Category - Denial of Service

1. The complete guide to understanding web applications security
2. How to Improve Website Resilience for DDoS Attacks - Part II - Caching
3. Report Looks at Future Trends in Cyber Security
4. FCC Admits It Lied About the DDoS Attack During Net Neutrality Comment Process - Ajit Pai Blames Obama
5. "Scraper" Bots and the Secret Internet Arms Race
6. Cyberespionage Campaign in Ukraine Uses Free and Custom RATs
7. DDoS Attacks Get Bigger, Smarter and More Diverse
8. GDPR Hurts Security but Publicity Might Help
9. Your IoT Is Probably Not A-OK
10. Critical infrastructure remains insecure

The complete guide to understanding web applications security

Modern businesses use web applications every day to do different things, from interacting and engaging with customers to supporting sales and operations.

As a result, web applications are rich with data and critical to the functioning of the company, which means special precautions must be taken to protect them from attackers.

However, not all organizations or their applications face the same level of threats and attacks. In an exclusive interview with Gartner's Research Director Dale Gardner, Tech Wire Asia learns how businesses can best protect their web applications.

Gartner splits attacks on web and mobile applications and web APIs into four categories:

# 1 | Denial of service (DoS)

DoS is a specific subtype of abuse in which the attacker's goal is to disrupt the availability of the web application or service.

In particular, this category covers volumetric attacks, which exhaust network capacity, and so-called "low and slow" attacks, which tie up application or service resources (connection slots, worker threads, memory) with comparatively little traffic.

# 2 | Exploits

Exploits take advantage of design, code or configuration issues that cause unintended behaviour of the application.

Some common examples include SQL Injection (SQLi), cross-site scripting (XSS), buffer overflows, and various Secure Sockets Layer (SSL) and Transport Layer Security (TLS) manipulation attacks.

# 3 | Abuse

Abuse covers the many non-exploit attacks that primarily take advantage of business logic. This includes scraping, aggregating, account brute-forcing, scalping, spamming and other, often automated, scenarios.

# 4 | Access

Access violations occur when an attacker or a legitimate user takes advantage of weaknesses in the authentication (AuthN) or authorization (AuthZ) policies of a web application or service.

Of the four categories, Gardner says only exploits can potentially be addressed with secure coding and configuration. The others require design-level controls that cannot reasonably be compensated for in application code.

For example, although it is arguably possible to defend against account takeover in each application's own code, it is far more economical and less error-prone to do so in the identity and access management (IAM) system or another external capability.

In an ideal world, the highest level of protection would be available at all times or on demand, but that isn't feasible because of complexity and cost.

And continuously providing the highest level of protection to all web assets can be an expensive proposition, both from economic and operational perspectives.

Securing web applications and web APIs from attacks and abuse requires businesses to assess what level of protection is necessary.

"Security teams must first pick a protection baseline. Then they must decide what extra protections are necessary to apply to specific assets," recommends Gardner.

When thinking of protecting web applications, security teams often first look to existing network technologies, such as next-generation firewall (NGFW) platforms and intrusion detection and prevention systems (IDPSs).

But these do not provide strong enough capabilities in any of the protection areas, warns Gardner.

They are not easily positioned to intercept TLS, and they lack the signatures, rules, behavioral analysis and business-logic insight of security solutions that focus on web applications and APIs.

Organizations often first look at a "completely automated public Turing test to tell computers and humans apart" (CAPTCHA) when they suffer from abuse of functionality.

But an always-on CAPTCHA creates user-experience hurdles for legitimate users, and it is also no guarantee to keep the abuser out (attackers keep finding ways to circumvent or solve many CAPTCHAs).

Multifactor authentication (MFA) and out-of-band (OOB) challenges are often used to enforce strong access control, as well as to try to thwart abuse. Unfortunately, they suffer from similar issues to CAPTCHAs and are, in addition, often complex and expensive to implement.

Currently, no single security platform or solution implements the highest possible level of protection in each of the exploit, abuse of functionality, access violation and DoS mitigation categories.

Some organizations will still be able to start with a single solution to address the biggest potential risks. But they often find themselves needing greater security capabilities over time due to changes in threats and the application landscape.

Web application firewalls (WAFs) are broadly deployed, but buyers routinely express disappointment and frustration over factors such as accuracy, the ability to prevent attacks, the administrative overhead required to maintain attack detection profiles and price.

Incumbent vendors have begun addressing emerging requirements, but many products still lag.

The market for solutions to protect web applications will continue to grow, but given buyer dissatisfaction, vendors with innovative approaches and new product packaging will capture the bulk of new spending.

Buyers are shifting to service-based offerings, and demand for infrastructure as a service (IaaS) deployable products is growing. These shifts pose risks, especially to incumbents, but also present opportunities for new offerings and greater growth.

Gartner believes that by 2020, stand-alone WAF hardware appliances will represent less than 20 percent of new WAF deployments, down from 40 percent today.

By 2020, more than 50 percent of public-facing web applications will be protected by cloud-based web application and API protection (WAAP) services that combine content delivery networks, DDoS protection, bot mitigation and WAFs, up from fewer than 20 percent today.

Web applications, mobile applications, and web APIs are subject to attacks of increasing number and complexity.

Gardner, who will be speaking at the Gartner Security & Risk Management Summit in Sydney later this month explains what organizations must keep in mind when planning and implementing solutions:

  • Public, limited-access external, and internal applications require different levels of security.
  • No one capability covers all types of attack.
  • No two capabilities have interchangeable protection efficacy.
  • Some of the capabilities have strong overlaps in addressing specific attack subcategories.
  • Enforcement of policy may be centralized or distributed (for example, use of micro-gateways).

"As a result, a mix of capabilities, though not necessarily separate products, has to be put in place as a layered approach," concludes Gardner.

Considering the range of exploits and abuse that can occur with web and mobile applications and web APIs, technical professionals must leverage a mix of externalized security controls to deliver appropriate protection and alleviate burdens to development staff.

Source: https://techwireasia.com/2018/08/the-complete-guide-to-understanding-web-applications-security/

How to Improve Website Resilience for DDoS Attacks - Part II - Caching

In the first post of this series, we talked about practices that optimize your site and increase its resilience to DDoS attacks. Today we focus on caching best practices that reduce the chance of a DDoS attack bringing down your site.

Website caching stores content in a ready-to-serve state so that little or no code runs per request. When a CDN is in place, the cache also stores content at a server location closer to the visitor. It is essentially a point-in-time snapshot of the content.

Caching

When a website is accessed, the server usually needs to execute the site's code, assemble the result for the visitor, and deliver all of the site's assets. This takes a toll on server resources and slows down total page load time. To avoid that overhead, leverage caching wherever possible.

Caching not only will decrease load time indications, such as time to first byte (TTFB), it also saves your server resources.

Types of Caching

There are all sorts of caching types and strategies, but we won?t cover them all. In this article, we?ll approach three that we see most in practice.

Static Files

The first type is the simplest one, called static files caching.

Images, videos, CSS, JavaScript, and fonts should always be served from a content delivery network (CDN). These providers operate thousands of servers spread across global data centers, which means they can deliver far more data, far faster, than your server ever could on its own.

When using a CDN, the chances of your server suffering from bandwidth exhaustion attacks are minimal.

Your website will also be much faster given the fact that a large portion of website content is composed of static files, and they would be served by the CDN.

Page Caching

This is the most powerful type of cache. Page caching converts your dynamic pages into static HTML wherever possible, making the site much faster and lowering server resource usage.

A while ago, I wrote an article about Testing the Impacts of Website Caching Tools.

In that article, with the help of a simple caching plugin, the web server was able to handle four times as many requests using a fraction of the server resources, compared with the test without the caching plugin.

However, as you may know, not every page is "cacheable", which leads us to the next type.

In-Memory Caching

By using software such as Redis or Memcached, your website can retrieve part of its database information straight from server memory.

In-memory caching shortens response time for data that would otherwise require repeated SQL queries, and it reduces read and write operations on the web server's disk.

All kinds of websites should be able to leverage in-memory caching, but not every hosting provider supports it. Make sure your hosting does before trying to use such technology.
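The three caching layers above share one mechanic: a key is looked up in fast storage, and only a miss reaches the expensive code path. The following added example, written for this page and not taken from the original post or from any caching plugin, models that in Python. It implements a TTL page cache with cacheability rules, so personalised requests (POST, logged-in session cookies, cart and checkout paths; the cookie names and path prefixes are assumptions for the example) always bypass the cache, and with request coalescing, so a burst of concurrent requests for one uncached URL costs the origin a single render rather than one per request. The coalescing is the part that matters under DDoS: without it, a flood arriving the moment a popular page expires stampedes the origin even though caching is "on".

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

@dataclass
class Request:
    """Minimal stand-in for an HTTP request: only what the cache decision needs."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)

# Assumed for this example: per-user paths that are never cached, and cookie names that
# mark a logged-in session (WordPress and PHP defaults, respectively).
UNCACHEABLE_PREFIXES = ("/cart", "/checkout", "/my-account", "/wp-admin")
SESSION_COOKIE_MARKERS = ("wordpress_logged_in", "PHPSESSID")

def is_cacheable(req):
    """Only anonymous, safe requests may come from the shared page cache, so one visitor's
    personalised page (name, cart contents, CSRF token) is never handed to another."""
    if req.method not in ("GET", "HEAD") or req.path.startswith(UNCACHEABLE_PREFIXES):
        return False
    if "Authorization" in req.headers:
        return False
    cookie = req.headers.get("Cookie", "")
    return not any(marker in cookie for marker in SESSION_COOKIE_MARKERS)

class PageCache:
    """TTL page cache with request coalescing (single-flight): when many callers miss on
    the same key at once, only the first renders; the others wait on a per-key lock and
    reuse its result, so the origin pays one render per TTL window, not one per request."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested without sleeping
        self._store = {}            # key -> (expires_at, body)
        self._key_locks = {}        # key -> Lock that coalesces misses for that key
        self._meta_lock = threading.Lock()
        self.hits = 0

    def _lock_for(self, key):
        with self._meta_lock:
            return self._key_locks.setdefault(key, threading.Lock())

    def _fresh(self, key):
        """Return the cached body if present and unexpired (counting a hit), else None."""
        entry = self._store.get(key)
        if entry is None or self.clock() >= entry[0]:
            return None
        with self._meta_lock:
            self.hits += 1
        return entry[1]

    def get(self, req, render):
        if not is_cacheable(req):
            return render(req)                 # personalised: always go to the origin
        key = f"{req.method} {req.path}"
        body = self._fresh(key)
        if body is None:
            with self._lock_for(key):          # concurrent missers queue here...
                body = self._fresh(key)        # ...and re-check once the first has filled it
                if body is None:
                    body = render(req)
                    self._store[key] = (self.clock() + self.ttl, body)
        return body

class Origin:
    """Constructed stand-in for the dynamic backend (templates plus database queries)."""

    def __init__(self, render_delay=0.01):
        self.renders, self.delay, self._lock = 0, render_delay, threading.Lock()

    def render(self, req):
        with self._lock:
            self.renders += 1
        time.sleep(self.delay)                 # the work the cache is meant to save
        return f"<html>page for {req.path}</html>"

def simulate_burst(n_requests, path="/", ttl=60):
    """Send n concurrent requests for one page through an empty cache and return
    (origin renders, cache hits); with coalescing, renders is exactly 1."""
    origin, cache = Origin(), PageCache(ttl)
    req = Request("GET", path)
    with ThreadPoolExecutor(max_workers=n_requests) as pool:
        list(pool.map(lambda _: cache.get(req, origin.render), range(n_requests)))
    return origin.renders, cache.hits

def demo_ttl_expiry():
    """Two requests inside the TTL cost one render; a third after expiry costs another."""
    now = [0.0]
    origin, cache = Origin(render_delay=0), PageCache(10, clock=lambda: now[0])
    req = Request("GET", "/news")
    cache.get(req, origin.render)
    cache.get(req, origin.render)
    now[0] = 11.0
    cache.get(req, origin.render)
    return origin.renders

if __name__ == "__main__":
    renders, hits = simulate_burst(200)
    print(f"200 concurrent requests -> {renders} origin render(s), {hits} cache hits")
    print(f"origin renders across a TTL boundary: {demo_ttl_expiry()}")
```

A real deployment would keep the store in Redis or Memcached rather than a Python dict, and would add a "stale-while-revalidate" window so that an expired page is served stale while one request refreshes it; the per-key lock shown here is the same idea that nginx exposes as proxy_cache_lock.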

Conclusion

We highly recommend using caching wisely to spare server bandwidth and make your website faster and more robust.

Our Website Application Firewall (WAF) provides a variety of caching options to suit your website's needs. It also works as a CDN, improving your website's performance. Not only do we protect your website from DDoS attacks, we also make it up to 90% faster with our WAF.

We are still planning to cover other best practices on improving website resilience to DDoS attacks in future posts. Subscribe to our email feed and don't miss our educational content based on research from our website security team.

Source: https://securityboulevard.com/2018/08/how-to-improve-website-resilience-for-ddos-attacks-part-ii-caching/

Report Looks at Future Trends in Cyber Security

The Future Today Institute, an organization that provides forecasts about how emerging technology will disrupt business and transform the workforce, has once again looked into its crystal ball, and cyber security executives might not be thrilled with the predictions.

In its 2018 Tech Trends Report, the institute said organizations and individuals can expect to see more sophisticated data breaches, advanced hacker tactics, and targeted ransomware against devices in offices and homes.

Here are some of the key security-related prognostications:

  • The historical tension between the security and privacy domains will unleash new challenges this year, the report said. Individuals are providing more data each day, and as more connected devices enter the marketplace the volume of available data will continue to rise. But the companies making devices and managing consumer data are not planning for future scenarios, and off-the-shelf compliance checklists will not be sufficient. Managers will need to develop and constantly update their security policies and make the details transparent. Today, most organizations aren't devoting enough budget to securing their data and devices, the report said.
  • Distributed denial of service (DDoS) attacks will increase. In the past few years the number of DDoS attacks has spiked, the report said, citing a figure of 122 million DDoS attacks against the U.S. between April and June 2017 alone. One of the more notable incidents was the massive October 2016 attack by the Mirai botnet on Dyn, a company that operates a large portion of the internet's domain name system infrastructure, which took many leading sites offline. Cyber criminals are leveraging more sophisticated tools, and that means future attacks will be larger in scope and could have greater impact.
  • Ransomware will continue to be a threat with the growth of cryptocurrencies. Ransomware attacks including WannaCry, Petya, and NotPetya spread during 2017. In England, WannaCry shut down systems in dozens of medical centers, forcing hospitals to divert ambulances and cancel some 20,000 appointments. Because cash and online bank transfers are easy to track, the currency of choice for ransomware is bitcoin, whose transactions are pseudonymous and harder to tie to a real-world identity. The rise of blockchain and cryptocurrencies has transformed ransomware into a lucrative business, according to the report. Just backing up data will probably not be enough of a measure against these attacks.
  • Russia will remain a big source of hacker attacks. The country is home to some of the world's most gifted and prolific hackers, who are motivated both by a lack of economic opportunity and by weak law enforcement, according to the report. In the past two years it has become clear that Russia's military and government intelligence agencies are eager to put home-grown hackers to work, infiltrating the Democratic National Committee, Olympic organizations and European election commissions, it said.
  • Zero-day exploits will be on the rise. These attacks are dangerous, and finding vulnerabilities is a favorite activity of malicious hackers, the report noted. A number of zero-day vulnerabilities have lain dormant for years; two found in 2017 and disclosed in January 2018 stood out. Speculative-execution flaws in processors from Intel, AMD and ARM led to the realization that virtually every Intel processor shipped since 1995 was vulnerable to two new attacks, Spectre and Meltdown.
  • There will be more targeted attacks on digital assistants. Now that digital assistants such as Alexa, Siri, and Cortana have moved from the fringe to the mainstream, expect to see targeted attacks, the report said. Whether they target the assistants or their hardware (Amazon Echo, Apple HomePod, Google Home), it's clear that the next frontier in hacking is these platforms.
  • In the wake of several hacking attacks during elections around the world, several government agencies are now making public their plans to hack offensively, according to the report. The U.K.'s National Health Service has started hiring white hat hackers to safeguard it against a ransomware attack such as WannaCry, which disrupted large parts of the nation's health service. Singapore's Ministry of Defence is hiring white hat hackers and security experts to look for critical vulnerabilities in its government and infrastructure systems. And in the U.S., the two agencies responsible for cyberwarfare, U.S. Cyber Command and the National Security Agency, are looking to make artificial intelligence (AI) a focus of U.S. cyber strategy.
  • Also thanks to advances in AI, one of the big trends in security is automated hacking: software designed to out-hack human hackers. The report said the Pentagon's research agency DARPA held its Cyber Grand Challenge in 2016, with the goal of designing computer systems capable of beating hackers at their own game. The agency wanted to show that smarter automated systems can reduce the response time, and develop fixes for system flaws, to just a few seconds. Spotting and fixing critical vulnerabilities is a process that can take human hackers months or even years to complete, the report said.

Source: https://securityboulevard.com/2018/08/report-looks-at-future-trends-in-cyber-security/

FCC Admits It Lied About the DDoS Attack During Net Neutrality Comment Process - Ajit Pai Blames Obama

During the time the Federal Communications Commission (FCC) was taking public comments ahead of the rollback of net neutrality rules, the agency had claimed its comments system was knocked offline by distributed denial-of-service (DDoS) attacks.

These supposed attacks were used to question the credibility of the comment process, in which millions of Americans had voiced opposition to the net neutrality rollback. The Commission then chose to ignore the public comments altogether.

FCC now admits it has been lying about these attacks all this time

No one bought the FCC's claims that its comment system was targeted by hackers during the net neutrality comment process. Investigators have now validated those suspicions, finding no evidence to support the claims of DDoS attacks in 2017. Following the investigation, which was carried out after lawmakers and journalists pushed the agency to share evidence of the attacks, FCC Chairman Ajit Pai has today released a statement admitting that there was no DDoS attack.

This statement would have been surprising coming from Pai, an ex-Verizon employee who has continued to disregard public comments, stonewall journalists' requests for data, and ignore lawmakers' questions, had he not thrown the CIO under the bus and taken no responsibility whatsoever for the false claims. In his statement, Pai blamed the former CIO and the Obama administration for providing "inaccurate information about this incident to me, my office, Congress, and the American people."

He went on to say that the CIO's subordinates were afraid to disagree with him and never approached Pai. If all of that is true, the Chairman has not explained why he didn't demand to see the evidence when nearly everyone outside the agency already believed the DDoS claim was nothing but a pretext to invalidate the comment process.

"It has become clear that in addition to a flawed comment system, we inherited from the prior Administration a culture in which many members of the Commission's career IT staff were hesitant to express disagreement with the Commission's former CIO in front of FCC management. Thankfully, I believe that this situation has improved over the course of the last year. But in the wake of this report, we will make it clear that those working on information technology at the Commission are encouraged to speak up if they believe that inaccurate information is being provided to the Commission's leadership."

The statement comes in response to an investigation by the FCC's Office of Inspector General, whose report is to be published soon. Judging by Pai's statement, it is already clear what that report will say.

As a reminder, the current FCC leadership didn't only concoct the DDoS story. It also tried to bolster its false claims by suggesting that this wasn't the first such incident, since the FCC had supposedly suffered a similar attack in 2014 under former chairman Tom Wheeler, and that Wheeler had lied about the true nature of that attack to spare the agency embarrassment. Wheeler went on record to call out Pai's FCC for lying to the public, saying there had been no cyberattack under his leadership.

Pai throws CIO under the bus; takes no responsibility

And now it appears the FCC was also lying about the true nature of the 2017 comment-system failure. In his statement released today, Pai once again blames the Obama administration for feeding him inaccurate information:

"I am deeply disappointed that the FCC's former [CIO], who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I'm also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn't feel comfortable communicating their concerns to me or my office."

It remains unclear why the new team that replaced former CIO David Bray nearly a year ago didn't debunk what is now being called a "conspiracy theory" and come clean about it.

Redacted emails obtained through the Freedom of Information Act (FOIA) by American Oversight had previously revealed that the false theory about a 2014 cyberattack, offered to make the 2017 attack claim more plausible, also appeared in a draft blog post written on Pai's behalf. That draft was never published, keeping Pai's hands clean since there was no evidence to support the FCC's claims of a malicious attack; the details were instead fed to the media, through which the narrative was publicized.

"The Inspector General Report tells us what we knew all along: the FCC's claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus," FCC Commissioner Jessica Rosenworcel wrote. "What happened instead is obvious: millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It's unfortunate that this agency's energy and resources needed to be spent debunking this implausible claim."

Source: https://wccftech.com/fcc-admits-lied-ddos-ajit-pai-obama/

"Scraper" Bots and the Secret Internet Arms Race

Companies are waging an invisible data war online. And your phone might be an unwitting soldier.

Retailers from Amazon and Walmart to tiny startups want to know what their competitors charge. Brick and mortar retailers can send people, sometimes called “mystery shoppers,” to their competitors’ stores to make notes on prices.

Online, there's no need to send people anywhere. But big retailers can sell millions of products, so it's not feasible to have workers browse each item and manually adjust prices. Instead, the companies employ software to scan rival websites and collect prices, a process called "scraping." From there, the companies can adjust their own prices.

Companies like Amazon and Walmart have internal teams dedicated to scraping, says Alexandr Galkin, CEO of the retail price optimization company Competera. Others turn to companies like his. Competera scrapes pricing data from across the web, for companies ranging from footwear retailer Nine West to industrial outfitter Deelat, and uses machine-learning algorithms to help its customers decide how much to charge for different products.

Walmart didn't respond to a request for comment. Amazon didn't answer questions about whether it scrapes other sites. But the founders of Diapers.com, which Amazon acquired in 2010, accused Amazon of using such bots to automatically adjust its prices, according to Brad Stone's book The Everything Store.

Scraping might sound sinister, but it's part of how the web works. Google and Bing scrape web pages to index them for their search engines. Academics and journalists use scraping software to gather data. Some of Competera's customers, including Acer Europe and Panasonic, use the company's "brand intelligence" service to see what retailers are charging for their products, to ensure that they are complying with pricing agreements.

For retailers, scraping can be a two-way street, and that's where things get interesting. Retailers want to see what their rivals are doing, but they want to stop rivals from snooping on them; they also want to protect intellectual property such as product photos and descriptions, which can be scraped and reused without permission. So many deploy defenses to thwart scraping, says Josh Shaul, vice president of web security at Akamai Technologies. One technique: showing different prices to real people than to bots. A site may show a price as astronomically high, or as zero, to poison the data that bots collect.

Such defenses create opportunities for new offenses. A company called Luminati helps customers, including Competera, mask bots to avoid detection. One service makes the bots appear to be coming from smartphones.

Luminati's service can resemble a botnet, a network of computers running malware that hackers use to launch attacks. Rather than covertly take over a device, however, Luminati entices device owners to accept its software alongside another app. Users who download MP3 Cutter from Beka for Android, for example, are given a choice: view ads, or allow the app to use "some of your device's resources (WiFi and very limited cellular data)." If you agree, Luminati will use your phone for a few seconds a day when it's idle to route requests from its customers' bots, and pay the app maker a fee. Beka didn't respond to a request for comment.

The ongoing battle of bot and mouse raises a question: how do you detect a bot? That's tricky. Sometimes bots tell the sites they're visiting that they're bots. When a piece of software requests a page from a web server, it sends some information along with the request, including a User-Agent string. Conventional browsers announce themselves as Google Chrome, Microsoft Edge, or another browser; bots can use the same field to say that they're bots. But they can also lie. One detection technique is the frequency with which a visitor hits a site: if a visitor makes hundreds of requests per minute, there's a good chance it's a bot. Another common practice is to look at a visitor's internet protocol (IP) address. If it comes from a cloud computing service, that's a hint that it might be a bot and not a regular internet user.

Shaul says that techniques like disguising bot traffic have made it "almost useless" to rely on an internet address alone. Captchas can help, but they inconvenience legitimate users. So Akamai is trying something different: instead of looking only for the common behaviors of bots, it looks for the common behaviors of humans and lets those users through.

When you tap a button on your phone, you move the phone ever so slightly. That movement can be detected by the phone’s accelerometer and gyroscope, and sent to Akamai’s servers. The presence of minute movement data is a clue that the user is human, and its absence is a clue that the user might be a bot.

Luminati CEO Ofer Vilenski says the company doesn’t offer a way around this yet, because it’s a relatively uncommon practice. But Shaul thinks it’s only a matter of time before bot makers catch on. Then it will be time for another round of innovations. So goes the internet bot arms race.
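The three log-based signals Shaul describes (a User-Agent that announces a bot, request frequency, and a source address inside a cloud provider's range) are cheap to compute and worth running over your own access logs. The following added example, written for this page and not Akamai's or Wired's code, parses constructed nginx combined-format log lines, scores each client on those three signals, and also shows why the address check is "almost useless" on its own: the same scraper split across forty residential-proxy addresses, each sending two requests with a browser User-Agent, comes out "unverified" on every signal. The cloud range (a documentation-only prefix), the rate threshold and the agent strings are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Placeholder "cloud provider" range: an RFC 5737 documentation prefix chosen for the example.
# In production load the provider's published list (AWS publishes ip-ranges.json, for instance).
CLOUD_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Agents that announce themselves as automation. Scrapers can lie, so this finds only honest ones.
DECLARED_BOT_UA = re.compile(r"bot|crawl|spider|slurp|scrapy|python-requests|curl/|wget/", re.I)

RATE_THRESHOLD = 100  # requests from one address within a single clock minute (assumed)

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/68.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
T0 = datetime(2018, 8, 10, 12, 0, 0, tzinfo=timezone.utc)

def make_line(ip, offset_s, path, ua):
    """Build one constructed combined-format log line, offset_s seconds after T0."""
    ts = (T0 + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

def build_sample_log():
    """Constructed traffic: one browsing user, a crawler that declares itself, one noisy
    scraper on a cloud address, and one scraper spread over 40 'residential' proxy addresses."""
    lines = [make_line("203.0.113.10", 0, "/products/1", BROWSER_UA),
             make_line("203.0.113.10", 25, "/products/2", BROWSER_UA),
             make_line("198.51.100.7", 5, "/products/1", GOOGLEBOT_UA)]
    lines += [make_line("192.0.2.55", i * 0.4, f"/products/{i}", BROWSER_UA) for i in range(150)]
    for n in range(40):  # two requests per proxy address, spread over ten minutes
        ip = f"203.0.113.{100 + n}"
        lines += [make_line(ip, n * 15, f"/products/{n}", BROWSER_UA),
                  make_line(ip, n * 15 + 300, f"/products/{n + 40}", BROWSER_UA)]
    return "\n".join(lines) + "\n"

def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records

def is_cloud_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)

def peak_requests_per_minute(recs):
    """Highest number of requests one client made within any single clock minute."""
    buckets = Counter(r["ts"].replace(second=0, microsecond=0) for r in recs)
    return max(buckets.values())

def classify(records):
    """Return {ip: (verdict, reasons)}. 'unverified' means no bot signal was seen, which
    is not proof of a human: a scraper behind residential proxies, using a browser
    User-Agent and a low per-address rate, looks exactly like this."""
    per_ip = defaultdict(list)
    for rec in records:
        per_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in per_ip.items():
        reasons = []
        peak = peak_requests_per_minute(recs)
        if peak >= RATE_THRESHOLD:
            reasons.append(f"{peak} requests in one minute")
        if is_cloud_ip(ip):
            reasons.append("source address in a cloud provider range")
        if any(DECLARED_BOT_UA.search(r["ua"]) for r in recs):
            reasons.insert(0, "User-Agent declares automation")
            verdict = "declared_bot"
        elif reasons:
            verdict = "suspected_bot"
        else:
            verdict = "unverified"
        verdicts[ip] = (verdict, reasons)
    return verdicts

if __name__ == "__main__":
    results = classify(parse_log(build_sample_log()))
    for ip, (verdict, reasons) in sorted(results.items()):
        if verdict != "unverified":
            print(f"{ip:15} {verdict:14} {'; '.join(reasons)}")
    print(f"{sum(v == 'unverified' for v, _ in results.values())} addresses with no bot signal")
```

Run as a script, it flags the Googlebot address as a declared bot and the cloud address on both rate and range, and reports 41 addresses with no signal: the one real browser and the forty proxy exits. That last number is the practical point: once a scraper rents residential addresses and lies in its User-Agent, server-side signals alone cannot tell it from forty light users, which is why the article's next step moves to client-side behavioural evidence.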

Good Bots and Bad Bots

One big challenge for Akamai and others trying to manage bot-related traffic is the need to allow some, but not all, bots to scrape a site. If websites blocked bots entirely, they wouldn’t show up in search results. Retailers also generally want their pricing and items to appear on shopping comparison sites like Google Shopping, Price Grabber, and Shopify.

“There’s really a lot of different scenarios where scraping is used on the internet for good, bad, or somewhere in the middle,” Shaul says. “We have a ton of customers at Akamai who have come to us to help us manage the overall problem of robots, rather than humans, visiting their site.”

Some companies scrape their own sites. Andrew Fogg is the co-founder of a company called Import.io, which offers web-based tools to scrape data. Fogg says one of Import.io’s customers is a large retailer that has two inventory systems, one for its warehouse operations and one for its e-commerce site. But the two systems are frequently out of sync. So the company scrapes its own website to look for discrepancies. The company could integrate its databases more closely, but scraping the data is more cost effective, at least in the short term.

Other scrapers live in a gray area. Shaul points to the airline industry as an example. Travel price-comparison sites can send business to airlines, and airlines want their flights to show up in the search results for those sites. But many airlines rely on outside companies like Amadeus IT and Sabre to manage their booking systems. When you look up flight information through those airlines, the airline sometimes must pay a fee to the booking system. Those fees can add up if a large number of bots are constantly checking an airline's seat and pricing information.

Shaul says Akamai helps solve this problem for some airline customers by showing bots cached pricing information, so that the airlines aren't querying outside companies every time a bot checks prices and availability. The bots won't get the most up-to-date information, but they'll get reasonably fresh data without costing the airlines much.

Other traffic, however, is clearly problematic, such as distributed denial-of-service, or DDoS, attacks, which aim to overwhelm a site by flooding it with traffic. Amazon, for example, doesn't block bots outright, including price scrapers, a spokesperson says. But the company does "prioritize humans over bots when needed to ensure we are providing the shopping experience our customers expect from Amazon."

Fogg says Import.io doesn’t get blocked much. The company tries to be a “good citizen” by keeping its software from hitting servers too often or otherwise using a lot of resources.

Vilenski says Luminati's clients have good reasons to pretend not to be bots. Some publishers, for example, want to make sure advertisers are showing a site's viewers the same ads that they show to the publishers.

Still, the company's business model raised eyebrows in 2015 when a similar service from its sister company, Hola VPN, was used to launch a DDoS attack on the website 8chan. Earlier this month, Hola VPN's Chrome extension was accused of being used to steal passwords of users of the cryptocurrency service MyEtherWallet. In a blog post, Hola VPN said its Google Chrome Store account was compromised, allowing attackers to add malware to its extension. Vilenski says the company carefully vets its customers, including a video call and steps to verify the potential customer's identity. He declined to comment on alleged malicious uses of Luminati's service. Controversial or not, Vilenski says the company's business has tripled in the past year.

Source: https://www.wired.com/story/scraper-bots-and-the-secret-internet-arms-race/

Cyberespionage Campaign in Ukraine Uses Free and Custom RATs

Security researchers have been tracking a sustained cyberespionage campaign against Ukrainian government institutions that uses a combination of free and custom-made remote access Trojans (RATs).

The malware programs involved in the years-long campaign are Quasar RAT, Sobaken RAT and Vermin and have been documented before, either as standalone threats or together. However, security researchers from ESET have now established clear links between the attacks in Ukraine that use these tools, which could suggest that a single group is behind them.

"Even though these threat actors don't seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time," the ESET researchers said in a paper. "We were able to trace attacker activity back to October 2015; however, it is possible that the attackers have been active even longer."

Quasar RAT is the oldest and most well-known of the three programs because it is open source and available on GitHub. Sobaken is a heavily modified and improved version of Quasar, while Vermin is a custom-made backdoor that first appeared sometime in 2016.

All three programs are written in .NET and are actively used by this group of attackers against different targets at the same time. ESET has identified a few hundred victims in different organizations in Ukraine and established that the malware samples associated with this campaign share parts of their infrastructure and command-and-control servers.

Vermin, which is the newest and most sophisticated of the three RATs, supports 24 main commands and has several optional components that add functionality such as audio recording, keylogging and password stealing.

The attackers have implemented sandbox detection methods and obfuscate their malware’s code using .NET code protection tools such as .NET Reactor or ConfuserEx. Their RATs refuse to run on systems that don’t have Russian or Ukrainian keyboard layouts installed or an IP address from those countries.

What’s interesting about this group is its success despite an apparent lack of sophistication. The distribution campaigns use basic right-to-left text override tricks to obscure the real extension of malicious email attachments, self-extracting RAR archives and, in rare cases, Word documents carrying known exploits.
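
A defender-side check for the right-to-left override trick described above, written as an added example for this page (it is not ESET’s code and does not come from the report): it flags attachment names that contain Unicode bidirectional control characters, recovers the extension the operating system will actually honour, and approximates how the name would be rendered. The sample attachment names and the executable-extension list are constructed for the example.

```python
# Added example, not from the ESET report or this article: detect attachment
# names that use Unicode bidirectional overrides (notably U+202E) to disguise
# the real extension of a file, and recover what the file system will run.
import unicodedata

# Bidi control characters that can change how a file name is rendered.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
# Extensions a mail gateway would not want to see hidden behind a "document"
# (constructed policy list for the example).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}


def strip_bidi(text: str) -> str:
    """Remove bidi control characters; this is what the file system keeps."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """Extension the OS will honour, ignoring any display tricks."""
    _, dot, ext = strip_bidi(name).rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name: str) -> str:
    """Approximate how a bidi-aware renderer shows the name: text after the
    first U+202E is drawn right-to-left, i.e. reversed for ASCII text."""
    head, rlo, tail = name.partition("\u202e")
    return strip_bidi(head) + (strip_bidi(tail)[::-1] if rlo else "")


def analyze_attachment(name: str) -> dict:
    """Return a verdict for one attachment name."""
    controls = [f"U+{ord(ch):04X} {unicodedata.name(ch)}"
                for ch in name if ch in BIDI_CONTROLS]
    ext = true_extension(name)
    reasons = []
    if controls:
        reasons.append("bidi control characters in file name")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    return {
        "name": name,
        "displayed_as": displayed_name(name),
        "true_extension": ext,
        "bidi_controls": controls,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample attachment names (not real samples).
SAMPLE_ATTACHMENTS = [
    "report.pdf",                  # benign
    "invoice\u202efdp.exe",        # renders as "invoiceexe.pdf", is really .exe
    "photo\u202egnp.scr",          # renders as "photorcs.png", is really .scr
    "notes.txt",                   # benign
]


def scan_attachments(names):
    """Return only the verdicts a gateway should quarantine or warn about."""
    return [v for v in (analyze_attachment(n) for n in names) if v["suspicious"]]


if __name__ == "__main__":
    for verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict['displayed_as']!r} is really .{verdict['true_extension']}: "
              f"{', '.join(verdict['reasons'])}")
```

The same check applies to names inside archives (the self-extracting RAR case above): run `true_extension` over the archive listing rather than trusting the name as a file manager renders it.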

“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine,” the ESET researchers said in a blog post. “However, they have proved that with clever social engineering tricks, cyberespionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place.”

Creator of Remote Administration Tool Admits It Was Really a Trojan

A Kentucky man admitted to creating and distributing a remote access Trojan called LuminosityLink that was used by thousands of users from around the world to access other people’s computers without authorization.

According to the guilty plea, the man, named Colton Grubbs, marketed LuminosityLink as a tool for system administrators and sold it to more than 6,000 customers for $39.99.

Developing and selling remote administration tools is not illegal. However, Grubbs also used the handle “KFC Watermelon” to advertise the program on HackForums.net, a well-known cybercriminal forum, and actively assisted buyers to access computers without authorization.

“Defendant claimed that LuminosityLink was a legitimate tool for systems administrators, but knew that many customers were using his software to remotely access and control computers without their victims’ knowledge or permission,” the plea agreement reads. “Defendant’s marketing emphasized these malicious features of LuminosityLink, including that it could be remotely installed without notification, record the keys that a victim pressed on their keyboard, surveil victims using their computer cameras and microphones, view and download the computer’s files, steal names and passwords used to access websites, mine and earn virtual currency using victim computers and electricity, use victim computers to launch DDoS attacks against other computers, and prevent anti-malware software from detecting and removing LuminosityLink.”

The practice of Trojan developers marketing their creations as legitimate tools to avoid responsibility for how they’re used is not new. In February, Taylor Huddleston, 27, of Hot Springs, Arkansas, was sentenced to 33 months in prison for creating a RAT called NanoCore. He, too, initially claimed the program was a legitimate remote administration tool, but later admitted that he marketed it on Hack Forums and knew that some buyers intended to use it for malicious purposes.

Source: https://securityboulevard.com/2018/07/cyberespionage-campaign-in-ukraine-uses-free-and-custom-rats/

DDoS Attacks Get Bigger, Smarter and More Diverse

DDoS attacks are relentless. New techniques, new targets and a new class of attackers continue to reinvigorate one of the internet’s oldest nemeses.

Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions; worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.

Several new themes are emerging in the 2018 distributed denial of service (DDoS) threat landscape, including a shift in tactics to reach new heights in volumetric campaigns, attacks that rely on a sheer wall of large amounts of packet traffic to overwhelm the capacity of a website and take it down.

However, while these traditional, opportunistic brute-force DDoS attacks remain a menace, a newer class of threat has emerged: more sophisticated, micro-targeted attacks. They take aim at, say, a specific application rather than a whole website. These types of DDoS attacks are a rapidly growing threat, as are “low and slow” stealthier offensives. At the same time, bot herders are working on expanding their largely IoT-based botnet creations, by any means possible, often to accommodate demand from the DDoS-as-a-service offerings that have created a flood of new participants in the DDoS scene. Those new entrants are all competing for attack resources, creating a demand that criminals are all too happy to fulfill.

“Attacks are getting larger, longer and more complex, as [the tools used to carry out attacks] are becoming more available,” said Donny Chong, product director at Nexusguard. “DDoS used to be a special occurrence, but now it’s really a commonplace thing, and the landscape is moving quickly.”

Terabit Era Dawns

One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. Notably however, in February the world saw a 1.3 Tbps DDoS attack against GitHub, setting a record for volume (it was twice the size of the previous largest attack on record) and demonstrating that new amplification techniques can give unprecedented power to cybercriminals. Just five days later, an even larger attack launched, reaching 1.7 Tbps. These showed that DDoS attackers are more than able to keep up with the growing size of bandwidth pipes being used by businesses.

The technique used in February and March made use of misconfigured Memcached servers accessible via the public internet. Memcached servers are used to bolster responsiveness of database-driven websites by improving the memory caching system. Unfortunately, many of them have been deployed using a default insecure configuration, which has opened the door to DDoS attacks that use User Datagram Protocol (UDP) packets amplified by these servers by as much as 51,200x. That in turn means that malefactors can use fewer resources. For example, they can send out only a small amount of traffic (around 200 Mbps) and still end up with a massive attack.
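
The Memcached amplification described here and the other reflector protocols listed above (DNS, NTP, SSDP, CLDAP, Chargen) share a traffic shape a defender can watch for: many distinct sources all answering from the same well-known UDP port toward one target, with unusually large packets. The following is an added example, not code from the article or from any vendor quoted in it; the flow records are constructed and the thresholds are assumptions to tune per network.

```python
# Added example, not from the article: flag UDP reflection/amplification
# traffic in NetFlow-style records by looking for many distinct sources that
# all answer from a reflector port toward a single target with large packets.
from collections import defaultdict

# Well-known UDP ports of services the article names as reflection sources.
REFLECTOR_PORTS = {11211: "memcached", 123: "NTP", 53: "DNS",
                   1900: "SSDP", 389: "CLDAP", 19: "Chargen"}

# Constructed flow records (not real traffic), one per line:
# <unix_ts> <proto> <src_ip:port> -> <dst_ip:port> <packets> <bytes>
SAMPLE_FLOWS = """\
1530000000 UDP 198.51.100.10:11211 -> 203.0.113.5:4444 120 168000
1530000000 UDP 198.51.100.11:11211 -> 203.0.113.5:4444 115 161000
1530000001 UDP 198.51.100.12:11211 -> 203.0.113.5:4444 130 182000
1530000001 UDP 198.51.100.13:11211 -> 203.0.113.5:4444 125 175000
1530000002 UDP 192.0.2.53:53 -> 203.0.113.5:50123 1 120
1530000002 TCP 192.0.2.7:443 -> 203.0.113.5:51000 40 30000
1530000003 UDP 203.0.113.5:50444 -> 192.0.2.53:53 1 70
"""


def parse_flows(text):
    """Parse the constructed record format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, _arrow, dst, pkts, nbytes = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append({"ts": int(ts), "proto": proto,
                      "src_ip": src_ip, "src_port": int(src_port),
                      "dst_ip": dst_ip, "dst_port": int(dst_port),
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows


def detect_reflection(flows, min_sources=3, min_bytes_per_packet=1000):
    """Group UDP flows whose *source* port is a reflector port by target.
    A legitimate client gets answers from one or two servers with small
    replies; a reflection victim is hit by many servers with large ones.
    Thresholds are assumptions and should be tuned to the monitored network."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "UDP" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        g = groups[(f["dst_ip"], f["src_port"])]
        g["sources"].add(f["src_ip"])
        g["packets"] += f["packets"]
        g["bytes"] += f["bytes"]

    alerts = []
    for (victim, port), g in groups.items():
        bpp = g["bytes"] / g["packets"]
        if len(g["sources"]) >= min_sources and bpp >= min_bytes_per_packet:
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "reflector_port": port,
                "reflectors": len(g["sources"]),
                "bytes": g["bytes"],
                "bytes_per_packet": round(bpp),
                # The upstream filter the article's sources describe: drop
                # UDP traffic from this source port toward the victim.
                "mitigation": f"filter UDP source port {port} toward {victim} upstream",
            })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

In the constructed sample only the four memcached reflectors trip the rule; the single DNS reply toward the same host is ordinary client traffic and is left alone, which is the distinction the source-count threshold exists to make.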

The good news is that even as the peaks get larger, volumetric attacks are quickly dealt with.

“These are big and obvious and relatively easy to mitigate,” said Chong. “Blocking Memcached attacks is as simple as doing ISP filtering and blocking the signature; it just goes away. So, it’s not as scary as it seems.”

However, criminals are almost certainly looking for the next major reflector source.

“Expect a huge attack, then the good guys to come in and shut some of those resources down on the bad guys,” said Martin McKeay, global security advocate at Akamai. “This is cyclical. We saw it happen with NTP, DNS and now Memcached, and it will happen again.”

He added that the implications of being able to reach such dizzying attack heights could be profound going forward.

“The undersea cable between Europe and the U.S. is 3.2 terabits,” said McKeay. “If you try to send that amount of traffic through that pipe, you’re going to gum up the works for a very long time, for a lot of companies. A lot of countries don’t even have 1.3 terabits coming in in total, so we’re starting to look at attacks that can take whole countries offline for a good amount of time.”

This kind of doomsday scenario is not without precedent: In 2016, a Mirai botnet variant known as Botnet 14 spent seven days continually attacking the west African nation of Liberia, flooding the two companies that co-own the only fiber going into the country with 600 Gbps flows, easily overwhelming the fiber’s capacity and knocking the country offline.

Rising Sophistication

While big, splashy volumetric attacks make headlines, the reality is that smaller, more sophisticated attacks are perhaps the greater concern.

“DDoS has historically been pretty unsophisticated; it doesn’t require a closed-loop response where you steal data and need to get it back to you,” said Sean Newman, director of product management at Corero Network Security. “Typically, you just send out the traffic to a pipe with the goal of filling it up. But, what we’ve seen recently is that those very large unsophisticated attacks [now] represent a small proportion of the [campaigns] that go on. Across all the DDoS efforts that we see, the majority, just over 70 percent, are [now] less than 1 GB in size. And that’s because the attackers are moving away from using simplistic brute force, to using more sophisticated techniques.” Modern DDoS toolkits can launch both infrastructure-based (i.e., volumetric) and application-based payloads; application-layer attacks in particular are sneakier and can be very targeted, researchers said.

Rather than just look to overwhelm a company’s broadband connection or DNS infrastructure, as was the norm in the past, application-layer attacks focus on one aspect of the target’s communications, such as, say, a VoIP server. These look to exhaust specific server resources by monopolizing processes and transactions.

“Attacks use just enough traffic to be successful,” Chong explained. “Most of the enterprises out there in the market have around 100 Mbps of bandwidth coming into their location, so you don’t need a 1-terabit attack to be effective. These are small, specially crafted campaigns where threat actors first examine where a service is hosted, such as a data center, in the cloud or at a hosting provider, and then they launch a small attack that just overwhelms the limits of the target’s bandwidth. This approach is much more precise and effective, requires fewer resources, and often flies under the radar because the bad traffic’s volume is close in size to the normal traffic going into that enterprise.”

An example of this is the attacks mounted during protests in the wake of the 2009 Iranian presidential election. That’s when several high-impact and relatively low bandwidth efforts were launched against Iranian government-run sites. Since then, the method has gained popularity. Meanwhile, the large, “big-bang” efforts that still make up 30 percent of the campaigns seen in the wild are sometimes used as a distraction, Chong added, acting as a smokescreen to mask other activities, such as a data exfiltration effort. F5 for example noted last year that almost 50 percent of attacks fell into this category.

To carry this out, higher-end threat actors can use partial link saturation, designed to leave just enough bandwidth available for a secondary attack. In this scenario, a distracting DDoS attack consumes resources in enough security layers to allow a targeted malware attack through. Often the IT staff is too busy dealing with the DDoS attack, which causes damage to revenue and reputation on its own, to notice that another intrusion is taking place through other channels.

IoT Factor

While both volumes and sophistication are on the rise, the impact of DDoS botnets that are built from tens of thousands of compromised internet-of-things (IoT) devices remains perhaps the biggest story in this particular crime sector, representing a rapidly expanding threat surface.

“The explosion of IoT devices is an attack vector that’s going to be around and of interest for a long while,” said Newman. “Consumers and businesses are buying these devices for the coolness factor and the ability to automate your life. And vendors are much more incentivized to get the latest thing to market ASAP instead of spending time on security.”

Elias Bou-Harb, research assistant professor at Florida Atlantic University and a cyber-threat researcher, added: “While the focus was on functionality and accessibility, security is and continues to be an afterthought. Vendors should be vigilant about this and emphasize security in their design, early on. This is especially factual if those IoT devices are deployed and being operated in critical infrastructure.”

Meanwhile, for many consumer and business IoT users, security remains low on the list of concerns, making for little pressure on vendors to clean up their act. That’s because owners of compromised IoT devices rarely end up feeling like victims, Newman added.

“The small amount of traffic being requested from each device may be only 1 megabit each, and you’re unlikely to feel that on your home network in terms of performance degradation,” Newman explained. For that reason, IoT botnets continue to be responsible for widespread infections, which can be easily marshalled for DDoS attacks.

“IoT is kind of the sweet spot for DDoS botnets, because these devices are prevalent, but no one really controls them; they’re almost unmanaged,” said Jeremy Kennelly, manager of threat intelligence analysis at FireEye. “Cameras and routers and things are just left out there, not being updated, and meanwhile the non-expert population gets used to what they think are just glitches; they don’t think they might be compromised.”

While Mirai kicked off the era of the IoT botnet in 2016, two of the latest events on the bot scene include the rise of the Satori botnet, which infected more than 100,000 internet-connected D-Link routers in just 12 hours, and the VPNFilter IoT botnet, which infected almost a million consumer-grade internet routers (i.e., Linksys, MikroTik, Netgear, and TP-Link) in more than 50 countries in a very short amount of time. VPNFilter is particularly nasty, capable of DDoS as well as delivering malware and stealing data.

Others meanwhile are appearing all the time.

“Very recently, June 18-June 22, we tracked a botnet (which was never reported before) composed of more than 50,000 IoT bots, distributed over 170 countries and hosted in more than 30 business sectors,” said Bou-Harb. “We are seeing excessive IoT exploitations targeting home and business routers, storage devices, cameras, voice over IP phones and more.”

Bot herders are also in a race to expand their IoT infrastructure, something that’s all too easy. IoT botnets are either built through simplistic compromises involving common, hard-coded, default passwords for devices that are easy to search for on the internet; or via the exploit of known vulnerabilities.

“The recent compromise of GPON home routers came down to a couple of specific vulnerabilities in the code that were never patched,” Newman said.

Code-reuse is also rife in IoT devices, meaning that putting effort into exploiting vulnerabilities can be a valuable vector with a lot of payoff. The Satori botnet for example was created by exploiting a known buffer overflow technique in generic code, Newman added.

Beyond existing IoT, the actors behind botnets are always looking to also commandeer new classes of devices from which to carry out attacks. In the future, things such as sensor networks or devices for smart-city applications could vastly expand the attack infrastructure.

“We haven’t seen the peak of what IoT botnets are capable of yet, and you can be sure there are more pools of resources out there to be found,” McKeay said. “For instance, we’re not monitoring IPv6 as closely as we should, and I wouldn’t be surprised if there’s something lurking there that can be harnessed for this.”

All of the bad actors’ frenetic expansion activity is driven by basic market economics. “We continue to see competition for the infrastructure,” said Kennelly. “That’s one of the reasons that the peak sizes for DDoS are decreasing. The bad guys are all competing for the same set of resources. As members of the community trade tips and exploit code, certain botnets become more popularized, and they start competing for access to it. As the resources are consumed, peak sizes level out.”

Motivations

DDoS is traditionally seen as a tool used by politically and religiously motivated hacktivists to make a point. However, DDoS intentions are evolving, particularly with the advent of DDoS-as-a-service. Put simply, IoT botnets have paved the way for a new generation of cheap on-demand services. These dramatically lower the barriers to entry for attackers by eliminating the requirement to have technical knowledge to carry out an offensive.

“Anyone with a PayPal account can make a quick purchase on a WebStresser-like site,” said McKeay. “You could be a 12-year-old that saw a tutorial on a YouTube channel; there’s not a huge amount of technical skills needed to DDoS someone.”

This low bar to entry has given rise to new actors with new kinds of motivations behind attacks. For instance, as with most things in cybercrime, there’s an emerging financial aspect to attacks thanks to the fantastic ROI that some campaigns can offer.

“We are starting to see ransom-driven attacks shifting to DDoS,” explained Newman. “For $10 an hour you can cause enough damage to take a website down. So, you craft a few ransom emails from an anonymous account and ask for Bitcoin in exchange for sparing the target a DDoS attack. You have nothing to lose, really. In the likelihood you get a good hit rate, say one in 1,000, even one in 10,000, you can be making good money as an individual on the back of that.”

Some DDoS-as-a-service providers even have a “try before you buy” function. As a consequence, person-to-person attacks are also on the rise.

“Many of these are gaming attacks,” explained Darren Anstee, CTO of NETSCOUT Arbor. “If I’m a serious player of game X and I want to slow down gameplay for opponents, it’s easy to launch a small, short-lived attack for no money. A lot of people will use it for a social-media beef or gaming issue, or really any personal slight.”

Winning Poker Network CEO Phil Nagy for instance in September 2017 said that his site was hit with a series of 26 separate DDoS attacks over three days; he said they were being carried out by a rival poker room. However, on the other end of the spectrum, adaptive adversaries have appeared. These bad guys are capable of turning a DDoS attack into something akin to a game of chess.

“In a recent campaign we looked at incoming traffic and identified unique strings and started blocking it, but then we saw the attacker change the type of traffic, or change the strings, essentially adapting to the defenses,” said McKeay. “The attackers finally started hitting the DNS server, and if you take that offline then you’ve taken the company offline.”

The level of sophistication indicated a different type of opponent as well.

“Reflection tactics and botnets make attribution almost impossible,” McKeay said. “But someone modifying code and traffic on the fly like that is probably organized crime or a nation-state actor, demonstrating training and skills that aren’t everyday things in the DDoS world. They’re doing stuff with the code and reconfiguring tools as time goes by, across a multi-day project.”

That’s not to say that hacktivism doesn’t still play an important role in fomenting DDoS. NETSCOUT Arbor’s 2017 Worldwide Infrastructure Security Report showed that vandalism together with political and ideological disputes were among the top three motivators of DDoS attacks.

In the build up to Mexico’s presidential elections, for instance, the website of the country’s National Action Party was hit by DDoS after it published documents critical of the leading candidate. NETSCOUT Arbor saw more than 300 attacks per day in Mexico during the period of June 12 and 13, which was 50 percent higher than the normal frequency in the country.

Whether we discuss tactics, motivation or sheer capability, the DDoS threat landscape is becoming more sophisticated and varied over time. And, thanks to the rise of the IoT botnet phenomenon, it’s not an area that’s shrinking in terms of the dangers it poses to both businesses and consumers. The good news is that effective mitigations exist, from basic security awareness on the part of consumers (i.e., change those default passwords), to higher-end traffic inspection and in-stream cleaning functions for enterprises; better collaboration between researchers and law enforcement and the emergence of ISPs getting into the filtering act are also helping.

Source: https://threatpost.com/ddos-attacks-get-bigger-smarter-and-more-diverse/134028/

GDPR Hurts Security but Publicity Might Help

A survey of 900 security professionals conducted by AlienVault at Infosecurity Europe found that spending on GDPR compliance efforts has hindered threat detection but cybersecurity publicity might actually benefit the industry. Additionally, the survey reflected the strong belief that cybersecurity is becoming entrenched in politics.

Of the professionals that participated in the survey, 51% said the additional resources their organizations are spending on GDPR compliance take vital resources away from detecting threats.

In addition, the report noted that not all security publicity is bad. An overwhelming majority (84%) of respondents said that the increased cyber-threat publicity has been very useful. Without offering reasons as to how all of the press coverage is useful, the report stated, “It is likely that large public breaches raise awareness for the need of cybersecurity.”

A majority (56%) believe cybersecurity has become a political pawn, with only 17% disagreeing with that perception. “It’s easy to see why many professionals feel this way. Encryption, in particular, finds itself at the forefront of many discussions, polarizing opinion as to whether or not law enforcement should have ‘back doors’ or other means of accessing communication to crack down on crime,” the report wrote.

Cloud security threats will be the most concerning external threat moving forward, followed by distributed denial-of-service (DDoS) attacks and the international threat landscape, including threats of nation-state attacks.

Phishing is the most concerning internal threat, with 55% of respondents expressing concern that their organization will fall victim to a phishing attack. Ransomware came in at a close second, with 45% of participants ranking it as the most concerning internal threat.

Respondents were asked to select their top threat concerns. More than a quarter (29%) of respondents worry about a shortage of skilled staff, and 27% are concerned about nonmalicious insider mistakes. Less than a quarter (23%) of security professionals fear social media threats.

“The human element of phishing is what makes it attractive to attackers, and [a] concern for security departments. No single control can defend against a phishing attack, and ultimately, humans make mistakes. In fact, human error can be traced back to the root cause of many breaches,” the report stated.

AlienVault said user awareness and education are important, but don’t go far enough in preparing for these types of attacks. To fortify their overall security posture, companies should create a layered defense comprising people, technology and process, according to the report.

Source: https://www.infosecurity-magazine.com/news/gdpr-hurts-security-but-publicity/

Your IoT Is Probably Not A-OK

A few weeks ago, major retailers stopped selling toys from the company CloudPets after more than 2 million recorded messages were leaked in a major security breach. Internet of things (IoT) security breaches are as prevalent as they’re varied. From medical devices and traffic lights to automobiles and toys, each hitherto unconnected device that now joins the big bad world wide web brings additional security mysteries to the fore. And with over 20 billion connected devices projected to be in use by 2020, these are mysteries we must unravel.

There are plenty of reasons for the current gaps in IoT security including a lack of regulation, market failures and stakeholder indifference, although none of these are insurmountable. Even considering these challenges, there are concrete steps that we can take to avoid future IoT mishaps and eventual attacks by an animatronic locust swarm.

IoT Security Challenges

Square Pegs In Round Holes

It’s difficult for organizations to achieve competence in multiple fields. Whenever product companies make an IoT-enabled device, they struggle to reconcile their expertise in their original industry with their unfamiliarity in internet connectivity and security. This results in manufacturers having outdated (if at all) OS and patching features on their products, being lax with password protection and changes and having no regular software update mechanisms to communicate to their customers.

Moreover, many physical products have complex supply chains with outsourced production, cost-saving exercises and clearly defined team structures. It’s an expensive and, from the companies’ point of view, unnecessary undertaking to weave device security into the process when there’s no requirement for it.

And there’s no requirement because of…

Lack Of Regulation

There have been welcome strides in IoT security regulation in recent years. While the IoT Cybersecurity Improvement Act of 2017 is a good start, the industry still lacks a unifying, robust piece of legislation that puts the onus on vendors to comply with requirements or face consequences. And it’s understandable why that’s the case: with IoT still an evolving field, most innovation is carried out by startups that would be hamstrung by having to comply with labyrinthine regulations from the get-go.

Additionally, since IoT sits at the intersection of technology and a bevy of other industries, it’s a challenge to enact legislation that intersects across these industries and doesn’t impose unfair restrictions, but also doesn’t leave requirements too lax to make any difference.

Attack By Proxy

In 2016, major websites experienced outages because of a large DDoS (Distributed Denial of Service) attack. This happened because their domain name provider, Dyn, was forced offline by a botnet that included traditional computing devices as well as IoT devices like webcams and digital video recorders. This incident set a dangerous precedent for how innocuous devices could be “recruited” by attackers and used for malicious purposes without the device owners ever knowing about it.

The range of dangers posed by IoT hacks is so great because of their interconnected and dual nature. Because the devices serve an “offline” purpose (like a TV or fridge) but are also connected to the internet, they can be compromised without affecting their original purpose, making the compromise harder to spot. And because they’re interconnected, one loose stone can quickly lead to an avalanche.

What Can We Do?

Network Segmentation

It?s vital to protect and secure the networks connecting IoT devices to the wilderness of the internet. Because IoT network security is a greater challenge owing to the multitude of protocols, standards and device capabilities at play, its implementation is often incomplete and thus draws the eyes of attackers. A combination of traditional endpoint security features like antivirus software as well as firewalls/IPS features will go a long way toward deterring the use of IoT devices as attack entry points.

Stakeholder Proactivity

Consumers have been trained to care about the security of their computing devices (relatively), but it’s easy for them to forget updating the OS on their toaster, to everyone’s detriment. IoT device users should be proactive in changing passwords from their default (and changing them afterward as well), checking that patches and updates are regularly installed and reporting unusual activities to the relevant authorities immediately.

For their part, IoT device manufacturers should comply with the IoT Cybersecurity Improvement Act by regularly patching software on their devices, providing users the option to change default passwords and communicating with their users about other security best practices as and when they come to light.

Authentication And Encryption

IoT communication often doesn’t have a human in the loop with machine-to-machine “conversations” taking place in the back-end. In this scenario, it becomes vital for the data to be strongly encrypted (along with full key life cycle management) while in transit between devices. Even if the devices themselves are secure, a stray credential key on the public domain can be sniffed out by attackers and become the keyhole they need to jimmy the door.

Automate For Fast Response

Following the “hope for the best, prepare for the worst” adage, enterprises need to be prepared for an IoT breach to occur. Key tools needed here would be a SIEM/detection platform that identifies any anomalies that occur with IoT device behavior, and a security orchestration platform that weaves together data and actions from multiple products to automate incident response.

Platforms that can connect to on-premise security tools, as well as IoT devices through APIs, can make it easier for security teams to recognize the root cause of the attack and execute actions on the IoT devices directly.
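
One concrete form the SIEM/detection layer described above can take, added here as an example that is not from the article or from any product: per-device behavioural baselines. Each IoT device learns which destinations it normally talks to and how much it sends per minute; live samples that add an unseen destination or exceed the volume baseline raise an alert that an orchestration playbook could act on (for instance, isolating the device’s switch port). The device names, addresses, byte counts and thresholds are constructed for the example.

```python
# Added example, not from the article or any vendor product: a per-device
# behavioural baseline for IoT devices, the kind of rule a SIEM would encode.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-minute outbound summaries (not real telemetry):
# (device, destination ip:port, bytes sent during that minute)
BASELINE_SAMPLES = [
    ("cam-lobby", "192.0.2.10:443", 52000),
    ("cam-lobby", "192.0.2.10:443", 48000),
    ("cam-lobby", "192.0.2.10:443", 50000),
    ("cam-lobby", "192.0.2.10:443", 51000),
    ("thermostat-2f", "192.0.2.20:8883", 900),
    ("thermostat-2f", "192.0.2.20:8883", 1100),
    ("thermostat-2f", "192.0.2.20:8883", 1000),
    ("thermostat-2f", "192.0.2.20:8883", 950),
]
LIVE_SAMPLES = [
    ("cam-lobby", "192.0.2.10:443", 49000),        # normal upload to its cloud
    ("cam-lobby", "203.0.113.9:80", 6000000),      # flooding an unknown host
    ("thermostat-2f", "192.0.2.20:8883", 1050),    # normal MQTT traffic
    ("thermostat-2f", "198.51.100.5:23", 400),     # telnet to an unknown host
    ("printer-3f", "192.0.2.30:631", 2000),        # device never baselined
]


def build_baseline(samples):
    """Learn, per device, the known destinations and the typical volume."""
    seen = defaultdict(lambda: {"destinations": set(), "volumes": []})
    for device, dest, nbytes in samples:
        seen[device]["destinations"].add(dest)
        seen[device]["volumes"].append(nbytes)
    return {device: {"destinations": s["destinations"],
                     "mean": mean(s["volumes"]),
                     "stdev": pstdev(s["volumes"])}
            for device, s in seen.items()}


def volume_threshold(profile, sigma=3.0, floor_ratio=0.1):
    """mean + sigma * stdev, with the stdev floored at a fraction of the mean
    so a device with a very steady baseline does not alert on tiny wobbles.
    Both parameters are assumptions to tune per environment."""
    spread = max(profile["stdev"], floor_ratio * profile["mean"])
    return profile["mean"] + sigma * spread


def detect_anomalies(baseline, samples):
    """Return one alert per live sample that deviates from its device's baseline."""
    alerts = []
    for device, dest, nbytes in samples:
        profile = baseline.get(device)
        reasons = []
        if profile is None:
            reasons.append("device has no baseline")
        else:
            if dest not in profile["destinations"]:
                reasons.append("new destination")
            if nbytes > volume_threshold(profile):
                reasons.append("volume spike")
        if reasons:
            alerts.append({"device": device, "destination": dest,
                           "bytes": nbytes, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_SAMPLES), LIVE_SAMPLES):
        print(alert)
```

The two alert reasons map to the two IoT abuses the page describes: a camera suddenly pushing megabytes to a stranger looks like a DDoS bot, while a thermostat opening telnet to an unknown host looks like lateral movement, and both are invisible to the device owner, which is why the network, not the device, has to notice.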

Source: https://www.forbes.com/sites/forbestechcouncil/2018/07/16/your-iot-is-probably-not-a-ok/#3268d52d763d

Critical infrastructure remains insecure

Organisations can no longer afford to leave their systems unprotected from increasingly advanced cyber threats.

The threat to our critical national infrastructure (CNI) system is at an unprecedented high with reported cyber-attacks from a number of factions, suspected infiltrations from nation states, and the NCSC warning that these systems remain a high-profile target and exceptionally vulnerable.

Earlier this month, researchers found that just four lines of code implanted in a device on a factory floor could identify and list networks, trigger controllers and stop processes and production lines. In fact, responding to Corero’s Freedom of Information requests, 70% of critical infrastructure institutions, ranging from police forces to NHS trusts, energy suppliers and water authorities, confirmed they’d experienced service outages in their IT systems within the last two years.

Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life, disruption by preventing access to essential services such as power, transport and the emergency services. Recognizing the damaging impact they can inflict, malicious actors have started crafting malware specifically to target these systems and many believe the next attack is just around the corner.

With the heightened threat, and possibility of significant fines under the new Networks and Information Systems (NIS) directive which came into effect in early May, it’s crucial that organizations implement security measures before damage is done.

Industrial control systems at risk

In recent months, we have seen a greater number of sophisticated cyber threats against all parts of critical infrastructure. Indeed, last October a DDoS attack on the Swedish Railway took out their train ordering system for two days, causing travel chaos. Similarly, last May’s WannaCry ransomware attack caused many NHS systems to be unavailable (e.g. access to patients’ medical records) causing operations to be cancelled. There is no doubt that a successful attack on the more vulnerable management systems can cause widespread disruption. Moreover, such attacks can result in network downtime, which in turn can have a serious economic impact as it can affect production, impact output, cause physical damage and even put people’s lives in danger.

In a separate Corero study last year, we found that most UK critical infrastructure organizations (51%) are potentially vulnerable, because they have not deployed technology that can detect or mitigate short-duration, surgical DDoS attacks on their networks. Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators, because even a short period of downtime or latency can significantly impact the delivery of essential services. Indeed, DDoS attacks can disrupt the availability of critical services we use as part of our everyday life, while potentially allowing attackers to plant weaponized malware. Critical infrastructure operators, including energy, transport, communications and emergency services, should not be leaving DDoS attack protection to chance.

Attackers are taking advantage of the escalating number of industrial IoT devices, which underscores the growing risk of very large botnet-based DDoS attacks. These devices are transforming industrial sectors by reducing costs and providing better visibility of networks, processes and security. However, despite their benefits, these devices suffer from basic security vulnerabilities, and it is precisely this lack of security that makes them such an attractive target for hackers.

NIS Directive introduces changes to critical infrastructure security

Protecting critical infrastructure from cyber-attacks has become a top government priority. The EU's NIS Directive, adopted into UK law as the NIS Regulation, aims to raise levels of security and resilience of network and information systems. Indeed, now that the legislation is implemented into UK law, critical infrastructure outages will have to be reported to regulators, who have the power to impose financial penalties of up to £17 million on providers of infrastructure services that fail to protect against cyber-attacks on their networks. Consequently, operators of essential services and industrial control systems need to up their game to be resilient to today's cyber-threats. However, rather than being seen as just more red tape, or a financial telling-off for non-compliance, the regulation should be seen as a golden opportunity to improve the UK's cyber-security posture.

Best practices

Despite the huge fines and multiple warnings, 11% of the critical infrastructure organizations that responded to Corero's 2018 study admitted that they do not always ensure that patches for critical vulnerabilities are routinely implemented within 14 days, as recommended within the Government's 10 Steps to Cyber Security guidance. Paradoxically, almost all the organizations that responded to the request (98%) are following government advice about network security, by adhering to the Network Security section of the 2012 guidance.

To reduce the risk of a catastrophic outcome that risks public safety, organizations need to ensure their industrial control systems are secure.

Organizations need to take a serious look at their own operating model and ensure that robust protection against cyberthreats is in place. It is not acceptable that service and data loss should be excused, under any circumstances, when the technology and services to provide proper protection are available today.

One of the biggest challenges that organisations running critical infrastructure systems now have is that they are increasingly connecting those networks to the broader IT infrastructure, for reasons of operational efficiency and effectiveness. The potential for hackers to access these devices from the outside and change settings, or to launch DDoS attacks that block local changes from taking effect, could be very damaging indeed, depending on the systems being targeted. Organisations vulnerable to such attacks need to ensure they are putting the right protection in place, including real-time automatic DDoS protection, as even small attacks getting through, for even a short period of time, could have serious implications.

In addition, to avoid smart devices being enslaved into DDoS botnets, organizations need to pay close attention to the network settings for those devices and, where possible, protect them from access to the Internet and to other devices.

Organizations can include IoT devices alongside regular IT asset inventories and adopt basic security measures like changing default credentials and rotating a selection of strong Wi-Fi network passwords regularly.

Businesses can certainly protect their networks from DDoS attacks fueled by IoT-driven botnets by deploying an always-on, automated solution at the network edge, which can detect unusual network activity and prevent threats from entering the network, in real time.
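The short-duration, surgical floods described above are exactly what a per-interval baseline check at the network edge is meant to catch. The following is an added illustration, not code from the article or from Corero's products: it groups constructed flow records (timestamp, source, destination, bytes) into one-second windows per destination, learns a baseline from the most recent windows that were not themselves flagged, and raises an alert when a window exceeds that baseline by a large factor. The flow records, the gateway address 10.0.0.5, the 192.0.2.0/24 (documentation range) source addresses and the thresholds are all constructed for the example; a real deployment would feed it NetFlow/sFlow or edge packet counters.

```python
"""Sliding-window flood detector over per-destination traffic volume.

Added example (not from the article). Flags any window whose byte count
exceeds a multiple of the baseline learned from recent normal windows.
Flagged windows are excluded from the baseline so a flood lasting several
seconds does not hide itself by inflating its own reference level.
"""
from collections import defaultdict, deque
from statistics import mean

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, bytes).
# ~5 KB/s of background traffic towards the gateway 10.0.0.5, then a
# two-second burst of 200 sources x 1000 bytes from the 192.0.2.0/24 range.
SAMPLE_FLOWS = []
for t in range(15):
    if 10 <= t < 12:
        for i in range(200):
            SAMPLE_FLOWS.append((t + i / 1000.0, f"192.0.2.{i + 1}", "10.0.0.5", 1000))
    else:
        for i in range(5):
            SAMPLE_FLOWS.append((t + i / 10.0, f"10.0.1.{i + 1}", "10.0.0.5", 1000))


def bucket_flows(flows, window=1.0):
    """Sum bytes and collect distinct sources per (destination, window index)."""
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for ts, src, dst, nbytes in flows:
        b = buckets[(dst, int(ts // window))]
        b["bytes"] += nbytes
        b["sources"].add(src)
    return buckets


def detect_bursts(flows, window=1.0, history=5, factor=10.0, floor=1000):
    """Return one alert dict per (destination, window) whose byte volume
    exceeds `factor` times the mean of the last `history` normal windows.

    `floor` is a minimum baseline so a quiet destination does not alert on
    trivial traffic. The first `history` windows only seed the baseline.
    """
    buckets = bucket_flows(flows, window)
    per_dst = defaultdict(dict)
    for (dst, idx), b in buckets.items():
        per_dst[dst][idx] = b

    alerts = []
    for dst in sorted(per_dst):
        series = per_dst[dst]
        normal = deque(maxlen=history)  # byte counts of recent unflagged windows
        for idx in range(min(series), max(series) + 1):
            cur = series.get(idx, {"bytes": 0, "sources": set()})
            if len(normal) < history:
                normal.append(cur["bytes"])  # still learning the baseline
                continue
            baseline = max(mean(normal), floor)
            if cur["bytes"] > factor * baseline:
                alerts.append({
                    "dst": dst,
                    "window": idx,
                    "bytes": cur["bytes"],
                    "sources": len(cur["sources"]),
                    "baseline": baseline,
                })
            else:
                normal.append(cur["bytes"])
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_FLOWS):
        print(f"ALERT dst={a['dst']} window={a['window']}s bytes={a['bytes']} "
              f"sources={a['sources']} baseline={a['baseline']:.0f}")
```

Run on the constructed flows, the detector reports windows 10 and 11 against 10.0.0.5 (200,000 bytes from 200 sources versus a 5,000-byte baseline) and stays quiet for the surrounding normal seconds. The point of the example is the baseline handling: a volume check alone would miss the second second of a burst if the burst had already been folded into its own reference level.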

Source: https://www.itproportal.com/features/critical-infrastructure-remains-insecure/
