DDoS Attack Specialist Archive

Despite increasing threats, many organizations continue to run with only token cybersecurity and resilience.

According to Ernst & Young’s Global Information Security Survey 2018-19, over half of organizations fail to make organizational protection a key part of their strategic plans. After soliciting the opinions of approximately 1,400 C-suite leaders, EY concludes that larger firms are somewhat more prone to fall short in this area than smaller ones (58% versus 54%).

Overall, EY reports, a solid 77% of organizations still operate with only lackluster cybersecurity and resilience. They may even lack a clear idea of what their most critical information assets are and where they’re located, never mind having adequate safeguards in place to protect them.

Fortunately, cybersecurity budgets are increasing, though bigger firms are more likely to increase their investments in 2019 (63%) and 2020 (67%) than smaller companies (50% and 66%).

System Outages
Whether it’s because of the convergence of operational technology (OT) and IP-based IT networks or the growing use of cloud computing, corporate reliance on the availability of global IT infrastructure is ballooning. And the consequences are rising as well.

Cyberattacks to disrupt the business are now ranked as the third-biggest threat, after phishing (No. 1) and malware (No. 2). This comes as no surprise because distributed denial-of-service (DDoS) attacks, for instance, can trigger a major service interruption that will bring the business to a standstill. Outages have always been painful, but given the trend toward moving workloads and applications off-premises, and operating revenue-critical platforms, business operations virtually come to a stop if the IP network collapses.

“Importantly, more organizations are now beginning to recognize the broad nature of the threat,” says Richard Watson, EY’s Asia-Pacific cybersecurity head. “One thing that has changed for the better over the past 12 months, partly because of some of those big cyberattacks we’ve seen at a global level, is a growing realization that security is also about maintaining the continuity of business operations — and not only about the security of data and privacy.”

No Room for Russian Roulette
Given this reality, it’s jaw-dropping that many organizations seem to think they shouldn’t beef up their cybersecurity practices or dedicate more money to IT unless they’re hit by a major security incident.

For 63% of organizations, a security breach that results in no harm wouldn’t lead to higher spending (although, typically, seemingly innocuous breaches can cause harm that doesn’t manifest until later). Still, many organizations are unclear about whether they’re successfully identifying breaches and incidents.

These firms are playing with fire. As noted in the EY report, the Ponemon Institute estimates the average cost of a security breach to be $3.62 million per incident.

Tackling Corporate Governance
A mere 18% of organizations say that information security has a regular bearing on business strategic plans, a finding that reveals a basic disconnect between cybersecurity and the C-suite. Over half of the EY survey respondents say that information security only somewhat or does not influence their business strategy.

Today, when the digital age and cybercrime is in full bloom, this is somewhere between unwise and unacceptable. In fact, cybersecurity and business strategy must go hand-in-hand and be a continuing agenda item for all executive and non-executive boards, as many of board decisions will influence how well the organization is positioned to deal with a prospective cyberattack.

That said, increasingly, the ultimate responsibility for information security lies with the people at the top levels of the company. For 40% of organizations, the CIO assumes this responsibility. However, in 60% of organizations, the person directly responsible for information security does not sit on the board.

Some 70% of organizations report that their senior leaders have a thorough grasp of security or are taking positive steps to better their knowledge of it. Without question, this trend will increase as security becomes a key driver of growth. Right now, smaller organizations are better at keeping their board informed about information security matters than larger organizations. That said, larger organizations have made more progress: 73% have at least a limited understanding of information security, compared with 68% of their smaller counterparts.

Swinging in the Dark
Less than one in 10 organizations says its information security function fully meets its needs, and many are concerned that much-needed improvements are not yet underway. Seventy-eight percent of larger organizations say their information security function is at least partially meeting their needs, but that number drops to just 65% among their smaller counterparts.

Overall, 92% of organizations are concerned about their information security capabilities in certain important areas. For instance, resources: 30% of organizations are grappling with skills shortages, while 25% report that their budgets are constrained. Smaller firms are particularly worried; 28% of them say their information security function does not currently meet their needs or must be improved. Just over half (56%) report skills shortages or budget constraints.

A paltry 15% of firms say their information security reporting fully meets their expectations. Among those that suffered an incident in the past year, less than a third say their security team discovered the breach. Smaller companies will need to move particularly quickly to address the security reporting issue: almost a quarter (23%) don’t produce information security reports, in contrast with 16% of larger organizations. Only 5% describe the financial implications of each breach.

