Memcached Servers Being Exploited in Huge DDoS Attacks

Multiple vendors this week say they have seen a recent spike in UDP attacks coming in via port 11211.

Multiple security vendors this week are warning about threat actors for the first time exploiting unprotected Memcached servers to launch dangerously large denial-of-service attacks against target organizations.

German DDoS mitigation service provider Link11, one of those to report on the new activity, says that over the past few days it has observed massive UDP attacks in which Memcached servers have been used as an amplification vector.

Each of the high-bandwidth attacks that Link11 observed in late February has exceeded 100 Gbps, with peaks of well over 400 Gbps. The attacks went on over multiple consecutive days and lasted up to 10 minutes on average, according to the company.

Akamai Technologies says that on Monday it mitigated a 190 Gbps Memcached attack that generated over 17 million packets per second. Cloudflare, another vendor to report on the previously unseen attack type, says that over the past two days it has seen an increase in UDP attacks coming in via UDP port 11211, the port associated with Memcached services.

The company says the peak inbound UDP Memcached traffic it has seen so far is 260 Gbps, which is massive for a completely new amplification vector.

Memcached is open source software that many organizations install on their servers to increase performance speed. It works by caching data in system memory and is designed purely for use behind firewalls and on enterprise LANs, says Link11 CTO Karsten Desler. But many organizations have deployed Memcached hosts that are completely accessible from the public Internet. All that attackers have to do is to search for these hosts and then use them to direct high-volume DDoS traffic at a victim.

Desler says a recent Link11 scan showed at least 5,000 Memcached servers deployed on the public Internet that are open for exploit. These servers give attackers a way to generate massive volumes of DDoS traffic with even a relatively small bandwidth connection and minimal input.

“The amplification factor with Memcached servers is hundreds of times larger than DNS,” says Desler. “You need a lot fewer servers to get the same bandwidth [compared to] using DNS, NTP, or any other amplification vector,” he says.

With DNS amplification, for instance, an attacker might be able to generate a 50KB response to a 1KB request. But with a Memcached server, an attacker would be able to send a 100-byte request and get a 100MB or even 500MB response in return. In theory, at least, the amplification could be unlimited, Desler says.

Security researchers have previously warned about Internet-facing Memcached servers being open to data theft and other security risks. Desler theorizes one reason why attackers have not used Memcached as an amplification vector in DDoS attacks previously is simply because they have not considered it and not because of any technical limitations.

Exploiting Memcached servers is new as far as real-world DDoS attacks are concerned, says Chad Seaman, senior engineer with Akamai’s Security Intelligence Response Team. “A researcher had theorized this could be done previously,” Seaman says. “But as Memcached isn’t meant to run on the Internet and is a LAN-scoped technology that is wide open, he thought it could really only be impactful in a LAN environment.”

But the use of default settings and reckless administration overall among many enterprises has resulted in a situation where literally tens of thousands of boxes running Memcached are on the public-facing Internet, Seaman says. “And now the DDoS attackers have found them and appear to be capitalizing on them before significant clean-up efforts take place.”

What makes the attacks worrisome is that Memcached services are deployed on servers and in hardware pools with plenty of bandwidth and resources. Unlike typical reflected attacks with mostly static payloads — like CharGen and NTP — that cannot be easily modified, with Memcached reflection an attacker has much more control over the payload. This gives them the potential to do a lot more damage, Seaman says.

The primary problem is that Memcached, with its lack of authentication or controls, is world readable and writable. It’s also very fast, as it does all data management directly in memory, and by default it supports key value stores of up to 1MB.

So, if attackers can find suitably beefy machines and load them up with as many keys as they want, they can use the box to launch waves of traffic with amplification rates far exceeding the norm for DDoS attacks, Seaman says. “In theory, an attack could unleash gigs of traffic from a single machine with a packet that’s only a few dozen bytes.”

Mitigation at this point is basically blocking traffic from source port 11211 at the router, firewall, and elsewhere along the network edge, adds Domingo Ponce, director of global security operations at Akamai. Organizations also need to ensure they have the bandwidth to absorb the attacks while allowing legitimate traffic to remain up.

“It’s real and we’ve seen it,” Ponce says. “At the end of the day, your pipes better be big enough.”



Storage Terminals need protection against cyber attacks

Cyber security is a subject that we read about almost every week and one thing is for sure, we need to take the matter more seriously both at a business and personal level.

This is a key focus at the forthcoming StocExpo Europe conference and exhibition in Rotterdam.

The tank storage industry has its own cyber security challenges, with many existing terminals using older equipment that is often susceptible to cyber-attack. Terminal owners and tank storage operators must protect their assets from cyber-attacks by ensuring that their entire automation and control systems comply with IEC 62443, the de facto standard for operational technology environments worldwide. The European Union has recognised the potential threats businesses face and is in the process of developing the new IACS Cyber Security Framework.

There are two major threats that terminals and tank storage companies should be aware of: ransomware and denial of service (DDoS). Of course, there is also the threat of general cyber espionage to consider. On initial reading of this latter point, cyber espionage may not seem relevant to the terminal and tank storage industry until you consider that cyber criminals could use programs to manipulate and influence the stock market through interference with the production process. Of course, that in turn opens up issues of health and safety.

Today many terminal operators are taking active steps to determine the current state of cyber security in order to identify key risks. For example, establishing whether equipment, installation or control systems are directly connected to the internet without the appropriate protection.

Companies such as Hudson Cybertec often begin this process by conducting interviews that look at the organizational structure, reviewing policies and procedures, and reviewing technology. These three pillars are important because investing in technology alone is not the answer. Speaking at the upcoming StocExpo Europe exhibition and conference, which is being held in Rotterdam on 20-22 March, Marcel Jutte, Managing Director of Hudson Cybertec, and Ruud Timmermans, Automation Engineer at VTTI, will be addressing the entire subject of cyber security as it affects the terminal and tank storage industry and will be giving best practice advice to those delegates in attendance.

Several exhibitors will also be showcasing their innovative solutions, products and services focused around security and safety, including:

  • Zhejiang Dahua Technology, a leading solution provider in the global video surveillance industry, will be showcasing their network cameras that provide an all-in-one solution for capturing long-distance surveillance in outdoor applications.

  • Eccos, who have extensive experience in safety and security projects, will be showcasing three new products: Orgman (a computerized management system), Epsimax (an advanced software solution) and a new internal corrosion monitoring system.

Visitors attending StocExpo Europe 2018 can find out more information about the latest innovations and developments and how they are improving security within industry at the show. Attendees are encouraged to register online to ensure free entry to the event or



Cloudflare rushes to repair nasty bug

Data lost

Cloudflare got its skates on to fix a bug which could have exposed shedloads of user data.

For those not in the know, Cloudflare helps optimise the security and performance of more than 5.5 million websites, so it mattered when it warned customers that a recently fixed software bug had exposed a range of sensitive information, which could have included passwords, cookies and tokens used to authenticate users.

The leak may have been active since September 22, nearly five months before it was discovered, although the most significant period of impact was between February 13 and February 18. Google cached some of the sensitive data, so it can be found via a search. Hackers could access the data in real time by making Web requests to affected websites, and obtain some of the leaked data later by crafting queries on search engines.

Cloudflare CTO John Graham-Cumming wrote in his blog that the bug was severe because the leaked memory could contain private information and because search engines had cached it.

“We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

Apparently, there was a bug in an HTML parser chain Cloudflare uses to modify webpages as they pass through the service’s edge servers. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating e-mail addresses, and excluding parts of a page from malicious Web bots.

When the parser was used in combination with three Cloudflare features—e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites—it caused Cloudflare edge servers to leak pseudo random data.

Within an hour of the bug coming to Cloudflare’s attention early last Saturday morning, engineers had already disabled e-mail obfuscation, a measure that mostly plugged the memory leak. It took another six hours for Cloudflare to identify and fix the underlying bug in the HTML parser.



Interpol Tests Global Cops with IoT Simulation

Interpol last week held a simulated training exercise for global investigators designed to help overcome Internet of Things (IoT) skills shortages.

The international police organization’s annual Digital Security Challenge saw 43 cybercrime investigators and digital forensics experts from 23 countries face a simulated cyber-attack on a bank launched through an IoT device.

During the course of the simulation, investigators found that the malware was sent in an email attachment via a hacked webcam, and not direct from a computer.

Interpol claimed this is an increasingly popular tactic designed to obfuscate the source of attacks, but warned that police may not have the skills to forensically examine IoT devices.

“The ever-changing world of cybercrime is constantly presenting new challenges for law enforcement, but we cannot successfully counter them by working in isolation,” said Noboru Nakatani, executive director of the Interpol Global Complex for Innovation.

“A multi-stakeholder approach which engages the expertise of the private sector is essential for anticipating new threats and ensuring police have access to the technology and knowledge necessary to detect and investigate cyber-attacks.”

The first two Digital Security Challenge exercises in 2016 and 2017 simulated cyber-blackmail involving Bitcoin and a ransomware attack, so the new focus on IoT is reflective of the changing nature of threats.

Last week, Trend Micro claimed in its 2017 roundup report that IoT devices are increasingly being “zombified” to mine crypto-currency and launch cyber-attacks like DDoS.

Hackers can target exposed IoT endpoints to infiltrate corporate networks, conscript them into botnets or even interfere with critical infrastructure.

However, nearly half (49%) of all IoT “events” observed by the security vendor last year — amounting to a total of 45.6 million — involved crypto-currency mining.

Adam Brown, security solutions manager at Synopsys, argued that IoT attacks will continue until firmware flaws are addressed.

“Good practices by vendors around configuration and authentication need to be initiated or matured to prevent this in future,” he added.

“I would love to see certification for IoT devices become commonplace so that consumers can know that the devices are cyber-safe, much in the same way that if you buy a toy with a CE mark you know it has been through a process of assessment and it won’t, for example, poison anyone because it has lead in its paint.”



DDoS Costs Skyrocket for SMBs and Enterprises Alike

The financial impact of a distributed denial-of-service (DDoS) attack is continuing to rise globally – with significant cost spikes for both small to medium-sized businesses (SMBs) and enterprises per attack.

Kaspersky Lab’s IT Security Risks Survey 2017, which polled 5,200 business representatives from 29 countries, shows that whether as the result of a single incident or as part of a multi-faceted cyberattack, the financial cost of reacting to a DDoS attack in 2017 is $123,000 per incident for SMBs, compared to $106,000 in 2016.

For enterprises, the cost has soared more than half a million dollars – from $1.6 million in 2016 to $2.3 million in 2017 on average per attack. The rising financial costs of DDoS attacks, coupled with unquantifiable impacts such as reputational damage, are crippling for many organizations.

When asked about the specific consequences experienced as a result of a DDoS attack, most organizations (33%) claim that the cost incurred in fighting the attack and restoring services is the main burden, while a quarter (25%) cited money spent investing in an offline or back-up system while online services are unavailable. Additionally, 23% said that a loss of revenue and business opportunities occurred as a direct result of DDoS attacks, whereas 22% listed the loss of reputation among clients and partners as another direct consequence of a DDoS attack.

Previous Kaspersky Lab research also found that the attack rate is accelerating, with more than a third (33%) of organizations facing a DDoS attack in 2017, compared to just 17% in 2016. Even so, organizations are undereducated about taking steps to protect themselves. For instance, they often expect third parties to protect their businesses.

According to the research, 34% of organizations expect their ISP will protect them from DDoS attacks, and another 26% expect their data center or infrastructure partners will do so. Additionally, nearly a third (28%) claim that it is unlikely that they will be targeted by a DDoS attack in general.

“DDoS attacks, both standalone or as part of an attack arsenal, can cost an organization thousands, if not millions – that’s without counting reputational damage and lost clients and partners as a result,” said Kirill Ilganaev, head of Kaspersky DDoS protection, Kaspersky Lab. “It is therefore wise to be aware of these threats and invest in their own protective measures in advance. It is also important to choose reliable specialized security solutions that are based on cybersecurity expertise and tailored to fight the most sophisticated DDoS attacks organizations face today.”



DDoS: Defense or Devastation

Your money or your data. Cybercriminals are forcing some companies to make the choice: Either send money or risk a distributed denial of service (DDoS) attack, which can take down company IT systems, disrupting infrastructure or services and resulting in significant losses across the organization. Corero research has shown that DDoS attacks increased by 35 percent in 2017 from the previous year and are becoming more sophisticated, with tools and techniques evolving alongside the explosion of vulnerable internet of things (IoT) devices hitting the market.

DDoS-for-Hire services are a significant factor in the increase in attack activity. For the right price, anyone can make a payment and name a target, and a crippling attack is launched. It has become that easy. While DDoS attacks can be attributed to someone wanting to send a big message or with an ideological view, organized crime has now discovered its uses and the profitability that comes with it. The big shift has been toward financially motivated attacks, with significant increases in extortion and ransom threats.

The Art of the DDoS

Greater awareness of this evolving plague started with the Mirai code, which was used to search and identify IoT devices that could be recruited into a giant botnet used to launch huge DDoS attacks. Just over a year ago, the market was forced to acknowledge this threat vector, when domain name service (DNS) provider DYN was attacked by a complex DDoS attack that impacted dozens of internet platforms and services such as Twitter, Spotify, Reddit, Netflix and others.

Once Mirai’s author made the code public, the DDoS landscape was changed forever. Mirai has spawned myriad variants including Okiru, Satori and now Masuta. This new dawn of opportunities for the cybercriminal community demonstrates how hackers typically start with the path of least resistance and, when that becomes blocked, look for the next easiest path. Early reports of a new botnet variant named “Masuta” show how the initial Mirai simple password brute-force methods, which are still employed, are now being supplemented with more sophisticated vulnerability exploits. Satori targeted Huawei routers, and now the Okiru code has opened up a whole new group of devices which can be recruited into botnets—from cars to phones to TV cameras and more—by targeting ARC processors, which are embedded in more than a billion products per year. This progression is enabling a broader range of devices, from a wider range of more well-known vendors, to be recruited into botnets, ready to be exploited for various nefarious purposes, including DDoS attacks.

Transforming the Attacks

Once a botnet has been herded, cybercriminals select from the myriad of delivery mechanisms, such as pulse-waves, floods, reflection, amplification or any other of the many DDoS attack vectors. Pulse-wave attacks are gaining favor, as they enable perpetrators to attack multiple targets, one after another, with short high-volume bursts in a rapidly repeating cycle. They can ramp the attack traffic faster and increase the chances of evading legacy protection on a network. Short-duration attacks are often combined with more calculated, sub-saturating traffic volumes, rather than using massive brute-force attacks. These short-duration, surgical attacks are often crafted specifically to fly under the radar of conventional DDoS protection, as they can blend in with regular traffic volumes.

DDoS attacks are being used for a variety of purposes, but now, more than ever, they are leveraged in conjunction with other attacks. Similar to a sleight of hand, while the target organization focuses on the ramifications of the DDoS attack, other attacks are launched to infiltrate the network and carry out activities such as exfiltrating valuable data.

Next Generation Internet Gateways

The increase in DDoS attacks, combined with their possibly devastating impact, has been the driver for many companies to redefine and standardize the way they manage their connections to the internet. These so-called next-generation internet gateways include next-generation firewalls and the latest always-on DDoS mitigation, with corporate policies designed to enable access to the internet that is designed, managed and monitored in a repeatable manner.

Many organizations now rely on their Internet presence to do business, and the only safe approach to ensuring continuous online availability is to include real-time, automatic DDoS protection as part of a next-generation defense.



Brazil hit by 30 DDoS attacks per hour in 2017

The country is part of a global ranking of the five nations most targeted by cybercriminals, says study.

Brazil ranks fifth on a list of countries most targeted by distributed denial of service (DDoS) attacks in 2017, according to a study released today.

The country saw a total of 264,900 attacks last year, about 735 per day and 30 per hour. The data comes from the 13th annual Worldwide Infrastructure Security Report by NETSCOUT Arbor.

Of the attacks that took place in Brazil, 34.9 percent originated in the country itself, followed by attacks originating in the United States (30.3 percent), Canada (17.8 percent) and the United Kingdom (17.8 percent).

Globally, there were 7.5 DDoS attacks in 2017, according to the report, which lists the US as the country where most events took place, followed by South Korea, China and France.

The study is based on data from 360 Internet service providers, mobile operators and other networking vendors worldwide and covers the period from November 2016 to October 2017.



Californian may not see stars for years after conviction for DDoS attack against telescope retailer

A California man was convicted of launching distributed denial of service (DDoS) attacks against telescope retailer Astronomics and the online astronomy forum the company runs called Cloudy Nights.

David Chesley Goodyear, of El Segundo, Calif., was found guilty by a jury last week of hitting both the Norman, Okla.-based retailer and forum in August 2016, reported Robert J. Troester, Acting United States Attorney for the Western District of Oklahoma. Troester presented evidence to the jury that Goodyear had belonged to the Cloudy Nights forum, but twice had been blocked from the site for violating its terms of service, which included sending threats to users, administrators, and moderators.

Goodyear used two aliases to place posts on Cloudy Nights on August 9 and 13, 2016. In these posts he threatened to “talk with his contacts and hit the forum and Astronomics with a DoS attack,” Troester said.

“Evidence further showed that DDoS attacks against Astronomics and Cloudy Nights commenced that night and continued intermittently until the end of August 2016, when Goodyear was interviewed by law enforcement and admitted he was responsible for the attacks,” Troester said.

Goodyear faces up to 10 years in prison and a $250,000 fine.



The risks of DDoS and why availability is everything

DDoS attacks bring significant risk to organisations that depend on their networks and websites as an integral part of their business. And these days, that’s just about everyone. Think about online banking, retailing, travel reservations, medical patient portals, telecommunications, B2B e-commerce – virtually every business model today includes a significant online transactional component or, in some cases, has shifted online entirely.

We’ve all experienced the feeling of frustration, or even desperation, when the online services we expect are not available to us instantly when we want or need them. Imagine that happening to thousands or even millions of customers worldwide, simultaneously, and you can understand the potential impact of a single DDoS attack on your organisation. Maintaining availability of digital platforms, networks, applications and services is not simply a security issue – it is a business risk and continuity issue.

It doesn’t take much to take down a substantial section of the internet. In November 2016, an accidental misconfiguration at a major internet infrastructure company led to outages at several large carriers. Although the “route leak” was accidental and not malicious, the resulting 90-minute lack of availability was still painful for the carriers and their customers alike.

A concerted attack can have far more damaging consequences. Unlike advanced threats or data breaches, which are designed for stealth to exfiltrate data of value, a successful DDoS attack is instantly recognisable. The symptoms range from poor performance and intermittent outages, to a stream of customer complaints, all the way to sudden and complete unavailability. Whatever the motive, disruption or denial of service is the goal.

Have threat capabilities leapfrogged your protection capacity?

DDoS attacks have been around just as long as e-commerce itself. Established organisations with a significant online presence have always taken measures to ensure availability. Ask yourself, however, if the protection you may have put in place several years ago is still adequate for a modern-day attack. DDoS threat capabilities have become more complex, dynamic and multi-vector. Increasingly, attackers employ a combination of attack methodologies, on the assumption that at least one will succeed while the others divert defences. These attack types include:

  • Volumetric: Large bandwidth-consuming attacks that essentially “flood” network pipes and router interfaces.
  • TCP State Exhaustion: Attacks that use up all available transmission control protocol (TCP) connections in internet infrastructure devices such as firewalls, load balancers and web servers.
  • Application Layer: “Low and slow” attacks intended to gradually wear down resources in application servers.

Moreover, attacks today are much easier for less sophisticated threat actors to launch, owing to the ready availability of inexpensive do-it-yourself attack tools and DDoS-for-hire services. The threat landscape has been further exacerbated by the rapid proliferation of inadequately secured Internet of Things (IoT) devices, which are being swept into botnets and weaponised to launch multi-vector DDoS attacks.

Evaluating risks and defences

With the increase in multi-vector attacks, security experts agree that reducing the risk from DDoS attacks requires a defence-in-depth or layered approach utilising multiple, synchronised mitigation approaches.

Firewalls have long stood as the first line of defence, as policy enforcement solutions designed to prevent unauthorised data access. Unfortunately, firewalls are not very effective when it comes to availability threats like the modern-day, multi-vector DDoS attack.

Modern firewalls perform stateful packet inspection—maintaining records of all connections passing through the firewall. They determine whether a packet is the start of a new connection, part of an existing connection or invalid. But as stateful and inline devices, firewalls add to the attack surface and can be DDoS targets.

They have no inherent capability to detect or stop DDoS attacks because attack vectors use open ports and protocols. As a result, firewalls are prone to become the first victims of DDoS as their capacity to track connections is exhausted. Because they are inline, they can also add network latency.

Finally, because they are stateful, they are susceptible to resource-exhausting attacks such as Transmission Control Protocol synchronize (TCP SYN) floods and spoofed Internet Control Message Protocol (ICMP) ping floods.
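The "TCP State Exhaustion" vector listed above and the point just made about stateful firewalls are the same mechanism seen from two sides: a stateful device has to allocate a table entry on every client SYN and hold it until the handshake completes or times out, so an attacker who never completes handshakes fills the table. The script below is an added example written for this page (not code from any vendor named in it): it replays constructed tcpdump-style packet summaries through a minimal connection table, reports which sources are holding half-open entries, and tells you whether a table of a given capacity would already be full. The line format, the sample packets and the thresholds are this example's assumptions.

```python
"""Track half-open TCP handshakes the way a stateful device must.

Added example for this page, not code from any vendor named in it. The
packet summaries are constructed, in a tcpdump-like format that is this
example's own assumption:
    <epoch> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]
"""
import re
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport flags")
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: one legitimate client (192.0.2.20) completes its
# handshake; two other sources send SYNs and never ACK the SYN-ACK.
SAMPLE_PACKETS = """\
1519830000.001 IP 192.0.2.20.51000 > 198.51.100.5.443: Flags [S]
1519830000.050 IP 198.51.100.5.443 > 192.0.2.20.51000: Flags [S.]
1519830000.100 IP 192.0.2.20.51000 > 198.51.100.5.443: Flags [.]
1519830000.200 IP 203.0.113.7.40000 > 198.51.100.5.443: Flags [S]
1519830000.201 IP 203.0.113.7.40001 > 198.51.100.5.443: Flags [S]
1519830000.202 IP 203.0.113.7.40002 > 198.51.100.5.443: Flags [S]
1519830000.203 IP 203.0.113.7.40003 > 198.51.100.5.443: Flags [S]
1519830000.204 IP 203.0.113.8.40000 > 198.51.100.5.443: Flags [S]
1519830000.205 IP 203.0.113.8.40001 > 198.51.100.5.443: Flags [S]
1519830000.300 IP 198.51.100.5.443 > 203.0.113.7.40000: Flags [S.]
"""


def parse_packets(text):
    """Parse the summary lines; anything that does not match is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Packet(float(m["ts"]), m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["flags"]))
    return out


def connection_states(packets):
    """Replay packets through a minimal state table. An entry is created on
    the client's SYN and becomes 'established' on the client's bare ACK for
    the same 4-tuple; until then it is 'half-open'. The server's SYN-ACK
    ([S.]) is on the reverse tuple and does not change the client's entry."""
    state = {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            state.setdefault(key, "half-open")
        elif p.flags == "." and state.get(key) == "half-open":
            state[key] = "established"
    return state


def half_open_by_source(packets):
    """Number of unfinished handshakes each source is holding open."""
    counts = defaultdict(int)
    for (src, _, _, _), s in connection_states(packets).items():
        if s == "half-open":
            counts[src] += 1
    return dict(counts)


def syn_flood_sources(packets, min_half_open=3):
    """Sources holding at least min_half_open unfinished handshakes."""
    return sorted(s for s, n in half_open_by_source(packets).items()
                  if n >= min_half_open)


def table_exhausted(packets, capacity):
    """True when half-open entries alone fill a table of `capacity` slots,
    i.e. the next legitimate SYN would have nowhere to go."""
    return sum(half_open_by_source(packets).values()) >= capacity


if __name__ == "__main__":
    pk = parse_packets(SAMPLE_PACKETS)
    print("half-open per source:", half_open_by_source(pk))
    print("suspected SYN-flood sources:", syn_flood_sources(pk))
    print("table of 6 slots exhausted:", table_exhausted(pk, 6))
```

The legitimate client never appears in the half-open counts because its ACK closed the entry, while the six SYNs from the other two sources sit in the table indefinitely; that is why the article calls stateful, inline devices the first victims, and why purpose-built mitigation sits in front of them.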

Intelligent DDoS Mitigation Solutions (IDMS) are purpose-built for DDoS defence and are deployed on-premise, in front of the firewall. These solutions can handle the majority of attacks; in fact, 80% of DDoS attacks are less than 1Gbps in size.

However, they are not adequate for the growing number of large-scale attacks intended to overwhelm internet bandwidth. These larger attacks are best mitigated in the cloud. Best practice defence today is an intelligently integrated combination of on-premise and cloud-based solutions.

Recognising that denial of availability is a business risk, it makes sense to undergo a risk analysis to assess your vulnerabilities, understand the impact of a DDoS attack under various scenarios, and determine the measures you need to have in place for optimal risk mitigation.

Today’s DDoS threat is not the same as it was ten or even five years ago. If availability is paramount to your business, then defences need to be updated to match today’s threat.



Digital transformation in the public sector: balancing the risks with data-driven cyber security

The possibility of falling victim to a cyber attack should not deter the public sector from moving to the cloud.

The 35 million people who saw Skyfall back in 2012 were in for a treat – thrills, tension, and a spectacular hacking attempt against the UK public sector. While many have picked up on the evident flaws in the Bond version of MI6’s approach to cyber security, the film provokes an interesting reminder that in our rush to digitise public services, there is certainly more to be done in ensuring that these services are secure. Cloud adoption in the public sector has risen to 78% in the UK in 2017 according to the Cloud Industry Forum. This is encouraging in showing that the public sector is moving towards adopting digital cloud-based technologies, but it is debatable whether the current cyber-security protocols are up to date for this new type of environment.

Public sector BYOD

These days most employees in both public and private firms have at least two devices connected to the company network – a personal phone and a work computer, often a laptop. While the organisation itself may have robust network security, with these types of devices, it is very easy for users to download confidential information from a cloud server and then access it while connected to a different, less secure network. In fact, 52% of data breaches are attributed to human error, according to CompTIA.

While organisations can ensure they are educating their employees about the importance of not sharing confidential information over unsecure connections, it can also be useful for organisations to be able to track who has accessed which bits of information in the cloud environment. This is especially effective in monitoring for corporate whistle-blowers, or habitual leakers. Data lineage technology can keep track of who is accessing, copying or changing information, while big data analytics can be used to spot anomalous activity from different individuals or groups within an organisation. For example, if a person is channelling terabytes of data out of the organisation, or repeatedly accessing information that isn’t pertinent to them, the system can spot this and alert management. The advantage of automating this is that the system can scale to detect these types of activity across the organisation, in a way that humans cannot.

The rise of DDoS

According to recent research from Corero Network Security, organisations in the US were hit by 237 DDoS attacks per month on average, during Q3 2017. This represents a 91% increase compared to Q1, highlighting that this ever-popular cyber-attack remains a pertinent threat to organisations both in the public and private sectors.

When it comes to public sector services, the damage that downtime can cause is often not just financial, but can severely hamper essential public services. The 2007 cyber-attacks on Estonia impacted the parliament, several news organisations, banks and presented a major threat to national security on a scale that had previously been unprecedented. As we increasingly digitalise services such as health and transport, it’s not hard to imagine the potential for chaos should a successful DDoS take one of these critical infrastructure networks offline.

However, far from being immitigable, sophisticated real-time mitigation software can make use of big data analytics to identify and block IP addresses making repeat suspect requests. The very size of a DDoS attack’s botnet could actually work against it, providing more data to help the intelligent computer system learn to detect and stop current and future threats.

Compared to the traditional approach to mitigating DDoS attacks by preventing all connections to the service, blocking only the suspect IP addresses allows the majority of users to continue accessing the network without experiencing significant disruption. Machine learning and big data processing form the essential backbone of this, allowing computers to bear the brunt of analysing, categorising and pattern detection of different IP addresses.
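The contrast drawn above is between taking the whole service offline and dropping only the sources that make repeated suspect requests. The script below is an added example written for this page (not code from Corero or any other vendor named in it) that shows the simplest form of that selective approach without any machine learning: a sliding-window request counter per source IP over constructed access-log lines, with a temporary block for sources that exceed the limit and unrestricted passage for everyone else. The log format, the window, the limits and the sample lines are this example's assumptions.

```python
"""Selective per-IP blocking from repeated requests in a sliding window.

Added example for this page, not code from any vendor named in it. The
access-log lines are constructed and the format is this example's own:
    <ip> <epoch_second> <method> <path> <status>
"""
from collections import defaultdict, deque

SAMPLE_LOG = """\
192.0.2.20 1519830000 GET / 200
203.0.113.9 1519830000 GET /login 200
203.0.113.9 1519830000 GET /login 200
203.0.113.9 1519830001 GET /login 200
203.0.113.9 1519830001 GET /login 200
192.0.2.21 1519830002 GET /about 200
203.0.113.9 1519830002 GET /login 200
203.0.113.9 1519830002 GET /login 200
203.0.113.9 1519830003 GET /login 200
192.0.2.20 1519830004 GET /contact 200
203.0.113.9 1519830070 GET /login 200
"""


def parse_log(text):
    """Return (ip, epoch, method, path, status) tuples; bad lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            rows.append((parts[0], int(parts[1]), parts[2], parts[3], int(parts[4])))
    return rows


def filter_requests(rows, window=5, max_requests=5, block_for=60):
    """Decide, request by request and in time order, whether to admit it.

    A source is blocked for `block_for` seconds the moment it has made more
    than `max_requests` requests within any `window` seconds. Other sources
    are never touched, which is the point of blocking per IP rather than
    taking the whole service down. Returns (admitted, dropped, blocked_at)
    where blocked_at maps ip -> the time its first block started."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    blocked_until, blocked_at = {}, {}
    admitted, dropped = [], []
    for row in rows:
        ip, ts = row[0], row[1]
        if ts < blocked_until.get(ip, 0):
            dropped.append(row)           # still inside an active block
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:  # slide the window forward
            q.popleft()
        if len(q) > max_requests:
            blocked_until[ip] = ts + block_for
            blocked_at.setdefault(ip, ts)
            q.clear()                     # start fresh when the block expires
            dropped.append(row)
        else:
            admitted.append(row)
    return admitted, dropped, blocked_at


if __name__ == "__main__":
    adm, drp, blk = filter_requests(parse_log(SAMPLE_LOG))
    print(f"admitted {len(adm)}, dropped {len(drp)}, blocked: {blk}")
```

On the sample log the two ordinary visitors are never interrupted, the noisy source is cut off on its sixth request within five seconds, and it is admitted again once the block has expired; in a real deployment the window and limits would be tuned per endpoint, and the block list fed to the edge device rather than applied in the log reader.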

The threat of malware

The public sector only needs to look back a few months to the Petya, NotPetya and WannaCry malware attacks to see the types of chaos that ransomware Trojan horses can cause. At NHS hospitals in the UK, doctors were unable to check patient records, issue prescriptions, or order vital tests – leading to delays in treatment and risk to patients. Unsurprisingly, the review by the Department of Health found that there were lessons to be learned in developing a response plan for such attacks.

The sad truth of the matter is that ransomware attacks are more likely than ever before. Attacks are increasing in both volume and complexity, and without a more advanced approach to analytics, the public sector risks falling prey to more such attacks in future.

Unlike DDoS attacks where there are identifiable sources that can be blocked and redirected, malware is harder to spot. When a malware threat emerges, there will be certain pieces of information connected to it that remain consistent – either a behavioural pattern or physical bytes of code. Historically, these could be detected by humans, but modern malware tends to adapt and evolve itself. This makes the signatures almost impossible to track manually. However, big data analytics, which can look at a much wider range of the data, can spot larger-scale patterns and trends in malware – helping security experts detect and combat them.

But if big data is the stitch in time that saves nine for many of the cyber-security threats facing organisations today, then efficient data management is the thread without which the solution would be impossible. Without being able to pull together all of the different data streams from a range of different servers and systems into one consistent format, analysis on this sort of large scale would be impossible. This is where a vendor-agnostic, open-source approach to data integration is a crucial part of the digitisation process for security-conscious public sector entities.

The threat of cyber-attacks should not deter the public sector from adopting data-driven, cloud-based technologies. After all, the potential benefits of such technologies – from centralised medical records to sensor-driven city management – are hard to overstate. However, in the process of digitising, public sector organisations need to ensure they are also sparing resources to embrace the data integration and data analysis tools needed to back up their digital technology with robust cyber security provisions. This will be key to ensuring that the public sector is able to keep pace with the 21st century’s rush on innovation, which requires organisations to be flexible and dynamic, but above all, secure.

