Category - DoS

Discord was down due to Cloudflare outage affecting parts of the web
DDoS Attacks Target Multiple Games including Final Fantasy XIV, Assassin’s Creed
Who’s hacking into UK unis? Spies, research-nickers… or rival gamers living in res hall?
DDoS attacks are getting even larger
Your data center’s IT is lock-tight, are the facility’s operations?
Critical infrastructure remains insecure
GDPR: A tool for your enemies?
AppSec in the World of ‘Serverless’
2018: Snapshot of the Most Important Worldwide Cybersecurity Laws, Regulations, Directives and Standards
Hacker-for-hire behind series of attacks identified

Discord was down due to Cloudflare outage affecting parts of the web

Popular chat service Discord experienced issues today due to network problems at Cloudflare and a wider internet issue. The app was inaccessible for its millions of users, and even Discord’s website and status pages were struggling. Discord’s problems could be traced to an outage at Cloudflare, a content delivery network. Cloudflare started experiencing issues at 7:43AM ET, and this caused Discord, Feedly, Crunchyroll, and many other sites that rely on its services to have partial outages.

Cloudflare says it’s working on a “possible route leak” affecting some of its network, but services like Discord have been inaccessible for nearly 45 minutes now. “Discord is affected by the general internet outage,” says a Discord statement on the company’s status site. “Hang tight. Pet your cats.”

“This leak is impacting many internet services including Cloudflare,” says a Cloudflare spokesperson. “We are continuing to work with the network provider that created this route leak to remove it.” Cloudflare doesn’t name the network involved, but Verizon is also experiencing widespread issues across the East Coast of the US this morning. Cloudflare notes that “the network responsible for the route leak has now fixed the issue,” so services should start to return to normal shortly.

Cloudflare explained the outage in an additional statement, commenting that “Earlier today, a widespread BGP routing leak affected a number of Internet services and a portion of traffic to Cloudflare. All of Cloudflare’s systems continued to run normally, but traffic wasn’t getting to us for a portion of our domains. At this point, the network outage has been fixed and traffic levels are returning to normal.”


DDoS Attacks Target Multiple Games including Final Fantasy XIV, Assassin’s Creed

A set of DDoS attacks plagued a series of gaming publishers, including Final Fantasy XIV’s creator Square Enix and Assassin’s Creed publisher Ubisoft, on the day of the Assassin’s Creed Odyssey launch on Friday.

Ubisoft began experiencing connectivity issues around Oct. 4, when officials first tweeted an alert to users informing them of issues; actual attacks began surfacing around 7:48 am CT on Oct. 5, 2018 and affected Ubisoft games such as Rainbow Six Siege and For Honor.

“We’re currently experiencing a series of DDoS attacks, which unfortunately are a common occurrence for almost all online service providers,” Ubisoft posted on an official forum addressing the incident. “This may impact connections to our games as well as server latency, and we are taking steps to mitigate this issue.”

Later that day Square Enix announced that it was also fighting off an attack aimed towards its popular MMORPG, Final Fantasy XIV, although it is unclear if the attacks are connected or not.

In response to the high-profile incident, Corero Network Security’s Director of Product Management Sean Newman said it was “somewhat bemusing why some providers of online gaming platforms appear to still accept a certain air of inevitability when it comes to suffering as the result of DDoS attacks.”

“With solutions available which can protect against DDoS automatically, and in real-time, help is at hand to keep games online, avoid lag, and ensure that player confidence and bottom lines, are preserved,” he continued.

Overall, many gamers noted that 2018 has been a relatively peaceful year for the online gaming community compared to previous years that were plagued by rampant DDoS attacks carried out by the Lizard Squad and other threat actors.




Who’s hacking into UK unis? Spies, research-nickers… or rival gamers living in res hall?

Report fingers students and staff for academic cyber-attacks

Who’s hacking into university systems? Here’s a clue from the UK higher education tech crew at Jisc: the attacks drop dramatically during summer break.

A new study from Jisc (formerly the Joint Information Systems Committee) has suggested that rather than state-backed baddies or common criminals looking to siphon off academic research and personal information, staff or students are often the culprits in attacks against UK higher education institutions.

The non-profit body, which provides among other things internet connectivity to universities, analysed 850 attacks in the 2017-18 academic year and found a consistent pattern that occurred during term time and the UK working day.

Holidays brought with them a sharp reduction in attacks, from a peak 60-plus incidents a week during periods of the autumn term to a low of just one a week at times in the summer. It acknowledged that part of the virtual halt in summer may be down to cops and Feds cracking down on black hat distributed denial-of-service tools in the months prior, however.

Jisc is perhaps better known among Reg readers for providing the Janet network to UK education and research institutions.

Its data covered cyber-attacks against almost 190 universities and colleges and focused on denial-of-service and other large-scale infosec hits rather than phishing frauds and malware.

Staff and students with a grudge or out to cause mischief are more credible suspects in much of this rather than external hackers or spies. More sophisticated hackers might be inclined to use DDoS as some sort of smokescreen.

In a blog post, Jisc security operations centre head John Chapman admitted some of the evidence suggesting staff and students might be behind DDoS attacks is circumstantial. However, he pointed out evidence from law enforcement and detected cyber assaults supported this theory. For example, a four-day DDoS attack the unit was mitigating against was traced back to a university hall of residence and turned out to be the result of a feud between two rival gamers.

Whoever might be behind them, the number of incidents is growing. Attacks are up 42 per cent to reach this year’s 850; the previous academic year (2016-17) witnessed fewer than 600 attacks against fewer than 140 institutions.

Matt Lock, director of solutions engineers at Varonis, said: “This report is another reminder that some of the biggest threats facing organisations today do not involve some hoodie-wearing, elusive computer genius.”

Education is targeted more often than even the finance and retail sectors, according to McAfee research (PDF).

Nigel Hawthorn, data privacy expert at McAfee, commented in March:

“The kind of data held by universities (student records/intellectual property) is a valuable commodity for cyber criminals, so it is crucial that the security and education sectors work together to protect it.


DDoS attacks are getting even larger

Average DDoS attack is five times stronger this year, compared to the year before.
The average DDoS attack is five times stronger this year, compared to the year before, and the biggest DDoS attack is four times stronger than last year’s strongest, according to new reports.

Nexusguard’s Q2 2018 Threat Report analysed thousands of DDoS attacks worldwide and came to the conclusion that the average DDoS attack is now bigger than 26 Gbps, and the maximum attack size is now 359 Gbps.

IoT botnets are still largely in use, mostly because of the increasing number of IoT-related malware exploits, as well as the huge growth in large-scale DDoS attacks.

The report says that CSPs and susceptible operations should “enhance their preparedness to maintain their bandwidth, especially if their infrastructure doesn’t have full redundancy and failover plans in place”.

“The biggest zero-day risks can stem from various types of home routers, which attackers can exploit to create expansive DDoS attacks against networks and mission-critical services, resulting in jumbo-sized attacks intended to cripple targets during peak revenue-generating hours,” said Juniman Kasman, chief technology officer for Nexusguard. “Telcos and other communications service providers will need to take extra precautions to guard bandwidth against these supersized attacks to ensure customer service and operations continue uninterrupted.”

User Datagram Protocol (UDP) is the attacker’s favourite tool, with more than 31 per cent of all attacks using this approach. Because it is connectionless, it makes it easy for botnets to generate floods of traffic at scale.

The top two sources of these attacks are the US and China.


Your data center’s IT is lock-tight, are the facility’s operations?

Data centers are the lifeblood of the enterprise, allowing for scale never before imagined and access to critical information and applications.

Businesses are increasingly migrating to the cloud, making the role of the data center more and more valuable. In 2017 alone, companies and funds invested more than $18 billion in data centers, both a record and nearly double that of 2016. But as much growth as this unparalleled level of computing has given SMBs to the enterprise, a level of risk remains, and data center operators often aren’t looking in the right places when identifying security threats.

As these data centers evolve, so too do the tools and techniques used by hackers, both novice and pro. Securing the physical spaces that house these critical facilities is becoming more important by the day, and operators are doing themselves a disservice by solely focusing on IT as the only line of defense against attacks. Often, the physical operation of the building is the wide-open door for a hacker to exploit, and if done correctly, can cause as much devastation as an attack on software.

Even if data center operators think their security operation is lock-tight, there still are several important considerations to ensure a holistic plan is in place. The bottom line? If these important measures haven’t been incorporated as part of a data center’s security plan and ongoing upgrades, there is risk to the entire operation.

Your physical operation is more connected

Smoke detection, CCTV, power management systems and your cooling control are all becoming increasingly more connected. The Internet of Things (IoT) has allowed building management systems to become far more advanced than ever imagined when managing the more industrial side of your operation. But as these once-mechanical and manual systems start talking, there also are far more opportunities for malicious damage.

If they aren’t already, IT and building operations must be in constant contact, updating one another about the most recent changes to either one’s systems. Without this important dialogue, processes and standards change in a vacuum and can leave back doors open for hackers.

Threats are evolving

Your security plan should too. Many times, operators are solely worried about the data inside the servers, and don’t consider external threats. Gaining access to secure and encrypted servers takes an extremely experienced and skilled hacker. However, infrastructure like HVAC or fire control sprinkler systems are far less complicated to access for a less seasoned cyber-criminal.

While a DDoS attack or breach can be dangerous, a cooling operation taken offline or activated fire sprinklers can be downright devastating. Hackers consider this low-hanging fruit, and are almost always looking to do the most damage. Consider updating your security plan with a roadmap of every physical system in place, and sit down with building operations to address potential new areas of weakness.

Consider outside advice to ensure security

No single person can be expected to be an expert on the security of all physical assets. Consulting with a third party that understands how facilities and IT should be working together within a data center can be an extremely valuable investment.

Consider this: Gartner has estimated that a single minute of network downtime costs $5,600 on average. That’s certainly not a huge sum if the interruption is only 10 minutes due to a DDoS attack, but consider the damage if servers catch fire because of a cooling system shutdown. If a data center spends weeks cleaning up physical damage to a poorly secured physical operation, the results could be devastating.

To provide true security, data center operators have to stop assuming hackers can only do damage in the zeros and ones. In reality, as systems become more advanced, true security at data centers is reliant on a close relationship between IT and facilities, making sure they frequently and accurately communicate about changes, upgrades and observations at their operations. Not doing so risks a lot more than a little downtime.


Critical infrastructure remains insecure

Organisations can no longer afford to leave their systems unprotected from increasingly advanced cyber threats.

The threat to our critical national infrastructure (CNI) system is at an unprecedented high with reported cyber-attacks from a number of factions, suspected infiltrations from nation states, and the NCSC warning that these systems remain a high-profile target and exceptionally vulnerable.

Earlier this month, researchers found that just four lines of code implanted in a device on a factory floor could identify and list networks, trigger controllers and stop processes and production lines. In fact, responding to Corero’s Freedom of Information requests, 70% of critical infrastructure institutions (ranging from police forces to NHS trusts, energy suppliers and water authorities) confirmed they’d experienced service outages in their IT systems within the last two years.

Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life, disruption by preventing access to essential services such as power, transport and the emergency services. Recognizing the damaging impact they can inflict, malicious actors have started crafting malware specifically to target these systems and many believe the next attack is just around the corner.

With the heightened threat, and possibility of significant fines under the new Networks and Information Systems (NIS) directive which came into effect in early May, it’s crucial that organizations implement security measures before damage is done.

Industrial control systems at risk

In recent months, we have seen a greater number of sophisticated cyber threats against all parts of critical infrastructure. Indeed, last October a DDoS attack on the Swedish Railway took out their train ordering system for two days, causing travel chaos. Similarly, last May’s WannaCry ransomware attack caused many NHS systems to be unavailable (e.g. access to patients’ medical records), causing operations to be cancelled. There is no doubt that a successful attack on the more vulnerable management systems can cause widespread disruption. Moreover, such attacks can result in network downtime, which in turn can have a serious economic impact as it can affect production, impact output, cause physical damage and even put people’s lives in danger.

In a separate Corero study last year, we found that most UK critical infrastructure organizations (51%) are potentially vulnerable, because they fail to detect or mitigate short-duration surgical DDoS attacks on their networks and have not deployed technology which can detect or mitigate such attacks. Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators, because even a short amount of downtime or latency can significantly impact the delivery of essential services. Indeed, DDoS attacks can disrupt the availability of critical services we use as part of our everyday life, while potentially allowing attackers to plant weaponized malware. Critical infrastructure operators, including energy, transport, communications and emergency services, should not be leaving DDoS attack protection to chance.

Attackers are taking advantage of the escalating number of industrial IoT devices, which underscore the growing risk of very large botnet-based DDoS attacks. These devices are transforming industrial sectors by reducing costs and providing better visibility of networks, processes and security. However, despite their benefits, these devices suffer from basic security vulnerabilities and it is precisely this lack of security that makes them such an attractive target for hackers.

NIS Directive introduces changes to critical infrastructure security

Protecting critical infrastructure from cyber-attacks has become a top government priority. The EU’s NIS Directive, adopted into UK law as the NIS Regulation, aims to raise levels of security and resilience of network and information systems. Indeed, now that the legislation is implemented into UK law, critical infrastructure outages will have to be reported to regulators, who have the power to impose financial penalties of up to £17 million on providers of infrastructure services that fail to protect against cyber-attacks on their networks. Consequently, operators of essential services and industrial control systems need to up their game to be resilient to today’s cyber-threats. However, rather than being seen as just more red tape, or a financial telling off for non-compliance, the regulation should be seen as a golden opportunity to improve the UK’s cyber-security posture.

Best practices

Despite the huge fines and multiple warnings, 11% of the critical infrastructure organizations that responded to Corero’s 2018 study admitted that they do not always ensure that patches for critical vulnerabilities are routinely implemented within 14 days, as recommended within the Government’s 10 Steps to Cyber Security guidance. Paradoxically, almost all the organizations that responded to the request (98%) are following government advice about network security, by adhering to the Network Security section of the 2012 guidance.

To reduce the risk of a catastrophic outcome that risks public safety, organizations need to ensure their industrial control systems are secure.

Organizations need to take a serious look at their own operating model and ensure that robust protection against cyberthreats is in place. It is not acceptable that service and data loss should be excused, under any circumstances, when the technology and services to provide proper protection are available today.

One of the biggest challenges that organisations running critical infrastructure systems now have is that they are increasingly connecting those networks to the broader IT infrastructure, for reasons of operational efficiency and effectiveness. The potential for hackers to access these devices from the outside and change settings, or to launch DDoS attacks to block local changes from taking effect, could be very damaging indeed, depending on the systems being targeted. Organisations vulnerable to such attacks need to ensure they are putting the right protection in place, including real-time automatic DDoS protection, as even small attacks getting through, for even a short period of time, could have serious implications.

In addition, to avoid smart devices being enslaved into DDoS botnets, organizations need to pay close attention to the network settings for those devices and, where possible, protect them from access to the Internet and to other devices.

Organizations can include IoT devices alongside regular IT asset inventories and adopt basic security measures like changing default credentials and rotating a selection of strong Wi-Fi network passwords regularly.

Businesses can certainly protect their networks from DDoS attacks fueled by IoT-driven botnets by deploying an always-on, automated solution at the network edge, which can detect unusual network activity and eliminate threats from entering a network, in real-time.


GDPR: A tool for your enemies?

Every employee at your organisation should be prepared to deal with right to be forgotten requests.

It’s estimated that 75% of employees will exercise their right to erasure now that GDPR (General Data Protection Regulation) has come into effect. However, less than half of organisations believe that they would be able to handle a “right to be forgotten” (RTBF) request without any impact on day-to-day business.

These findings highlight the underlying issues we’re seeing in the post-GDPR era and how the new regulations put businesses at risk of being non-compliant. What is also worrying is that there are wider repercussions for organisations not being prepared to handle RTBF requests.

No matter how well business is conducted, there is always the possibility of someone who holds a grudge against the company and wants to cause disruption to daily operations. One way to do this, without resorting to a standard cyber-attack, is through inundating an organisation with RTBF requests. Especially when the company struggles to complete one request, this can drain a company’s resources and grind the business to a halt. In addition to this, failing to comply with the requests in a timely manner can result in a non-compliance issue: a double whammy.

An unfortunate consequence of the new GDPR regulations is that the right to erasure is free to submit, meaning it is more likely customers or those with a grudge will request to have their data removed. There are two ways this can be requested. The first is a simple opt-out, to remove the name (usually an email address) from marketing campaigns. The other is a more time-consuming, complex discovery and removal of all applicable data. It is this second type of request where there is a potential for hacktivists, aggrieved customers, or other cyber-attackers to weaponise the regulation requirement.

One RTBF request is relatively easy to handle (as long as the company knows where its data is stored, of course), and the organisation actually has a month to complete the request from the day it was received. However, if a company is inundated with requests coming in on the same or consecutive days, it becomes difficult to manage and has the potential to heavily impact daily operations. This kind of attack is comparable to Distributed Denial of Service (DDoS) attacks, for example the attack on the UK National Lottery last year which saw its entire online and mobile capabilities knocked out for hours because cyber criminals flooded the site with traffic: companies become overloaded with so many requests that they have to stop their services entirely.

When preparing for a flood of RTBF requests, it is essential that all organisations have a plan in place that streamlines processes for discovery and deletion of customer data, making it as easy as possible to complete multiple requests simultaneously.

Don’t let your weakest link be your downfall

The first thing to consider is whether or not the workforce is actually aware of what to do should an RTBF request come in (let alone hundreds). Educating all employees on what to do should a request be made, including who in the company to notify and how to respond to the request, is essential in guaranteeing an organisation is prepared. It will mean that any RTBF request is dealt with both correctly and in a timely manner. The process must also have clearly defined responsibilities and actions able to be audited. For companies with a DPO (Data Protection Officer) or someone who fulfils that role, this is the place to begin this process.

Discovering data is the best defence

The key to efficiency in responding to RTBF requests is discovering the data. This means the team responsible for the completion of requests is fully aware of where all the data for the organisation is stored. Therefore, a complete list of where the data can be found, and how to find it, is crucial. While data in structured storage such as a database or email is relatively simple to locate and action, it is the unstructured data, such as reports and files, which is difficult to find and is the biggest culprit of draining time and resources.

Running a “data discovery” exercise is invaluable in helping organisations achieve an awareness of where data is located, as it finds data on every system and device from laptops and workstations to servers and cloud drives. Only when you know where all critical data is located can a team assess its ability to delete it and, where applicable, remove all traces of a customer. Repeating the exercise will highlight any gaps and help indicate where additional tools may be required to address the request. Data-At-Rest scanning is frequently found as one part of a Data Loss Prevention (DLP) solution.

Stray data: a ticking time bomb

Knowing where data is stored within the organisation isn’t the end of the journey, however. The constant sharing of information with partners and suppliers also has to be taken into account, and for this, understanding the data flow into and out of the company is important. Shared responsibility clauses within GDPR rules mean that all partners involved with critical data are liable should a breach happen or an RTBF request cannot be completed. If critical data sitting with a partner is not tracked by the company that received the RTBF request, it makes it impossible to truly complete it and the organisation could face fines of up to 20 million EUR (or 4% of their global turnover). Therefore, it’s even more important to know how and where critical data is moving at all times, minimising the sharing of information to only those who really need to know.

While there is no silver bullet to prevent stray data, there are a number of technologies which can help to control the data which is sent both in and out of a company. Implementing automated solutions, such as Adaptive Redaction and document sanitisation, will ensure that no recipient receives unauthorised critical data. This will build a level of confidence around the security of critical data for both the organisation and the customer.

With the proper processes and technologies in place, dealing with RTBF requests is a straightforward process, whether it is a legitimate request or an attempt by hacktivists or disgruntled customers to wreak havoc on an organisation. Streamlining data discovery processes and controlling the data flowing in and out of the company will be integral in allowing a business to complete an RTBF request and ultimately defend the organisation against a malicious use of GDPR.


AppSec in the World of ‘Serverless’

The term ‘application security’ still applies to ‘serverless’ technology, but the line where application settings start and infrastructure ends is blurring.

“Serverless” computing is essentially an application deconstructed to its atomic unit: a function. Function-as-a-Service (FaaS) would actually be a better name, but the whole XaaS naming scheme is a bit, shall I say, PaaSé. (Oops, couldn’t resist!) So, instead, we have “serverless” to drive home the idea that application developers don’t need to think about servers any longer. They can focus their energies on creating countless glorious functions, and in the cloud, no less.

In concept, this continues the industry trend of making a starker separation in software delivery services, as well as extending the micro-services trend to the next stage of decomposition, or the breaking down of monolith applications. Here are some key concepts to understand about serverless in the context of application security (AppSec) and infrastructure.

Code Still Matters
A serverless function is a piece of application code. As such, little changes when it comes to AppSec fundamentals, for example, defending against injection attacks. Query strings and string concatenation of file names are still bad. Not paying attention to encoding is bad. Serialization attacks still occur, and so on. Similarly, applications still use third-party libraries, which could have known vulnerabilities and should be vetted. Serverless doesn’t make those problems go away. (For an excellent talk, see “Serverless Security: What’s Left To Protect,” by Guy Podjarny.)

On the other hand, because security practitioners have placed a great deal of attention on infrastructure settings and services, the line where application settings start and infrastructure ends is now blurry.

Infrastructure Shift
Because serverless extends what the infrastructure provides, it shifts the shared security model. Just as in the case of cloud computing, where the provider takes responsibility for the security “of the cloud” (hardware, network, compute, storage, etc.) while leaving the customer responsible solely for security “in the cloud” (operating system, authentication, data, etc.), serverless reduces the responsibility of the customer further.

Serverless infrastructure eliminates the need for operations to constantly update OS patches. Further, the execution environment is in an ephemeral container, with a read-only file system and highly restrictive permissioning. Controls like these greatly improve inherent security. But they also have their own limitations, such as /tmp being writable, and “ephemeral” doesn’t strictly mean a repaved instance between each invocation.

Most attacks against serverless applications succeed through a combination of the aforementioned limitations (which are still significant improvements over typical containerized instances), app-level exploits, and taking advantage of services in the cloud infrastructure, such as poorly configured AWS IAM. (The talk “Gone in 60 Milliseconds,” by Rich Jones, outlines chaining examples.) It’s highly instructive to understand the anatomy of such attacks. My main takeaway: The road to hell is paved with default settings.

Greater dependency on infrastructure also mutates some of the threats. In the case of DDoS attacks, the infrastructure can scale to meet the demands; hence, DDoS effectiveness is diminished. However, it’s not the sky that’s the limit but your wallet. Major cloud providers simply do not put utilization caps in place for many reasons. One reason? They don’t want to be held responsible for an involuntary shutdown of service based on a monetary threshold. The most you can do is set up billing alerts, and thus was born the “denial of wallet” attack.

The Threat of Serverless Sprawl
Fundamentally, the above concerns present few unique risks not shared by customers with apps running on plain EC2 instances. However, managing sprawl does present a novel challenge for serverless. The reason: Serverless functions are like tribbles. They start out small and cute, but then they proliferate, and you end up neck-deep in them. Suddenly, what was meant to be simple is simple no longer.

As the number of functions multiplies without a means of easily managing the access controls of serverless functions, the application security posture is greatly threatened. For instance, the principle of least privilege is easy with few functions, but as functions proliferate, often with ill-defined requirements, maintaining secure settings rapidly becomes harder.

Fighting Fire with Fire
Serverless provides a way to scale, so why not use it to scale serverless security? When it comes to the “three R’s of security” (rotate, repave, repair), serverless functions provide an excellent mechanism to build security into deployment. For instance, AWS already provides a means to rotate keys using Lambda functions. Moreover, serverless functions are basically in continuously repaved containers, and practitioners have been writing lambdas to automatically fix security mistakes. In fact, there’s a lot of untapped potential in No. 10 on the OWASP Top Ten: Insufficient Logging and Monitoring. Lambda functions that operate on CloudTrail logs to identify threats and perform automatic remediation have intriguing potential.
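To make the two ideas above concrete (least-privilege drift as functions multiply, and a Lambda that watches CloudTrail for threats), here is an added Python example; it is not code from the article, from AWS or from any project the article mentions. The event shape, the AccessDenied threshold and the sample records are assumptions made for the example.

```python
"""Added example (not code from the article or from AWS): a Lambda-style
handler that scans a batch of CloudTrail records for two things the text
points at: an inline IAM policy granting a function role wildcard
permissions, and repeated AccessDenied errors from one function identity.
Assumes the CloudTrail log-file body ({"Records": [...]}) is the event;
fetching it from S3 is left out so the example runs offline."""
import json
from collections import Counter

ACCESS_DENIED_THRESHOLD = 3   # assumed tuning value, not an AWS setting
INLINE_POLICY_EVENTS = {"PutRolePolicy", "PutUserPolicy", "PutGroupPolicy"}

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def wildcard_statements(policy_document):
    """Return the Allow statements of an IAM policy (JSON string or dict) whose
    Action is '*' or 'service:*' and whose Resource is '*'."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    bad = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
        if wild_action and "*" in _as_list(stmt.get("Resource")):
            bad.append(stmt)
    return bad

def check_inline_policy(record):
    """Flag Put*Policy calls whose policyDocument (a JSON string in CloudTrail)
    contains a wildcard grant; least privilege is what sprawl erodes first."""
    if record.get("eventName") not in INLINE_POLICY_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    if not wildcard_statements(params.get("policyDocument", "{}")):
        return None
    principal = params.get("roleName") or params.get("userName") or params.get("groupName")
    return {
        "rule": "wildcard-inline-policy",
        "principal": principal,
        "policyName": params.get("policyName"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        # A remediating Lambda could call the matching Delete*Policy API here;
        # this example only reports the suggested action.
        "suggested_remediation": f"delete inline policy {params.get('policyName')} from {principal}",
    }

def check_access_denied(records):
    """Count AccessDenied errors per caller identity. A function that keeps
    hitting AccessDenied is misconfigured or is being driven to probe for
    permissions it never needed (OWASP Top Ten A10, logging and monitoring)."""
    denials = Counter((r.get("userIdentity") or {}).get("arn", "unknown")
                      for r in records if r.get("errorCode") == "AccessDenied")
    return [{"rule": "repeated-access-denied", "actor": arn, "count": n}
            for arn, n in denials.items() if n >= ACCESS_DENIED_THRESHOLD]

def scan_records(records):
    findings = [f for f in (check_inline_policy(r) for r in records) if f]
    findings.extend(check_access_denied(records))
    return findings

def lambda_handler(event, context=None):
    """Entry point in the Lambda handler shape."""
    return {"statusCode": 200, "findings": scan_records(event.get("Records", []))}

# Constructed sample records (not real logs), following the CloudTrail record shape.
def _denied(arn):
    return {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
            "errorCode": "AccessDenied", "userIdentity": {"arn": arn}}

def _put_role_policy(role, name, statement):
    return {"eventTime": "2018-10-05T12:48:00Z", "eventSource": "iam.amazonaws.com",
            "eventName": "PutRolePolicy",
            "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"},
            "requestParameters": {"roleName": role, "policyName": name,
                                  "policyDocument": json.dumps({"Version": "2012-10-17",
                                                                "Statement": [statement]})}}

THUMB_FN = "arn:aws:sts::111122223333:assumed-role/thumb-fn-role/thumb-fn"
SAMPLE_RECORDS = [
    _put_role_policy("image-resize-fn", "quick-fix",
                     {"Effect": "Allow", "Action": "*", "Resource": "*"}),
    _put_role_policy("thumb-fn-role", "read-input",
                     {"Effect": "Allow", "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::thumbs-in/*"}),
    _denied(THUMB_FN), _denied(THUMB_FN), _denied(THUMB_FN),
    _denied("arn:aws:sts::111122223333:assumed-role/other-fn-role/other-fn"),
]

if __name__ == "__main__":
    print(json.dumps(lambda_handler({"Records": SAMPLE_RECORDS}), indent=2))
```

On the sample batch the scan reports the wildcard grant to image-resize-fn and the three denials from thumb-fn, while the scoped read-only policy and the single denial from the other function pass.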

Serverless is neither the end-all and be-all, nor does it make irrelevant lessons learned from AppSec. It nonetheless provides an exciting opportunity to build more secure apps in the cloud (serverless or otherwise), with some pitfalls to beware of along the way.

The Future?
Vendors, tools, and processes will need to evolve to fit naturally into the structure of serverless application construction. Some solutions, such as host/container security tools, may become less relevant in some respects due to the shift in responsibility. But those that can manage security concerns on the functional level (both build and run times) and manage infrastructure at scale will enable serverless to fulfill its goal of providing a more secure means of delivering cloud applications.


2018: Snapshot of the Most Important Worldwide Cybersecurity Laws, Regulations, Directives and Standards

Are you out of breath from the breakneck pace of cyberattacks since the start of 2018? Throughout the world, nearly daily news reports have been filed detailing the results of incredibly effective cyberattacks ranging from small companies to nation-states. The sum total of these attacks has permanently and dramatically changed the information security threat landscape. This change hasn’t gone unnoticed by the regulators and now, depending on where your business operates, you have accrued even more work to demonstrate your diligence against these threats.

Among the numerous lessons drawn from this carnage is that cyberattacks have become an existential threat to many countries, as attacks ranging from financial services to power generation facilities threaten the fidelity and integrity of numerous industrial segments. As a result, regulators throughout the world are stepping in to try to drive meaningful action where they believe it is required. Normally these early efforts are the harbingers of future legislation and give birth to standard approaches and forums in which to debate the efficacy of those approaches.

Since 2014 there have been 10 noteworthy efforts:

  • Effort #1: National Institute of Standards and Technology’s Cybersecurity Framework (U.S.)
  • Effort #2: Office of the Superintendent of Financial Institutions (OSFI) Memorandum (Canada)
  • Effort #3: Federal Financial Institutions Examination Council (FFIEC) Joint Statement on DDoS Cyber Attacks, Risk Mitigation and Additional Resources (U.S.)
  • Effort #4: Securities & Exchange Commission Cyber Exams (U.S.)
  • Effort #5: Office of the Comptroller of the Currency (OCC) Guidance (U.S.)
  • Effort #6: National Credit Union Administration (NCUA) Risk Alert (U.S.)
  • Effort #7: EU’s NIS Directive (EU)
  • Effort #8: EU’s GDPR (EU)
  • Effort #9: EU’s Regulation Against Geo-IP-based Blocking of EU Member Countries or Economies (EU)
  • Effort #10: Growth of Country-Specific Cybersecurity Laws such as Korean Cyber Laws (Korea)

Each of these efforts has taken a different approach, but they seem to share a similar ethos. Let’s explore each in a little more depth:

National Institute of Standards and Technology’s (NIST) Cybersecurity Framework

In response to a presidential directive, on Oct. 22nd the U.S. National Institute of Standards and Technology (NIST) released the latest version of its cybersecurity framework, which aims to better secure U.S. companies and government agencies. The new draft goes into significantly greater detail than the version released Aug. 28th, which laid out higher-level principles of the framework, including items referred to as “pillars.” NIST laid out three central pillars of the framework, which are designed to provide industry and government alike with a common cybersecurity taxonomy, establish goals and intended targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders. The final framework was announced in February 2014. Many viewed this framework as the seed that would spawn numerous industry requirements throughout the U.S.

Office of the Superintendent of Financial Institutions (OSFI) DDoS Memorandum

Earlier this year, large Canadian-based banks were hit by cyberattacks whereby one or more hackers used a brute-force “denial-of-service” attack to disable some banks’ websites and mobile applications. Attacks such as these were reminiscent of Operation Ababil, which began in September 2012 and focused on attacking the websites of large U.S.-based banks. Those attacks were similar to the Canadian attacks: they slowed down website operations and left many bank sites inoperative for a significant portion of their customers. Mindful of this very real threat and the need to manage risk, on October 28, 2013, the Office of the Superintendent of Financial Institutions (OSFI) released a memorandum to federally regulated Canadian financial institutions (FRFIs) discussing the measures that FRFIs should be taking to prevent, manage and remediate cyberattacks. The memorandum states that cybersecurity is growing in importance because: (i) FRFIs increasingly rely on technology; (ii) the financial sector is interconnected; and (iii) FRFIs play a critical role in our economy. As part of this memorandum, OSFI has required all FRFIs to conduct a self-assessment of the risks and take actions against those risks. OSFI also will be reviewing the fidelity of the assessment and the corresponding risk mitigation steps.

Back in 2005, the OSFI established the Canadian Cyber Incident Response Centre (CCIRC) with a mandate to collaborate with the private sector in responding to the threat of cyberattack.

Last year, however, a report from the country’s auditor general showed that the government had made only limited progress, with gaps in protection, especially at the CCIRC, which at the time was only open during business hours, limiting its ability to provide timely information for stakeholders. OSFI suggests in its cybersecurity self-assessment that financial firms should work with the CCIRC, which has since had its hours extended.

FFIEC Joint Statement: Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources (US)

The Federal Financial Institutions Examination Council (FFIEC) members are issuing statements to notify financial institutions of the risks associated with cyberattacks on Automated Teller Machine (ATM) and card authorization systems and the continued distributed denial-of-service (DDoS) attacks on public-facing websites. The statements describe steps the members could expect institutions to take to address these attacks and highlight resources institutions can use to help mitigate the risks posed by such attacks.

The members also expect financial institutions to address DDoS readiness as part of their ongoing information security and incident plans. More specifically, each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate.

Specifically, the FFIEC is guiding its members to do the following:

  1. Maintain an ongoing program to assess information security risks that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
  2. Monitor internet traffic to the institution’s website to detect attacks;
  3. Activate incident response plans and notify service providers, including internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
  4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
  5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly, and sharing the information can help institutions to identify and mitigate new threats and tactics; and
  6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

Securities and Exchange Commission Cyber Exams (U.S.)

The SEC announced inaugural exams of member companies along with a list of questions they will use.

If you are not aware, the SEC governs most of the financial services that do not fall under FFIEC jurisdiction. So, all mutual funds, wealth management firms and hedge funds (among many others) are regulated NOT by FFIEC guidelines but by SEC guidelines. Unlike the FFIEC and its regulatory arms (OCC, FDIC, OTS and NCUA), up to this point the SEC did conduct ad hoc reviews; however, routine security reviews were maintained.

Office of the Comptroller of the Currency Guidance (U.S.)

In December 2012, the Office of the Comptroller of the Currency (OCC) notified its member financial institutions that DDoS attacks were on the rise and that it expected them to take steps to identify the risks associated with the attacks and to notify the OCC and others if they are under attack. The guidance reads as follows:

“Recently, various sophisticated groups launched distributed denial of service (DDoS) attacks directed at national banks and federal savings associations (collectively, banks). Each of the groups had different objectives for conducting these attacks ranging from garnering public attention to diverting bank resources while simultaneous online attacks were under way and intended to enable fraud or steal proprietary information. This alert provides a general description of the attacks, along with risk mitigation information and sources of related risk management guidance. The alert also reiterates the Office of the Comptroller of the Currency’s (OCC) expectations that banks should have risk management programs to identify and appropriately consider new and evolving threats to online accounts and to adjust their customer authentication, layered security, and other controls as appropriate in response to changing levels of risk.

The OCC expects banks that are victims of or adversely affected by a DDoS attack to report this information to law enforcement authorities and to notify their supervisory office. Additionally, banks should voluntarily file a Suspicious Activity Report (SAR) if the DDoS attack affects critical information of the institution including customer account information, or damages, disables or otherwise affects critical systems of the bank.”

National Credit Union Administration Risk Alert (U.S.)

In February 2013, the National Credit Union Administration (NCUA) issued a Risk Alert to member credit union institutions on “Mitigating Distributed Denial-of-Service Attacks.” The alert included the following verbiage:

“The increasing frequency of cyber-terror attacks on depository institutions heightens the need for credit unions to maintain strong information security protocols. Recent incidents have included distributed denial-of-service (DDoS) attacks, which cause internet-based service outages by overloading network bandwidth or system resources. DDoS attacks do not directly attempt to steal funds or sensitive personal information, but they may be coupled with such attempts to distract attention and/or disable alerting systems.”

The alert clearly conveyed the sense of urgency and the ferocity of the attacks, and made plain that the issues extend beyond the availability of credit union systems.

No one can say for certain how all of this will play out; however, given the increased frequency, directed attacks, and effectiveness of the techniques, we can safely assume that regulators and government legislators will take heed of public calls to action and will continue to drive prescriptive steps for all relevant organizations to follow.

European Union Security of Network Information Systems (NIS) Directive 2016/2018

In July 2016, the European Parliament set into policy the Directive on Security of Network and Information Systems (the NIS Directive).

The directive went into effect in August 2016, and all member states of the European Union were given 21 months to incorporate the directive’s regulations into their own national laws. The aim of the NIS Directive is to create an overall higher level of cybersecurity in the EU. The directive significantly affects digital service providers (DSPs) and operators of essential services (OESs). Operators of essential services are organizations engaged in critical societal or economic activities whose operations would be greatly affected by a security breach. Both DSPs and OESs are now held accountable for reporting major security incidents to Computer Security Incident Response Teams (CSIRTs). While DSPs are not held to regulations as stringent as those for operators of essential services, DSPs that are not established in the EU but still operate there still face regulation. Even if DSPs and OESs outsource the maintenance of their information systems to third parties, the NIS Directive still holds them accountable for any security incidents.

The member states of the EU are required to create a NIS directive strategy, which includes the CSIRTs, in addition to National Competent Authorities (NCAs) and Single Points of Contact (SPOCs). Such resources are given the responsibility of handling cybersecurity breaches in a way that minimizes impact. In addition, all member states of the EU are encouraged to share cyber security information.[23]

Security requirements include technical measures that manage the risks of cybersecurity breaches in a preventative manner. Both DSP and OES must provide information that allows for an in-depth assessment of their information systems and security policies. All significant incidents must be notified to the CSIRTs. Significant cybersecurity incidents are determined by the number of users affected by the security breach as well as the longevity of the incident and the geographical reach of the incident.

European Union General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR aims to bring a single standard for data protection among all member states in the EU. Changes include the redefining of geographical borders. It applies to entities that operate in the EU or deal with the data of any resident of the EU. Regardless of where the data is processed, if an EU citizen’s data is being processed, the entity is now subject to the GDPR.

Fines are also much more stringent under the GDPR and can total €20 million or 4% of an entity’s annual turnover, whichever is higher. In addition, as in previous regulations, all data breaches that affect the rights and freedoms of individuals residing in the EU must be disclosed within 72 hours.

The overarching body, the EU Data Protection Board (EDPB), is in charge of all oversight set by the GDPR.

Consent plays a major role in the GDPR. Companies that hold data in regards to EU citizens must now also offer to them the right to back out of sharing data just as easily as when they consented to sharing data.

In addition, citizens can also restrict processing of the data stored on them and can choose to allow companies to store their data but not process it, which creates a clear differentiation. Unlike previous regulations, the GDPR also restricts the transfer of a citizen?s data outside of the EU or to a third party without a citizen?s prior consent.

What Does It Mean for Online Business and Cloud Service Providers?

For online businesses and cloud service providers, GDPR compliance means adherence to the principles of “Privacy by Design” and “Data Protection by Design” during the design, development, implementation and deployment of web applications or services and any components or services associated with them. With the rapid adoption of cloud services, there is a heightened concern with regard to the readiness of these applications and services. A recent study conducted by Symantec/Bluecoat shows that 98% of today’s cloud applications do not even come close to being GDPR-ready.

WAF, DDoS and the GDPR

Based on recital 39 of the GDPR, personal data should be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorized access to or use of personal data and the equipment used for the processing. Recital 49 goes further by requiring the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems. The recital literally says “This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.” This would include brute force login attempts and automated mitigation techniques outlined in the OWASP Top 10 requirement for PCI compliance.

Most businesses will face the urgent need for increasing protection on published applications and services on all topics and purposes of data leak prevention, access control, web-based attack prevention and denial of service prevention. Leading providers of cloud and on-premise web application and API protection services as well as on-demand, always-on cloud and hybrid denial of service mitigation services do provide an adequate solution for this acute need. A fully managed WAF and DDoS Cloud service provides a fast route to check off one of the regulatory compliance boxes and a worry-free GDPR compliance strategy.

European Union Ban on Geo-IP Blocking of Member States 2018

In February 2018, the European Council adopted a regulation to ban unjustified geo-blocking in the internal market. The European Council has emphasized repeatedly the importance of the digital single market strategy and called for speeding up the implementation of the strategy, which includes the removal of remaining barriers to the free circulation of goods and services sold online and tackling unjustified discrimination on the grounds of geographic location.

The EU declared geo-blocking a discriminatory practice that prevents online customers from accessing and purchasing products or services from a website based in another member state.

The new law will remove barriers to e-commerce by avoiding discrimination based on customers’ nationality, place of residence or place of establishment.

The end of geo-blocking of internet addresses of EU countries will significantly disrupt many mainline cyber defense strategies of many companies and countries. Moreover, this new complication is not well understood and alternatives are not always easy to implement.

The EU regulation goes into full effect in December 2018.

Payment transactions whereby:

Unjustified discrimination of customers in relation to payment methods will be forbidden. Therefore, traders will not be allowed to apply different payment conditions for customers for reasons of nationality, place of residence or place of establishment.

Non-discrimination for e-commerce website access whereby:

Traders will not be allowed to block or limit customers’ access to their online interface for reasons of nationality or place of residence. A clear explanation will have to be provided if a trader blocks or limits access or redirects customers to a different version of the online interface.

On the positive side, the EU believes that the end of geo-blocking will mean wider choice and consequently better deals for consumers and more opportunities for businesses.

Growth of Country-Specific Cybersecurity Regulations such as Korean Cyber Laws

In Korea, there are various laws, regulations and guidelines that promote cybersecurity: two general laws (the Network Act and the Personal Information Protection Act (PIPA)) and other laws targeting specific areas, as discussed below.

The Act on the Promotion of IT Network Use and Information Protection (the Network Act) plays an important part in promoting cybersecurity in terms of protecting personal information and enhancing data security in the context of IT networks. The Network Act also prohibits any unauthorized access to a network system by means of a transfer or distribution of a program that may damage, destroy, alter or corrupt the network system, or its data or programs. Under the Network Act it is prohibited to cause disruption of an ICN by intentionally disturbing network operations with large volumes of signals or data or with superfluous requests. Any violation shall be subject to imprisonment of not more than five years or a penalty of not more than KRW 50 million.

There are additional targeted statutes, such as the Electronic Financial Transactions Act (EFTA), which includes provisions prohibiting electronic intrusion into the network systems of financial companies; data protection for financial companies is mandated in the Regulation on Supervision of Electronic Financial Activities (the RSEFA), an administrative regulation subordinate to the EFTA. Under the EFTA, any attack on financial systems using programs such as viruses, logic bombs or email bombs, with the intention of destroying or disrupting financial systems, shall be subject to imprisonment of not more than 10 years or a penalty of not more than KRW 100 million.

In contrast with the laws mentioned above, which are more focused on the protection of data, the Protection of Information and Communications Infrastructure Act (PICIA) is more engaged with the protection of information and communications infrastructure against “electronic intrusion”, which is defined as an act of attacking information and communications infrastructure by hacking, computer viruses, logic bombs, email bombs, denial of service, high-power electromagnetic waves and other means.


Hacker-for-hire behind series of attacks identified


A young man, surnamed Chung, has been identified as the alleged hacker behind a series of attacks on the Ministry of Justice’s Investigation Bureau, the Presidential Office, Chunghwa Telecom Co and the central bank, the bureau said yesterday.

Investigators believe Chung has launched distributed denial-of-service (DDoS) attacks and uploaded the videos of those attacks to YouTube, the bureau’s Taipei office said.

Chung’s motive is apparently to advertise his hacker-for-hire Web site, which he set up with Poland-based hackers in February and has since attracted more than 2,000 members, the bureau said.

The Web site bills itself as the most powerful DDoS attack service provider in the nation, and performs cyberattacks and stress testing for users who pay with bitcoin, the bureau said.

On Monday, investigators questioned Chung at his residence and seized an unspecified number of devices, the bureau said.

Data extracted from his computer showed that Chung has carried out more than 20,000 attacks on networks worldwide, including government offices, online gambling firms and financial holding companies, the bureau said.

Since many of the attacks were staged as proof of ability, they tended to occur late at night and the duration was less than a minute, it said.

As a result, many institutions allegedly targeted by Chung were unaware that their network services had been disrupted, it added.

Five people are being investigated on suspicion that they hired Chung to carry out cyberattacks, it said.

The bureau urged government agencies and private companies to improve their protection against DDoS attacks.