Addressing the Skills Challenge
Although the right personnel are critical to solving information security challenges, recruiting said personnel is easier said than done. The ongoing and global IT security skills shortage won’t go away anytime soon. Estimates project a worldwide shortfall of about 1.8 million security professionals by 2024 — some studies even predict as much as 3.5 million cyber vacancies. At least the shortfall is democratic: Everyone across the board is running into trouble finding the expertise they need, even in the most well-resourced sectors. Take financial services. “The best graduates no longer want to work in the industry, which is hampering efforts to recruit across the sector,” says Jeremy Pizzala, EY Global Financial Services cybersecurity leader.

The upshot is that depending on an in-house team to deal with IT security is probably an exercise in futility. Today, firms must think laterally and place much more emphasis on machine learning, automation, and AI to either replace or complement external service providers.

Source: https://www.darkreading.com/risk/most-organizations-lack-cyber-resilience/a/d-id/1335149

Cloudflare, the backbone of many of the web’s biggest sites, experienced a global outage that left many wondering what could have happened.

The fragility of the internet was exposed yesterday (2 July) when users across the world came across many websites displaying the error message ‘502 Bad Gateway’. Shortly after, social media was flooded with questions as to what caused such an outage across seemingly unconnected sites.

Soon after, Cloudflare, a content delivery and DDoS protection provider, said an error on its part was behind the massive outage. A quick look at the company’s systems status page showed that almost every major city in the world was affected in some way, including Dublin.

23 minutes after Cloudflare confirmed that it was experiencing issues, it announced that it had “implemented a fix”. 35 minutes later, it revealed the cause of the outage.

“We saw a massive spike in CPU that caused primary and secondary systems to fall over,” a statement said. “We shut down the process that was causing the CPU spike. Service restored to normal within ~30 minutes.”

Soon after, it announced that normal operations had resumed. So what could have caused such a major outage so soon after another one that occurred on 24 June?

Testing processes were ‘insufficient in this case’

In a blogpost, Cloudflare CTO John Graham-Cumming was able to reveal that the CPU spike was the result of “bad software deploy that was rolled back”. He stressed that this was not the result of a well-crafted DDoS attack.

“The cause of this outage was deployment of a single misconfigured rule within the Cloudflare Web Application Firewall (WAF) during a routine deployment of new Cloudflare WAF managed rules,” Graham-Cumming said.

“We make software deployments constantly across the network and have automated systems to run test suites, and a procedure for deploying progressively to prevent incidents. Unfortunately, these WAF rules were deployed globally in one go and caused today’s outage.”

He went on to admit that such an outage was “very painful” for customers and that the company’s testing processes were “insufficient in this case”.

This outage was different to the one that occurred on 24 June, which Cloudflare described as the internet having “a small heart attack”. It was revealed that network provider Verizon directed a significant portion of the internet’s traffic to a small company in the US state of Pennsylvania, resulting in a major information pile-up.

Source: https://www.siliconrepublic.com/enterprise/cloudflare-outage-502-bad-gateway-explained

‘DerpTrolling’ group also attacked Dota 2, Battle.net

Another hacker behind attacks on Daybreak Game Company, then known as Sony Online Entertainment, is going to prison. Austin Thompson of Utah will be behind bars for the next 27 months, the U.S. Attorney’s Office for the Southern District of California announced Tuesday.

Thompson, 23, pleaded guilty in November (official charge: “Damage to a Protected Computer”) in connection with attacks in late 2013 against SOE; his group, “DerpTrolling,” was allegedly behind several denial-of-service attacks on online service for several SOE games, plus Battle.net, League of Legends, and Dota 2 in late 2013.

Thompson’s attacks preceded by about six months those of a group calling itself Lizard Squad, which targeted SOE and even made a bomb threat that forced a flight carrying its then-president to land. Thompson was not involved in those crimes.

In early January 2014, whoever was running DerpTrolling’s Twitter account said that federal agents had shown up at their home, but they had escaped through the bathroom. Thompson’s plea agreement said he was in charge of that account.

“Thompson typically used the Twitter account @DerpTrolling to announce that an attack was imminent and then posted ‘scalps’ (screenshots or other photos showing that victims’ servers had been taken down) after the attack,” prosecutors said in a statement.

Thompson will begin serving his sentence Aug. 23. He was also ordered to pay $95,000 in restitution to Daybreak Game Company.

Although unrelated, prosecutors in the United States and Finland also secured convictions for two members of Lizard Squad for their roles in attacks on the same target over the 2014 holidays. Zachary Buchta, then 20, of Maryland, received three months in federal prison and was ordered to pay $350,000 in restitution after his guilty plea in late 2017. And Julius Kivimaki was convicted in Finland in July 2015, receiving a two-year suspended prison sentence for his actions.

