Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
DDoS Attacks: Protecting Your Business from Critical Disruption

In March 2018, developer platform GitHub was struck by the most powerful DDoS (distributed denial-of-service) attack ever recorded. How big? 1.35 terabits of traffic was hitting GitHub each second. Still, GitHub was not without its defenses. Within 10 minutes of the attack starting, GitHub’s DDoS mitigation service stepped in to combat it. It routed all incoming and outgoing traffic through scrubbing and blocked the malicious packets responsible. Such decisive action paid off. The attack ended eight minutes after the service took over, and GitHub was back on track after just five minutes of downtime. Without such a fast, effective response, the outcome of the attack might have been much worse.

A DDoS attack is a fairly cold-blooded attempt to disrupt the normal operation of a server, service or network by bombarding it with excessive traffic. Such attacks use a number of compromised computer systems to mount the assault, overwhelming the target system and crowding out genuine traffic. GitHub had been targeted before, with an attack lasting six days in 2015.

A company or organization’s website can be severely affected by a DDoS attack, potentially costing it a great deal of money in lost business. In fact, the average cost of a DDoS attack for businesses rose to more than $2.5 million in 2017. Research highlights just how common DDoS disruptions are for many companies: a staggering 849 of the 1,010 enterprises questioned had been hit by a DDoS attack, and DDoS disruption was estimated to cost target businesses as much as $100,000 per hour. These figures make for disturbing reading, especially for smaller companies on a much tighter budget than their larger competitors. Still, even for global corporations the risk of a DDoS attack can be incredibly troubling: after all, they may have more to lose. Effective cybersecurity and preparation have never been more vital.
Every cent available must be channeled into reinforcing your business against potential threats. Still, this is easier said than done: cybercrime and security can be daunting. To help you understand how best to defend yourself against DDoS attacks, we have explored some of the most effective options below.

Get to know the symptoms

Recognizing the signs of an incoming DDoS attack can make a significant difference to how you handle it. There is no real warning for a DDoS attack, though. While some hackers may issue threats, there will generally be nothing other than the assault itself. As you might not browse your own website much on a day-to-day basis, it may not be until customers begin complaining about its performance that the warning bells start to sound. However, certain other clues will tip you off:
The earlier you’re able to spot the warning signs, the sooner you can start to act.

Have a plan

Every business should have a plan in place for a potential DDoS attack. Once you confirm that your system has been targeted, you can turn to your plan and follow it. Being prepared reduces the likelihood of panic or of mistakes that exacerbate the disruption. Make sure all key players from each department are alerted to the situation and understand how best to handle it at their end. If everyone can work together and focus on damage limitation, you’re more likely to come out of the attack with minimal impact. Companies that have no preparations for such a situation could waste valuable time trying to make sense of it.

Know how to prioritize

You will only have limited access to your system during a DDoS attack. Focus on keeping the highest-value services and applications running to preserve as much ‘normal’ function as possible. Again, this comes down to planning: you should have an immediate idea of which areas can be let go and which must be the priority.

Pay attention to your network security

Conducting regular security audits of your network is an effective way to keep your system protected. Take a close look at the strength of passwords (particularly for the most vulnerable areas), review which employees have access to key data, and run comprehensive checks on software. Do you have the most up-to-date versions? Have any known security risks come to light with an application you’re using? A network security audit may not be enough in itself to defend your business against a DDoS attack, but it can play a large part in the process. Incorporate it into ongoing workplace routines: make sure it becomes a habit and is never overlooked. Letting your system go without proper audits and preparation can leave it vulnerable to attack.
Being complacent and assuming your business will escape the attention of cybercriminals is never a smart move.

Turn to the professionals

Your system security is paramount to keeping your business up and running. Not only does your entire flow of service depend on effective protection, so too does your customers’ experience. Lengthy downtime can leave buyers with little choice but to start looking elsewhere if you cannot meet their needs. On top of this, they may wonder how safe their personal and financial data are within your company. Hiring a professional cybersecurity firm to defend your system against DDoS attacks can help to take the strain. You will be free to focus on other areas of running your business while the experts handle the heavy lifting. Are you concerned about your company’s vulnerability to DDoS attacks? What steps have you taken to safeguard your system? Share your thoughts and ideas below and contact us today to protect your organization.

DDoS Attacks: Dangers and Ways to Protect your Network

DDoS (Distributed Denial of Service) attacks continue to make headlines. In the past week, one such act caused severe traffic issues during a key political debate in Mexico, affecting a website opposing presidential candidate Andres Manuel Lopez Obrador. Elections are set to take place on 1 July, and the target domain has been openly critical of his policies. During the attack, 185,000 visits took place in just 15 minutes; the majority originated in China and Russia. This was a blatant attempt to crash the site, and the culprits have yet to be identified. Identifying them can be incredibly difficult, as the traffic originates from compromised systems whose owners are disrupting sites involuntarily. This isn’t the first time DDoS attacks have disrupted political websites, and countries are taking action to defend themselves. The US Election Assistance Commission has dedicated over $380m in funding for cybersecurity.
DDoS attacks defined

As discussed above, DDoS attacks involve flooding the target website with traffic from numerous origin points, possibly numbering in the thousands. As a result, stopping the attack in its tracks is basically impossible; there’s no single IP address causing the issue, and blocking all traffic would restrict access for legitimate visitors. They differ from DoS attacks, which involve just a single computer and IP address flooding a vulnerable system. There are a few common types of DDoS attack, including traffic-based ones. Bandwidth attacks are another danger: they overload the system with overwhelming loads of ‘junk’ data, disrupting network bandwidth, and can cause a total denial of service. Application DDoS attacks use data messages to exhaust the application layer’s resources and make the system unable to function as it should. When a website is unable to provide its customers or members with the services they expect, it can damage their reputation and disrupt their revenue. There’s a risk to security too, with consumers left wondering how safe their personal data may be. This is a major concern for today’s more tech-savvy users, who are much more aware of the dangers that lax security measures and cyber-attacks pose.

Taking action against DDoS attacks

How can you protect your network against DDoS attacks and ensure your business or organization is prepared to handle one if the worst happens?

Minimize the potential

Minimizing the surface area that would be vulnerable to attack is key, as it essentially reduces the number of options available to would-be DDoS attackers. To do this, consider guarding resources with load balancers or content distribution networks. You can also place restrictions on traffic reaching vital parts of your system, such as your database servers, for further protection.

Create a plan of action

You need a plan for every major cybersecurity risk threatening your business and customers.
With a DDoS plan, the key aspect is determining how you will keep delivering services if an attack manages to disrupt your system. Make sure everyone within your company is aware of what a DDoS attack is, how it may manifest, and how their work would be affected. The aim is for your company as a whole to be able to roll with the proverbial punches, minimizing the disruption and getting back on track as soon as possible.

Get to know the signs

It’s best to learn the warning signs of an impending DDoS attack. While high-volume situations are common and can be damaging, low-volume ones may be triggered by troublemakers as a test of your network’s capabilities. These attacks allow cybercriminals to identify potential holes in your security. Pay attention to your average traffic patterns. This may help you spot significant changes in geographic sources and volumes, enabling you to take preventative action before the attack is fully underway.

Capture the packet

When you notice a DDoS attack is in effect, try to spot its key characteristics in order to take action against it. DDoS attacks typically rely on traffic volumes your system simply can’t handle, and while it may be impossible to sort the ‘good’ traffic from the ‘bad’ perfectly, you can identify telltale similarities between sources. Run a quick packet capture of the attack, and you should be able to find similarities fairly easily, as the majority of traffic hitting your website will be part of the attack. Giveaway details might reveal themselves in the user agent or URI, and once you find a pattern you’ll be able to initiate a block via router ACL or firewall. Routers and firewalls can stop specific IP addresses and filter unnecessary protocols, but they’re not a complete defense against high-volume attacks. Firewalls in particular should not be depended on to keep your entire network safe.
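As an added illustration (not part of the original post), the Python below runs that pattern-matching step over a handful of constructed web-server log lines: it parses combined-format entries, reports any user agent or URI path that dominates the request mix, and derives the source list for a block rule from the combination of both fields rather than from the path alone, which a legitimate visitor may share. The log lines, the IP addresses and the use of iptables as the blocking point are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of combined-format access log lines (not real traffic).
# Four sources with an old MSIE user agent hammer /search with varying
# query strings; three other clients browse normally, one of them also
# hitting /search.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Oct/2016:12:00:01 +0000] "GET /search?q=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [21/Oct/2016:12:00:01 +0000] "GET /search?q=2 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [21/Oct/2016:12:00:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"
198.51.100.7 - - [21/Oct/2016:12:00:02 +0000] "GET /search?q=3 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [21/Oct/2016:12:00:02 +0000] "GET /search?q=4 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.11 - - [21/Oct/2016:12:00:03 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Macintosh) Safari/604.1"
198.51.100.8 - - [21/Oct/2016:12:00:03 +0000] "GET /search?q=5 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [21/Oct/2016:12:00:03 +0000] "GET /search?q=6 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.12 - - [21/Oct/2016:12:00:04 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux) Firefox/56.0"
198.51.100.7 - - [21/Oct/2016:12:00:04 +0000] "GET /search?q=7 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# Combined log format: ip ident user [time] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Attack tools often randomise the query string; compare on the path only.
    rec["path"] = rec["uri"].split("?", 1)[0]
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def dominant_value(records, field, threshold=0.5):
    """(value, share) for the most common value of `field` if that value
    accounts for at least `threshold` of all requests, otherwise None."""
    if not records:
        return None
    value, count = Counter(r[field] for r in records).most_common(1)[0]
    share = count / len(records)
    return (value, share) if share >= threshold else None


def sources_matching(records, **criteria):
    """Sorted client IPs whose requests match every given field value."""
    return sorted({r["ip"] for r in records
                   if all(r[k] == v for k, v in criteria.items())})


def block_plan(records, threshold=0.5):
    """IPs to block: those matching both the dominant user agent and the
    dominant path. Requiring both keeps a normal client that merely shares
    the popular path out of the list."""
    ua = dominant_value(records, "ua", threshold)
    path = dominant_value(records, "path", threshold)
    if ua is None or path is None:
        return []
    return sources_matching(records, ua=ua[0], path=path[0])


def iptables_rules(ips):
    """Render a block list as iptables drop rules (assumed filtering point)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for field in ("ua", "path", "ip"):
        print(field, "->", dominant_value(recs, field))
    print("\n".join(iptables_rules(block_plan(recs))))
```

No single IP dominates the sample, which is exactly why the per-source view alone is useless here and the shared user agent and path carry the signal.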
Again, having a plan in place and being prepared to shift gears is critical to minimizing the disruption as much as possible. DDoS attacks are, sadly, not going to go away any time soon. Your business or organization has to take the steps necessary to stay as protected as possible and put a contingency plan in place to stop your infrastructure collapsing if an attack takes place. Working with cybersecurity specialists and running a vulnerability assessment of your network can help you prepare. Want to know more about the options available to you? Give our expert team a call!

Huawei IoT Exploit Code Meant for DDoS Attack Released to the Public

Another malware code meant to cause distributed denial-of-service (DDoS) has recently been made public on the Pastebin website. The publication of the code of a DDoS threat can’t be taken lightly. Whenever new cyberexploits become publicly available, cybercriminals are quick to add them to their attack arsenal. When the Mirai malware code – another DDoS threat – was made public, it unleashed unprecedented DDoS attacks. The newly published malware code is a Mirai variant and particularly targets the vulnerability in the Huawei home router model HG532. According to security researchers at NewSky Security, the newly published malware has already been used in cyberattacks, including the Satori DDoS attack. With the release of the full working code of this Mirai variant, security researchers at NewSky Security said that “we expect its usage in more cases by script kiddies and copy-paste botnet masters.” Considering that Huawei retains a significant share of the router market, exploitation of these IoT devices can have a significant effect. According to IDC, Huawei's total router market share increased from 18.9% in the 2nd quarter of 2016 to 25.2% in the 2nd quarter of 2017.

What is Satori?

Satori is an updated variant of the Mirai malware. It particularly exploits the vulnerability in the Huawei home router model HG532.
The vulnerability allows remote code execution, enabling attackers to access and make changes to Huawei home routers found in different parts of the world. Unlike the Mirai malware, which relies on default usernames and passwords to infect IoT devices, Satori doesn’t need usernames and passwords. Security researchers at Qihoo 360 Netlab said, “The bot [Satori] itself now does NOT rely on loader/scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm like behavior is quite significant.” According to the security researchers at Qihoo 360 Netlab, in December 2017 the Satori malware was able to infect over 280,000 Huawei routers in just 12 hours. In November 2017, security researchers at Check Point reported that hundreds of thousands of Satori exploits had already been found in the wild. Check Point discreetly informed Huawei about the security vulnerability, and soon thereafter the company issued a security update. “An authenticated attacker could send malicious packets to port 37215 to launch attacks,” Huawei said in acknowledging the Satori exploit. “Successful exploit could lead to the remote execution of arbitrary code.”

What is Mirai?

Satori’s code is based on the Mirai malware code. In late September 2016, the hacker known simply as “Anna-senpai” made the Mirai code public. What the original Mirai did was use the internet to search for IoT devices (including wireless cameras and routers) with weak security – particularly those with default usernames and passwords – take control of these devices, and use them to attack targets such as other computers and websites. According to Anna-senpai, 380,000 IoT devices were infected with the Mirai malware to stage a DDoS attack against the Krebs on Security website. Barely a month after Mirai was published online, the DDoS attacks against Dyn happened. Dyn is a domain name service (DNS) provider on which many websites rely.
The DDoS attacks against Dyn resulted in the temporary shutdown of popular websites like Amazon, Twitter and Netflix. “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dyn said in a statement. According to the company, 100,000 IoT devices infected with the Mirai malware were used to attack its infrastructure. In early December last year, three men, Paras Jha, Josiah White and Dalton Norman, pleaded guilty to creating and operating the Mirai malware in violation of the US Computer Fraud and Abuse Act. “In the summer and fall of 2016, White, Jha, and Norman created a powerful botnet – a collection of computers infected with malicious software and controlled as a group without the knowledge or permission of the computers’ owners,” the US Department of Justice said in a statement. The US Department of Justice added, “The defendants used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers.” Jha, in particular, pleaded guilty to conducting a series of DDoS attacks against networks of Rutgers University from November 2014 to September 2016. The DDoS attack on Rutgers University, according to the Department of Defense, temporarily shut down the university’s central authentication server, which maintained the gateway portal through which students, faculty and staff deliver assignments and assessments. According to the US Department of Justice, White, Jha and Norman’s involvement with the original Mirai ended in the fall of 2016, when Jha publicly released the source code of Mirai.
The Justice Department said, “Since then, other criminal actors have used Mirai variants in a variety of other attacks.” US Acting Assistant Attorney General Cronan said that Mirai is a powerful reminder that “as we continue on a path of a more interconnected world, we must guard against the threats posed by cybercriminals that can quickly weaponize technological developments to cause vast and varied types of harm.” Since the release of the Mirai code, there has also been a noticeable increase in DDoS-for-hire – groups of cybercriminals that provide paying customers with a distributed denial of service (DDoS) attack service to anonymously attack any internet-connected target. Imperva Incapsula reported that in the third quarter of 2017, the majority (90.2%) of DDoS attacks were under 10 Mpps and were predominantly the result of DDoS-for-hire activity. DDoS attacks are costly. They can make your organization’s website slow or inaccessible. They can disrupt business activities, prevent customers from accessing online accounts and bring about significant costs in remedying the DDoS effects.

Prevention

Huawei recommends the following measures to prevent your Huawei routers from being infected by the Satori malware:
Contact us at The Driz Group if you want more information on how to protect your business from DDoS attacks in under an hour, with no hardware to buy, and no resources or ongoing maintenance.

DDoS Threat Landscape in 3rd Quarter of 2017

They're getting more powerful and persistent. This is how Imperva Incapsula described the global distributed denial-of-service (DDoS) threat landscape in the 3rd quarter of 2017. In its Global DDoS Threat Landscape Q3 2017 report, Imperva Incapsula defined a DDoS attack as a “persistent, distributed denial of service event” against a particular IP address or domain. Imperva Incapsula counts a DDoS event as a single attack when it lasts at least 60 minutes and is preceded and followed by attack-free periods of the same duration or longer. “In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer,” is how the United States Computer Emergency Readiness Team (US-CERT) defines a DDoS attack. “By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is ‘distributed’ because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.” Imperva Incapsula identifies two types of DDoS attacks: network layer attacks and application layer attacks. A network layer attack is defined as a DDoS attack that causes network saturation by consuming much of the available bandwidth. Attacks of this type are measured in million packets per second (Mpps) and gigabits per second (Gbps) – referring to the amount of bandwidth they consume per second. An application layer attack, meanwhile, is defined as a DDoS attack that aims to bring down a server by exhausting its processing resources – CPU or RAM – with a high number of requests.
Attacks of this type are measured in requests per second (RPS) – referring to the number of processing tasks initiated per second.

Network Layer DDoS Attacks

In terms of network layer attacks, 90.2% were under 10 Mpps, 4.8% between 10 and 50 Mpps, 2.1% between 50 and 100 Mpps and 2.9% above 100 Mpps. The largest network layer attack recorded last quarter reached 299 Gbps. According to Imperva Incapsula, attacks under 10 Mpps were mostly the result of DDoS-for-hire activities.
On average, each network layer attack target suffered 17.7 attacks in the span of the quarter, while the most repeatedly attacked victim encountered 714 attacks in the same period.

Top Attacked Industries

The Imperva Incapsula report showed that online gambling is the number one industry targeted by network layer DDoS attackers (34.5%), followed by gaming (14.4%), internet services (10.8%), financials (10.1%), retail (5.8%), IT and software (5.8%), media and publishing (5.8%), cryptocurrency or bitcoin platforms (3.6%), transportation (2.2%) and telecom (1.4%). The following reasons were put forward for why over a third of network layer DDoS attacks targeted gambling sites and related services:
The report also found that 3 out of 4 bitcoin sites were attacked in the last quarter. The relatively high number of DDoS attacks on cryptocurrency exchanges and services observed in the 3rd quarter of 2017 was attributed to the recent staggering spike in the price of bitcoin, which more than doubled over the quarter.

Top Attacked Countries

Hong Kong was the most targeted, with 31% of the total global network layer DDoS attacks, followed by the US (19%), Germany (12.8%), Philippines (7.6%), China (7.2%), Taiwan (7.1%), Singapore (4.4%), Malaysia (3.9%), Japan (0.8%) and Canada (0.8%). Almost a third of the network layer DDoS attacks last quarter went to Hong Kong as a result of a large-scale campaign against a Hong Kong-based hosting service provider. Taiwan and the Philippines also made it to the top 10 list as a result of large campaigns targeting gambling websites in these countries.

Application Layer DDoS Attacks

In terms of application layer DDoS attacks, on average, each victim suffered 17.7 attacks in the span of the quarter, while the most repeatedly attacked victim encountered 714 attacks in the same period. The US ranked as the most targeted country in terms of application layer DDoS attacks (53.3%), followed by Netherlands (8.8%), Singapore (6.3%), Belgium (5%), Italy (4.4%), Germany (3.9%), Russia (3.1%), Japan (3.1%), Hong Kong (1.8%) and Australia (1.5%).

DDoS BOTNET

Imperva Incapsula’s global DDoS threat report for the 3rd quarter of 2017 showed that attackers use botnets – groups of malware-infected IoT devices – to carry out DDoS attacks. These malware-infected IoT devices are remotely controlled by attackers, and device owners have no knowledge that their devices are used for DDoS attacks. In terms of attack requests, 16.9% came from China, 7.6% from Vietnam, 7.2% from Turkey, 5.7% from the US and 4% from India.
Meanwhile, in terms of the number of attacking devices, 42.5% came from China, 11.1% from the US, 5.4% from Vietnam, 2.9% from India and 2.2% from Turkey.

DDoS Mitigating Measures

The main distinction between a network layer DDoS attack and an application layer DDoS attack is that they target different resources. A network layer DDoS attack tries to clog the network, for instance by consuming much of the available bandwidth, while an application layer DDoS attack attempts to drain resources like CPU and memory. Because these 2 types of DDoS attacks target different resources, they are also executed differently, and mitigating each of them needs a substantially different set of security methods. It’s also important to take into consideration the difference between Gbps and Mpps for mitigation purposes. Gbps is the measure of the total load placed on a network, also known as throughput, while Mpps is a measure of the rate at which packets are delivered, also known as forwarding rate. For instance, if your organization’s DDoS mitigation solution has the capability to handle 100 Gbps and process packets at a rate of 20 Mpps, a 50 Gbps DDoS attack at a rate of 40 Mpps can still bring down your organization’s network.
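The worked capacity check below is an added example (not from the report or the original post) that carries the 100 Gbps / 20 Mpps figures through: it treats throughput and forwarding rate as two independent limits, derives the average packet size an attack implies, and shows why the same bandwidth is harmless with large packets but overloads the same device with small ones. The capacity and attack numbers are the ones quoted above; the 1500-byte packet size is an assumption for the comparison.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MitigationCapacity:
    """Two independent limits of a mitigation/scrubbing path."""
    gbps: float  # throughput it can absorb (total load)
    mpps: float  # forwarding rate it can process (million packets/s)


def packet_rate_mpps(gbps, avg_packet_bytes):
    """Packet rate (Mpps) implied by a bandwidth and an average packet size."""
    bits_per_packet = avg_packet_bytes * 8
    return gbps * 1e9 / bits_per_packet / 1e6


def avg_packet_bytes(gbps, mpps):
    """Average packet size (bytes) implied by a bandwidth and a packet rate."""
    return gbps * 1e9 / (mpps * 1e6) / 8


def assess(attack_gbps, attack_mpps, capacity):
    """Check an attack against both limits; exceeding either one is enough
    to overload the path, regardless of how much headroom the other has."""
    exceeded = []
    if attack_gbps > capacity.gbps:
        exceeded.append("throughput (Gbps)")
    if attack_mpps > capacity.mpps:
        exceeded.append("forwarding rate (Mpps)")
    return {
        "overloaded": bool(exceeded),
        "exceeded": exceeded,
        "avg_packet_bytes": avg_packet_bytes(attack_gbps, attack_mpps),
    }


if __name__ == "__main__":
    cap = MitigationCapacity(gbps=100, mpps=20)
    # The article's case: half the throughput budget, twice the packet budget.
    print(assess(50, 40, cap))
    # Assumed comparison: a full 100 Gbps of 1500-byte packets is only ~8.3 Mpps.
    print(assess(100, packet_rate_mpps(100, 1500), cap))
```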
Adding guaranteed DDoS mitigation to your application or network does not have to be complicated, and does not require an upfront investment. Connect with us today to better understand all available options, and secure your web applications and networks.
11/18/2017

Beware of DDoS-for-Hire

Distributed denial-of-service (DDoS) attacks have become a public menace. DDoS was once a tool used by hacktivists to further their social or political ends. In recent years, DDoS has become a tool for purely financial gain and for utter destruction. DDoS-for-hire services, also known as stressers or booters, have grown in recent years. One DDoS-for-hire organization offers its DDoS service for a monthly fee of $7. A simple online search using the keyword “stressers” or “booters” will yield a number of organizations offering DDoS services for a fee. One DDoS mobile app even showed up on Google Play, but it was immediately pulled. Many of these DDoS-for-hire services openly advertise under the guise of offering a legitimate DDoS service. The reality is that it’s not illegal to conduct a DDoS attack or stress test on a website, for instance, to test the capacity of the site to receive a high volume of traffic or to test how to deflect an unwanted volume of traffic. The question of legitimacy comes down to whether or not the owner of the website authorizes the stress test. According to the FBI, hiring a stresser or booter service to carry out a DDoS attack to take down a website is punishable under the US law called the “Computer Fraud and Abuse Act”, and this may result in any one or a combination of the following: seizure of computers and other electronic devices, arrest and criminal prosecution, a significant prison sentence, penalty or fine. “Booter and stresser services are a form of DDoS-for-hire – advertised in forum communications and available on Dark Web marketplaces – offering malicious actors the ability to anonymously attack any Internet-connected target,” the FBI said.
“These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency.”

What Can a DDoS-for-Hire Service Actually Do?

To understand what a DDoS-for-hire service can actually do, let’s take a look at the Gammel case and the Dyn case.

Gammel Case

The Gammel case is the first Minnesota case to address the DDoS-for-hire cybercrime. In April of this year, in a criminal complaint filed before the US District Court of Minnesota, the Federal Bureau of Investigation (FBI) alleged that Gammel, a former employee of Washburn Computer Group – a Minnesota-based company – paid several DDoS-for-hire services to bring down 3 websites of Washburn in a DDoS campaign lasting more than a year. According to the FBI, the first 2 websites of Washburn were knocked down several times as a result of the DDoS attacks paid for by Gammel. The FBI also alleged that the 3rd website – the one that replaced the 2 other sites of Washburn – was knocked down several times as well as a result of the DDoS orchestrated by Gammel. Washburn claimed that the DDoS attacks resulted in a minimum of $15,000 in losses. In the criminal complaint, the FBI defined a DDoS attack as "an attempt to make a machine or network resource unavailable to its intended users, such as by temporarily or indefinitely interrupting or suspending services of a host connected to the Internet, usually by shutting down a website or websites connected to target of the DDoS attack.”

Dyn Case

The DDoS attacks against Dyn – a domain name service (DNS) provider on which many websites rely – were considered among the largest. Because of the DDoS attacks against Dyn, 80 widely used websites like Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were rendered temporarily inaccessible to the public.
“The [Dyn] attack used a booter service and was attributed to infected Internet of Things (IoT) devices like routers, digital video recorders, and Webcams/security cameras to execute the DDoS attack,” the FBI said. According to the FBI source, the DNS provider lost approximately 8% of its customers following the DDoS attacks.

How Does a DDoS Attack Work?

In the Dyn case, the company itself confirmed that the Mirai botnet was the primary source of the DDoS attacks, although it won't comment on the motivation or the identity of the attackers. According to Dyn, on October 21, 2016, it observed a high volume of traffic on 2 occasions in its Managed DNS platform in the Asia Pacific, South America, Eastern Europe and US-West regions. The company said that the 2 major DDoS attacks on its Managed DNS platform involved 100,000 compromised IoT devices originating from different parts of the globe that were infected by the Mirai botnet. The Mirai botnet works by infecting IoT devices with weak security – those that use default usernames and passwords – and turning them into bots, or robots, that can be ordered around, in this case to conduct DDoS attacks. The effects of malicious and unauthorized DDoS attacks are immediate. They render targeted websites inaccessible or slow. As experienced by Washburn and Dyn, DDoS attacks prove costly and can cause businesses to lose customers.

Availability of DDoS Tools

The danger of DDoS attacks is that the tools for this cybermenace aren’t just available from the DDoS-for-hire services themselves but from public sources. For instance, one can conduct a DDoS attack on one’s own using the Mirai botnet, as its source code was made available to the public in September of this year by someone who calls himself or herself “Anna-senpai”. DDoS tools are also evolving. Just days after the online publication of the Mirai source code, a new DDoS tool called “Reaper” emerged.
This DDoS tool hasn’t attacked yet, as it’s still in the process of infecting vulnerable IoT devices. The stark difference between the 2 DDoS tools is that while Mirai infected 100,000 IoT devices, Reaper has infected over half a million IoT devices. This means that this new botnet is much more powerful. While it’s cheap to hire malicious cyberactors to conduct DDoS attacks, it’s equally affordable to hire professionals to prevent DDoS attacks. Contact us today if your company is currently burdened by this cybermenace or if your organization simply wants to be proactive in stopping DDoS attacks.

Top 5 Cloud Computing Security Concerns
A Birmingham, Alabama-based healthcare company publicly acknowledged that it was a victim of a recent security breach.
According to the healthcare company, its cloud hosting and server management provider suffered a security breach at its facility. Information which may have been accessed as a result of the security breach at the cloud provider’s facility includes patient name, address, telephone number, email address, Social Security number, medical record number, patient ID, physician name and health plan/insurance number. This recent security breach at a cloud provider’s facility shows the vulnerability of some cloud providers.

Cloud Adoption
According to Gartner, Inc., the worldwide cloud services market is projected to grow by 18% in 2017 to total $246.8 billion, from $209.2 billion in 2016.
"While some organizations are still figuring out where cloud actually fits in their overall IT strategy, an effort to cost optimize and bring forth the path to transformation holds strong promise and results for IT outsourcing (ITO) buyers,” Sid Nag, research director at Gartner, said. Nag added that cloud adoption strategies will influence more than 50% of IT outsourcing deals through 2020. The 2016 Global Cloud Data Security Study conducted by the Ponemon Institute found that 73% of IT professionals said cloud computing applications and platform solutions are important or very important to business operations today. The IT professionals surveyed by the Ponemon Institute estimated that 36% of their organizations’ total IT and data processing needs are met by cloud resources. According to the Cloud Security Alliance (PDF), beyond the handful of large cloud providers, the reality is that there are tens of thousands of unique cloud providers. The Cloud Security Alliance (CSA) is a nonprofit organization that promotes best practices for securing cloud computing. A January 2016 CSA survey found that only 65% of the survey respondents were confident that the cloud had greater or equal security than internal IT systems. “Cloud provider security is uneven overall, with some providers having excellent security programs and others leaving much to be desired,” the CSA said in its 2016 state of cloud security report. Here are the top 5 security concerns for cloud-based services:

1. Data Security Breach

The recent data breach at the cloud hosting and server management provider’s facility and the resulting unauthorized access to sensitive data of the Birmingham, Alabama-based healthcare company shows the security vulnerability of cloud providers. Based on the Ponemon Institute study, the data that organizations move to the cloud is also the information that’s most at risk.
Sixty percent of the Ponemon Institute’s 2016 global cloud data security study said it’s more difficult to protect confidential or sensitive information in the cloud. 2. Cloud Account Hijacking Cloud hijacking refers to the breaking or taking over of a cloud account of an individual or organization. In 2010, Amazon encountered a cross-site scripting bug that allowed attackers to steal user login credentials. In 2014, the cloud hijacking threat called “Man in the Cloud” (PDF) enables an attacker to access synchronization services (such as GoogleDrive and Dropbox) account without compromising the victim’s user name or password. 3. Insider Threat A malicious insider is defined by the CERT Insider Threat Center as a “current or former employee, contractor, or other business partner who has or had authorized access to an organizations network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organizations information or information systems”. In the study "Insider Threats to Cloud Computing: Directions for New Research Challenges", Carnegie Mellon University researchers named 3 types of cloud-related insider threats: A. Cloud Insider as a Rogue Administrator According to the Carnegie Mellon University researchers, the threat of rogue administrators is layered differently for a cloud platform compared to a standard enterprise environment, with at least four levels of administrators to consider in the cloud, including hosting company administrators, virtual image administrators, system administrators and application administrators. B. 
Insider Who Exploits a Cloud-Related Vulnerability to Steal Information from a Cloud System According to the Carnegie Mellon University researchers, this second type of cloud-related insider threat refers to an insider within the organization who exploits, whether malicious or accidental, vulnerabilities exposed by the use of cloud services to gain unauthorized access to organization systems or data. An example of this second type of cloud-related insider threat is when an employee of the victim organization is tricked by a malicious outsider into opening a document infected with malicious software. C. Insider Who Uses Cloud Systems to Carry Out an Attack on an Employer’s Local Resources This third type of cloud-related insider, according to the Carnegie Mellon University researchers, is different from the previous type of insider as this “third type of insider uses the cloud as the tool to carry out the attack on systems or data targeted that are not necessarily associated with cloud-based systems”. An example of this third type of insider is when an insider who plans to leave the company leverages cloud storage to steal sensitive information to take to a new job with a competitor. 4. Denial of Service Attacks Another attack path that has been used to adversely affect cloud services is the distributed denial of service (DDoS) attack. A DNS amplification attack is an example of DDoS tactic in which the attacker delivers traffic to a victim and reflects it off to a third party to conceal the origin of the attack. According to Microsoft, even a small DDoS attack – the size of 30 Mbps – if left unchecked could affect the availability of the cloud service. “Even if the service itself remains available for users, the bandwidth users rely on to get to the service can be starved, resulting in slow, intermittent, or unreliable service, or rendering the service unreachable,” Microsoft said. 5. 
Malware Injection In the study “Security Threats on Cloud Computing Vulnerabilities”, East Carolina University researchers found that an attacker can create malicious software and inject it to target cloud service models. “Once the injection is completed, the malicious module is executed as one of the valid instances running in the cloud; then, the hacker can do whatever s/he desires such as eavesdropping, data manipulation, and data theft,” the East Carolina University researchers said.
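The DNS amplification tactic described under "Denial of Service Attacks" above relies on a third party reflecting traffic onto the victim, so it can be spotted from two vantage points: the victim's edge sees large DNS replies nobody inside asked for, and an abused open resolver sees one "client" whose replies dwarf its queries. The following is an added example, not the blog's or any vendor's code; all addresses and NetFlow-style records in it are constructed.

```python
"""Detection logic for the DNS amplification tactic described under
"Denial of Service Attacks" above, from two vantage points: the victim's
network edge (large DNS replies it never asked for) and an open resolver
abused as the reflector (replies many times larger than the queries one
"client" appears to send). Added example, not the blog's or any vendor's
code; every address and flow record here is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Flow record layout: (timestamp_s, src_ip, src_port, dst_ip, dst_port, bytes)
VICTIM = "198.51.100.10"           # constructed victim address
OPEN_RESOLVER = "192.0.2.53"       # constructed open resolver used as reflector
MONITORED_NET = "198.51.100.0/24"  # the victim organisation's own prefix


def unsolicited_dns_replies(flows, monitored_cidr, max_lag_s=2.0):
    """Victim-edge view: per monitored host, the bytes of UDP/53 replies that
    no outbound query from that host preceded within max_lag_s, plus the
    set of resolvers that sent them."""
    net = ip_network(monitored_cidr)
    queries = defaultdict(list)  # (host, resolver, host_port) -> query times
    for ts, src, sport, dst, dport, _ in flows:
        if dport == 53 and ip_address(src) in net:
            queries[(src, dst, sport)].append(ts)
    report = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for ts, src, sport, dst, dport, nbytes in flows:
        if sport != 53 or ip_address(dst) not in net:
            continue
        asked = any(0 <= ts - q <= max_lag_s for q in queries[(dst, src, dport)])
        if not asked:  # a reply nobody here asked for: reflected traffic
            report[dst]["bytes"] += nbytes
            report[dst]["reflectors"].add(src)
    return dict(report)


def reflection_victims(report, min_bytes=50_000, min_reflectors=2):
    """Hosts receiving enough unsolicited reply volume from enough distinct
    resolvers to call it reflection rather than stray packets."""
    return sorted(h for h, r in report.items()
                  if r["bytes"] >= min_bytes and len(r["reflectors"]) >= min_reflectors)


def amplification_by_client(flows, resolver_ip):
    """Resolver view: (reply_bytes / query_bytes, reply_bytes) per source
    address. Spoofed queries make the victim look like the querying client."""
    qbytes, rbytes = defaultdict(int), defaultdict(int)
    for _, src, sport, dst, dport, nbytes in flows:
        if dst == resolver_ip and dport == 53:
            qbytes[src] += nbytes
        elif src == resolver_ip and sport == 53:
            rbytes[dst] += nbytes
    return {c: (rbytes[c] / qbytes[c] if qbytes[c] else float("inf"), rbytes[c])
            for c in set(qbytes) | set(rbytes)}


def abused_for(ratios, min_ratio=10.0, min_bytes=50_000):
    """Clients whose amplification ratio and reply volume both exceed limits."""
    return sorted(c for c, (ratio, total) in ratios.items()
                  if ratio >= min_ratio and total >= min_bytes)


def victim_edge_flows():
    """Constructed: one real lookup and its answer, then 80 reflected replies
    from two resolvers that the victim never queried."""
    flows = [(0.0, VICTIM, 40000, "192.0.2.54", 53, 70),
             (0.1, "192.0.2.54", 53, VICTIM, 40000, 180)]
    for i in range(40):
        flows.append((5.0 + i * 0.01, OPEN_RESOLVER, 53, VICTIM, 12345, 3000))
        flows.append((5.0 + i * 0.01, "192.0.2.55", 53, VICTIM, 12345, 2800))
    return flows


def resolver_flows():
    """Constructed: one genuine client, then 40 small queries carrying the
    victim's spoofed source address, each answered with a 3000-byte reply."""
    flows = [(0.0, "203.0.113.8", 41000, OPEN_RESOLVER, 53, 70),
             (0.1, OPEN_RESOLVER, 53, "203.0.113.8", 41000, 190)]
    for i in range(40):
        flows.append((5.0 + i * 0.01, VICTIM, 12345, OPEN_RESOLVER, 53, 64))
        flows.append((5.0 + i * 0.01, OPEN_RESOLVER, 53, VICTIM, 12345, 3000))
    return flows
```

Run against the constructed data, the edge view reports the victim receiving 232,000 bytes from two resolvers it never queried, and the resolver view shows a 46.9x reply-to-query ratio for the spoofed "client".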
How Bad Internet Bots Can Hurt Your Business
Over 50% of website visitors aren’t humans. According to Imperva Incapsula, 51.8% of the website traffic in 2016 came from bots, also known as web robots, internet bots or botnets.
What is a Bot
A bot is a computer program that performs automated and repetitive tasks over the internet. Using a bot over the internet enables one to do things fast and on a grand scale.
Imperva Incapsula’s “Bot Traffic Report 2016” examined over 16.7 billion visits to 100,000 randomly selected websites on the Incapsula network. The report showed that 48.2% of online traffic in 2016 came from humans, while 51.8% came from bots. Of that 51.8% bot traffic, 22.9% came from good bots and 28.9% came from bad bots.
The Good Bots
Good bots are software programs that do positive things for your site. Four types of good bots dominate the internet today. These include feed fetchers, search engines, commercial crawlers and monitoring bots.
Feed Fetchers
Feed fetchers are good bots that allow website content to be shown on mobile and web applications. They comprised 12.2% of the bots that crawl the internet today.
Search Engines
Search engine bots refer to good bots that regularly collect information from millions of websites and index the data collected into search result pages. Examples of these search engine bots are those bots from Google, Bing and Baidu. They comprised 6.6% of the bots that crawl the internet today.
Commercial Crawlers
Commercial crawlers are good bots that are used for authorized data extractions – typically meant as a digital marketing tool. They comprised 2.9% of the bots that crawl the internet today.
Monitoring Bots
Monitoring bots refer to good bots that monitor the availability of the website and the proper functioning of the different website features. They comprised 1.2% of the bots that crawl the internet today.
The Bad Bots
Bad bots are malicious software programs that can do damage to your site. The four types of bad bots that dominate the internet today are the impersonators, scrapers, spammers and hacker tools.
Impersonators
Impersonators are bad bots that assume false identities to bypass security systems. They are frequently used for Distributed Denial of Service (DDoS) attacks. They comprised 24.3% of the bots that crawl the internet today.
DDoS assaults are carried out by a botnet, a group of hijacked computers – in many cases, Internet of Things (IoT) devices like CCTV cameras. By taking advantage of the security vulnerabilities of these internet-connected devices, cyber attackers remotely control the hijacked devices (unknown to their owners) and send huge volumes of data to a victim website. In September 2016, the website of security blogger Brian Krebs was targeted by a massive DDoS attack, exceeding 620 gigabits per second (Gbps).
If your website is the victim of a DDoS attack, your legitimate human visitors won’t be able to access it. When a legitimate visitor types your website address into a browser, he or she sends a request to the website's server to view the site. Your site’s server can only process a certain number of requests at once. So, when DDoS attackers overload your site’s server with a huge volume of requests, it can't process them all, resulting in “denial of service” for your legitimate visitors. When no one can access your website as a result of a DDoS assault, this can result in the following:
1. Revenue Loss
The average cost of downtime is $5,600 per minute, according to an industry survey.
2. Productivity Loss
If your company is highly dependent on your web presence, a few minutes, hours or days of downtime can mean work stoppage for some of your staff.
3. Theft
DDoS attackers are getting sophisticated. Some DDoS assaults are used as a “smokescreen” to hide the real intention, which could be to steal funds, customer data or intellectual property.
4. Reputation Damage
If your customers can’t access your website, or if the DDoS attack resulted in a breach of your customers' data, this can hurt your company’s brand.
Hacker Tools
Hacker tools are malicious bots that look for vulnerable websites that can be exploited for data theft and malware injection. They comprised 2.6% of the bots that crawl the internet today. An example of what these hacker tools probe for is SQL injection.
According to the Open Web Application Security Project, “SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.”
Scrapers
Scrapers are malicious bots used for unauthorized data extraction. These bots collect the entire database of your website, including original content and the prices of the products you’re selling. They comprised 1.7% of the bots that crawl the internet today. When attackers scrape your entire website, this can result in a loss of your site’s competitive edge.
Spammers
Spammers are malicious bots that inject spam links into your website, specifically into forums and comment sections. They comprised 0.3% of the bots that crawl the internet today. This type of malicious bot can cause long-term SEO damage to your website. According to Google, “If a site has been affected by a spam action, it may no longer show up in results on Google.com or on any of Google's partner sites.”
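The Incapsula categories above can be applied to a site's own access logs, where the same traits show up: a claimed crawler identity that the source address does not back up, injection payloads in query strings, bulk posts into comment endpoints, and an anonymous client pulling the whole catalogue. The following classifier is an added example, not Incapsula's or the blog's code; the log lines, user agents and the verified-crawler prefix in it are constructed stand-ins.

```python
"""Classify web-server access-log lines into the bot categories from the
Incapsula report discussed above (feed fetchers, search engines, commercial
crawlers and monitoring bots; impersonators, scrapers, spammers and hacker
tools). Added example, not Incapsula's or the blog's code; the log lines,
user agents and the "verified crawler" prefix are constructed stand-ins."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed allowlist standing in for the reverse-DNS check that crawler
# operators recommend; real ranges are published by each operator.
VERIFIED_CRAWLER_NETS = {"search_engine": [ip_network("66.249.64.0/19")]}
GOOD_BOT_UA = [  # (category, user-agent substring); constructed short list
    ("search_engine", "Googlebot"), ("search_engine", "bingbot"),
    ("feed_fetcher", "Feedly"), ("monitoring", "UptimeRobot"),
    ("commercial_crawler", "AhrefsBot"),
]
SQLI_RE = re.compile(r"(?i)union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*--")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse(line):
    """Combined Log Format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(req, requests_by_ip, comment_posts_by_ip):
    """Category for one parsed request. The two counters summarise the whole
    window being analysed and drive the rate-based heuristics."""
    ip, path = ip_address(req["ip"]), unquote(req["path"])
    if SQLI_RE.search(path):          # hacker tools: injection probes
        return "hacker_tool"
    if (req["method"] == "POST" and "/comment" in path
            and comment_posts_by_ip[req["ip"]] >= 5):
        return "spammer"              # bulk posting into comment forms
    for cat, needle in GOOD_BOT_UA:
        if needle in req["ua"]:
            nets = VERIFIED_CRAWLER_NETS.get(cat)
            if nets and not any(ip in n for n in nets):
                return "impersonator"  # claims a crawler identity it lacks
            return cat
    if "/product/" in path and requests_by_ip[req["ip"]] >= 50:
        return "scraper"              # unidentified client bulk-pulling catalogue
    return "human"


def classify_log(lines):
    """Counter of categories over one window of log lines."""
    reqs = [r for r in map(parse, lines) if r]
    per_ip = Counter(r["ip"] for r in reqs)
    posts = Counter(r["ip"] for r in reqs
                    if r["method"] == "POST" and "/comment" in r["path"])
    return Counter(classify(r, per_ip, posts) for r in reqs)


def sample_log():
    """Constructed access-log window: 2 humans, 4 good bots, 1 impersonator,
    1 injection probe, 5 comment-spam posts and a 60-request scraping run."""
    ts = "12/Jul/2018:10:00:00 +0000"

    def line(ip, req, ua):
        return f'{ip} - - [{ts}] "{req} HTTP/1.1" 200 512 "-" "{ua}"'

    human = "Mozilla/5.0 (Windows NT 10.0) Chrome/67.0"
    crawler = "Mozilla/5.0 (compatible; Googlebot/2.1)"
    lines = [
        line("203.0.113.10", "GET /", human),
        line("203.0.113.11", "GET /product/1", human),
        line("66.249.66.1", "GET /robots.txt", crawler),   # inside verified range
        line("203.0.113.7", "GET /", crawler),             # same UA, wrong source
        line("203.0.113.12", "GET /feed.xml", "Feedly/1.0"),
        line("203.0.113.13", "GET /health", "UptimeRobot/2.0"),
        line("203.0.113.14", "GET /", "Mozilla/5.0 (compatible; AhrefsBot/7.0)"),
        line("203.0.113.15", "GET /search?q=%27%20OR%20%271%27%3D%271", human),
    ]
    lines += [line("203.0.113.16", "POST /blog/1/comment", human) for _ in range(5)]
    lines += [line("198.51.100.9", f"GET /product/{i}", "python-requests/2.19")
              for i in range(60)]
    return lines
```

The thresholds (5 comment posts, 50 catalogue requests per window) are illustrative and should be tuned to a site's real traffic; the category counts that `classify_log(sample_log())` returns reproduce the split described in the constructed window's docstring.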
Based on Imperva Incapsula’s Bot Traffic Report 2016, every third website visitor for the last five years was an attack or malicious bot. “Often, these assaults are the result of cybercriminals casting a wide net with automated attacks targeting thousands of domains at a time,” Imperva Incapsula said. “While these indiscriminate assaults are not nearly as dangerous as targeted attacks, they still have the potential to compromise numerous unprotected websites. Ironically, the owners of these websites tend to ignore the danger of bots the most, wrongfully thinking that their website is too ‘small’ to be attacked.”
Vulnerable IoT Devices Used to Carry out DDoS Attacks
A British man admitted in court this week that he carried out a cyber attack on Deutsche Telekom last year. He claimed that he was paid $10,000 by a competitor of the telecom company to do the job.
In November last year, Deutsche Telekom publicly acknowledged that internet access for nearly 1 million of its customers was disrupted as a result of a cyber attack. “We saw attacks from the Mirai botnet that targeted customer routers globally,” Thomas Tschersich, head of IT security at Deutsche Telekom, said in a video message posted on Twitter. “The attack led to the devices crashing.”
DDoS, IoT and Botnets Explained
Distributed denial of service (DDoS) attacks are one of the most significant cyber threats to businesses today. In a DDoS attack, a cyber criminal infects hundreds of thousands of computers or Internet of Things (IoT) devices with malicious software and turns them, without the knowledge of their owners, into a “botnet”, also known as a “zombie army”, that’s capable of launching powerful DDoS attacks against a particular website or email service.
The attack is “distributed”, according to CISA, because the attacker is using multiple computers to launch the denial of service attack.
Vulnerability of IoT Devices
IoT devices, which include webcams, routers, CCTV cameras and smart TVs, are emerging devices that are connected to one another via the internet. “IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks,” US-CERT said.
According to Symantec, IoT devices are being targeted for the following reasons:
1. Poor Security
Many of today’s IoT devices use default usernames and passwords, making it easy for cyber criminals to infect the device with malware. In addition, Universal Plug and Play (UPnP) – a feature that opens a port on a router so that a device is reachable from the internet – makes the device an easy target for cyber criminals.
2. Processing Power Limitations
Many IoT devices use basic operating systems. This means that a lot of these devices don’t have advanced security features. Most of these devices are simply plugged in, and owners don’t bother to apply security updates.
IoT Botnets: Zombie Armies of Cyber Criminals
Cisco, in its 2017 midyear cyber security report, cited 3 common features of IoT botnets:
1. Fast and Easy Setup
The setup can be completed within an hour.
2. Rapid Distribution
Cyber criminals can have a botnet of more than 100,000 infected IoT devices in just 24 hours. This rapid distribution results in exponential growth in the size of the botnet.
3. Low Detection Rate
It’s hard to get samples of an IoT botnet as the malicious code survives only in the device’s memory. Once the infected device is restarted, the botnet code is wiped out.
Mirai Botnet
In late 2016, IoT devices were used by the Mirai botnet to carry out crippling DDoS attacks.
In September 2016, the Mirai botnet was used to carry out a DDoS attack – the size of 665 Gbps – on the website of cyber security blogger Brian Krebs. In the same month, shortly after the attack on Krebs’ website, Mirai was used to attack the web hosting operation of the French company OVH with a bigger attack size of 1 Tbps. On September 30, 2016, the attacker known as “Anna-senpai” publicly released the source code of Mirai.
In October last year, Mirai waged its biggest attack on DynDNS – a DNS provider that’s used by a number of major websites. The DDoS attack on DynDNS caused an outage on hundreds of popular websites including PayPal, Twitter and Spotify. "We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet,” DynDNS said in a statement. “We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."
In November last year, Mirai once again tried to infect IoT devices, this time the routers of Deutsche Telekom. The telecom company said that internet access for over 900,000 customers – out of its 20 million customers – was disrupted. “The attack attempted to infect routers with a malware [Mirai] but failed which caused crashes or restrictions for four to five percent of all routers,” the telecom company said. “This led to a restricted use of Deutsche Telekom services for affected customers.”
According to Cisco, Mirai works by connecting to an IoT device using over 60 factory default usernames and passwords. Once the device is infected, it locks itself against additional botnets. The malware then sends the compromised IP and credentials to a centralized ScanListen service. The infected device then helps in harvesting new bots, producing a self-replicating pattern.
According to Imperva Incapsula, the unique IP addresses which hosted Mirai-infected devices were mostly CCTV cameras. Other Mirai-compromised IoT devices included DVRs and routers. Incapsula added that IP addresses of Mirai-infected devices were seen in 164 countries, appearing even in remote locations such as Somalia, Tajikistan and Montenegro.
DDoS against Small Businesses
DDoS attacks aren’t limited to big companies. Sucuri reported on a DDoS attack that went on for days against the website of a small brick-and-mortar company. Similar to Mirai, the attacker used infected CCTV cameras to launch a DDoS attack on the site of this small company. According to Sucuri, the attacker used compromised CCTV cameras from 105 countries.
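Because Mirai spreads by having each infected device sweep for further telnet logins, as described above, a network operator can often spot an infected camera or DVR by its connection fan-out alone, and since the code lives only in memory, flow records are the evidence worth keeping before anything is rebooted. The block below is an added example, not Cisco's, Incapsula's or the blog's code, with constructed connection records; it flags devices by telnet fan-out and lists each flagged device's other outbound destinations for triage.

```python
"""Flag devices on a local network that show the telnet scanning fan-out the
Mirai description above implies (an infected device probing many hosts on
ports 23/2323 with factory-default credentials), then list each flagged
device's other outbound destinations for triage, since Mirai also reports
to a central service. Added example, not Cisco's, Incapsula's or the blog's
code; the connection records are constructed."""
from collections import defaultdict, deque

# Connection record layout: (timestamp_s, src_ip, dst_ip, dst_port)
TELNET_PORTS = {23, 2323}
ORDINARY_PORTS = {53, 80, 123, 443}  # services a camera or DVR normally uses


def telnet_fanout(conns, window_s=60.0, min_targets=30):
    """Per source, the largest number of distinct telnet destinations seen in
    any window_s-second sliding window; only sources reaching min_targets are
    returned. An admin logging in to the same few devices does not trip it."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in conns:
        if dport in TELNET_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        window, in_window = deque(), defaultdict(int)
        for ts, dst in sorted(events):
            window.append((ts, dst))
            in_window[dst] += 1
            while ts - window[0][0] > window_s:  # expire attempts that fell out
                _, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def triage_destinations(conns, flagged):
    """For each flagged device, the non-telnet, non-ordinary destinations it
    contacted: candidates for the report or control channel to examine."""
    out = defaultdict(set)
    for _, src, dst, dport in conns:
        if src in flagged and dport not in TELNET_PORTS | ORDINARY_PORTS:
            out[src].add((dst, dport))
    return dict(out)


def sample_connections():
    """Constructed: an admin host logging in to three devices over time, a
    device probing ten hosts, and a camera sweeping 500 addresses on port 23
    in 40 seconds before calling out to one host on port 5555."""
    conns = [(i * 5.0, "10.0.0.5", f"10.0.0.{20 + i % 3}", 23) for i in range(20)]
    conns += [(100.0 + i, "10.0.0.40", f"10.0.1.{i}", 2323) for i in range(10)]
    conns += [(200.0 + i * 0.08, "10.0.0.23", f"{100 + i // 256}.{i % 256}.0.1", 23)
              for i in range(500)]
    conns.append((241.0, "10.0.0.23", "203.0.113.99", 5555))  # constructed callback
    conns.append((242.0, "10.0.0.23", "203.0.113.53", 53))    # ordinary DNS, ignored
    return conns
```

With the constructed records only the sweeping camera is flagged (500 distinct targets in one window), and its one non-ordinary destination is listed for follow-up; lowering `min_targets` to 10 also catches the low-volume prober, which is the usual tuning trade-off against admin and monitoring traffic.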
How to Prevent the Spread of IoT Botnets
“With over a quarter billion CCTV cameras around the world alone, as well as the continued growth of other IoT devices, basic security practices … should become the new norm,” Imperva Incapsula said.
Basic security practices to prevent the spread of IoT botnets include:
Your business must be protected against DDoS attacks. We offer a simple solution that can be deployed without the need to purchase software or hardware. In fact, your websites and web applications can be protected in 10 minutes. Call us today for more information or visit the solution page.
Choosing the Right DDoS Protection Service
Distributed denial of service (DDoS) attacks are rising in scale as well as in sophistication, emerging as one of the top tools used by cybercriminals. Is your business protected from DDoS attacks?
What is a Distributed Denial of Service (DDoS) Attack
A DDoS attack is an attempt to overwhelm an online service with too much data or damage it in some other way for the purpose of preventing legitimate users’ access. Public and private sectors alike are targets of DDoS attacks.
On May 8, 2017, the U.S. Federal Communications Commission (FCC) became a victim of this type of attack. “These (multiple DDoS attacks) were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host,” the FCC said in a statement. “These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.”
The 11th Annual Worldwide Infrastructure Security Report of Arbor Networks revealed that from July 2014 to June 2015, an individual or organization calling itself “DD4BC”, which stands for DDoS for Bitcoin, had been bombarding financial institutions like banks, payment acquirers and trading platforms across the United States, Europe, Asia, Australia and New Zealand with DDoS attacks as part of its extortion attempts. According to Arbor Networks, DD4BC’s victims typically experience an outage on their website. After the initial attack, the attackers issue an extortion email to the victims. If the target doesn’t pay the ransom, a larger DDoS attack causing a serious outage is deployed by the attackers.
One of the ways that cybercriminals launch their DDoS attacks is by using CCTV devices as the source of their attack botnet. In one DDoS attack, Sucuri found that the IP addresses generating the DDoS attack came from compromised or hacked CCTV devices from 105 countries around the world.
The top 10 countries targeted by DDoS attackers in 2016, according to Arbor Networks, are the United States (32.2%), China (10.5%), France (6.4%), South Korea (6.3%), Switzerland (4.9%), Great Britain (4.2%), Canada (4%), Germany (3.9%), Malaysia (3.7%) and Australia (2.8%).
Types of DDoS Attacks
While there are thousands of different ways that cybercriminals carry out DDoS attacks, these attacks fall into three broad categories:
1) Volumetric Attack
This is an attempt to consume the bandwidth of a website.
2) TCP State-Exhaustion Attack
This is an attempt to exhaust the connection-state tables of infrastructure components such as servers, load balancers and firewalls.
3) Application Layer Attack
This is an attempt to target the weaknesses of an application with the purpose of exhausting its processes and transactions.
Some attackers are combining volumetric, TCP state-exhaustion and application layer attacks into a single, sustained attack. Cybercriminals likewise launch DDoS attacks to distract security teams while at the same time introducing malware into the computer system with the purpose of stealing critical customer or financial information.
5 Things to Consider in Choosing the Right DDoS Protection Service
According to Frost & Sullivan, because of the growing scale and sophistication of DDoS attacks, the use of a DDoS protection service has gained traction among businesses of all sizes. Frost & Sullivan finds that the Global DDoS mitigation market’s earned revenue in 2013 was $354 million and is estimated to reach $929.5 million by 2018.
Given that DDoS attacks have potentially devastating consequences on your business, it’s critical to choose the right DDoS protection service. Here are the top 5 things to consider in choosing the right DDoS protection service:
1. Capacity to Stop Varied Attack Sizes
The size of DDoS attacks continues to increase. Arbor Networks’ 12th Annual Worldwide Infrastructure Security Report showed that the largest DDoS attack reported in 2016 was 800 gigabits per second (Gbps), a 60% increase over 2015’s largest attack of 500 Gbps.
In choosing a DDoS protection service, find out if it can mitigate or stop large DDoS attacks. In particular, your DDoS protection service should be able to provide protection in the cloud to stop high-volume attacks, which now exceed 800 Gbps. Your company’s DDoS protection service should also be able to detect small but continuous attacks, as these too can have devastating effects on your business.
2. Far-reaching DDoS Protection
In choosing a DDoS protection service, it’s important that such service will be able to protect your business, not just from one type of DDoS attack but from different types of DDoS attacks.
It’s critical that your DDoS protection service be able to provide on-premise protection against sneaky application layer attacks and attacks against existing infrastructure devices like firewalls. It should also be able to stop attackers from injecting malware into your computer systems.
3. Non-disruption of Business Operation
Businesses today rely on the internet and web-based applications and services in the same way as they rely on electricity. Organizations rely on them to manage daily operations and for customer relationship management.
Customers have no patience with websites that are down or slow, or web applications that are unavailable. The effects of a breakdown of your business’ online services are immediate: angry customers, brand damage and loss of revenue. “With the importance of internet access and web services in businesses increasing, high volume network-based attacks, combined with application-layer attacks, represent an effective threat against any online business,” said Frost & Sullivan Network Security Senior Industry Analyst Chris Rodriguez. In choosing a DDoS protection service, it’s important that your company’s usual business operation not be disrupted by DDoS attempts.
4. 24/7 Managed Security Service
In choosing a DDoS protection service, it’s important as well that your company can contact the protection team at any time of the day as attacks don’t have regard to business hours. Always ask for automated DDoS protection based on clearly defined service levels.
5. Affordable Protection
Hiring DDoS protection experts saves money. Your company doesn’t need to invest in expensive hardware, software solutions and technical resources for this security measure. Some DDoS protection services, however, are asking for exorbitant fees. Look for a firm that offers not only quality service but at the same time a reasonable price.
Call us today to learn more about truly affordable, Guaranteed DDoS protection.
4 Reasons Why Having A DDoS Attack Program is So Important Today
DDoS (distributed denial of service) attacks are not only growing in size in recent years, they are also becoming more and more sophisticated. And, if you're in business in an increasingly menacing online world, having a DDoS attack program is right up there with breathing in terms of its importance.
DDoS Attack Program
We are all incredibly aware of just how much the internet has revolutionized the world. For businesses and customers alike, it has totally changed the game in terms of what we expect and even how we live. But, unfortunately, as the web rapidly evolves, so too does the number of DDoS attacks across the world. For businesses of all shapes and sizes, remaining vigilant to potential malicious attacks and fending off existing ones isn't simply an option anymore, it's a necessity. And as DDoS attacks become more refined and treacherous, having an adequate DDoS attack program is now more important than ever. Let's take a deeper dive.
1. DDoS Attacks Have More Than One Attack Source
If you have a DDoS attack program you may think you are safe from attacks. The reality is that you are not. This is because a DDoS attack is focused on making an entire network unavailable for users. It attacks from multiple sources - often using hundreds and even thousands of IP addresses, all at once. This forces the target to fold under intolerable pressure. Because there is more than one attack source, anything other than guaranteed 24/7 DDoS protection leaves you vulnerable.
2. Attacks Can Last Days
DDoS attacks are increasingly lasting days, not mere hours. A serious DDoS attack can last for hundreds of hours, and today, more attacks than ever are lasting 150 hours and more. Can any business or organization afford that kind of downtime?
3. Reputational Damage
Today, if a popular website is down for even a nanosecond, people have plenty to say. Bad news spreads like wildfire across social media and no business can afford the kind of reputational damage that malicious attacks can produce. A DDoS attack will have an effect on your bottom line for sure, but it may also take its toll on customer loyalty and employee morale to boot.
4. It's Often Too Late After An Attack
Defending your business against an attack is so much more preferable to trying to react to an existing one. Often, the damage may be done long before you try to ward off an attack. And, while DDoS attacks cannot be entirely prevented, if you have a good DDoS attack program in place, you will severely limit the harm that can be done. Making it harder for would-be attackers to destroy your network is now an essential aspect of business planning in every conceivable niche.
Defending Your Business From a DDoS Attack
As malicious attackers become more sophisticated, businesses have no option but to ramp up their defenses in response. Having a good DDoS attack program is a vital element in that response, affording you the practical help and the peace of mind you need. Got any questions or wondering about your website vulnerabilities? Reach out and talk to us. We're here to help.
Author: Steve E. Driz, I.S.P., ITCP
7/12/2018