Hacked: How Business Is Fighting Back Against the Explosion in Cybercrime

Business is under assault from cybercriminals like never before, and the cost to companies is exploding. Here’s what you need to know about safeguarding your digital assets.

1. Under attack

In the summer of 2015, several of New York’s most prestigious and trusted corporate law firms, including Cravath Swaine & Moore and Weil Gotshal & Manges, found themselves under cyberattack. A trio of hackers in China had snuck into the firms’ computer networks by tricking partners into revealing their email passwords. Once inside the partners’ accounts, the thieves snooped on highly sensitive documents about upcoming mergers. Then, from computers halfway around the world, the cybercrooks allegedly traded on the purloined information, netting $4 million in stock market gains.

Like most other victims of corporate espionage, the firms preferred to keep mum about having been victimized. They feared antagonizing other digital thugs as well as damaging their reputations as keepers of clients’ secrets. Instead, word of the attack leaked in the press and then was confirmed by federal prosecutors and the firms themselves. The Feds made public their discoveries and trumpeted their efforts to bring the alleged perpetrators to justice. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” said Preet Bharara, then the U.S. Attorney in Manhattan. “You are and will be the targets of cyberhacking because you have information valuable to would-be criminals.”

It may have been a shock to the system for the legal community, but the incident only served to underscore a hard truth that CEOs, company directors, and network security experts have been grappling with for some time now: Business is under assault like never before from hackers, and the cost and severity of the problem is escalating almost daily.

The latest statistics are a call to arms: According to Cisco, the number of so-called distributed denial-of-service (DDoS) attacks—assaults that flood a system’s servers with junk web traffic—jumped globally by 172% in 2016. Cisco projects the total to grow by another two and a half times, to 3.1 million attacks, by 2021. Indeed, the pace of cyberassaults is only increasing. Internet security firm Nexusguard reports that it observed a 380% increase in the number of DDoS attacks in the first quarter of 2017 compared with a year earlier.

As the number and scale of network attacks grow, the toll on business is rising. The average total cost of a data breach in the U.S. in 2014 was $5.85 million, according to research from IBM and the Ponemon Institute, and this year it’s estimated to be $7.35 million. According to a report earlier this year from business insurer Hiscox, cybercrime cost the global economy more than $450 billion in 2016. The WannaCry ransomware attack alone, which crippled computers in more than 150 countries in May, could cost as much as $4 billion according to some estimates.

What is slowly dawning on corporate hacking victims is how vulnerable and defenseless they really are, even when their opponents may be three guys in a room halfway around the world. Expensive data-security systems and high-priced information security consultants don’t faze today’s hackers, who have the resources to relentlessly mount assaults until they succeed. In the New York law-firm case, for example, prosecutors said the attackers attempted to penetrate targeted servers more than 100,000 times over seven months.

It has become abundantly clear that no network is completely safe. Where once companies thought they could defend themselves against an onslaught, they’re now realizing that resistance is, if not futile, certainly less important than having a plan in place to detect and neutralize intruders when they strike.

But there remains a gaping chasm between awareness of the threat and readiness to address it: A survey last fall by IBM and Ponemon of 2,400 security and IT professionals found that 75% of the respondents said they did not have a formal cybersecurity incident response plan across their organization. And 66% of those who replied weren’t confident in their organization’s ability to recover from an attack.

Cybercrime is metastasizing for the same reason online services have become so popular with consumers and businesses alike: Ever-more-accessible technology. Hacking is easier than ever thanks to the ever-growing number of online targets and the proliferation of off-the-shelf attack software. The very Internet networks that were built for convenience and profit are exposing their users to a steady stream of new threats.

What’s more, the tense state of affairs is a glaring example of how the entire nature of business has changed in the digital age. In most cases, technology is much more than just a supplement to a company’s core operations. For scores of the world’s most valuable companies—from Alphabet to Amazon to Facebook to Uber—the assets that live on their networks are their core operations.

No sector of corporate America is safe. Hackers have plundered big retailers like Neiman Marcus and Home Depot for credit card and customer information. They’ve burrowed into banks like JPMorgan Chase. Even tech companies can’t seem to protect themselves. Yahoo’s ineptitude in repelling (or even being aware of) hackers forced it to reduce its sale price to Verizon. Google and Facebook recently fell victim to a hacker who conned their accountants into wiring him a total of more than $100 million. And OneLogin, a startup that bills itself as a secure password management service, recently lost certain customer data to hackers.

It’s not like companies aren’t trying to play defense. Accenture estimates that companies worldwide spent $84 billion in 2015 to protect against attacks. That spending is an acknowledgment that every company needs to safeguard its digital assets, which in turn requires knowing about the criminals that keep coming at them and what defenses they can build to minimize the damage.

2. A new breed of criminal

Hacking is particularly frustrating for corporate executives who don’t understand their enemy. Embezzlers or extortionists? Sure. But faceless gangs of nasty nerds? It’s often harder for CEOs to wrap their brains around the motivation of their antagonists—or their audacity. “At the C-level they feel violated,” says Jay Leek, a venture capitalist pursuing cybersecurity investments and a former chief information security officer at private equity giant Blackstone. “I witness this emotional ‘What just happened?’ You don’t walk in physically to a company and violate it.”

The brazenness Leek describes is a hallmark of hackers who—despite their mystique in popular culture—are basically everyday thieves, like bank robbers. Where hackers are different, however, is that they rarely meet in person. Instead, they convene in online forums on the “dark web,” an anonymous layer of the Internet that requires a special browser to access. Deep in the forums, crooks hatch hacking plots of all sorts: breaking into corporate databases or selling stolen Social Security numbers or purchasing inside information from unscrupulous employees.

Cybercriminals have proved adept at adopting successful corporate strategies of their own. A recent development has seen the cleverest crooks selling hacking tools to criminal small-fry. It’s analogous to semiconductor companies licensing their technology to device manufacturers. According to a report from security software giant Symantec, gangs now offer so-called ransomware as a service, a trick that involves licensing software that freezes computer files until a company pays up. The gangs then take their cut for providing the license to their criminal customers.

If it weren’t all blatantly illegal, the practices would be laudably corporate. “Cybercriminals no longer need all the skills to complete any particular crime,” says Nicole Friedlander, a former assistant U.S. Attorney in charge of the key Southern District of New York’s complex fraud and cybercrime unit. “Instead, they can hire other cybercriminals online who have those skills and do it together.” In that sense, hackers have become service providers like doctors or lawyers or anyone else, says Friedlander, who joined the New York office of law firm Sullivan & Cromwell last year.

Graphic by Nicolas Rapp 

But the bad guys aren’t all freelancers. In fact, some of the most sinister hacking outfits operating today are “state-sponsored” groups supported, or at least loosely supervised, by governments. That includes the Russians who are believed to have hacked into the Democratic National Committee last year and the North Korean team credited with unleashing the WannaCry malware as a moneymaking scheme.

3. Playing defense

In early March, the information security team at ride-hailing giant Uber leaped into action: An Uber employee had reported a suspicious email message, and similar reports were flooding in from all over the company.

Uber’s databases contain the email addresses and personal information of millions of riders around the world, making security a particularly pressing issue. And the company has had its share of problems as a caretaker of sensitive data. In 2014, Uber suffered a breach that exposed the insurance and driver’s license information of tens of thousands of drivers; it took the mega-startup months to discover and investigate the incident and fully notify its drivers.

As soon as the alarm was raised in March, Uber established an “incident commander” to manage the developing situation. The job of the incident commander—a term of art in cybersecurity circles—is to keep the company informed about potential attacks. It turned out that the attack was targeting users of Google’s Gmail service, not Uber itself. But anyone with a Gmail address was vulnerable. Later that same day Google fixed the vulnerability in its Gmail service, allowing Uber’s incident commander to stand down.

Uber’s reaction is an example of the vigilance with which companies must treat the torrent of threats coming at them every day. John “Four” Flynn, a former Facebook executive who now is chief information security officer for Uber, says the key to cybersecurity incidents—which he defines as everything from a data breach to a stolen laptop—is to have a clear communication strategy. “During an incident, the role of executives is to give support,” says Flynn. “There’s no room for confusion about who’s in charge.”

Graphic by Nicolas Rapp 

Flynn has every right to sound confident in his authority. The chief information security officer, or CISO, is possibly the hottest job in the C-suite today. Cybercrime is so serious that these formerly little-known and unloved executives now typically have a direct line to boards of directors—a big break from the past. Before, the CISO would report to the chief information officer, who was responsible for buying and operating computers, not obsessing over flies in the ointment. If the CISO sounded the alarm over a breach, too often he or she ended up being the one sacrificed to appease top management. “It was my job to tell my boss his baby was ugly,” one former information security executive laments.

These days, though, smart companies treat hacking threats like other existential risks to their business—recessions, terrorist attacks, and natural disasters come to mind—and plan accordingly. The CISO is pivotal in maintaining readiness. “If you’re a Fortune 500 company, you already have a response,” says Leek, the former executive at Blackstone, which had several portfolio companies that suffered breaches, including arts-and-crafts merchant Michaels Stores. “But people forget to take it out, blow the dust off, and recall: ‘Let’s do what we decided when we had a sound mind.’ ”

Having a clear line of authority and a good action plan take a company only so far. At some point it has to call the cops, specifically the Federal Bureau of Investigation or the U.S. Secret Service. Both agencies have reach and power that allow them to take the fight to foreign cybercrooks. On several occasions, U.S. law enforcement agents working undercover on the dark web have managed to lure presumed offenders out of hiding with phony deals, and then had them apprehended in and extradited to the U.S.

Calling law enforcement has downsides, however. The likely outcome—an investigation—imposes burdens on the victim company in terms of money and time. And it increases the chance that sensitive details about the hack will leak publicly. That’s why the best course of action is for companies to avoid FBI-level hacking incidents in the first place. A new, multibillion-dollar industry has sprung up to help.

4. An industry is born

The videoconference camera looked like any other. But unbeknownst to its corporate owner, the device was working overtime: Hackers had captured the microphone remotely and were using it to spy on every meeting that took place in the boardroom. The company, which does not want to be identified, finally got wise to the spying scheme thanks to Darktrace, a global cybersecurity company that uses artificial intelligence to detect aberrant activity on client networks. Darktrace CEO Nicole Eagan says her company noticed the camera had been gobbling abnormal amounts of data. This raised a red flag, enabling Darktrace to notify its client that something was amiss.

Darktrace is just one of hundreds of firms that offer help to combat the hacking epidemic. Once a stodgy corner of enterprise software, cybersecurity has become a hot sector for venture capitalists. Investors put some $3.5 billion into a total of 404 security startups last year, according to New York research firm CB Insights. That’s up from $1.8 billion for 279 investments in 2013.

Graphic by Nicolas Rapp 

For executives, all of this entrepreneurial activity translates into a dizzying array of security options. There are newcomers like Tanium, for instance, which offers a service that lets companies see who is on their network. Publicly traded Palo Alto Networks makes a kind of intelligent firewall that uses machine learning to thwart intruders. There are also a host of niche security firms such as Area 1 (which specializes in defending against phishing scams) and Lookout (which is a mobile-phone-focused security service).

With all of this firepower arrayed against it, how can cybercrime continue to grow so fast? One answer is that some of the glitzy defense systems don’t work as advertised. Security insiders grumble about firms bamboozling clients with “blinky lights” in order to sell “scareware”—software that plays to customers’ insecurities but doesn’t protect them.

At the end of the day, though, humans are as much to blame as software. “The weak underbelly of security is not tech failure but poor process implementation or social engineering,” says Asheem Chandna, an investor with Greylock Partners and a Palo Alto Networks director. Chandna notes that most hacking attacks come about in two ways, neither of which involves a high level of technical sophistication: An employee clicks on a booby-trapped link or attachment—perhaps in an email that appears to be from her boss—or someone steals an employee’s log-in credentials and gets access to the company network.

While cyberdefense tools can mitigate such attacks, some will always succeed. Humans are curious creatures and, in a big organization, there will always be someone who clicks on a message like, “Uh-oh. Did you see these pictures of you from the office party?” When it comes to hacking, a penny of offense can defeat a dollar’s worth of defense. That’s why the fight against hacking promises to be a never-ending battle.

Source: https://fortune.com/2017/06/22/cybersecurity-business-fights-back/

Microsoft Skype Hit By Alleged DDoS Attack, Causes Connectivity Challenges

Microsoft has confirmed an outage in its Skype offering, which caused connectivity issues earlier this week and is allegedly the result of a Distributed Denial of Service attack.

Skype users started complaining about connectivity issues on Monday, with hours of downtime. The issues continued into Tuesday, with users losing connectivity and having trouble exchanging messages on the communications platform. The outage appeared to primarily affect Europe.

It is not clear if the connectivity issues affected just the consumer Skype application, or also Skype for Business.

Microsoft confirmed the issues with the service in a Tweet and on its blog, saying Monday that they were “aware of an incident where users will either lose connectivity to the application or may be unable to send or receive messages. Some users will be unable to see a black bar that indicates them that a group call is ongoing, and longer delays in adding users to their buddy list.” On Tuesday Microsoft updated the blog post to say it was “seeing improvements” but some users still were having issues with the service and the company was “working on that.”

Microsoft further updated the blog on Tuesday, saying it had made “some configuration corrections and mitigated the impact.”

“We are continuing to monitor and we will post an update when the issue is fully resolved,” Microsoft said.

Microsoft did not confirm reports at the time that the outage was the result of a DDoS attack. A hacker group, called CyberTeam, claimed responsibility for the attack in a tweet, saying “Skype Down by Cyberteam.”

Michael Goldstein, president and CEO of LAN Infotech, a Fort Lauderdale, Fla.-based Microsoft partner, called the incident “pretty scary,” assuming reports of a DDoS attack were true. He said it is concerning for small and medium businesses if a company as large as Microsoft can be hit by such an attack.

“It is definitely showing how the bad guys, how the dark side, is still looking to push [against big companies],” Goldstein said.

Goldstein said his company views Skype for Business as a “critical product” for both its own business and for its clients. He said he hopes Microsoft is working to bolster its Skype for Business product, as well as its consumer Skype product, against further attacks.

The reports of a DDoS attack against Microsoft come just a few months after a massive DDoS attack on Dyn caused significant Internet outages on the East Coast. The incident took down many popular websites, including Twitter and Netflix, as well as more than 1,200 other sites. The traffic in that October attack came from devices infected by the Mirai botnet, malware that was revealed earlier that month and that spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory-default or hard-coded usernames and passwords.

Source: http://www.crn.com/news/security/300087511/microsoft-skype-hit-by-alleged-ddos-attack-causes-connectivity-challenges.htm

DDOS Attacks on the Rise

Distributed Denial of Service (DDoS) attacks leverage compromised devices to generate a flood of traffic, overwhelming online services and rendering them unresponsive. DDoS services are widely available on the internet, with research by Trend Micro finding that the small cost of US$150 can buy a DDoS attack for a week. (It also brings organised crime into your life – but that’s a different point!)

The latest statistics from Cisco reveal that the number of DDoS attacks grew by 172% in 2016. Combine this with an average DDoS attack size of 1.2Gbps, capable of taking most organisations offline, and there is real cause for concern among cyber security experts. It is hard to trace DDoS attacks to their perpetrators, as the majority of devices used in attacks belong to innocent users.

Organisations must understand the risk and impact posed by DDoS attacks, and implement mitigation strategies that promote business continuity in the face of these attacks. Industry peers must share knowledge where appropriate, and keep government agencies adequately informed, to deter hackers from launching a DDoS attack.

Cisco expects that the number of DDoS attacks in the future will only get worse, with 3.1 million predicted attacks in 2021 globally.

Source: http://www.natlawreview.com/article/ddos-attacks-rise

US Blames North Korea For Series Of DDoS Attacks

The Department of Homeland Security and the Federal Bureau of Investigation issued a rare cybersecurity bulletin linking North Korea to a series of attacks that have targeted global businesses and critical infrastructure since 2009.

The alert focuses on a malware strain called DeltaCharlie, which DHS and FBI say was used by the North Korean government to launch distributed denial of service attacks. DDoS attacks use floods of web traffic from compromised devices to knock websites or services offline.

North Korea targeted “the media, aerospace, financial, and critical infrastructure sectors in the United States and globally,” the alert says.

The US government refers to North Korea’s hacking team as Hidden Cobra, but cybersecurity firms often use the slightly less sinister name Lazarus Group. The North Koreans have also been linked to the WannaCry ransomware that spread virally in May and shut down hospitals and businesses.

WannaCry primarily targeted unpatched Windows machines, and it sounds like the Lazarus Group’s DDoS malware is also primarily exploiting devices that run old versions of Windows. “The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation,” the alert notes.

Microsoft typically stops issuing patches for older versions of Windows after they have been retired, but the company today released patches that thwart WannaCry on outdated devices, ZDNet reports.

Although DHS and FBI released data that will help detect and mitigate Lazarus Group attacks, the agencies said more research is necessary to “understand the full breadth” of the group’s capabilities.

Source: https://www.gizmodo.com.au/2017/06/us-blames-north-korea-for-series-of-ddos-attacks/

Ten steps for combating DDoS in real time

To the uninitiated, a distributed denial-of-service (DDoS) attack can be a scary, stressful ordeal. But don’t panic. Follow these steps by David Holmes, senior technical marketing manager: Security, F5 Networks, to successfully fight an attack:

If you appear to be suffering a volumetric attack, it helps to have a historical sense of your own traffic patterns. Keep a baseline of normal traffic patterns to compare against. If you have determined that you are under a DDoS attack, record the estimated start time in your attack log. Monitor volumetric attacks. Remember to keep a monitoring web page open to indicate when the attack may be over (or mitigated). You will need to follow (up to) 10 steps for your DDoS mitigation:

Step 1: Verify the attack
Not all outages are caused by a DDoS attack. DNS misconfiguration, upstream routing issues, and human error are also common causes of network outages. You must first rule out these non-DDoS causes and distinguish an attack from a common outage.

· Rule out common outages: The faster you can verify the outage is a DDoS attack, the faster you can respond. Even if the outage was not caused by a misconfiguration or other human error, there may still be other explanations that resemble a DDoS attack.
· Check outbound connectivity: Is there outbound connectivity? If not, then the attack is so severe that it is congesting all inbound and outbound traffic. Check with your usual diagnostic tools (such as traceroute, ping, and dig) and rule out all such possibilities.
· Rule out global issues: Check Internet weather reports, such as Internet Health Report and the Internet Traffic Report, to determine if the attack is a global issue.
· Check external network access: Attempt to access your application from an external network. Services and products that can perform this kind of monitoring include: Keynote testing and monitoring, HP SiteScope agentless monitoring, SolarWinds NetFlow Traffic Analyzer, and Downforeveryoneorjustme.com.
· Confirm DNS response: Check to see if DNS is responding for your website. The following UNIX command resolves a name against the OpenDNS project server: % dig @208.67.222.222 yourdomain.com
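The opening advice (keep a baseline, compare against it, record the estimated start time in an attack log) and Step 1 together amount to a small procedure. The following is an added example, not code from the article or from F5: the per-minute request counts are constructed, and the "four standard deviations for three consecutive minutes" rule is an assumed policy you would tune to your own traffic. It only tells you that traffic is abnormal; ruling out DNS, routing and human error is still yours to do before calling it an attack.

```python
"""Baseline-versus-current traffic check that records a confirmed attack.

Added example, not from the article or from F5. The per-minute request
counts are constructed; in practice they come from your own monitoring,
which is why the text tells you to keep a baseline in the first place.
"""
from __future__ import annotations

import statistics
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed baseline: requests per minute at peak on a normal day.
BASELINE_RPM = [1180, 1240, 1210, 1195, 1260, 1225, 1205, 1250, 1230, 1215]
# Constructed current window: the last six minutes observed.
CURRENT_RPM = [1230, 1250, 4890, 9800, 12400, 13100]


@dataclass
class AttackLog:
    """The attack log the text asks for: one entry per confirmed incident."""
    entries: list[dict] = field(default_factory=list)

    def record_start(self, start: datetime, peak_rpm: int, note: str) -> dict:
        entry = {"start": start.isoformat(), "peak_rpm": peak_rpm, "note": note}
        self.entries.append(entry)
        return entry


def baseline_threshold(baseline: list[int], sigmas: float = 4.0) -> float:
    """Upper edge of 'normal': baseline mean plus `sigmas` standard deviations."""
    return statistics.fmean(baseline) + sigmas * statistics.pstdev(baseline)


def first_anomalous_minute(current: list[int], threshold: float) -> int | None:
    """Index of the first minute above the threshold, or None if all are normal."""
    for i, rpm in enumerate(current):
        if rpm > threshold:
            return i
    return None


def is_sustained(current: list[int], threshold: float, minutes: int = 3) -> bool:
    """Insist on `minutes` consecutive anomalous minutes before calling it an attack;
    a lone spike is more often a crawler, a campaign launch or a monitoring glitch."""
    run = 0
    for rpm in current:
        run = run + 1 if rpm > threshold else 0
        if run >= minutes:
            return True
    return False


def assess(baseline: list[int], current: list[int], window_start_iso: str, log: AttackLog) -> str:
    """Classify the window and, for a sustained anomaly, write the start time to the log.
    `window_start_iso` is the timestamp of current[0] in ISO 8601 form."""
    threshold = baseline_threshold(baseline)
    idx = first_anomalous_minute(current, threshold)
    if idx is None:
        return "normal"
    if not is_sustained(current, threshold):
        return "spike: investigate, not yet a confirmed DDoS"
    start = datetime.fromisoformat(window_start_iso) + timedelta(minutes=idx)
    log.record_start(start, max(current), f"{len(current) - idx} minutes above {threshold:.0f} rpm")
    # Still Step 1: rule out DNS, routing and human error before treating this as an attack.
    return "sustained volumetric anomaly: verify against outages and confirm with your provider"


if __name__ == "__main__":
    log = AttackLog()
    print(assess(BASELINE_RPM, CURRENT_RPM, "2017-06-20T10:00:00+00:00", log))
    print(log.entries)
```

With the constructed data the threshold lands near 1,316 requests per minute, the first anomalous minute is the third one, and the log entry carries 10:02 as the estimated start, which is the figure you would later hand to your bandwidth provider and your fraud team.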

Step 2: Contact team leads
Once the attack is verified, contact the leads of the relevant teams. If you have not filled out any quick reference sheets or a contact list, create one now or use our templates. When an outage occurs, your organisation may hold a formal conference call including various operations and applications teams. If your company has such a process in place, use the meeting to officially confirm the DDoS attack with team leads.

· Contact your bandwidth service provider: One of the most important calls you can make is to the bandwidth service provider. List the number for your service provider in your contact sheet. The service provider can likely confirm your attack, provide information about other customers who might be under attack, and sometimes offer remediation.
· Contact your fraud team: It is especially important to invoke the fraud team as soon as the attack is verified. DDoS attacks can be used as cover to hide an infiltration. Logs that would normally show a penetration may get lost during a DDoS attack. This is why high-speed, off-box logging is so important.

Step 3: Triage applications
Once the attack is confirmed, triage your applications. When faced with an intense DDoS attack and limited resources, organisations have to make triage decisions. High-value assets typically generate high-value online revenue. These are the applications you will want to keep alive. Low-value applications, regardless of the level of legitimate traffic, should be purposefully disabled so their CPU and network resources can be put to the aid of higher-value applications. You may need the input of team leads to do this.

Ultimately, these are financial decisions. Make them appropriately. Create an application triage list; it takes only a few minutes to fill one out, and will greatly assist in making tough application decisions while combating an actual DDoS event. Decide which applications are low priority and can be disabled during the attack. This may include internal applications.

Step 4: Protect partners and remote users
· Whitelist partner addresses: Very likely you have trusted partners who must have access to your applications or network. If you have not already done so, collect the IP addresses that must always be allowed access and maintain that list. You may have to populate the whitelist in several places throughout the network, including at the firewall, the Application Delivery Controller (ADC), and perhaps even with the service provider, to guarantee that traffic to and from those addresses is unhindered.
· Protect VPN users: Modern organisations will whitelist or provide quality-of-service for remote SSL VPN users. Typically this is done at an integrated firewall/ VPN server, which can be important if you have a significant number of remote employees.

Step 5: Identify the attack
Now is the time to gather technical intelligence about the attack. The first question you need to answer is “What are the attack vectors?” There are four types of DDoS attack:
· Volumetric: flood-based attacks that can be at layers 3, 4, or 7;
· Asymmetric: designed to invoke timeouts or session-state changes;
· Computational: designed to consume CPU and memory; and
· Vulnerability-based: designed to exploit software vulnerabilities.

By now you should have called your bandwidth service provider with the information on your contacts list. If the attack is solely volumetric in nature, the service provider will have informed you and may have already taken steps at DDoS remediation. Even though well-equipped organisations use existing monitoring solutions for deep-packet captures, you may encounter cases where you have to use packet captures from other devices, such as the ADC, to assist in diagnosing the problem. These cases include: SSL attack vectors and FIPS-140.

Step 6: Evaluate source address mitigation options
If Step 5 has identified that the campaign uses advanced attack vectors that your service provider cannot mitigate (such as slow-and-low attacks, application attacks, or SSL attacks), then the next step is to consider the following question: “How many sources are there?” If the list of attacking IP addresses is small, you can block them at your firewall. Another option would be to ask your bandwidth provider to block these addresses for you.

· Geoblocking: The list of attacking IP addresses may be too large to block at the firewall. Each address you add to the block list slows processing and increases CPU load. But you may still be able to block the attackers if they are all in the same geographic region or a few regions you can temporarily block. The decision to block entire regions via geolocation must be made as a business decision. Finally, if there are many attackers in many regions, but you don’t care about any region except your own, you may also use geolocation as a defence by blocking all traffic except that originating from your region.
· Mitigating multiple attack vectors: If there are too many attackers to make blocking by IP address or region feasible, you may have to develop a plan to unwind the attack by mitigating “backwards”; that is, defending the site from the database tier to the application tier, and then to the web servers, load balancers, and finally the firewalls.

You may be under pressure to remediate the opposite way; for example, mitigating at layer 4 to bring the firewall back up. However, be aware that as you do this, attacks will start to reach further into the data centre.
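Step 6 is a decision tree over two numbers: how many attacking sources there are, and how many regions they fall into. The following is an added example, not code from the article or from F5, that walks that tree over a constructed web-log window. The log lines use IANA documentation address ranges, the IP-to-region table is a stand-in for a GeoIP database, and the thresholds (20 requests per client per minute, 50 firewall entries, 2 regions) are assumed values to be replaced with your own.

```python
"""Source-address triage from a web-log window: how many attackers, and where?

Added example, not from the article or from F5. The log lines and the
IP-to-region map are constructed (IANA documentation address ranges);
in production the counts come from your log pipeline and the region from a
GeoIP database. It encodes the text's decision order: a small attacker
list is blocked at the firewall (or by the provider), a large list confined
to a few foreign regions is a geoblocking candidate, a large list with
attackers inside your home region leaves mitigating "backwards" through the tiers.
"""
from __future__ import annotations

import re
from collections import Counter

# Common/combined log format prefix: client IP, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

# Constructed stand-in for a GeoIP lookup, keyed on the /24 prefix.
REGION_BY_PREFIX = {"192.0.2": "home", "198.51.100": "region-A", "203.0.113": "region-B"}


def make_sample_log() -> str:
    """Constructed one-minute window: three normal clients, sixty noisy sources."""
    ts = "20/Jun/2017:10:02:00 +0000"
    lines = [f'192.0.2.{h} - - [{ts}] "GET / HTTP/1.1" 200 512'
             for h in (10, 11, 12) for _ in range(2)]
    lines += [f'198.51.100.{i} - - [{ts}] "GET /search?q=x HTTP/1.1" 200 9120'
              for i in range(1, 61) for _ in range(40)]
    return "\n".join(lines)


def region_of(ip: str) -> str:
    return REGION_BY_PREFIX.get(ip.rsplit(".", 1)[0], "unknown")


def requests_per_source(log_text: str) -> Counter:
    """Count requests per client IP, skipping lines that do not parse."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def attackers(counts: Counter, per_source_threshold: int) -> list[str]:
    """Sources above the per-client rate you consider plausible for a human in this window."""
    return sorted(ip for ip, n in counts.items() if n > per_source_threshold)


def recommend(attacker_ips: list[str], home_region: str = "home",
              max_fw_entries: int = 50, max_regions: int = 2) -> dict:
    """Pick the coarsest source-based control that fits, or say that none does."""
    if not attacker_ips:
        return {"action": "none"}
    if len(attacker_ips) <= max_fw_entries:
        return {"action": "block_ips", "count": len(attacker_ips)}
    regions = Counter(region_of(ip) for ip in attacker_ips)
    if home_region in regions:
        # Attackers sit among your own users: source-based blocking is no longer clean.
        return {"action": "mitigate_backwards", "regions": sorted(regions)}
    if len(regions) <= max_regions:
        return {"action": "geoblock", "regions": sorted(regions)}
    # Many regions, none of them yours: allowing only your own region is what remains,
    # and the text is explicit that this is a business decision.
    return {"action": "allow_only", "regions": [home_region]}


if __name__ == "__main__":
    counts = requests_per_source(make_sample_log())
    bad = attackers(counts, per_source_threshold=20)
    print(len(counts), "sources,", len(bad), "above threshold ->", recommend(bad))
```

On the constructed window the sixty noisy sources exceed the firewall budget but all map to one foreign region, so the function recommends geoblocking that region; add a single attacker from the home region and it falls through to "mitigate backwards", which is the point at which Step 7 begins.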

Step 7: Mitigate specific application attacks
If you have reached this step, the DDoS attack is sufficiently sophisticated to render mitigation by the source address ineffective. Tools such as the Low Orbit Ion Cannon, the Apache Killer, or the Brobot may generate attacks that fall into this category. These attacks look like normal traffic at layer 4, but have anomalies to disrupt services in the server, application, or database tier.

To combat these attacks, you must enable or construct defences at the application delivery tier.

Once you have analysed the traffic in Step 4, if the attack appears to be an application-layer attack, the important questions are: Can you identify the malicious traffic? Does it appear to be generated by a known attack tool?

Specific application-layer attacks can be mitigated on a case-by-case basis with specific F5 counter-measures. Attackers today often use multiple types of DDoS attack vector, but most of those vectors are around layers 3 and 4, with only one or two application-layer attacks thrown in. We hope this is the case for you, which will mean you are nearly done with your DDoS attack.

Step 8: Increase application-level security posture
If you have reached this step in a DDoS attack, you’ve already mitigated at layers 3 and 4 and evaluated mitigations for specific application attacks, and you are still experiencing issues. That means the attack is relatively sophisticated, and your ability to mitigate will depend in part on your specific applications.

Asymmetric application attack: Very likely you are being confronted with one of the most difficult of modern attacks: the asymmetric application attack. This kind of attack can be:
· A flood of recursive GETs of the entire application.
· A repeated request of some large, public object (such as an MP4 or PDF file).
· A repeated invocation of an expensive database query.

Leveraging your security perimeter: The best defence against these asymmetric attacks depends on your application. For example, financial organisations know their customers and are able to use login walls to turn away anonymous requests. Entertainment industry applications such as hotel websites, on the other hand, often do not know the user until the user agrees to make the reservation. For them, a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) might be a better deterrent.

Choose the application-level defence that makes the most sense for your application: A login wall, human detection or real browser enforcement.
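As an added example (not code from the article or from F5), the script below turns the three asymmetric-attack patterns listed in Step 8 into detection heuristics and runs them over constructed access-log lines; the thresholds and the "expensive" endpoint prefixes are assumed values to be tuned per application.

```python
"""Detection heuristics for the asymmetric application attacks of Step 8.

Added example: flags clients whose access-log pattern matches a recursive
GET of the whole application, repeated fetches of a large object, or
repeated calls to an expensive endpoint. Log lines are constructed, and
the thresholds and expensive-endpoint prefixes are assumed values.
"""
import re
from collections import defaultdict

# Combined Log Format, e.g.
# 192.0.2.4 - - [10/Jun/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 4096
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumed thresholds; tune to the real application and its traffic.
LARGE_OBJECT_BYTES = 5 * 1024 * 1024         # responses this big count as "large objects"
LARGE_REPEAT_LIMIT = 5                       # same large object fetched this often by one client
EXPENSIVE_PREFIXES = ("/search", "/report")  # assumed endpoints backed by costly queries
EXPENSIVE_REPEAT_LIMIT = 5
DISTINCT_PATH_LIMIT = 8                      # one client touching this many paths looks like a crawl


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def analyse(lines):
    """Return {ip: {"reasons": [...], "requests": n, "bytes_out": n}} for suspicious clients.

    bytes_out versus requests shows the asymmetry: a handful of cheap
    requests that cost the server megabytes of output or expensive queries.
    """
    stats = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "paths": set(),
                                 "large": defaultdict(int), "expensive": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["bytes_out"] += rec["bytes"]
        path = rec["path"].split("?", 1)[0]   # drop the query string when grouping
        s["paths"].add(path)
        if rec["bytes"] >= LARGE_OBJECT_BYTES:
            s["large"][path] += 1
        if path.startswith(EXPENSIVE_PREFIXES):
            s["expensive"] += 1

    findings = {}
    for ip, s in stats.items():
        reasons = []
        for path, n in s["large"].items():
            if n >= LARGE_REPEAT_LIMIT:
                reasons.append("repeated large object %s x%d" % (path, n))
        if s["expensive"] >= EXPENSIVE_REPEAT_LIMIT:
            reasons.append("expensive endpoint hit x%d" % s["expensive"])
        if len(s["paths"]) >= DISTINCT_PATH_LIMIT:
            reasons.append("crawled %d distinct paths" % len(s["paths"]))
        if reasons:
            findings[ip] = {"reasons": reasons, "requests": s["requests"],
                            "bytes_out": s["bytes_out"]}
    return findings


def sample_log():
    """Constructed log lines (RFC 5737 documentation addresses, not real traffic)."""
    fmt = '{ip} - - [10/Jun/2017:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 {size}'
    lines = [
        # Legitimate visitor: one page view and one brochure download.
        fmt.format(ip="192.0.2.4", sec=1, path="/index.html", size=4096),
        fmt.format(ip="192.0.2.4", sec=2, path="/media/brochure.pdf", size=52428800),
    ]
    # Repeated request of a large public object (Step 8, second bullet).
    lines += [fmt.format(ip="198.51.100.7", sec=i, path="/media/brochure.pdf", size=52428800)
              for i in range(6)]
    # Repeated invocation of an expensive query (third bullet).
    lines += [fmt.format(ip="203.0.113.9", sec=i, path="/search?q=term%d" % i, size=2048)
              for i in range(6)]
    # Recursive GET of the whole application (first bullet).
    lines += [fmt.format(ip="203.0.113.10", sec=i, path="/page%d.html" % i, size=8192)
              for i in range(10)]
    return lines


if __name__ == "__main__":
    for ip, f in analyse(sample_log()).items():
        print(ip, f["requests"], "requests,", f["bytes_out"], "bytes out:", "; ".join(f["reasons"]))
```

The flagged addresses are the candidates for the login wall, CAPTCHA or browser-enforcement controls described above; the legitimate visitor, who fetched the brochure once, is not flagged.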

Step 9: Constrain resources
If all the previous steps fail to stop the DDoS attack, you may be forced to simply constrain resources to survive the attack. This technique turns away both good and bad traffic. In fact, rate limiting often turns away 90 to 99 percent of desirable traffic while still enabling the attacker to drive up costs at your data centre. For many organisations, it is better to just disable or “blackhole” an application rather than rate-limit it.

· Rate shaping: If you find that you must rate-limit, you can provide constraints at different points in a multi-tier DDoS architecture. At the network tier, where layer 3 and layer 4 security services reside, use rate shaping to prevent TCP floods from overwhelming your firewalls and other layer 4 devices.

· Connection limits: Connection limits can be an effective mitigation technique, but they do not work well with connection-multiplexing features. Application tier connection limits should provide the best protection to prevent too much throughput from overwhelming your web servers and application middleware.

Step 10: Manage public relations
Hacktivist organisations today use the media to draw attention to their causes. Many hacktivists inform the media that an attack is underway and may contact the target company during the attack. Financial organisations, in particular, may have policies related to liability that prevent them from admitting an attack is underway. This can become a sticky situation for the public relations manager. The manager may say something like, “We are currently experiencing some technical challenges, but we are optimistic that our customers will soon have full access to our online services.”

Journalists, however, may not accept this type of hedging, especially if the site really does appear to be fully offline. In one recent case, a reporter called a bank’s local branch manager and asked how the attack was proceeding. The branch manager, who had not received media coaching, responded, “It’s awful, we’re getting killed!”

If the DDoS attack appears to be a high-profile hacktivist attack, prepare two statements:
· For the press: If your industry policies allow you to admit when you are being externally attacked, do so and be forthright about it. If policy dictates that you must deflect the inquiry, cite technical challenges but be sure to prepare the next statement.
· For internal staff, including anyone who might be contacted by the press: Your internal statement should provide cues about what to say and what not to say to media, or even better, simply instruct your staff to direct all inquiries related to the event back to the PR manager. Include a phone number.

Anton Jacobsz, managing director at Networks Unlimited, a value-adding reseller of F5 solutions throughout Africa, notes that it is the organisations focusing on a holistic security strategy that are considered forward-looking and ahead of the digital economy curve.

“In a digital age – where sensitive or personal information is at risk of being exposed, and where geo-location and sensor-based tools track movements – organisations need to be prepared for a cyber attack. It has become essential to scrutinise security throughout the entire operation and offerings in order to build the strongest cornerstones for establishing trust between company, employees and consumers,” says Jacobsz.

Source: http://www.itnewsafrica.com/2017/06/ten-steps-for-combating-ddos-in-real-time/

Why IoT Botnets Might be the Next Big Worry?

The rise of IoT globally is still in its early days, hence the level of protection is on the lower end.

We all love the Internet of Things (IoT), don’t we? It has brought ‘things’, a.k.a. the devices around us, to life – from watches, beds, luggage, bulbs and clothes to even buildings (in due time). But that love is now turning into a spoiler. The smart band or watch on your wrist and other IoT electronics are being hacked by malware attackers to turn them into an army of zombie machines and launch botnet attacks.

Much like the October 2016 attack that used IoT webcams and video recorders to block user access to many sites, including Twitter, Reddit and Spotify, by flooding the domain name service they used. Read on as Dhruv Khanna, CEO of cyber intelligence company Data Resolve, shares his insights on it.

Distributed denial-of-service (DDoS) attacks aren’t new. So are those using IoT devices of a new type?

There are multiple types. First are the conventional botnets that target your laptops and desktop servers to track your online activity. Second are the enterprise-specific attacks called distributed denial-of-service (DDoS) attacks, where botnets block all your access to the device.

Third is where your activity and data are captured and sent to a third party. Fourth is where your device is remotely controlled and access is blocked until some money is paid to the attacker. IoT botnets are like DDoS attacks that not just use computers in a conventional botnet way but also IoT devices to break into information and data.

But why have IoT devices become favourites for launching attacks?

The rise of IoT globally is still in its early days, hence the level of protection is on the lower end. Moreover, there are constraints in IoT devices, such as using a basic version of the operating system and less processing, storage and computational power, in terms of setting up anti-virus, firewall and other security applications on them. This makes them an easy target for attackers to use as botnets for attack, in comparison to using just computers and laptops, which are relatively better secured. For example, the Mirai botnet targets consumer devices like remote cameras and home appliances.

The ecosystem in India too isn’t making efforts to be ready. Right?

That’s because IoT here is beginning to take its first step; hence, the awareness around it is not significant. On the enterprise side, before pushing business services onto IoT devices, as a best practice the chief information security officers of the company eventually would have to frame a security manual and controls around IoT devices in terms of IoT device on-boarding, incident monitoring and control. Also, there is a need for regulation to control and monitor them.

Are we better off without IoT?

Not really. The advantage of IoT is that it is part of the cloud ecosystem. Securing the cloud is as good as securing the device. That’s why people are not spending too much on the device level but more on the cloud side. In a typical malware attack you are not able to control the source of the attack, but with an IoT device you can, as you know where your service is based on the cloud. But if your cloud application is compromised, it would be difficult to trace it.

So, this is the next level of cyber security challenge?

It is certainly the next level of attack. For large businesses, it will be a significant hit on their brand along with data. If 10,000 of any vendor’s devices in the market get compromised, then it will impact the company. It is not impacting just you as an individual but all the devices that are interconnected to your device and vice versa.

Source: https://www.entrepreneur.com/article/295274

Lawmakers seek answers on alleged FCC DDoS attack

Five Democratic senators are seeking an FBI investigation into possible cyberattacks on the Federal Communication Commission’s online comment system.

The FCC’s Electronic Comment Filing System crashed in the early hours of May 8 in what the agency called “deliberate attempts by external actors to bombard” the commission and render its systems unusable by legitimate commenters.

Sens. Brian Schatz (D-Hawaii), Al Franken (D-Minn.), Patrick Leahy (D-Vt.), Ed Markey (D-Mass.) and Ron Wyden (D-Ore.) want acting FBI director Andrew McCabe to make an investigation of that May disruption a priority, and also called for an investigation into the source of the attack. The senators’ letter emphasized that they were especially troubled by the disruption of the process of public commentary given that public participation is crucial to the integrity of the FCC’s regulatory process.

The request comes as FCC Chairman Ajit Pai is moving to roll back Obama-era net neutrality regulations over the objections of Democrats in Congress and internet freedom activists.

“Any cyberattack on a federal network is very serious,” the senators wrote. “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC’s rulemaking proceedings.”

The senators seek a reply by June 23.

It’s possible, however, that what the FCC is reporting as a DDoS attack was in fact a traffic spike spurred by TV comedian John Oliver, who urged viewers to register their opposition to the net neutrality rollback in a May 7 broadcast.

The partisan fight over FCC actions on net neutrality has cast a political shadow over the attack, the follow-up and any future investigation. Three of the letter’s five signatories (Schatz, Markey, Franken) also signed a May 17 open letter lambasting the FCC’s possible net neutrality rollback.

Wyden and Schatz also sought clarification from Pai about the ability of the agency to protect against DDoS attacks in a separate May 9 letter. The two sought details on the user capacity of the FCC’s website and requested a reply by June 8.

Meanwhile, the FCC is accepting comments on its net neutrality proceeding through Aug. 16.

Source: https://fcw.com/articles/2017/05/31/fcc-ddos-senators-berliner.aspx

7 nightmare cyber security threats to SMEs and how to secure against them

Small businesses face a range of cyber threats daily and are often more vulnerable than the larger organisations.

Small businesses that see themselves as too small to be targeted by cyber criminals are putting themselves at direct risk.

In fact, small businesses are at an equal, if not greater, risk of being victims of cyber crime – two thirds of small UK firms were attacked by hackers between 2014 and 2016, according to a report from the Federation of Small Businesses.

Cyber crime can cause massive damage to a young business’s reputation, result in loss of assets and incur expenses to fix the damage caused. These attacks could mean the difference between cutting a profit or going bust.

Legal action could also be taken if businesses are found to have failed to put proper safeguards in place. When new data protection laws are introduced in 2018 under GDPR, complacent businesses risk fines of up to £17 million or 4% of annual turnover (whichever is higher) if they suffer a data breach.

So what can small businesses do to protect themselves and the sensitive data of their customers? These are 7 nightmare cyber security threats and how to secure against them.

Threat 1: internal attacks

This shouldn’t come as a surprise to readers, but internal attacks are one of the largest cyber security threats facing small businesses today. Rogue employees, especially those with access to networks, sensitive data or admin accounts, are capable of causing real damage. Some theories even suggest that the notorious 2014 Sony Pictures hack – typically linked to North Korea – was actually an insider attack.

To reduce the risk of insider threats, businesses must identify privileged accounts – accounts with the ability to significantly affect or access internal systems. Next, terminate those that are no longer in use or are connected with employees no longer working in the business.

Businesses can also implement tools to track the activity of privileged accounts. This allows for a swift response if malicious activity from an account is detected, before the damage is done.

Threat 2: phishing and spear phishing

Despite constant warnings from the cyber security industry, people still fall victim to phishing every day. As cyber crime has become well-funded and increasingly sophisticated, phishing remains one of the most effective methods used by criminals to introduce malware into businesses.

Spear phishing is a targeted form of phishing in which phishing emails are designed to appear to originate from someone the recipient knows and trusts – like senior management or a valued client.

To target victims deemed ‘high value’ — i.e. those with access to privileged accounts — cyber criminals may even study their social media to gain valuable insights which can then be used to make their phishing emails appear highly authentic.

If an employee is tricked by a malicious link in a phishing email, they might unleash a ransomware attack on their small business. Once access is gained, ransomware quickly locks down business computers as it spreads across a network. Until a ransom is paid, businesses will be unable to access critical files and services.

To mitigate the risk posed by phishing – and ransomware – organisations must ensure staff are aware of the dangers and know how to spot a phishing email. Businesses must also ensure they have secure backups of their critical data. Because ransomware locks down files permanently (unless businesses want to cough up the ransom), backups are a crucial safeguard for recovering from the hack.

But as ransomware attacks are on the rise, prevention remains better than treatment. Education is the best way of ensuring protection for small businesses.

Threat 3: a dangerous lack of cyber security knowledge

Entire cyber security strategies, policies and technologies are worthless if employees lack cyber security awareness. Without any kind of drive to ensure employees possess a basic level of cyber security knowledge, any measure or policy implemented will be undermined.

A well-targeted spear phishing email could convince an employee to yield their password and user information. An IT team can’t be looking over everyone’s shoulders at once. Because of this, education and training are essential to reduce the risk of cyber crime.

Some employees may not know (or care enough) to protect themselves online, and this can put businesses at risk. Hold training sessions to help employees manage passwords (hint: two-factor authentication for business accounts) and identify phishing attempts. Then provide support to ensure employees have the resources they need to be secure.

Some small businesses will also consider up-skilling members of their IT teams in incident handling, often through popular GCIH training from security vendor GIAC. Incident handling professionals are able to manage security incidents as they happen, and speed the process of recovery if hacks do occur.

Ultimately, even a basic level of knowledge and awareness could mean the difference between being hacked or avoiding the risk altogether.

Threat 4: DDoS attacks

Distributed Denial of Service (DDoS) attacks have overwhelmed some of the largest websites in the world, including Reddit, Twitter, and Netflix. DDoS attacks, which ambush businesses with massive amounts of web traffic, slow websites to a crawl and, more often than not, force crucial services offline.

If a small business relies on a website or other online service to function, the outages caused by DDoS attacks will be catastrophic. Most DDoS attacks last between 6 and 24 hours and cost an estimated £30,000 per hour, according to data from Incapsula, a DDoS prevention firm.

Whilst businesses can’t stop a website or service being targeted in a DDoS attack, they can work to absorb some of the increased traffic, giving them more time to form a response or filter out the spam data.

Ensuring there is extra bandwidth available, creating a DDoS response plan in the event of an attack or using a DDoS mitigation service are all great steps towards reducing the impact of an attack. But that’s just scratching the surface of DDoS mitigation – here are more ways to prevent a DDoS attack.

Threat 5: malware

Malware is a blanket term that encompasses any software that gets installed on a machine to perform unwanted tasks for the benefit of a third party. Ransomware is a type of malware, but others exist, including spyware, adware, bots and Trojans.

To prevent malware from taking hold, businesses should invest in solid anti-virus technology. Operating systems, firewalls, firmware and the previously mentioned anti-virus software must also be kept up to date.

If services are outdated or not updated regularly, businesses are at a serious risk. Just look at the damage caused when malware infected the UK’s National Health Service through an exploit within an outdated version of Windows XP. And that was just one of the high profile targets affected by the global WannaCry ransomware attack.

Threat 6: SQL Injection

Almost every business relies on websites to operate and many depend entirely on the service they provide online. However, poorly secured websites could be wide open to data theft by cyber criminals.

Of the many attacks that can be staged against a website, SQL injection is amongst the most dangerous and even the largest companies fall victim to it.

SQL injection refers to vulnerabilities that allow hackers to steal or tamper with the database sitting behind a web application. This is achieved by sending malicious SQL commands to the database server, typically by inputting code into forms – like login or registration pages.

It takes a few well-calculated steps to protect against SQL injection. As a precaution, businesses should assume all user-submitted data is malicious, get rid of database functionality that isn’t needed and consider using a web application firewall. For a closer look at SQL injection, take a look at this documentation from Cisco.

Properly preventing SQL injection is primarily a responsibility for a web development or security team, but the change has to be driven from the top. Still not convinced? Take a look at this video from Computerphile to see how effective and dangerous SQL injection can be.
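An added illustration (not from the article) of why form input must never be pasted into SQL text: the unsafe login lookup below beside its parameterized form, run against an in-memory SQLite table of constructed users. Function names are assumed, and parameterized queries are the standard fix that the article's advice to distrust all user-submitted data points towards.

```python
"""SQL injection, as described under Threat 6: the unsafe lookup beside its parameterized form.

Added example with an in-memory SQLite table of constructed users; the
function names are assumed. Parameterized queries are the standard fix;
the article itself only names input distrust and a web application firewall.
"""
import sqlite3


def make_db():
    """Build a throwaway users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice Example"), ("o'brien", "Pat O'Brien")])
    conn.commit()
    return conn


def lookup_user_unsafe(conn, username):
    """VULNERABLE: the form value is pasted into the SQL text.

    Whatever the user types becomes part of the statement, so a quote
    character in the input changes the query's structure instead of being
    treated as data. This is the property injection attacks rely on.
    """
    query = "SELECT display_name FROM users WHERE username = '%s'" % username
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_user_safe(conn, username):
    """Parameterized query: the value travels separately from the SQL text."""
    row = conn.execute("SELECT display_name FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def compare(username):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    result = {"safe": lookup_user_safe(conn, username)}
    try:
        result["unsafe"] = lookup_user_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        # The input was interpreted as SQL, not as a username.
        result["unsafe"] = "SQL error: %s" % exc
    return result


if __name__ == "__main__":
    # A perfectly legitimate name already breaks the unsafe version.
    print(compare("o'brien"))
```

Even an ordinary name containing an apostrophe makes the unsafe version fail, because the database parses the input as part of the statement; the parameterized version returns the expected row for the same input.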

Threat 7: BYOD

Businesses are vulnerable to data theft, especially if employees are using insecure mobile devices to share or access company data. As more small businesses adopt bring your own device (BYOD) technology, corporate networks could be at risk from unsecured devices carrying malicious applications that could bypass security and access the network from within the company.

The solution is nailing down a defined BYOD policy. A comprehensive BYOD policy educates employees on device expectations and allows companies to better monitor email and documents that are being downloaded to company-owned devices.

Ensure employee-owned devices access the business network through a VPN, which connects remote BYOD users with the organisation via an encrypted channel. A VPN is crucial if employees use public Wi-Fi networks to access business data. Public Wi-Fi is notoriously insecure and provides little protection against criminals who might be watching the transfer of sensitive data.

If an attacker does capture encrypted VPN traffic they will only see incomprehensible characters going from you to a VPN server – meaning no sensitive data is leaked.

Source: http://www.information-age.com/7-nightmare-cyber-security-threats-smes-secure-123466495/

Long Before ‘WannaCry’ Ransomware, Decades Of Cyber ‘Wake-Up Calls’

By latest counts, more than 200,000 computers in some 150 countries have been hit by a cyberattack using ransomware called WannaCry or WannaCrypt, which locked the data and demanded payment in bitcoin. The malware was stopped by a young U.K. researcher’s lucky discovery of a kill switch, but not before it caused hospitals to divert patients and factories to shut operations.

The origins of the malicious software — which feeds on a Microsoft vulnerability — trace back to the National Security Agency: cybertools stolen from the government and posted publicly in April. Microsoft had issued a patch in March. (And here are good tips to generally secure yourself.)

“The governments of the world should treat this attack as a wake-up call. … We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” Microsoft President Brad Smith wrote in a follow-up blog post. “We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. … In this sense, the WannaCrypt attack is a wake-up call for all of us.”

This one, it’s a wake-up call. Haven’t we heard that somewhere before? In fact, archival searches show the use of the cliché stretching back decades — as far back as the early viruses and worms of the 1980s.

“I think people use ‘wake-up call’ in different ways, but it’s generally used to mean to treat cybersecurity like a bona fide national security problem, which we still for the most part don’t do,” says Philip Reitinger, head of the nonprofit Global Cyber Alliance. “In general, it’s ‘Gosh, now people will understand, governments and private sector will understand how serious it is — and do something. When the history has shown, no, they won’t.”

Reitinger and numerous other veterans in the field have been making many of the same calls through the years: Commit proper funding, as for any other national security threat; write new laws that would tangibly incentivize and enforce good behavior by companies large and small; put proper priority on creating a system that can defend itself.

“I’m tired of people writing reports and recommendations,” Reitinger says. “We’re not treating this like the moonshot; we just get the words.”

Well, in the spirit of the focus on words, let’s follow it through history. Below is a select taste of some of the major hacks and attacks that were declared to be a “wake-up call” by government officials and security experts.

1998: The Pentagon

The AP reported on Feb. 26: “The Pentagon’s unclassified computer networks were hit this month by the ‘most organized and systematic’ attack yet.” It was later attributed to two California teenagers, guided by an Israeli teen.

The AP cited Deputy Defense Secretary John Hamre saying that the government and the private sector had not done enough to protect sensitive networks from attacks. In a story on NPR’s All Things Considered, Hamre said: “It was certainly a wake-up call. It certainly is indicative of a future we could be facing that’s much more serious. And we need to learn the lessons from this experience and take advantage of it.”

2000: Popular websites

In a highly publicized denial-of-service attack, a 15-year-old known online as Mafiaboy brought down Amazon, CNN, Dell, E*Trade, eBay and Yahoo!, which was then the largest search engine. On Feb. 15, then-White House Chief of Staff John Podesta appeared on CNN, saying:

“I think these latest attacks have been a wake-up call for Americans that more needs to be done, that we need to get together and do what we did to deal with the Y2K crisis, which is to come together to share ideas, to do more research and development on security measures that can be taken to enhance the network security, and to build a really strong foundation of security and privacy for the information infrastructure as we create this great promise of the digital economy.”

In March, the tech panel of the Senate Judiciary Committee held a hearing on cyberterrorism, where subcommittee chairman Sen. Jon Kyl said the attacks “raised public awareness and hopefully will serve as a wake-up call about the need to protect our critical computer networks.”

2003: Computers worldwide

SQL Slammer became known as “the worm that crashed the Internet in 15 minutes.” In prepared testimony at the House of Representatives, Vincent Gullotto of Anti-Virus Emergency Response Team at Network Associates said:

“During the Slammer virus outbreak, major U.S. banks experienced widespread ATM outages, a major airline canceled or delayed flights, and a large U.S. metropolitan area lost its 911 emergency services. … Attacks such as those that occurred over the last several weeks provide an important wake-up call to governments, industries, and consumers. We must not be complacent; we must act.”

2010: Google

Google disclosed “a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property.” It was later dubbed “Operation Aurora,” said to have targeted dozens of companies.

After Director of National Intelligence Dennis Blair appeared before the Senate intelligence committee, NPR’s Mary Louise Kelly reported on All Things Considered on Feb. 2:

Blair “used much stronger language than I’ve heard him use before, talked about malicious cyberactivity, and I’ll quote him, ‘is occurring on an unprecedented scale with extraordinary sophistication.’ He talked about things like the recent hacking attack on Google, said that should be a wake-up call, said that the U.S. information infrastructure overall [is] severely threatened.”

2010: Iran’s nuclear program

Stuxnet is a massive computer worm that attacked Iran’s industrial equipment, including at a uranium-enrichment facility. On Nov. 17, Symantec executive Dean Turner testified before the Senate Homeland Security Committee:

“Stuxnet demonstrates the vulnerability of critical national infrastructure industrial control systems to attack through widely used computer programs and technology. Stuxnet is a wake-up call to critical infrastructure systems around the world. This is the first publicly known threat to target industrial control systems and grants hackers vital control of critical infrastructures such as power plants, dams and chemical facilities.”

2012: Saudi Aramco

In August, a virus called Shamoon wiped out files from 30,000 corporate computers of the world’s largest oil exporter.

In a Dec. 7 speech, then-Defense Secretary Chuck Hagel called the attacks on Saudi Aramco and a subsequent attack targeting the Qatari natural gas company RasGas, “a serious wake-up call to everyone.” Hagel added: “The United States will continue to help build the capacity of partners and allies to defend their critical infrastructure from cyberattack, especially major energy, infrastructure, and telecommunications facilities.”

2015: Office of Personnel Management

In the massive OPM data breach, hackers stole personal information of more than 20 million current and former federal employees, contractors, family members and others who had undergone federal background checks.

In a Time op-ed titled “U.S. Cybersecurity Is Too Weak,” Sens. Chris Coons and Cory Gardner of the Senate Foreign Relations Committee wrote:

“The OPM hack remains the largest data breach ever suffered by the federal government and should have served as a wake-up call to Congress. … The United States must develop a robust prevention and recovery policy response that can adapt to current and future technological advancements.”

In his own op-ed for Federal News Radio, House Oversight Chairman Jason Chaffetz wrote: “This should serve as a wake-up call to all in government on how to best secure federal IT and data. A shift toward zero trust is one way to improve federal IT security.”

2016: Dyn

Hackers attacked a major Internet infrastructure company called Dyn, disrupting websites and services such as Twitter, Amazon, Spotify and Airbnb. The disruptions lasted most of the day, a result of a massive distributed denial-of-service attack delivered through millions of hijacked Internet-connected things such as baby monitors, DVRs and CCTV cameras, infected with Mirai malware.

“It’s important for [Internet of Things] vendors who haven’t prioritized security to take this escalating series of attacks as a wake-up call,” The Washington Post quoted Casey Ellis of cybersecurity firm Bugcrowd as saying. “We’re entering a period where this is very real, calculable, and painful impact to having insecure products.”

A House Energy and Commerce panel convened to discuss the security of Internet-connected devices. Rep. Bob Latta, R-Ohio, weighed in: “The recent DDoS attack should serve as a wake-up call that our systems are susceptible to attempts to use IoT devices to wreak havoc.”

Source: http://www.npr.org/sections/alltechconsidered/2017/05/16/528447819/long-before-wannacry-ransomware-decades-of-cyber-wake-up-calls

APAC organisations report average revenue loss of US$250,000 to DDoS attacks

Distributed Denial of Service (DDoS) attacks are causing revenue loss to organisations in Asia Pacific (APAC), according to Neustar’s Worldwide DDoS Attacks and Cyber Insights Research Report.

A third (33 percent) of APAC organisations reported average revenue loss of at least US$250,000.

Nearly half (49 percent) of organisations in the region take at least three hours to detect, and 42 percent take at least three hours to respond.

Ransomware and malware occurring in concert with DDoS attacks were also reported by 49 percent of organisations in APAC.

“With organisations across Asia Pacific being attacked more often and DDoS attacks predicted to become even larger and more complex, IT and business leaders need to evaluate the effectiveness of existing security strategies,” said Robin Schmitt, general manager, APAC at Neustar.

Global findings

The report also found that 99 percent of organisations globally have some sort of DDoS protection in place. However, 849 out of 1,010 organisations surveyed globally were attacked with no particular industry spared. Forty percent of the ‘victims’ said they received attack alerts from customers.

More than half (51 percent) of attacks involved some sort of loss or theft, with a 38 percent increase year-over-year in customer data, financial and intellectual property thefts.

Forty-five percent of DDoS attacks across the globe were reported to be more than 10 gigabits per second (Gbps), while 15 percent of attacks were at least 50 Gbps.

“The research shows that simply identifying an attack and depending on basic defences is not enough. Organisations in the region need to adopt stronger defences and innovative solutions to more quickly and effectively mitigate the growing risk and likely impact of a major DDoS attack,” said Schmitt.

Source: https://www.mis-asia.com/tech/security/apac-organisations-report-average-revenue-loss-of-us250000-to-ddos-attacks/