Hackers Will Target Small Business Through the Internet of Things in 2018, New Report Says

A new report finds hackers are poised to target small businesses that use Internet of Things (IoT) technology in order to reach data held by larger global firms in 2018. The 2018 Cybersecurity Predictions report by Aon’s Cyber Solutions predicts that a small business Internet of Things (IoT) breach will create a domino effect that damages a larger company.

2018 Cybersecurity Predictions

The report also found that while 55 percent of small businesses were breached between 2015 and 2016, only a small minority see cybersecurity as a critical issue. This is despite the fact that overall spending on cybersecurity in 2017 was $86.4 billion, an increase of 7 percent over 2016.

New Threat

The Internet of Things (IoT) is at the heart of this new threat. It is loosely defined as all the software-enabled devices we use (from appliances to smartphones and computers) that can exchange data.

Criminals hijacked hundreds of thousands of Internet of Things (IoT) devices worldwide in 2017. According to the report, they have also fine-tuned their social engineering and spear-phishing tactics.

Jason J. Hogg, CEO of Aon Cyber Solutions, explains the looming threat as small businesses adopt this technology.

“IoT is notoriously unsecured: manufacturers often lack necessary security expertise, constant product innovation creates vulnerabilities, and companies frequently overlook proper patch management programs. Hackers exploit this reality, targeting IoT as a pivot point to enter systems and take control of physical operations.”

Botnets

The report found that hackers favored botnets like “Hajime” and “IoT_reaper” last year. The growing trend raised concerns about DDoS attacks and other issues. A DDoS attack occurs when attackers flood servers with bogus traffic until websites and networks are knocked offline.

High Cost

Any attack can seriously harm a small business’s operations as well as those of a larger organization. There is always a high cost to having your business shut down for any amount of time. What’s more, there is lasting reputational damage, because these smaller firms are working more and more with big organizations that have a large reach.

Hogg also says there are some other reasons why small businesses are ripe for this new Internet of Things (IoT) cybersecurity threat.

“Small businesses, lacking resources and/or awareness to effectively secure their systems, are particularly vulnerable to cyber attacks on IoT,” he says. “The breach will serve as a wake-up call for small and midsized businesses to implement better security measures so as not to risk losing business.”

Passwords

The report also predicts that passwords will continue to be hacked. Multifactor authentication will become critical as hackers learn to get around biometrics. Larger businesses will adopt standalone cyber insurance policies, and chief risk officers will play a larger role.

The report also sees the spotlight on regulation strengthening and widening as calls for a harmonized approach to cybersecurity grow more intense. It points to the EU’s General Data Protection Regulation (GDPR), an attempt to set a universal standard for consumer data privacy that applies to any company collecting data from EU citizens.

Criminals will also target transactions that use points as currency, such as retailers’ rewards, gift and loyalty programs. The use of cryptocurrencies will encourage an increase in ransomware attacks in 2018, like the WannaCry ransomware that affected 200,000 computers in 150 countries in 2017.

Source: https://smallbiztrends.com/2018/01/2018-cybersecurity-predictions.html

New year, new defence: Cybersecurity help and predictions for 2018

Organisations will adopt AI and other emerging technologies to help fight this year’s growing cyber threats.

With 2017 seeing an enormous number of data breaches, businesses should be looking at their cybersecurity processes and planning how to effectively monitor their network security in the year to come. With massive developments in monitoring and AI providing unmissable cybersecurity opportunities, here are five predictions of what we expect to see in 2018.

1. Organisations will increasingly adopt AI-based systems to help with Cybersecurity

In 2018, we’ll see companies using AI-based tools to benchmark their networks, so that they know exactly what their systems ‘normally’ look like and can identify abnormalities faster, before cyber incidents become full-blown attacks.

Despite hackers constantly evolving their attack methods to target new vulnerability points and bypass existing defence systems, AI-based tools can use real-time analytical models to search for anomalies. While analysts still need to decide whether these anomalies require urgent action or not, AI can help make them more productive.

We can also expect to see AI used more to evaluate and prioritise security alerts. This will automate the more routine procedures that analysts have to undertake, and may even reduce threat-related ‘false positive’ alerts in networks. Many companies rely on rule-sets provided by third-party providers to deal with false positives, and they often don’t have the ability to tune and change the rules. This means that they either suffer the false positives and ignore them, or turn off the rule if the false positives are too prevalent – neither of which is an effective strategy.

AI-based systems can help by filtering out the noise of false positives, making it easier for analysts to identify, and focus on, the real threats.

2. Companies will handle breach communication much better than they did in 2017

PayPal is a great example of this. The company should be commended for implementing good hygiene practices that resulted in identifying and announcing the breach at TIO on 4th December, and for showing leadership in claiming responsibility for dealing with the outcome. We’re set to see a big difference between those companies that try to sweep breaches under the carpet, and those that have the right processes in place to investigate breaches and respond appropriately. Those who attempt to hide breaches – we’re looking at you, Uber – will be treated with contempt by customers and the media, as suggested by surveys indicating that as many as 85% of respondents wouldn’t do business with firms that had suffered a data breach.

Of course, on 25th May 2018 the General Data Protection Regulation (GDPR) comes into effect, which means companies will have to notify the Information Commissioner’s Office (ICO) of a breach within 72 hours or face a fine of up to 4% of global revenue.

Sensible organisations will look to implement stronger protection using application whitelisting, encryption and other techniques and improve their detection capability. They should also look to collect and store more definitive evidence about what takes place on their networks – in the form of more verbose log data, NetFlow history and full packet capture. Without this, organisations will find it impossible to investigate a breach quickly enough to satisfy regulatory obligations.

3. Retailers will be far more risk averse during holidays

Companies have begun to accept that optimised monitoring needs to take place all year round, and Christmas will be no exception. However, companies will also become more risk averse: whether it’s a bank or a retailer, as the holiday period approaches there is often a “blackout” period during which network and security teams are not allowed to make updates and changes to their networks other than urgent patches.

Threat actors may step up their activity during the holiday period because there is a higher chance of evading identification and more to gain. This year, Shopify revealed that at the peak of Black Friday, online shoppers were placing 2,800 orders per minute, worth approximately US$1 million. Had Shopify experienced an outage of just five minutes during this busy period, it would have cost them US$5 million in revenue. Protecting against outages – such as might result from a distributed denial of service (DDoS) attack – is critical at these times. Additionally, this volume of online activity makes it easy for hackers to hide their movements while everyone’s focus is on making sure systems stay up and handle the load.

4. New housekeeping and the end of BYOD

Basic housekeeping will play a big role in cybersecurity in 2018. We’ll see a lot more staff training, and more focus on patching and standardisation, so that companies avoid attacks like the widespread ransomware outbreaks we saw this year.

We’re also likely to see more companies moving away from BYOD. The reality is that BYOD has simply proven too hard to regulate and the risk it poses too difficult to protect against. In sensitive networks, with a lot at stake, this risk is not acceptable any longer.

5. Increasing use of strong encryption, and attacks over encrypted connections

We already know that encryption of network traffic is being used more frequently by attackers as a way to hide evidence of their activity. Analysts and their detection tools can’t see into the payload of encrypted traffic.

Unless, of course, they have the encryption keys. If operators force all SSL connections to pass through a proxy, they can decrypt the traffic and see inside the payload. This allows the proxy to provide a clear-text version of the traffic to security tools for analysis, or to full packet capture appliances like the EndaceProbe Network Recorder.

We should expect to see the adoption of SSL proxy appliances increasing in 2018 – great news for companies like Ixia, Gigamon, Bluecoat, Juniper and others that make these appliances.

Conclusion

So, will 2018 be just as unpredictable when it comes to cybersecurity, data breaches and network infiltration? Chances are, most likely it will. However, with the right plans, practices and network monitoring in place, companies can at least prepare themselves for the worst, and prevent any possible breaches from being anywhere near as extensive as those that took place in 2017.

Source: https://www.itproportal.com/features/new-year-new-defence-cybersecurity-help-and-predictions-for-2018/

Old Vulnerabilities still available to be exploited ROBOT

R.O.B.O.T: Return Of Bleichenbacher’s Oracle Threat

A joint study by researchers from Ruhr-Universitat Bochum/Hackmanit GmbH and Tripwire VERT has revealed a re-tread of an old vulnerability from 1998 that allows an attacker to perform RSA decryption and other cryptographic operations using the private key configured on a vulnerable TLS server, without ever obtaining that key. This latest CVE, dubbed ROBOT (Return Of Bleichenbacher’s Oracle Threat), has a surprisingly large target area, affecting almost a third of the top 100 domains (according to Alexa).

I won’t detail the history and specifics of the exploit; there is a pretty good overview over at The Hacker News and of course at the researchers’ own website, where they have provided an online and downloadable tool for testing for this vulnerability.

What I will bring to attention are the hardware vendors identified as still being susceptible to this exploit even today, as the list contains some of the biggest names in the IT industry: Cisco, F5, Citrix, and, most surprisingly, Radware, who specialize in building cybersecurity products. Granted, some of the listed platforms are older legacy platforms, but given that the RSA cipher has been deprecated for over a decade, one would assume that patches to remove it would have been offered and applied years ago. One may be led to believe that this type of negligence is one way to incentivize customers to continually spend on expensive hardware upgrades, but of course we all know better than that…

With regards to DOSarrest and R.O.B.O.T, we’ve long known about the weakness of using RSA ciphers, and only use strong, hardened cipher suites in our operations.
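A Bleichenbacher oracle such as ROBOT only helps an attacker when the server still negotiates cipher suites whose key exchange is plain RSA (the client encrypts the premaster secret to the server’s RSA key); suites that use RSA only to sign an ephemeral Diffie-Hellman exchange, and every TLS 1.3 suite, are unaffected. The Python audit below is an added example for this post, not DOSarrest’s or the researchers’ code: it takes the explicit list of suite names a scanner or a server configuration reports, in either OpenSSL style (`AES128-SHA`) or IANA style (`TLS_RSA_WITH_AES_128_CBC_SHA`), flags the RSA-key-exchange suites, and emits a hardened list with them removed. The sample list in `main` is constructed; the function does not expand OpenSSL keyword expressions such as `HIGH:!aNULL`, which you would first expand with `openssl ciphers -v`.

```python
"""Audit a TLS cipher-suite list for static RSA key exchange (ROBOT exposure).

Added example for this newsletter; not code from DOSarrest or the ROBOT
researchers. Expects explicit suite names, as reported by a scanner or listed
in a server config, not OpenSSL keyword expressions like HIGH:!aNULL.
"""
import re

# OpenSSL name prefixes whose key exchange is NOT RSA encryption.
_NON_RSA_KEX_PREFIXES = (
    "ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-",   # (ephemeral) Diffie-Hellman
    "ADH-", "AECDH-",                            # anonymous DH
    "PSK-", "SRP-",                              # plain pre-shared key / SRP
)


def uses_rsa_key_exchange(suite: str) -> bool:
    """True if `suite` encrypts the premaster secret with the server's RSA key."""
    name = suite.strip().upper()
    if not name:
        return False
    # Export-grade prefixes only mark weaker parameters; look past them.
    for prefix in ("EXP1024-", "EXP-"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    if name.startswith("TLS_"):
        # IANA naming: TLS_RSA_WITH_* and TLS_RSA_PSK_WITH_* use RSA key
        # exchange; TLS_ECDHE_RSA_*, TLS_DHE_RSA_* and TLS 1.3's TLS_AES_* do not.
        return name.startswith(("TLS_RSA_WITH_", "TLS_RSA_PSK_WITH_"))
    # OpenSSL naming: any name without an explicit kex prefix (AES128-SHA,
    # DES-CBC3-SHA, RC4-SHA, RSA-PSK-*) is kRSA.
    return not name.startswith(_NON_RSA_KEX_PREFIXES)


def audit_cipher_list(cipher_list: str) -> dict:
    """Split a ':'-, ','- or whitespace-separated suite list and classify it.

    'hardened' is the same list, in the original order, with every
    RSA-key-exchange suite removed.
    """
    suites = [s for s in re.split(r"[:,\s]+", cipher_list.strip()) if s]
    rsa_kex = [s for s in suites if uses_rsa_key_exchange(s)]
    safe = [s for s in suites if not uses_rsa_key_exchange(s)]
    return {"rsa_kex": rsa_kex, "safe": safe, "hardened": ":".join(safe)}


if __name__ == "__main__":
    # Constructed sample of what a scanner might report for a legacy appliance.
    offered = (
        "TLS_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "
        "TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA"
    )
    result = audit_cipher_list(offered)
    print("RSA key exchange (ROBOT-relevant):", result["rsa_kex"])
    print("hardened list:", result["hardened"])
```

Removing the RSA-key-exchange suites closes the oracle on that host, but the same RSA private key is often installed on several load balancers and appliances; the audit is only complete when every host that holds the key has been checked, and the vendor patch applied where the TLS stack itself is at fault.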

If you are using one of the affected hardware vendors, we can help. With our DDoS Proxy Defense Network, we can take all HTTPS connections and ensure your origin server/s are protected from this CVE, as well as many other vulnerabilities.

Jag Bains, CTO

DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/old-vulnerabilities-still-available-to-be-exploited-robot/

Throwing Caution to the Cloud?

The Hidden Costs of Moving IT operations onto the Cloud

As the CTO of a cloud DDoS protection service, it would seem that I am shooting myself in the foot by raising alarms about hidden costs in moving onto the cloud. After all, shouldn’t everything in IT (including security) be moved to the cloud, with its promises of low cost, high flexibility and immediate scalability? On the surface, this sounds like a great opportunity for CIOs and CSOs who are trying to deal with a volatile budget, but like anything else in life, it’s best to take a closer look before committing.

When I speak with our customers, many of whom have been transitioning their systems and storage to a cloud provider, we’ll often have discussions about support of their new setups within Amazon, Azure, etc. These migrations pose no problems for the DOSarrest service, and the conversations will invariably pivot into a Q&A on ideal hosting setups within these popular platforms, as I have had experience working with cloud hosting in my past lives.

What I have noticed in conversing with these customers is that the same mistakes of the past are still occurring with high frequency even now: the pursuit of short-term savings without fully auditing the existing setup and its requirements. IT managers are still often taking a snapshot of their server inventory and attempting to replicate it in the cloud during a migration, without appreciating that they have excess server capacity. This results in buying extra capacity when it is not required. What’s even worse is when IT managers are blissfully ignorant of the resources and processes operating within their environment that typically cost little today, and have no idea what those same processes will look like on the invoice once they are moved into the cloud. Some good examples of areas that get overlooked in the migration are:

  1. CPU & Memory – it’s a safe bet you could walk into any enterprise datacenter and find the vast majority of systems running idle, with the occasional 10% CPU load and minimal RAM in use. Yet each system will have robust specs (e.g. 8 cores, 32 GB of RAM). Do you really need to replicate those specs in the cloud, even if it is cheaper than buying the actual server yourself?
  2. Storage – similar to point 1, you will see a lot of unused disk space in a datacenter. We all have to deal with growing and shrinking volumes, but have you recorded peak disk usage on a system over 1 day, 1 month, 1 year? Doing so would help ensure you don’t simply get the 5 TB option when it’s not needed.
  3. Data Transfer/Bandwidth – it’s surprising to me how often the bandwidth generated by a server farm is ignored by IT managers. Bandwidth plans with their upstream providers let them ignore it, I suppose. However, when moving to the cloud, you could end up with a hefty bill if you are unsure how much traffic your systems generate during peak loads. You should also be aware of charges for data transfer between regions and zones.
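The audit the three points above call for is mechanical once utilisation has been recorded. The Python below is an added example for this post, not DOSarrest’s code: it takes a month of hourly CPU, RAM, disk and egress readings (constructed here for a hypothetical 8-core, 32 GB, 5 TB on-premises host with a nightly backup window; in practice you would export them from your monitoring system), reports peak and 95th-percentile demand plus the worst month of egress, and picks the smallest size in a hypothetical price catalogue that covers each with headroom. The catalogue sizes and the per-GB egress rate are assumptions, not any provider’s prices.

```python
"""Right-size a server before a cloud migration from recorded utilisation.

Added example for this newsletter, not code from DOSarrest. Samples, catalogue
and prices are constructed / assumed.
"""
import math

EXISTING_CORES = 8           # spec of the on-prem host being migrated (assumed)
HOURS_PER_MONTH = 720
EGRESS_PRICE_PER_GB = 0.09   # assumed flat per-GB egress rate, not a real tariff

# Hypothetical catalogue of sizes the cloud provider sells.
CATALOGUE = {
    "cores": [1, 2, 4, 8, 16],
    "ram_gb": [2, 4, 8, 16, 32, 64],
    "disk_gb": [100, 250, 500, 1000, 2000, 5000],
}


def constructed_samples(days=30):
    """Hourly readings: an idle host, a 02:00 backup that spikes CPU, RAM and
    egress, and a disk that grows 2 GB per day."""
    samples = []
    for day in range(days):
        for hour in range(24):
            backup = hour == 2
            samples.append({
                "hour_index": day * 24 + hour,
                "cpu_pct": 60 if backup else 15,
                "ram_gb": 12 if backup else 6,
                "disk_gb": 800 + 2 * day,
                "egress_gb": 20.0 if backup else 0.5,   # transferred that hour
            })
    return samples


def percentile(values, pct):
    """Nearest-rank percentile (no interpolation)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def worst_month_egress(samples):
    """Largest egress total over any 720-hour block (what a monthly bill sees)."""
    totals = [
        sum(s["egress_gb"] for s in samples[start:start + HOURS_PER_MONTH])
        for start in range(0, len(samples), HOURS_PER_MONTH)
    ]
    return max(totals)


def smallest_size(required, sizes):
    """Smallest catalogue size that covers the requirement, else the largest."""
    for size in sizes:
        if size >= required:
            return size
    return sizes[-1]


def right_size(samples, headroom=0.25):
    """Summarise demand and recommend the smallest catalogue sizes that fit."""
    cpu_p95 = percentile([s["cpu_pct"] for s in samples], 95)
    summary = {
        "cpu_p95_pct": cpu_p95,
        "cpu_peak_pct": max(s["cpu_pct"] for s in samples),
        "ram_peak_gb": max(s["ram_gb"] for s in samples),
        "disk_peak_gb": max(s["disk_gb"] for s in samples),
        "egress_worst_month_gb": worst_month_egress(samples),
    }
    # CPU is sized on p95 (a brief burst just queues); RAM and disk on peak
    # (running out of either is an outage); all with fixed headroom.
    grow = 1 + headroom
    cores_needed = EXISTING_CORES * cpu_p95 / 100 * grow
    summary["recommend"] = {
        "cores": smallest_size(cores_needed, CATALOGUE["cores"]),
        "ram_gb": smallest_size(summary["ram_peak_gb"] * grow, CATALOGUE["ram_gb"]),
        "disk_gb": smallest_size(summary["disk_peak_gb"] * grow, CATALOGUE["disk_gb"]),
        "egress_usd_per_month": round(
            summary["egress_worst_month_gb"] * EGRESS_PRICE_PER_GB, 2),
    }
    return summary


if __name__ == "__main__":
    for key, value in right_size(constructed_samples()).items():
        print(f"{key}: {value}")
```

For the constructed host the recommendation comes out at 2 cores, 16 GB and 2 TB rather than a like-for-like 8-core, 32 GB, 5 TB instance, and the egress line shows the nightly backup is what will actually appear on the transfer bill.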

When it comes to Security in the cloud, there are again other considerations one should account for to avoid paying extra costs.

a) Service Level Agreements – Does the cloud service provider offer three nines (99.9%) or four nines (99.99%) of availability? More importantly, does the SLA have a limit on the size of attacks it will support? Is there a different price for each SLA tier?

b) Throughput – the service provider may say that they have Tb/s of capacity, but are there extra charges if there is a sustained attack over 50 Gb/s? 100 Gb/s? 500 Gb/s?

c) Tiered Support – often you will see a different price schedule for each type of support: a 30-minute response versus 15, or phone support costing extra.

d) Cost for features – Are there additional charges for CDN? How about a Web Application Firewall? Machine learning for identifying anomalous traffic patterns?

At DOSarrest we recognize the cost risk for IT managers, and put all services under one fixed price, simplifying their budgeting and minimizing potential cost overruns in the face of an unknown threat landscape. I know that if a customer of ours fully uses the services we offer at no extra cost, they can save thousands of dollars a month on a cloud hosting platform invoice.

In summary, do your due diligence. The cloud can be incredibly powerful with significant savings, but understand what your requirements are.

Jag Bains

CTO, DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/throwing-caution-to-the-cloud/

Bitfinex restored after DDoS attack

Bitcoin exchange Bitfinex says its systems have been restored after the company was hit by a second denial of service attack in just over a week.

Bitfinex, which claims to be the world’s largest and most advanced cryptocurrency exchange, says it has restored its systems after coming under a “heavy” distributed denial of service (DDoS) attack.

Despite claiming on its website that Bitfinex is “protected by automatic distributed denial of service” systems, the company has been affected twice in December 2017 and once in November by DDoS attacks.

According to Bitfinex, the attackers created “hundreds of thousands of new accounts,” putting stress on Bitfinex’s infrastructure. The exchange said it took about 12 hours to restore normal operations and that new user signups had been suspended temporarily to reduce demand on its infrastructure.
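The account-creation flood described above ended with signups being suspended by hand. The Python below is an added example for this article, not Bitfinex’s or Imperva’s code: it shows the two controls that make that response automatic, a per-source sliding window that throttles one address registering too fast, and a site-wide sliding window that suspends all signups once the global rate is far above normal. The event stream, the limits and the addresses are constructed assumptions.

```python
"""Account-creation flood detection: per-source throttling plus a site-wide
signup circuit breaker.

Added example for this newsletter; not Bitfinex's or Imperva's code. Events,
limits and addresses below are constructed / assumed.
"""
from collections import Counter, defaultdict, deque


class SlidingWindow:
    """Counts events per key within the last `window_s` seconds.
    Events must be fed in timestamp order."""

    def __init__(self, window_s):
        self.window_s = window_s
        self._events = defaultdict(deque)

    def record(self, key, ts):
        q = self._events[key]
        q.append(ts)
        cutoff = ts - self.window_s
        while q and q[0] <= cutoff:      # drop events older than the window
            q.popleft()
        return len(q)


class SignupGuard:
    """Per signup attempt: allow it, throttle its source, or suspend signups."""

    def __init__(self, per_source_limit=5, per_source_window_s=60,
                 global_limit=100, global_window_s=60):
        self.per_source_limit = per_source_limit
        self.global_limit = global_limit
        self.by_source = SlidingWindow(per_source_window_s)
        self.site_wide = SlidingWindow(global_window_s)

    def handle(self, ts, source):
        # Every attempt is counted, allowed or not: a rejected flood still
        # tells us the attack is ongoing.
        site_count = self.site_wide.record("*", ts)
        source_count = self.by_source.record(source, ts)
        if site_count > self.global_limit:
            return "suspend_signups"
        if source_count > self.per_source_limit:
            return "throttle_source"
        return "allow"


def constructed_events():
    """Ten minutes of organic signups (one every 10 s, each from a distinct
    address), then 50 s of 10 registrations per second from five addresses."""
    events = [(t, f"10.0.0.{t // 10}") for t in range(0, 600, 10)]
    for second in range(50):
        for _rep in range(2):
            for k in range(5):
                events.append((600 + second, f"198.51.100.{k}"))
    return events


def run(events, guard=None):
    """Return [(ts, source, decision), ...] for an ordered event stream."""
    guard = guard or SignupGuard()
    return [(ts, src, guard.handle(ts, src)) for ts, src in events]


def summarise(decisions):
    counts = Counter(d for _, _, d in decisions)
    first_suspend = next((ts for ts, _, d in decisions if d == "suspend_signups"), None)
    return {"counts": dict(counts), "first_suspension_ts": first_suspend}


if __name__ == "__main__":
    print(summarise(run(constructed_events())))
```

On the constructed stream every organic signup is allowed, the five flooding addresses are each throttled after their fifth registration, and the breaker trips nine seconds into the flood, once more than 100 attempts have landed inside one minute; the suspension lifts by itself when the attempt rate falls back under the limit, rather than requiring an operator to re-enable signups 12 hours later.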

The latest DDoS attack on Bitfinex comes just days after an Imperva report showed that the bitcoin industry was one of the top ten industries most targeted by DDoS attacks in the third quarter of 2017.

Cyber security industry analysts say the increased interest in Bitcoin as its value continues to surge is making it a prime target for cyber criminals either for extortion or theft.

Igal Zeifman, director at Imperva Incapsula, said extortionists and other cyber criminals are commonly drawn to successful online industries, especially emerging ones that are less likely to be well protected.

“Specifically for bitcoin, the DDoS attacks we mitigated could also have been attempts to manipulate the price of bitcoin and other cryptocurrency, something we know offenders had tried in the past,” he said.

According to the Imperva report, organisations targeted by DDoS campaigns in the third quarter spent an average of 12 hours under attack.

This latest DDoS attack on Bitfinex underlines how increased prominence can make businesses more vulnerable to DDoS attacks, said Kirill Kasavchenko, principal security technologist for Europe at Arbor Networks.

“The bitcoin market has been a hot topic over the past week, which has led to a surge in buyers,” he said. “Hackers are notoriously opportunistic, so it makes sense that they’re seizing this opportunity to make it difficult for Bitfinex to maintain usual business activities.”

Businesses which rely on their website as a route to market, said Kasavchenko, must learn lessons from this, and evaluate whether their current DDoS protection could work harder for their business.

“In response to bitcoin’s growth, attackers might launch DDoS attacks against exchanges not only as extortion threat, but also as a way to manipulate cryptocurrency rates by making trading platforms unavailable.

“Last but not least, cryptocurrencies do not have any legal status in most countries,” he said. “This means prosecution of attackers is often problematic not only from technical, but also from a legal point of view.”

Targeting bitcoin exchanges

In line with the trend of targeting bitcoin exchanges, cyber criminals stole nearly $80m worth of bitcoin from bitcoin mining and exchange service NiceHash.

According to NiceHash, the attackers – believed to be from outside the EU – accessed the company’s systems at around 00:18 GMT on 7 December, and began stealing bitcoin three and a half hours later.

This is the latest in a string of cryptocurrency heists in 2017, and security researchers are predicting the trend will only intensify in 2018.

As the bitcoin value continues to soar, its attractiveness to attackers – both at a criminal and nation state level – will increase in proportion, according to Richard Ford, chief scientist at security firm Forcepoint.

Source: http://www.computerweekly.com/news/450431741/Bitfinex-restored-after-DDoS-attack

Bitcoin industry enters top 10 DDoS targets

The bitcoin industry has become one of the top 10 industries most targeted by distributed denial of service attacks, a report has revealed.

A spike in the number of bitcoin-related sites targeted by distributed denial of service (DDoS) attacks coincided with a spike in the value of the cryptocurrency of $4,672 in the third quarter, according to Imperva’s latest global DDoS report.

The report is based on data from 3,920 network layer and 1,755 application layer DDoS attacks on websites using Imperva Incapsula services between 1 July and 30 September 2017.

The data shows that 73.9% of all bitcoin exchanges and related sites on the Imperva Incapsula service were attacked during the quarter, ahead of the cryptocurrency’s meteoric rise to more than $11,600 in the first week of December.

As a result of the third-quarter spike, the relatively small and young bitcoin industry made it into the top 10 most attacked industries during the three-month period, taking eighth spot above the transport and telecoms sectors.

The most-attacked sector was gambling (34.5%), followed by gaming (14.4%) and internet services (10.8%).

Igal Zeifman, director at Imperva Incapsula, said the large number of attacks on bitcoin exchange sites is a clear example of DDoS attackers following the money.

“As a rule, extortionists and other cyber criminals are commonly drawn to successful online industries, especially emerging ones that are less likely to be well-protected,” he said.

“Specifically for bitcoin, the DDoS attacks we mitigated could also have been attempts to manipulate the price of bitcoin and other cryptocurrency, something we know offenders have tried in the past.”

According to the report, organisations targeted by DDoS campaigns in the third quarter spent an average of 12 hours under attack, half of network layer targets were hit at least twice, and almost 30% were attacked more than 10 times.

Nearly one-third of DDoS targets in the third quarter were attacked 10 or more times, with an interval of at least an hour between assaults.
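Figures like “hit at least twice” or “attacked 10 or more times with an interval of at least an hour between assaults” only exist once raw mitigation alerts are grouped into episodes: two alerts less than an hour apart belong to the same assault. The Python below is an added example for this article, not Imperva’s code; it parses constructed log lines in a hypothetical format, groups them per target with that one-hour rule, and reports assault counts, hours under attack and the share of targets hit repeatedly. The five-minute alert interval and the log format are assumptions.

```python
"""Group mitigation alerts into DDoS assault episodes per target.

Added example for this newsletter, not Imperva's code. The log format, the
alert interval and the data are constructed / assumed.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+Z) target=(?P<target>\S+) action=mitigating")
ALERT_INTERVAL = timedelta(minutes=5)   # each alert covers one 5-minute sample (assumed)
EPISODE_GAP = timedelta(hours=1)        # quiet period that separates two assaults
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (timestamp, target) for a mitigation alert, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("target")


def episodes(timestamps, gap=EPISODE_GAP):
    """Group timestamps into (start, end) episodes separated by at least `gap`."""
    out = []
    for ts in sorted(timestamps):
        if out and ts - out[-1][1] < gap:
            out[-1][1] = ts            # still the same assault
        else:
            out.append([ts, ts])       # a new assault begins
    return [(start, end) for start, end in out]


def report(lines):
    """Per target: number of assaults and total hours under attack."""
    per_target = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, target = parsed
            per_target.setdefault(target, []).append(ts)
    result = {}
    for target, stamps in per_target.items():
        eps = episodes(stamps)
        seconds = sum((end - start + ALERT_INTERVAL).total_seconds() for start, end in eps)
        result[target] = {"assaults": len(eps), "hours_under_attack": round(seconds / 3600, 2)}
    return result


def repeat_shares(per_target_report):
    """Share of targets hit at least twice, and 10 or more times."""
    n = len(per_target_report)
    return {
        "hit_at_least_twice": sum(r["assaults"] >= 2 for r in per_target_report.values()) / n,
        "hit_10_or_more": sum(r["assaults"] >= 10 for r in per_target_report.values()) / n,
    }


def _fmt(ts, target):
    return f"{ts.strftime(TS_FMT)} target={target} action=mitigating pps=1200000"


def constructed_log():
    """Constructed alerts: one target with a 1-hour assault, two quiet hours
    and a 30-minute assault; another hit briefly twelve times, two hours apart."""
    base = datetime(2017, 9, 5, 10, 0, 0)
    lines = []
    for m in range(0, 61, 5):
        lines.append(_fmt(base + timedelta(minutes=m), "shop.example"))
    for m in range(180, 211, 5):
        lines.append(_fmt(base + timedelta(minutes=m), "shop.example"))
    for h in range(0, 24, 2):
        lines.append(_fmt(base + timedelta(hours=h), "host.example"))
    lines.append("2017-09-05T10:00:00Z target=other.example action=clean")  # not an alert
    return lines


if __name__ == "__main__":
    r = report(constructed_log())
    print(r)
    print(repeat_shares(r))
```

The gap rule is the whole definition: shrink it to ten minutes and the second target’s twelve hits stay twelve assaults while the first target’s figures are unchanged, grow it to three hours and the first target collapses to a single assault, so a comparison across reports is only meaningful when the same interval is used.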

Hong Kong topped Imperva’s list of the most targeted countries for network layer assaults during the quarter, mainly because of a persistent attack on a local hosting service that was hit hundreds of times in the quarter.

The largest application layer assault targeted a financial services company headquartered in Europe, which was hit multiple times with attacks above 100,000 requests per second.

The quarter also saw high packet rate attacks, in which the packet forwarding rate escalates above 50 million packets per second (Mpps), become more common, with 5% of all network layer assaults above 50 Mpps and the largest attack peaking at 238 Mpps.

This is a cause for concern, the report said, because many mitigation systems are ill-equipped to process packets at such a high rate.

In November 2017, Harshil Parikh, director of security at software-as-a-service platform firm Medallia, told the Isaca CSX Europe 2017 conference in London that any business dependent on the internet should use tried and tested ways of detecting and mitigating DDoS.

He said it is important that such organisations take time and effort to build their DDoS defence capabilities because DDoS attacks are fairly easy and cheap for attackers to carry out.

“With the advent of botnet-based DDoS attack services that will be effective against most companies, anyone can target an organisation for just a few bitcoins,” said Parikh.

Source: http://www.computerweekly.com/news/450431318/Bitcoin-industry-enters-top-10-DDoS-targets

Cybersecurity and Privacy Predictions for 2018

The past year in cybersecurity has been one of combating ransomware extortion attacks, bracing systems against DDoS attacks and securing internet of things (IoT) systems. Looking to next year, cybersecurity experts at McAfee Labs laid out their predictions for the industry’s top concerns in 2018.

Among the top concerns for next year are hackers using machine learning to create an arms race of development, newer ways that hackers will target businesses with ransomware and potential exploits in serverless applications. Privacy is also a growing concern as consumer data collection through our devices shows no signs of slowing.

The McAfee Labs 2018 Threats Predictions Report explains five of the top cybercrime trends to be aware of and prepare for.

Machine learning has been put to use in dozens of industries, including cybersecurity, but cyber criminals are adapting it to automate the process of discovering exploits, responding to defenses and disrupting systems. While machine learning can help automate our defenses by checking them and using data to predict attacks, attackers will likely use it in response, creating an arms race of machine versus machine.

Attackers can use machine learning for a number of purposes, such as machine-driven searches for vulnerabilities, more sophisticated and data-driven phishing attacks, and successfully using weak or stolen credentials over services and devices. Machine-driven attacks can scan for vulnerabilities much faster than humans, allowing them to exploit systems faster than they can be patched.

“We must recognize that although technologies like machine learning, deep learning and artificial intelligence will be cornerstones of tomorrow’s cyber defenses, our adversaries are working just as furiously to implement and innovate around them,” said Steve Grobman, senior vice president and chief technology officer for McAfee.

According to McAfee, machine learning is only as good as the humans who feed it data. Therefore, human and machine partnerships will be essential for combating cyber criminals and their machine learning techniques. It will be up to human defenders to work with machines to find vulnerabilities first and patch them.

Ransomware has already been a problem for businesses everywhere, costing them millions of dollars. According to McAfee, ransomware attacks have risen 56 percent over the last year; however, payments toward the extortions have declined. This can be attributed to more companies improving their data backups, decryption technology and overall awareness of the attacks.

Cyber criminals adapt and are changing their strategies with ransomware. Traditional ransomware is targeted toward computers and databases, blocking users with encryption and demanding a fee (usually in nondetectable cryptocurrency) to return access. Experts, however, see an even greater potential for damage as more of our devices become part of our networks in IoT systems.

While it may seem outlandish now, imagine hackers locking you out of your smart car and demanding a ransom before unlocking it. If hackers find ways to gain access to a company’s devices that are essential to its productivity, analysts predict that the greater loss of profits due to these disruptions will prompt the attackers to go after higher-profile targets.

“The evolution of ransomware in 2017 should remind us of how aggressively a threat can reinvent itself as attackers dramatically innovate and adjust to the successful efforts of defenders,” Grobman said.

McAfee predicts that individuals who are seen as high-value targets can expect threats to shut down their essential devices, such as expensive smartphones and smart home appliances like thermostats and vehicles. Wealthier targets are perceived by hackers as more likely to pay the ransom.

Another trend with ransomware is attacks that encrypt businesses’ data and shut them out of essential systems but don’t ask for a ransom or appear to have any means of requesting one. These types of attacks, such as the outbreak of WannaCry ransomware, are puzzling, with experts theorizing that they are tests or demonstrations to show others their destructive power, making an example of certain businesses so other companies are more willing to pay for their removal.

The use of serverless applications on platforms such as Amazon Web Services to build high-quality and smooth-running applications is growing in popularity, but security experts warn that proper precautions need to be taken before rushing into this technology. Serverless applications are built on a framework where the backend setup and upkeep are handled by a third-party cloud service.

McAfee says that while this saves developers the trouble of maintaining servers and allocating resources, these applications are still vulnerable through traditional means, such as privilege escalation attacks, which allow hackers to hijack the application’s network. Because an application’s function must be transferred over a network to the servers where the data resides, it creates a new point of intrusion for hackers.

As serverless applications continue to catch on, McAfee warns that attacks on the companies that implement them will also increase. As security methods evolve for serverless computing, it’s advised that developers ensure traffic on their application takes place over a VPN or that some form of encryption is used.

Gathering data on consumers becomes easier with each device added to a household. Corporations rely on a consumer’s willingness to hit the I Agree button on privacy agreements without reading them. Corporations have incentives to gather and sell as much data as possible so our connected devices that are capable of listening, watching, tracking and analyzing are turning consumers’ homes into buffets of information.

Corporations can, and likely will, push the line as to how far they can go with data collection, according to McAfee. New updates and firmware installations usually come with new privacy agreements that users must accept in order to use them, with more permissions and disclosures snuck into the agreements. McAfee predicts that some corporations will toe this line by weighing the cost of breaking privacy laws and paying fines against the profits gained from data collection.

While this mass data is consumed with the purpose of marketing in mind, with high-profile data breaches of notable corporations occurring regularly, this trend could result in such data falling into criminal hands.

It’s no secret that employers often pull up search results, histories and digital records of potential employees. For most adults, this history extends back to the time we first started using the internet and building social profiles. It’s technically possible that children born and raised during this time of mass collection could have these profiles created from the moment they’re born.

For most small children, data collected is likely trivial. But habits and behaviors can still be recorded and stored. A worst-case scenario explained by McAfee is a child being denied entry to a school because officials could find out they spent most of their time binge-watching videos. The capabilities of technology to gather data on children should be concerning. While it’s hard to tell what this data collection will result in as time goes on, it’s important to know that it’s happening and will likely escalate.

If a child’s privacy is important, then parents are advised to pay attention to the devices they buy, turn off unnecessary features and change the default passwords to something stronger.

Source: https://www.businessnewsdaily.com/10418-cybersecurity-privacy-predictions.html

The dangers of DDoS overconfidence for European businesses

Is your organisation properly equipped to deal with a DDoS attack?

With cyber-attacks hitting headlines on an almost daily basis, from ransomware to data breaches and increasingly, DDoS attacks, there is no doubt that today’s cybercriminals are becoming more sophisticated. Take the Mirai botnet attack that targeted Dyn in October 2016, for instance. This high-profile attack caused the likes of Twitter, Amazon and even the BBC to be undermined, and is a perfect example of how cybercriminals are taking advantage of connected devices to carry out cyber-attacks en masse. The recent news of the Reaper botnet only adds fuel to fire, and is said to have the potential to carry out even bigger DDoS attacks than the Mirai botnet of last year.

The threat of DDoS attacks for European businesses across all industries is real. But despite warnings in the media, many businesses are confident in their preparedness to withstand a DDoS attack. But reality doesn’t paint the same pretty picture, and businesses’ overconfidence in their DDoS mitigation could actually be putting them in great danger.

The rise of DDoS

Our own research shows it isn’t just the number of DDoS attacks that is growing – the likelihood of being attacked is also on the rise. In 2014, the number of DDoS attacks grew by just 29% year on year, where attacks were mostly targeted at the online gaming industry. But in 2015, attacks grew by an astounding 200% – and these attacks were aimed at the online gaming industry, as well as public sector bodies and financial services too.

Businesses don’t just need to take into account the volume of attacks – the size of attacks is also growing at a somewhat alarming rate. While the largest detected attack in the first half of 2015 was 21 Gbps, in 2016 the largest attack was almost three times the size at 58.8 Gbps.

With DDoS attacks becoming a bigger threat to businesses than ever before, CDNetworks investigated the preparedness, investment and confidence of more than 300 businesses across the UK and DACH. While the research shows that European businesses are taking notice, and 64% are set to increase their investment in DDoS mitigation in the next 12 months, the danger is that this investment will simply not be enough.

More investment, less risk?

Even though 79% of businesses rate the likelihood of their infrastructure being attacked as somewhere between likely and almost certain, many believe they aren’t actually at risk of suffering a DDoS attack. In fact, the combination of widespread, recent and growing investment in DDoS mitigation has led to overwhelming confidence: 83% of respondents are either confident or very confident both in their current DDoS mitigation arrangements and in how resilient they would be in two years’ time.

But not everyone shares these high levels of confidence. A sizeable minority (44%) of businesses harbour doubts about their preparedness and believe they are currently underinvesting in DDoS mitigation.

The dangers of overconfidence

While recent high-profile DDoS attacks seem to have motivated businesses to invest in DDoS mitigation technologies, when we take a closer look at the number of attacks that have taken place, this confidence is in fact, misplaced. When asked about the frequency of DDoS attacks, 86% confirmed they had suffered a DDoS attack in the last 12 months.

But if confidence is to be shown to be complacency, the number of attacks isn’t what matters – it’s the number of successful attacks that is key. And despite the amount of money companies are investing, and the confidence they have in their DDoS mitigation technology, more than half of respondents (54%) suffered at least one successful attack in the past year, which points to a real gap between perceived preparedness and reality.

The complacency of businesses is also echoed in how they believe DDoS will impact them. In short, until you have experienced a successful attack, you cannot really appreciate the damage it can do to your business.

The administrative level is largely oblivious to how their reputation may be affected by failing to protect their business from a DDoS attack, while the C-suite cannot deny it would impact their view of the IT team, and were most likely to rate the impact as catastrophic. Understandably, the heads of the IT department felt the damage most keenly, being most convinced that their department’s reputation would suffer some or serious impact. IT heads therefore need to bear in mind that DDoS attacks are not only commercially damaging, but they will also affect their own prospects.

Ensuring DDoS mitigation

The good news is that enterprises can ensure their DDoS mitigation is not under-provisioned. Firstly, they need to perform a vulnerability test to identify where gaps lie in their systems and network defences. An extensive review of a network’s strengths and weaknesses will show where vulnerabilities lie, and determine whether the DDoS mitigation tools they have in place are fit for purpose. A vulnerability test will highlight the services and technology needed to ensure businesses are protected against DDoS.

Businesses also need to prepare for the worst. The lucky few that have not yet fallen victim to DDoS attacks are the ones that underestimate their severity, and regardless of confidence, business continuity must be a key part of DDoS planning. DDoS attacks can have catastrophic financial, legal, regulatory and brand reputation effects, so aside from the technical requirements of duplicating information, and ensuring recovery time objectives and recovery point objectives match business needs, there are also procedural requirements businesses need to consider. Identifying the crisis team and any security partners in advance, for example, as well as having a communications plan in place, will ensure partners, employees, customers and the media are kept informed if an attack does take place.

Finally, with cybercriminal activity becoming more sophisticated, businesses need to be prepared in case a DDoS attack comes with a ransom demand. In such circumstances, paying cybercriminals is not recommended. Instead, businesses should consider having insurance policies in place. There will be some instances where cybercriminals win, and having insurance against data breaches and other types of attack will help to overcome some of the damage.

Source: https://www.itproportal.com/features/the-dangers-of-ddos-overconfidence-for-european-businesses/

How to protect against a DDoS attack

We explain why and how you should guard against distributed-denial-of-service incidents.

The distributed-denial-of-service (DDoS) attack landscape is constantly evolving, and is now routinely populated by hacktivists, trolls, extortioners and even used as a distraction from data exfiltration elsewhere on your network.

According to A10 Networks’ DDoS: A Clear and Present Danger report, the average organisation suffers more than 250 hours of DDoS business disruption each year.

Rather than asking if you can afford the cost of dedicated DDoS mitigation, maybe you should be asking if you can afford not to.

And while DDoS attacks still mainly target large or high-profile organisations, small businesses are increasingly being affected. An Akamai study reported a 180% annual increase in the number of DDoS attacks against small organisations.

We explain how to protect against a DDoS attack on the next page, but first, let’s take a look at why you should.

What is a DDoS?

According to the Oxford Dictionary, a Distributed Denial of Service (DDoS) attack is the “intentional paralysing of a computer network by flooding it with data sent simultaneously from many individual computers”.

While technically true, it is a very basic description of a tactic that has evolved to become one of the most complex and efficient threats facing a digital economy. To understand how far it has come, you need to first look back at the roots of DDoS attacks.

A very brief history of DDoS

The methodology we know today as DDoS is widely considered to have first emerged in 1995 during the Net Strike attacks against sites owned by the French government. Attacks had become somewhat automated by 1997, primarily due to the FloodNet tool created by the Electronic Disturbance Theater group.

Following an attack by Anonymous in 2010, the DDoS tactic would be firmly planted on the threat map. Using a tool dubbed the ‘Low Orbit Ion Cannon’, the group was able to successfully flood targeted servers with TCP or UDP packets, facilitated through a point-and-click interface.

Recent attacks

DDoS has since evolved further, with two recent attacks demonstrating the ease at which criminals are able to take down targeted servers.

In October 2016, an 18-year-old allegedly configured his Twitter account and website to contain a redirect link that, when clicked, would automatically make a 911 call. Emergency services in the towns of Surprise and Peoria, Arizona, as well as the Maricopa County Sheriff’s Office, were inundated with fake calls as a result.

Surprise received over 100 calls in the space of a few minutes, while Peoria PD received a “large volume of these repeated 911 hang up calls”, which, given enough data traffic, could have knocked the 911 service offline for the whole of Maricopa County.

More details of how the attack was actually carried out can be found here.

The second notable incident is the DDoS attack on DNS provider Dyn, which took place at about the same time as the Surprise 911 overload. It’s thought that the attack was powered by Mirai, a piece of malware that recruits IoT devices into a botnet.

Dyn said it had observed tens of millions of discrete IP addresses associated with Mirai taking part in the attack, with an army of 150,000 internet-connected CCTV cameras thought to have been a core part of the botnet.

More details of the Dyn DDoS attack and Mirai can be found here and here.

Who’s doing it and what do they use?

Don’t think that DDoS is a legitimate form of political protest. Impairing the operation of any computer is a crime.

It is also used as a smokescreen for other criminal activity, as when TalkTalk had data on four million customers exfiltrated while it was dealing with one.

DDoS is now almost exclusively the territory of botnets-for-hire, no longer populated just by compromised PCs and laptops: the Mirai botnet last year connected together hundreds of thousands of IoT devices to power a DDoS attack. Devices such as routers and even CCTV cameras have default credentials that often don’t get changed by owners, leaving hackers an easy route to infection and control.

A botnet comprising close to 150,000 digital CCTV cameras was thought to be used in the DDoS attack against DNS provider Dyn, an attack that took a swathe of well-known internet services offline.

How do they work again?

DDoS attacks come in many technical guises, and some are more common than others. Nearly all, however, involve flooding to some degree or other. Be it a User Datagram Protocol (UDP), Transmission Control Protocol (TCP) Synchronize (SYN), GET/POST or Ping of Death flood, they all involve sending lots of something that eats up server resources in trying to answer it or check it for authenticity.

The more that are sent, the less resource the server has to respond until eventually it collapses under the strain.

What about cost?

That depends if you mean cost to the organisation who has fallen victim, or the perpetrators, of a DDoS attack. Kaspersky Labs reckons the average cost to an organisation is US$106,000 if you take everything from detection through to mitigation and customer churn into account. For small businesses, that figure is still a significant US$52,000.

For the attacker it’s less expensive, with DDoS-for-hire services ranging from US$5 for a few minutes to US$500 for a working day.

The bottom line is if you can’t afford your network, website or other digital channels to go down for any significant period of time, you need to prepare for a DDoS attack.

So how can you best mitigate against a DDoS attack? Here’s what you need to know.

Basic safeguards with your router

Rather than over-provisioning, simple things such as bandwidth buffering can help handle traffic spikes, including those associated with a DDoS attack, and give you time to both recognise the attack and react to it.

This requires getting a business-grade router, if you haven’t already. Then you can put into place other basic safeguards that can gain you a few precious minutes: rate-limiting your router, adding filters to drop obvious spoofed or malformed packets and setting lower drop thresholds for ICMP, SYN and UDP floods. All these will buy you time to try and find help.
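The router safeguards above (dropping obviously spoofed or malformed packets, per-source rate limiting, and drop thresholds for ICMP, SYN and UDP floods) can be checked offline against a packet summary log before they are committed to a router. The script below is an added example written for this guide, not code from the article or from any router vendor; the log format, the bogon prefix list and every threshold value are constructed for the example.

```python
"""Replay a constructed router packet-summary log through the basic DDoS
safeguards the guide lists: drop spoofed and malformed packets, rate-limit
each source, and apply per-second drop thresholds for ICMP, SYN and UDP floods.
All thresholds are illustrative; a real deployment sizes them from baseline traffic."""
from collections import Counter, defaultdict
import ipaddress

# Constructed bogon list: source prefixes that never legitimately arrive on a
# WAN interface, so a packet claiming one of them is treated as spoofed.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

THRESHOLDS = {"icmp": 3, "syn": 4, "udp": 5}  # packets per second per class
PER_SOURCE_PPS = 3                            # packets per second per source
MIN_IP_LEN = 20                               # shorter than an IPv4 header: junk

# Constructed sample log: "<second> <src> <dst> <proto> <flags> <len>".
SAMPLE_LOG = """\
1 203.0.113.7 198.51.100.10 tcp syn 60
1 203.0.113.8 198.51.100.10 tcp syn 60
1 203.0.113.9 198.51.100.10 tcp syn 60
1 203.0.113.10 198.51.100.10 tcp syn 60
1 203.0.113.11 198.51.100.10 tcp syn 60
1 203.0.113.12 198.51.100.10 tcp syn 60
1 10.0.0.5 198.51.100.10 udp - 512
1 203.0.113.7 198.51.100.10 tcp syn,fin 40
2 203.0.113.20 198.51.100.10 tcp syn,ack 60
2 203.0.113.21 198.51.100.10 icmp - 84
2 203.0.113.21 198.51.100.10 icmp - 84
3 203.0.113.30 198.51.100.10 udp - 300
3 203.0.113.30 198.51.100.10 udp - 300
3 203.0.113.30 198.51.100.10 udp - 300
3 203.0.113.30 198.51.100.10 udp - 300
""".splitlines()


def parse_line(line):
    sec, src, dst, proto, flags, length = line.split()
    return {"sec": int(sec), "src": src, "dst": dst, "proto": proto.lower(),
            "flags": set(flags.split(",")) - {"-"}, "len": int(length)}


def is_spoofed(rec):
    addr = ipaddress.ip_address(rec["src"])
    return any(addr in net for net in BOGON_NETS)


def is_malformed(rec):
    # SYN and FIN never legitimately appear together; tiny packets are junk.
    return rec["len"] < MIN_IP_LEN or (
        rec["proto"] == "tcp" and {"syn", "fin"} <= rec["flags"])


def traffic_class(rec):
    if rec["proto"] in ("icmp", "udp"):
        return rec["proto"]
    if rec["proto"] == "tcp" and rec["flags"] == {"syn"}:
        return "syn"
    return None  # established TCP and anything else is not flood-counted


def classify(lines):
    """Return (verdicts in input order, {class: [seconds over threshold]})."""
    verdicts, flood_windows = [], defaultdict(set)
    per_src, per_class = Counter(), defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if is_spoofed(rec):
            verdicts.append("drop:spoofed"); continue
        if is_malformed(rec):
            verdicts.append("drop:malformed"); continue
        per_src[(rec["sec"], rec["src"])] += 1
        if per_src[(rec["sec"], rec["src"])] > PER_SOURCE_PPS:
            verdicts.append("drop:rate-limit"); continue
        cls = traffic_class(rec)
        if cls is not None:
            per_class[rec["sec"]][cls] += 1
            if per_class[rec["sec"]][cls] > THRESHOLDS[cls]:
                flood_windows[cls].add(rec["sec"])
                verdicts.append(f"drop:{cls}-threshold"); continue
        verdicts.append("accept")
    return verdicts, {k: sorted(v) for k, v in flood_windows.items()}


def summary(lines):
    """Count of each verdict, the figure an operator checks before tuning."""
    return Counter(classify(lines)[0])


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, classify(SAMPLE_LOG)[0]):
        print(f"{verdict:20} {line}")
```

Running the script against the constructed log shows the SYN threshold tripping in second 1, the spoofed 10.0.0.5 source and the SYN+FIN packet being dropped outright, and the fourth UDP packet from a single source being rate-limited while the UDP class threshold itself is not reached.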

Incident response planning

The first thing every organisation should do when suspecting a DDoS attack is confirm it. Once you’ve discounted DNS errors or upstream routing problems, then your security response plan can kick in.

What should be in that response plan? First, you need to put together an incident response team that includes managers and team leaders likely to be affected by an outage, as well as your organisation’s key IT and cyber security people. Only by talking to all the right people can you formulate a comprehensive response plan.

Then contact your ISP, but don’t be surprised if it black-holes your traffic. A DDoS attack costs it money, so null routing packets before they arrive at your servers is often the default option. It may offer to divert your traffic through a third-party scrubber network instead; these filter attack packets and only allow clean traffic to reach you.

Be warned, this is likely to be a more expensive emergency option than had you contracted such a content distribution network (CDN) to monitor traffic patterns and scrub attack traffic on a subscription basis.

Prioritise, sacrifice and survive

Ensure the limited network resources available to you are prioritised – make this a financially driven exercise, as it helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?

This is the kind of thing that should be in it, so that these decisions aren’t being taken on the fly and under time pressure. There’s no need to allow equal access to high-value applications – you can whitelist your most trusted partners and remote employees using a VPN to ensure they get priority.

Multi-vector attacks

Multi-vector attacks, such as when a DDoS attack is used to hide a data exfiltration attempt, are notoriously difficult to defend against. It’s all too easy to say that you must prioritise the data protection, but the smokescreen DDoS remains a very real attack on your business.

The motivation behind a DDoS is irrelevant; they should all be dealt with using layered DDoS defences. These can include the use of a CDN to deal with volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.

DDoS mitigation services

It’s worth considering investing in DDoS mitigation services if your network or digital channels are critical to your business – and particularly if you’re likely to be a target of a DDoS attack (for example, if you’re a well-known business) – or at least knowing about what’s out there, just in case.

One of the biggest and best known is Cloudflare, which has made headlines offering DDoS mitigation services to the likes of Wikileaks as well as working to mitigate wider attacks like the WireX botnet and the 2013 Spamhaus attack.

Cloudflare isn’t the only game in town, though, and many network and application delivery optimisation firms offer DDoS mitigation services.

Other well-known brands include Akamai, F5 Networks, Imperva, Arbor Networks and Verisign. Less well known options that are also worth considering include ThousandEyes, Neustar and DOSarrest.

Some of these providers offer so-called emergency coverage, which you can buy when an attack is underway to mitigate the worst of it, while others require a more long-term contract.

If you’re already using other products from any of these companies, you may want to look into adding DDoS protection to your package. Alternatively, if you use another network optimisation firm not mentioned here, it’s worth seeing if it offers DDoS protection and how much it would cost.

As mentioned above, your ISP may also offer some form of DDoS protection, particularly in an emergency, but it’s worth seeing quite how comprehensive this would be beforehand, as well as the processes involved and how much it will cost.

And even if you don’t subscribe to any of these services, knowing who to turn to in an emergency should be part of your response plan.

Source: https://www.bit.com.au/guide/how-to-protect-against-a-ddos-attack-476699

CERT issues cyber attack warning for India

Malware Reaper is acquiring internet-connected devices for coordinated attack, say State Cyber Police

Mumbai: The Maharashtra Cyber Department is in the process of issuing a State-wide advisory outlining steps to prevent potential targets from falling prey after the New Delhi-based Computer Emergency Response Team (CERT) said it has received intelligence inputs about a massive cyber attack on several countries, including India. The CERT is the country’s central cyber security agency.

Maharashtra Cyber Police officers confirmed to The Hindu that the attack would be similar to the Distributed Denial of Service (DDOS) attack that hit the State last year. In July 2016, The Hindu had reported how small and medium Internet Service Providers were under attack from unknown parties, who were pinging their servers incessantly to the point where the servers crashed, denying service to their clients and causing loss of revenue.

According to sources, the imminent DDOS attack, which is believed to be on a much larger scale, is being readied using malware known by two names, Reaper and IoTroop, and is currently taking over thousands of machines connected to the internet to be used for a synchronised attack on the target servers.

Maharashtra IG (Cyber) Brijesh Singh said, “Mirai had acquired five lakh devices. The Reaper malware has already affected two million devices worldwide, and is acquiring 10,000 devices per day. It seems to be targeting CCTV camera systems and Digital Video Recorders connected to the internet.”

Bot attack

A Cyber Police officer said, “It’s difficult to say at this point exactly who the targets are, but we have enough information to indicate that machines connected to the internet, including cell phones, laptops, CCTV cameras and other devices, are susceptible. A large number of such machines are being hacked and turned into bots as we speak. Our cyber intelligence network indicates a lot of abnormal behaviour on the internet, consistent with hacking of devices.”

A bot, or robot, is an automated programme. In this kind of cyber attack, hackers use malware to infect devices to turn them into bots that do their bidding. Sources said the perpetrators of Reaper are currently creating a huge network of bots, called a botnet in cyberspeak.

In October 2016, a malware known as Mirai had executed multiple DDOS attacks on servers of Dyn, a leading domain name service provider, affecting several popular websites including Twitter, Netflix and Reddit. Cyber Police officers said Reaper is amassing bots on a much larger scale than Mirai. “Once the botnet is ready as per the perpetrators’ requirements, they simply have to command the bots to ping servers of the target all at once, resulting in a server crash. Depending on the size of the company or industry targeted, it will result in massive losses of revenue.”

A possible way to execute the attack would be that the bots are pre-programmed to strike on a particular day. This possibility is also being probed, officers said.

Superintendent of Police Balsing Rajput, Maharashtra Cyber Police, confirmed that intelligence inputs about Reaper have been received. “We are working on the information and will soon be coming out with an advisory regarding the same.”

Source: http://www.thehindu.com/news/cities/mumbai/cert-issues-cyber-attack-warning-for-india/article19920037.ece