Source: https://www.polygon.com/2019/7/3/20680975/soe-hacker-sentenced-derptrolling-austin-thompson-utah

An internal Cloudflare problem caused websites to fall bringing some parts of the internet to a crawl.

Global internet services provider Cloudflarehad trouble, and when it has problems, the internet has trouble, too. For about an hour, websites around the globe went down with 502 error messages.

The problem has now been fixed, and the service appears to be normally running. It’s still not entirely clear what happened.

In a short blog post, Cloudflare CTO John Graham-Cumming explained:

“For about 30 minutes today, visitors to Cloudflare sites received 502 errors caused by a massive spike in CPU utilization on our network. This CPU spike was caused by a bad software deploy that was rolled back. Once rolled back the service returned to normal operation and all domains using Cloudflare returned to normal traffic levels.”

Cloudflare CEO Matthew Prince subsequently explained the failure happened because:

“[A] bug on our side caused Firewall process to consume excessive CPU. Initially appeared like an attack. We were able to shut down process and get systems restored to normal. Putting in place systems so never happens again.”

Both Graham-Cumming and Prince emphasized this service disruption was not caused by an attack. Nor, Prince tweeted, was this a repeat of the Verizon Border Gateway Protocol network problem, which troubled Cloudflare and the internet last week.

How could this simple mistake cause so many problems? Cloudflare operates an extremely popular content delivery network (CDN). When it works right, its services protect website owners from peak loads, comment spam attacks, and Distributed Denial of Service (DDoS) attacks. When it doesn’t work right, well, we get problems like this one.

Cloudflare CDN works by optimizing the delivery of your website resources to your visitors. Cloudflare does this by delivering visitors to your website’s static from its global data centers. Your web server only delivers dynamic content. In addition, generally speaking, Cloudflare’s global network provides a faster route to your site than a visitor going directly to your site.

Its CDN is the most popular such service with 34.55% of the market. Amazon CloudFront is second with 28.84%. With over 16 million Cloudflare-protected sites, including BuzzFeed, Sling TV, Pinterest, and Dropbox, when Cloudflare has trouble, many of these websites are knocked off the internet.

Prince admitted this problem was the biggest ever internal Cloudflare problem. Prince tweeted:

“This was unique in that it impacted primary and all fail-over systems in a way we haven’t seen before. Will ensure better isolation and backstops in the future. Still getting to the bottom of the root cause.”

The problem also affected Cloudflare’s DNS service and its CDN.

To Cloudflare’s credit, the company is taking the blame and being transparent about what went wrong. At the same time, the episode emphasizes how much the internet now depends on a few important companies instead of many peer-to-peer businesses and institutions.

Source: https://www.zdnet.com/article/cloudflare-stutters-and-the-internet-stumbles/

Check out the top five cybersecurity vulnerabilities and find out how to prevent data loss or exposure, whether the problem is end-user gullibility, inadequate network monitoring or poor endpoint security defenses.

The threat landscape gets progressively worse by the day. Cross-site scripting, SQL injection, exploits of sensitive data, phishing and denial of service (DDoS) attacks are far too common. More and more sophisticated attacks are being spotted, and security teams are scrambling to keep up. Faced with many new types of issues — including advanced phishing attacks that are all too successful, and ransomware attacks that many seem helpless to prevent — endpoint security strategies are evolving rapidly. In the SANS “Endpoint Protection and Response” survey from 2018, 42% of respondents indicated at least one of their endpoints had been compromised, and 20% didn’t know if any endpoints had been compromised at all.

How are hackers able to wreak havoc on enterprisesand cause sensitive data loss and exposure? The answer is through a variety of cybersecurity vulnerabilities in processes, technical controls and user behaviors that allow hackers to perform malicious actions. Many different vulnerabilities exist, including code flaws in operating systems and applications, systems and services misconfiguration, poor or immature processes and technology implementations, and end user susceptibility to attack.

Some of the most common attacks that resulted in data breaches and outages included phishing, the use of stolen credentials, advanced malware, ransomware and privilege abuse, as well as backdoors and command and control channels on the network set up to allow continued access to and control over compromised assets, according to the Verizon “2019 Data Breach Investigations Report,” or Verizon DBIR.

What are the major types of cybersecurity vulnerabilities that could lead to successful attacks and data breaches and how can we ideally mitigate them? Check out the top five most common vulnerabilities organizations should work toward preventing or remediating as soon as possible to avoid potentially significant cybersecurity incidents.

1. Poor endpoint security defenses

Most enterprise organizations have some sort of endpoint protection in place, usually antivirus tools. But zero-day exploits are becoming more common and many of the endpoint security defenses in place have proved inadequate to combat advanced malware and intrusions targeting end users and server platforms.

