to protect them. Unfortunately, they tend to forget about all the smart devices connected to the same network as their computer, and that lack of attention gives hackers a way into those systems. Cutting-edge technologies are helpful for business, but many of them were never designed to protect themselves against a digital attack, which is why they are so vulnerable to threats such as malware and IoT botnets.

Many people do not understand what IoT botnets are, since they are still relatively new, having first been created in 2016. Yet everyone should familiarise themselves with them, because there will be 6.4 billion connected devices by 2020. An IoT botnet is a network of compromised computers and other internet-connected devices that attackers have hijacked and now use for unapproved or illegal purposes, including denial of service attacks.

Botnets are not only growing in number, they are also becoming far more advanced, able to target many more devices at the same time. Attackers use new code to create new types of malware, and they are unleashing it on new, more obvious targets such as Wi-Fi cameras and security systems, which offer an easier way to circumvent defences even when users have taken all the normal precautions.

Clearly, IoT devices are much more vulnerable than traditional devices. According to Fortinet, there are two primary reasons why IoT devices are so commonly compromised:

  • There is a lack of regulation surrounding the IoT industry today. This may sound surprising, but businesses need to understand how it affects them rather than ignoring it or taking a “wait and see” attitude: it means many brands are not obligated to even think about cyber security threats or the actions they could take to protect devices. With that prevailing attitude, many coders do not think twice about using trash code, hard-coded passwords, backdoors or any other design flaw that could compromise a device; in fact, they treat these things as trivial.
  • A lot of IoT manufacturers do not even have a Product Security and Incident Response Team (PSIRT), and even those that do are often unable to respond quickly to new vulnerabilities. That means that even when a threat is detected, there is no one to report the issue to, so not much can be done about it. Over time this will become an even bigger problem, especially for businesses, which should be taking a proactive approach to these things rather than simply reacting to them.

How to Protect Devices

The importance of protecting devices cannot be emphasised enough, and it is growing as new technologies are deployed everywhere, in homes and businesses alike. Many processes have also evolved recently, making modern life more convenient but at the same time placing users at even greater risk of being “attacked”, something most people neither think of nor pay attention to today.

Anyone with such devices linked up in a network needs to take some time to prepare for attacks. They can start by setting up strong authentication at access points, which lets them see and track devices. They should also keep an inventory of their devices, including manufacturers and software versions, so they can quickly identify how vulnerable the devices are when a threat is uncovered. Additionally, network segmentation and micro-segmentation strategies will help ensure that any at-risk devices are kept separate from critical production resources. These steps will help businesses get back on track soon after any attack occurs.


How employee behavior impacts cybersecurity effectiveness

A recent OpenVPN survey discovered that 25 percent of employees reuse the same password for everything, and 23 percent of employees admit to very frequently clicking on links before verifying they lead to the website they intended to visit.

Sabotaging corporate security initiatives

Whether accidental or intentional, an employee’s online activities can make or break a company’s cybersecurity strategy. Take password usage as one example. Employees create passwords they can easily remember, but this usually results in weak security that hackers can bypass with brute force attacks. Similarly, individuals who use the same password to protect multiple portals — like their bank account, email and social media — risk compromising both their personal and work information.

To reinforce strong password habits, some employers have adopted biometric passwords, combining ease-of-use with security. A reported 77 percent of employees trust biometric passwords, and 62 percent believe they are stronger than traditional alphanumeric codes. But even among those who trust things like fingerprint scans and facial recognition, user adoption is lagging — just a little more than half of employees (55 percent) use biometric passwords.

Convenience also plays a part in how employees approach cybersecurity. Unfortunately, some individuals are unwilling to trade the convenience of basic passwords and certain technologies for secure cyber habits. Employees are reluctant to abandon things like voice-activated assistants, for example, even though 24 percent of them believe such devices have the potential to be hacked.

In fact, only 3 percent of employees have actually stopped using their Alexas and Google Homes out of fear of being hacked. This signals to employers that even when employees know the security risks associated with a certain technology, they will ignore the warning signs and continue to use it because of its convenience.

Developing safe cyber hygiene practices

Employers have a responsibility to teach their employees good cyber habits to protect themselves and business operations from malicious actors. Simply telling people to avoid visiting infected websites isn’t enough — more than half (57%) of Millennials admit to frequently clicking on links before verifying they lead to a website they were intending to visit.

Unlike traditional approaches to cybersecurity, a cyber hygiene routine encourages employees to proactively think about the choices they make on the internet. In addition to thorough security education and clear communications, employers can implement the following tips to help employees develop good cyber habits.

Promote positive reinforcement when employees make smart decisions

Employees may be a company’s first line of security, but many fail to report cyber attacks out of fear of retribution. Instead of employing fear tactics to scare employees off weak passwords and phishing schemes, employers should consider rewarding or acknowledging individuals who embrace good cyber strategies. Employees are less likely to shy away from security training and are more incentivized to change their approach to cybersecurity when they are sent encouraging messages for safe internet behavior.

Offer continuous training on best practices

Hackers work year-round to catch companies off guard, using techniques ranging from phishing to man-in-the-middle to DDoS attacks to breach the defense mechanisms in place. While employers can’t predict what they will face next, they can offer routine training to employees to keep them up to date with the latest security threats. This can help employees recognize and deal with evolving threats like smishing, a fairly recent scam targeting individuals with smartphones and other mobile devices.

Building a work culture centered around good cyber hygiene takes time, but will ultimately protect companies in the long run from online threats. When smart online habits become second nature, both employers and employees can better prevent hackers from taking advantage of otherwise stagnant security environments.


Six years on from the official launch, just how secure is IPv6?

The world launch of IPv6 happened back in June 2012, and World IPv6 Day is on Friday 8 June. But just how secure is IPv6 some six years after that fanfare deployment?

Development of IPv6 first started in the early 1990s when it was realised that the physical limitation of 4.3 billion unique IP addresses in the IPv4 protocol wasn’t going to be enough to support Internet growth. And that was before the Internet of Things had even been thought about. IPv6 addresses the problem, if you’ll excuse the pun, by providing 340 trillion, trillion, trillion unique addresses.

The newly published Internet Society State of IPv6 Deployment report for 2018 points to the success of IPv6 deployment. More than 25 percent of all Internet-connected networks advertise IPv6 connectivity, for example. If you combine the top 15 ISPs across the world, nearly half a billion people are using IPv6 already. Six years ago, less than one in every 100 connections to Google used IPv6; today it is one in four. The report does admit, however, that “enterprise operations tend to be the elephant in the room when it comes to IPv6 deployment.”

Internet Society Chief Internet Technology Officer Olaf Kolkman says that IPv6 is “increasingly seen as a competitive advantage, a market differentiator and an essential tool for forward-looking Internet applications and service providers of all kinds.” But the question for enterprise security teams remains: just how secure is IPv6?

“In the sense of the protocol, IPv4 and IPv6 are roughly similar in terms of security,” says Dr. Stephen Strowes, Senior Researcher at the RIPE NCC, in conversation with SC Media UK. “The difference comes from other layers,” Dr Strowes adds; “it’s the tools used and training that network operators get that makes all the difference.”

Cricket Liu, VP of Infrastructure at Infoblox, agrees. “IPv6 isn’t inherently more or less secure than IPv4.” However, speaking to SC Media, Liu suggests that the major security implication of moving to IPv6 is that “network administrators have substantially less experience managing the protocol than they do with IPv4.” Throw in that network equipment vendors, security vendors, and so on often don’t support IPv6 as completely as they do IPv4 and “the chance of making configuration mistakes increases, as does the likelihood that some whizzy feature of your firewall, IDS or IPS that works great over IPv4 isn’t supported at all over IPv6.”

Wicus Ross, Security Researcher with SecureData, admits that “It’s possible that there are more misconfigurations present on IPv6 due to the relative lesser usages compared to IPv4.” However, to balance that there’s the small matter of the huge size of the IPv6 address space, where a single IPv6 subnet can contain the entire IPv4 address space. “As such,” Ross continues, “IP Address enumeration or scanning through the IPv6 address space sequentially using current capability is not feasible.” This should be good news, as it makes it less efficient for attackers to hunt for vulnerable devices.

Earlier this year, DDoS protection experts Neustar experienced and successfully mitigated its first recorded native IPv6 DDoS attack. This targeted the authoritative DNS service on the Neustar network, and originated from around 1,900 native IPv6 hosts on more than 650 different networks. “IPv6 attacks present a particular set of challenges that, at this moment, cannot easily be rectified,” Barrett Lyon, General Manager of DDoS at Neustar, told SC Media UK. “For example, the massive number of addresses available to an attacker allows them to exhaust the memory of modern day security appliances,” Lyon continues; “as a result, the potential volume of an IPv6 attack has the opportunity to create a mess.”

Lyon concludes that, going forward, “a great deal of work will need to be undertaken by security professionals to ensure that IPv6 is protected and that we are ahead of the curve when it comes to predicting a hacker’s next move.”
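As an added illustration of the state-exhaustion problem Lyon describes (example code written for this page, not code from Neustar or SC Media; the prefixes and traffic are constructed documentation-range values): a per-source state table keyed on the full /128 address fills its entry cap under a flood from one /64 and never sees the flood as a single heavy source, while the same table keyed on the enclosing /64 stays tiny and surfaces the flooding prefix directly.

```python
import ipaddress
from typing import Dict, Iterator

# Constructed sample prefixes from the IPv6 documentation range (2001:db8::/32).
# One /64 holds a handful of legitimate clients; the other is the flood source.
CLIENT_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
FLOOD_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/64")


def constructed_traffic(n_flood: int) -> Iterator[str]:
    """Constructed packet stream: n_flood packets, each from a never-before-seen
    interface identifier inside FLOOD_PREFIX, with one packet from a rotating set
    of five real clients after every tenth flood packet."""
    clients = [str(CLIENT_PREFIX[i]) for i in range(1, 6)]
    for i in range(n_flood):
        yield str(FLOOD_PREFIX[1 + i])
        if i % 10 == 0:
            yield clients[(i // 10) % len(clients)]


def state_key(src: str, prefix_len: int) -> str:
    """Key under which an appliance tracks a source: the full /128, or the
    enclosing prefix (here /64, the smallest allocation an end site normally gets)."""
    addr = ipaddress.IPv6Address(src)
    return str(ipaddress.IPv6Network((addr, prefix_len), strict=False))


class BoundedStateTable:
    """Per-source packet counters with a hard entry cap, standing in for the
    finite memory of a security appliance. Once the cap is reached, packets from
    new sources can no longer be tracked and are only counted as 'untracked'."""

    def __init__(self, prefix_len: int, max_entries: int) -> None:
        self.prefix_len = prefix_len
        self.max_entries = max_entries
        self.counts: Dict[str, int] = {}
        self.untracked = 0

    def observe(self, src: str) -> None:
        key = state_key(src, self.prefix_len)
        if key in self.counts:
            self.counts[key] += 1
        elif len(self.counts) < self.max_entries:
            self.counts[key] = 1
        else:
            self.untracked += 1  # table exhausted: this source is invisible to us

    def heavy_hitters(self, threshold: int) -> Dict[str, int]:
        """Sources whose tracked packet count reached the threshold."""
        return {k: v for k, v in self.counts.items() if v >= threshold}


def compare(n_flood: int, max_entries: int, threshold: int) -> Dict[str, Dict[str, int]]:
    """Run the same constructed traffic through a /128-keyed and a /64-keyed table
    and report table size, untracked packets and detected heavy hitters for each."""
    result: Dict[str, Dict[str, int]] = {}
    for label, plen in (("per_address", 128), ("per_64", 64)):
        table = BoundedStateTable(plen, max_entries)
        for src in constructed_traffic(n_flood):
            table.observe(src)
        result[label] = {
            "entries": len(table.counts),
            "untracked": table.untracked,
            "heavy_hitters": len(table.heavy_hitters(threshold)),
        }
    return result


if __name__ == "__main__":
    # With 10,000 flood sources and a 1,000-entry table, the per-address view
    # saturates and flags nothing; the per-/64 view needs two entries and flags one.
    for label, stats in compare(n_flood=10_000, max_entries=1_000, threshold=5_000).items():
        print(label, stats)
```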

8 Questions to Ask in DDoS Protection

As DDoS attacks grow more frequent, more powerful, and more sophisticated, many organizations turn to DDoS mitigation providers to protect themselves against attack.

Before evaluating DDoS protection solutions, it is important to assess the needs, objectives, and constraints of the organization, network and applications. These factors will define the criteria for selecting the optimal solution.

Below are eight questions to ask when considering DDoS protection:

  1. What are my data center plans? Many organizations are migrating their data center workloads to cloud-based deployments. The decision of whether to invest in new equipment or to use a cloud service depends heavily on this consideration. Organizations that are planning to downscale (or completely eliminate) their data centers might consider a cloud service. However, if you know for sure that you are planning to maintain your physical data center for the foreseeable future, then investing in a DDoS mitigation appliance could be worthwhile.
  2. What is my threat profile? Which protection model is best for you also depends heavily on the company’s threat profile. If a company is constantly attacked with a stream of non-volumetric DDoS attacks, then a premise-based solution might be an effective solution. However, if they face large-scale volumetric attacks, then a cloud-based or a hybrid solution would be better.
  3. Are my applications mission-critical? Some DDoS protection models offer faster response (and protection) time than others. Most applications can absorb short periods of interruption without causing major harm. However, if your service cannot afford even a moment of downtime, that should factor heavily into the decision-making process.
  4. How sensitive are my applications to latency? Another key consideration is the sensitivity of the organization and its applications to latency. Cloud-based services tend to add latency to application traffic, so if latency is a big issue, then an on-premise solution – either deployed inline or out-of-path – might be relevant.
  5. Am I in a regulated industry? Some organizations are within regulated industries that handle sensitive user data. As a result, they’re prevented from – or prefer not to – migrate services/data to the cloud.
  6. How important is control for me? Some organizations place a big emphasis on control, while others prefer that others handle the burden. A physical device will provide you with more control, but will also require additional overhead. Others, however, might prefer the lower overhead usually offered by cloud services.
  7. OPEX vs. CAPEX? Solutions which include hardware devices (such as a premise-based DDoS appliance) are usually accounted for as a capital expenditure (CAPEX), whereas ongoing subscription services (such as cloud DDoS protection services) are considered operating expenses (OPEX). Depending on accounting and procurement processes, some organizations may have a preference for one type over the other.
  8. What is my budget? Finally, when selecting a DDoS protection solution, many times the decision comes down to costs and available funds. That’s why it is important to be cognizant of the total cost of ownership (TCO), including added overhead, infrastructure, support, staff and training.

Depending on the answers to those questions, organizations can define the criteria for what’s important to them in a DDoS solution, and base their choice on that.

  • Typically, for organizations seeking data center protection, or that have mission-critical and latency-sensitive applications they need to protect, a hybrid solution will provide optimal protection.

Hybrid DDoS protection combines both premise-based and cloud-based components. It provides both low latency and uninterrupted protection, as well as the high capacity required to mitigate large-scale volumetric DDoS attacks.

  • For organizations looking to protect applications hosted on public cloud providers (such as AWS or Azure), or customers who frequently come under attack, a cloud-based always-on solution will usually be best.

An always-on cloud service provides constant, uninterrupted cloud-based DDoS protection. However, since all traffic is routed through the provider’s scrubbing network, it may add latency to requests.

  • Finally, for customers who are infrequently attacked, or otherwise have a limited budget, a cloud-based on-demand solution will usually suffice.

An on-demand cloud service is activated only when organizations come under DDoS attack. However, detection and diversion usually take longer than in other models, meaning that the customer may be exposed for longer periods.

The parameters of the optimal DDoS solution will inevitably vary from organization to organization. Use these questions to help guide you to the solution that is best for you.


2018: Snapshot of the Most Important Worldwide Cybersecurity Laws, Regulations, Directives and Standards

Are you out of breath from the breakneck pace of cyberattacks since the start of 2018? Throughout the world, nearly daily news reports have been filed detailing the results of incredibly effective cyberattacks ranging from small companies to nation-states. The sum total of these attacks has permanently and dramatically changed the information security threat landscape. This change hasn’t gone unnoticed by the regulators and now, depending on where your business operates, you have accrued even more work to demonstrate your diligence against these threats.

Among the numerous lessons drawn from this carnage is that cyberattacks have become an existential threat to many countries, as attacks on everything from financial services to power generation facilities threaten the fidelity and integrity of numerous industrial segments. As a result, regulators throughout the world are stepping in to try and drive meaningful action where they believe it is required. Normally these early efforts are the harbingers of future legislation and give birth to standard approaches and forums to debate the efficacy of those approaches.

Since 2014 there have been 10 noteworthy efforts:

  • Effort #1: National Institute of Standards and Technology’s Cybersecurity Framework (U.S.)
  • Effort #2: Office of the Superintendent of Financial Institutions (OSFI) Memorandum (Canada)
  • Effort #3: Federal Financial Institution’s Examiner Council (FFIEC) Joint Statement on DDoS Cyber Attacks, Risk Mitigation and Additional Resources (U.S.)
  • Effort #4: Securities & Exchange Commission Cyber Exams (U.S.)
  • Effort #5: Office of the Comptroller of the Currency (OCC) Guidance (U.S.)
  • Effort #6: National Credit Union Administration (NCUA) Risk Alert (U.S.)
  • Effort #7: EU’s NIS Directive (EU)
  • Effort #8: EU’s GDPR (EU)
  • Effort #9: EU’s Regulation Against Geo-IP-based blocking of EU member countries or economies (EU)
  • Effort #10: Growth of Country Specific Cybersecurity Laws such as Korean Cyber Laws (KOREA)

Each of these efforts takes a different approach, but they seem to share a similar ethos. Let’s explore each in a little more depth:

National Institute of Standards and Technology’s (NIST) Cybersecurity Framework

In response to a presidential directive, on Oct. 22nd the U.S. National Institute of Standards and Technology (NIST) released the latest version of its cybersecurity framework, which aims to better secure U.S. companies and government agencies. The new draft goes into significantly greater detail than the version released Aug. 28th, which laid out higher-level principles of the framework, including items referred to as ‘pillars.’ NIST laid out three central pillars to the framework, which are designed to provide industry and government alike with a common cybersecurity taxonomy, establish goals and intended targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders. The final framework was announced in February of 2014. Many viewed this framework as the seed which would spawn numerous industrial requirements throughout the U.S.

Office of the Superintendent of Financial Institutions (OSFI) DDoS Memorandum

Earlier this year, large Canadian-based banks were hit by cyberattacks whereby one or more hackers used a brute force “denial-of-service” attack to disable some banks’ websites and mobile applications. Attacks such as these were reminiscent of Operation Ababil, which began in September 2012 and focused on attacking the websites of large U.S.-based banks. Those attacks were similar to the Canadian attacks and slowed down website operations and caused many bank sites to be inoperative for a significant portion of their customers. Mindful of this very real threat and the need to manage risk, on October 28, 2013, the Office of the Superintendent of Financial Institutions (OSFI) released a memorandum to federally regulated Canadian financial institutions (FRFIs) discussing the measures that FRFIs should be taking to prevent, manage and remediate cyberattacks. The memorandum states that cybersecurity is growing in importance because: (i) FRFIs increasingly rely on technology; (ii) the financial sector is interconnected; and (iii) FRFIs play a critical role in our economy. As part of this memorandum, OSFI has required all FRFIs to conduct a self-assessment of the risks and take actions against those risks. OSFI also will be reviewing the fidelity of the assessment and the corresponding risk mitigation steps.

Back in 2005, the OSFI established the Canadian Cyber Incident Response Centre (CCIRC) with a mandate to collaborate with the private sector in responding to the threat of cyberattack.

Last year, however, a report from the country’s auditor general showed that the government had made only limited progress, with gaps in protection, especially at the CCIRC which at the time was only open during business hours, limiting its ability to provide timely information for stakeholders. OSFI suggests in its cybersecurity self-assessment that financial firms should work with the CCIRC, which had its hours extended.

FFIEC Joint Statement: Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources (US)

The Federal Financial Institutions Examination Council (FFIEC) members are issuing statements to notify financial institutions of the risks associated with cyberattacks on Automated Teller Machine (ATM) and card authorization systems and the continued distributed denial-of-service (DDoS) attacks on public-facing websites. The statements describe steps the members could expect institutions to take to address these attacks and highlight resources institutions can use to help mitigate the risks posed by such attacks.

The members also expect financial institutions to address DDoS readiness as part of their ongoing information security and incident plans. More specifically, each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate.

Specifically, the FFIEC is guiding its members to do the following:

  1. Maintain an ongoing program to assess information security risks that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
  2. Monitor internet traffic to the institution’s website to detect attacks;
  3. Activate incident response plans and notify service providers, including internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
  4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
  5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly, and sharing the information can help institutions to identify and mitigate new threats and tactics; and
  6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

Securities and Exchange Commission Cyber Exams (U.S.)

The SEC announced inaugural exams of member companies along with a list of questions they will use.

If you are not aware, the SEC governs most of the financial services which do not fall under the FFIEC jurisdiction. So, all mutual funds, wealth management and hedge funds (among many others) are regulated NOT by FFIEC guidelines, but rather by SEC guidelines. Unlike the FFIEC and its regulatory arms (OCC, FDIC, OTS and NCUA), up to this point the SEC conducted ad-hoc reviews; however, routine security reviews were maintained.

Office of the Comptroller of the Currency Guidance (U.S.)

In December 2012, the Office of the Comptroller of the Currency (OCC) notified its member financial institutions that DDoS attacks are on the rise and that it expects its members to take steps to identify the risks associated with the attacks and to provide notification to the OCC and others if they are under attack. The guidance reads as follows:

“Recently, various sophisticated groups launched distributed denial of service (DDoS) attacks directed at national banks and federal savings associations (collectively, banks). Each of the groups had different objectives for conducting these attacks ranging from garnering public attention to diverting bank resources while simultaneous online attacks were under way and intended to enable fraud or steal proprietary information. This alert provides a general description of the attacks, along with risk mitigation information and sources of related risk management guidance. The alert also reiterates the Office of the Comptroller of the Currency’s (OCC) expectations that banks should have risk management programs to identify and appropriately consider new and evolving threats to online accounts and to adjust their customer authentication, layered security, and other controls as appropriate in response to changing levels of risk.

The OCC expects banks that are victims of or adversely affected by a DDoS attack to report this information to law enforcement authorities and to notify their supervisory office. Additionally, banks should voluntarily file a Suspicious Activity Report (SAR) if the DDoS attack affects critical information of the institution including customer account information, or damages, disables or otherwise affects critical systems of the bank.”

National Credit Union Administration Risk Alert (U.S.)

In February 2013, the National Credit Union Administration (NCUA) issued a Risk Alert to member credit union institutions on “Mitigating Distributed Denial-of-Service Attacks.” The alert included the following verbiage:

“The increasing frequency of cyber-terror attacks on depository institutions heightens the need for credit unions to maintain strong information security protocols. Recent incidents have included distributed denial-of-service (DDoS) attacks, which cause internet-based service outages by overloading network bandwidth or system resources. DDoS attacks do not directly attempt to steal funds or sensitive personal information, but they may be coupled with such attempts to distract attention and/or disable alerting systems.”

Clearly the sense of urgency and the ferocity of the attacks came through in the alert, which also conveyed that the issues are broader than the availability of credit union systems.

No one can say for certain how all of this will play out; however, given the increased frequency, directed attacks, and effectiveness of the techniques, we can safely assume that regulators and government legislators will take heed of public calls to action and will continue to drive prescriptive steps for all relevant organizations to follow.

European Union Security of Network Information Systems (NIS) Directive 2016/2018

In July 2016, the European Parliament set into policy the Directive on Security of Network and Information Systems (the NIS Directive).

The directive went into effect in August 2016, and all member states of the European Union were given 21 months to incorporate the directive’s regulations into their own national laws. The aim of the NIS Directive is to create an overall higher level of cybersecurity in the EU. The directive significantly affects digital service providers (DSPs) and operators of essential services (OESs). Operators of essential services include any organizations whose operations would be greatly affected in the case of a security breach if they engage in critical societal or economic activities. Both DSPs and OESs are now held accountable for reporting major security incidents to Computer Security Incident Response Teams (CSIRTs). While DSPs are not held to as stringent regulations as operators of essential services, DSPs that are not established in the EU but still operate in the EU still face regulations. Even if DSPs and OESs outsource the maintenance of their information systems to third parties, the NIS Directive still holds them accountable for any security incidents.

The member states of the EU are required to create a NIS directive strategy, which includes the CSIRTs, in addition to National Competent Authorities (NCAs) and Single Points of Contact (SPOCs). Such resources are given the responsibility of handling cybersecurity breaches in a way that minimizes impact. In addition, all member states of the EU are encouraged to share cyber security information.[23]

Security requirements include technical measures that manage the risks of cybersecurity breaches in a preventative manner. Both DSP and OES must provide information that allows for an in-depth assessment of their information systems and security policies. All significant incidents must be notified to the CSIRTs. Significant cybersecurity incidents are determined by the number of users affected by the security breach as well as the longevity of the incident and the geographical reach of the incident.

European Union General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR aims to bring a single standard for data protection among all member states in the EU. Changes include the redefining of geographical borders. It applies to entities that operate in the EU or deal with the data of any resident of the EU. Regardless of where the data is processed, if an EU citizen’s data is being processed, the entity is now subject to the GDPR.

Fines are also much more stringent under the GDPR and can total €20 million or 4% of an entity’s annual turnover, whichever is higher. In addition, as in previous regulations, all data breaches that affect the rights and freedoms of individuals residing in the EU must be disclosed within 72 hours.

The overarching board, the European Data Protection Board (EDPB), is in charge of all oversight set by the GDPR.

Consent plays a major role in the GDPR. Companies that hold data in regards to EU citizens must now also offer to them the right to back out of sharing data just as easily as when they consented to sharing data.

In addition, citizens can also restrict processing of the data stored on them and can choose to allow companies to store their data but not process it, which creates a clear differentiation. Unlike previous regulations, the GDPR also restricts the transfer of a citizen’s data outside of the EU or to a third party without a citizen’s prior consent.

What Does It Mean for Online Business and Cloud Service Providers?

For online businesses and cloud service providers, GDPR compliance means adherence to the principles of “Privacy by Design” and “Data Protection by Design” during the design, development, implementation and deployment of web applications or services and any components or services associated with them. With the rapid adoption of cloud services, there is a heightened concern with regard to the readiness of these applications and services. A recent study conducted by Symantec/Bluecoat shows that 98% of today’s cloud applications do not even come close to being GDPR-ready.

WAF, DDoS and the GDPR

Based on recital 39 of the GDPR, personal data should be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorized access to or use of personal data and the equipment used for the processing. Recital 49 goes further by requiring the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems. The recital literally says “This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.” This would include brute force login attempts and automated mitigation techniques outlined in the OWASP Top 10 requirement for PCI compliance.

Most businesses will face the urgent need to increase protection of their published applications and services across data leak prevention, access control, web-based attack prevention and denial of service prevention. Leading providers of cloud and on-premise web application and API protection services, as well as on-demand, always-on cloud and hybrid denial of service mitigation services, do provide an adequate solution for this acute need. A fully managed WAF and DDoS cloud service provides a fast route to check off one of the regulatory compliance boxes and a worry-free GDPR compliance strategy.

European Union Ban on Geo-IP Blocking of Member States 2018

In February 2018, The European Council adopted a regulation to ban unjustified geo-blocking in the internal market. The European Council has emphasized repeatedly the importance of the digital single market strategy and called for the speeding up of the implementation of the strategy, which includes the removal of remaining barriers to the free circulation of goods and services sold online and for tackling unjustified discrimination on the grounds of geographic location.

The EU declared geo-blocking a discriminatory practice that prevents online customers from accessing and purchasing products or services from a website based in another member state.

The new law will remove barriers to e-commerce by avoiding discrimination based on customers’ nationality, place of residence or place of establishment.

The end of geo-blocking of internet addresses of EU countries will significantly disrupt many mainline cyber defense strategies of many companies and countries. Moreover, this new complication is not well understood and alternatives are not always easy to implement.

The EU regulation goes into full effect in December 2018.

Payment transactions whereby:

Unjustified discrimination of customers in relation to payment methods will be forbidden. Therefore, traders will not be allowed to apply different payment conditions for customers for reasons of nationality, place of residence or place of establishment.

Non-discrimination for e-commerce website access whereby:

Traders will not be allowed to block or limit customers’ access to their online interface for reasons of nationality or place of residence. A clear explanation will have to be provided if a trader blocks or limits access or redirects customers to a different version of the online interface.

On the positive side, the EU believes that the end of geo-blocking will mean wider choice and consequently better deals for consumers and more opportunities for businesses.

Growth of Country-Specific Cybersecurity Regulations such as Korean Cyber Laws

In Korea, there are various laws, regulations and guidelines that promote cybersecurity: two general laws (the Network Act and the Personal Information Protection Act (PIPA)) and other laws targeting specific areas, as discussed below.

The Act on the Promotion of IT Network Use and Information Protection (the Network Act) plays an important part in promoting cybersecurity in terms of protecting personal information and enhancing data security in the context of IT networks. The Network Act also prohibits any unauthorized access to a network system by means of a transfer or distribution of a program that may damage, destroy, alter or corrupt the network system, or its data or programs. Under the Network Act it is prohibited to cause disruption of an information and communications network (ICN) by intentionally disturbing network operations with large volumes of signals/data or superfluous requests. Any violation shall be subject to imprisonment of not more than five years or a penalty of not more than KRW 50 Million.

There are additional targeted statutes, such as the Electronic Financial Transactions Act (EFTA), which includes provisions prohibiting electronic intrusion into the network systems of financial companies, and data protection is mandated for financial companies in the Regulation on Supervision of Electronic Financial Activities (the RSEFA), which is an administrative regulation subordinate to the EFTA.  Under the EFTA, any attacks on financial systems using programs such as viruses, logic or email bombs, with the intention of destroying or disrupting financial systems shall be subject to imprisonment of not more than 10 years or a penalty of not more than KRW 100 Million.

In contrast with the laws mentioned above, which are more focused on the protection of data, the Protection of Information and Communications Infrastructure Act (PICIA) is more engaged with the protection of information and communications infrastructure against ‘electronic intrusion’, which is defined as an act of attacking information and communications infrastructure by hacking, computer viruses, logic bombs, email bombs, denial of service, high-power electromagnetic waves and other means.