Causes. Many factors can lead to inadequate endpoint security defenses that become vulnerabilities. First, standard signature-based antivirus systems are no longer considered good enough, as many savvy attackers can easily bypass the signatures. Second, smart attackers may only be caught through unusual or unexpected behaviors at the endpoint, which many tools don’t monitor. Finally, many endpoint security defenses haven’t offered security teams the ability to dynamically respond to or investigate endpoints, particularly on a large scale.

How to fix it. More organizations need to invest in modern endpoint detection and response tools that incorporate next-generation antivirus, behavioral analysis and actual response capabilities. These tools provide more comprehensive analysis of malicious behavior, along with more flexible prevention and detection options. If you’re still using traditional antivirus tools, consider an upgrade to incorporate more behavioral inspection, more detailed forensic details and compromise indicators, as well as real-time response capabilities.

2. Poor data backup and recovery

With the recent threat of ransomware looming large, along with traditional disasters and other failures, organizations have a pressing need to back up and recover data. Unfortunately, many organizations don’t excel in this area due to a lack of sound backup and recovery options.

Causes. Many organizations neglect one or more facets of backup and recovery, including database replication, storage synchronization or end-user storage archival and backup.

How to fix it. Most organizations need a multi-pronged backup and recovery strategy. This should include data center storage snapshots and replication, database storage, tape or disk backups, and end user storage (often cloud-based). Look for enterprise-class tools that can accommodate granular backup and recovery metrics and reporting.

3. Poor network segmentation and monitoring

Many attackers rely on weak network segmentation and monitoring to gain full access to systems in a network subnet once they’ve gained initial access. This huge cybersecurity vulnerability has been common in many large enterprise networks for many years. It has led to significant persistence in attackers compromising new systems and maintaining access longer.

Causes. A lack of subnet monitoring is a major root cause of this vulnerability, as is a lack of monitoring outbound activity that could indicate command and control traffic. Especially in large organizations, this can be a challenging initiative, as hundreds or thousands of systems may be communicating simultaneously within the network and sending outbound traffic.

How to fix it. Organizations should focus on carefully controlling network access among systems within subnets, and building better detection and alerting strategies for lateral movement between systems that have no business communicating with one another. They should focus on odd DNS lookups, system-to-system communication with no apparent use, and odd behavioral trends in network traffic. Proxies, firewalls and microsegmentation tools may help create more restrictive policies for traffic and systems communications.

4. Weak authentication and credential management

One of the most common causes of compromise and breaches for this cybersecurity vulnerability is a lack of sound credential management. People use the same password over and over, and many systems and services support weak authentication practices. This is one of the major causes of related attack vectors listed in the Verizon DBIR.

Causes. In many cases, weak authentication and credential management is due to lack of governance and oversight of credential lifecycle and policy. This includes user access, password policies, authentication interfaces and controls, and privilege escalation to systems and services that shouldn’t be available or accessible in many cases.

How to fix it. For most organizations, implementing stringent password controls can help. This may consist of longer passwords, more complex passwords, more frequent password changes or some combination of these principles. In practice, longer passwords that aren’t rotated often are safer than shorter passwords that are. For any sensitive access, users should also be required to use multifactor authentication for accessing sensitive data or sites, often with the aid of multifactor authentication tools.

5. Poor security awareness

Much has been written about the susceptibility of end users to social engineering, but it continues to be a major issue that plagues organizations. The 2019 Verizon DBIR states that end user error is the top threat action in breaches. Many organizations find the initial point of attack is through targeted social engineering, most commonly phishing.

Causes. The most common cause of successful phishing, pretexting and other social engineering attacks is a lack of sound security awareness training and end-user validation. Organizations are still struggling with how to train users to look for social engineering attempts and report them.

How to fix it. More organizations need to conduct regular training exercises, including phishing tests, pretexting and additional social engineering as needed. Many training programs are available to help reinforce security awareness concepts; the training needs to be contextual and relevant to employees’ job functions whenever possible. Track users’ success or failure rates on testing, as well as “live fire” tests with phishing emails and other tactics. For users who don’t improve, look at remediation measures appropriate for your organization.

While other major cybersecurity vulnerabilities can be spotted in the wild, the issues addressed here are some of the most common seen by enterprise security teams everywhere. Look for opportunities to implement more effective processes and controls in your organization to more effectively prevent these issues from being realized.

Source: https://searchsecurity.techtarget.com/feature/How-to-fix-the-top-5-cybersecurity-vulnerabilities