Stop DDoS Archive

A recent OpenVPN survey discovered that 25 percent of employees reuse the same password for everything, and 23 percent of employees admit to very frequently clicking on links before verifying they lead to the website they intended to visit.

Sabotaging corporate security initiatives

Whether accidental or intentional, an employee’s online activities can make or break a company’s cybersecurity strategy. Take password usage as one example. Employees create passwords they can easily remember, but this usually results in weak security that hackers can bypass with brute force attacks. Similarly, individuals who use the same password to protect multiple portals — like their bank account, email and social media — risk compromising both their personal and work information.

To reinforce strong password habits, some employers have adopted biometric passwords, combining ease-of-use with security. A reported 77 percent of employees trust biometric passwords, and 62 percent believe they are stronger than traditional alphanumeric codes. But even among those who trust things like fingerprint scans and facial recognition, user adoption is lagging — just a little more than half of employees (55 percent) use biometric passwords.

Convenience also plays a factor in determining how employees approach cybersecurity behaviors. Unfortunately, some individuals are unwilling to trade the convenience of basic passwords and certain technologies for secure cyber habits. Employees are reluctant to abandon things like voice-activated assistants, for example, even though 24 percent of them believe it has the potential to be hacked.

In fact, only 3 percent of employees have actually stopped using their Alexas and Google Homes out of fear of being hacked. This signals to employers that even when employees know the security risks associated with a certain technology, they will ignore the warning signs and continue to use it because of its convenience.

Developing safe cyber hygiene practices

Employers have a responsibility to teach their employees good cyber habits to protect themselves and business operations from malicious actors. Simply telling people to avoid visiting infected websites isn’t enough — more than half (57%) of Millennials admit to frequently clicking on links before verifying they lead to a website they were intending to visit.

Unlike traditional approaches to cybersecurity, a cyber hygiene routine encourages employees to proactively think about the choices they make on the internet. In addition to thorough security education and clear communications, employers can implement the following tips to help employees develop good cyber habits.

Promote positive reinforcement when employees make smart decisions

Employees may be a company’s first line of security, but many fail to report cyber attacks out of fear of retribution. Instead of employing fear tactics to scare employees off weak passwords and phishing schemes, employers should consider rewarding or acknowledging individuals who embrace good cyber strategies. Employees are less likely to shy away from security training and are more incentivized to change their approach to cybersecurity when they are sent encouraging messages for safe internet behavior.

Offer continuous training on best practices

Hackers work year round to catch companies off guard, using tools ranging from phishing to man-in-the-middle to DDoS attacks to breach the defense mechanisms in place. While employers can’t predict what they will face next, they can offer routine training to employees to keep them up-to-date with the latest security threats. This can help employees recognize and deal with evolving threats like smishing, a fairly recent scam targeting individuals with smartphones and other mobile devices.

Building a work culture centered around good cyber hygiene takes time, but will ultimately protect companies in the long run from online threats. When smart online habits become second nature, both employers and employees can better prevent hackers from taking advantage of otherwise stagnant security environments.

Source: https://www.helpnetsecurity.com/2018/06/12/employee-behavior-impacts-cybersecurity-effectiveness/

As DDoS attacks grow more frequent, more powerful, and more sophisticated, many organizations turn to DDoS mitigation providers to protect themselves against attack.

Before evaluating DDoS protection solutions, it is important to assess the needs, objectives, and constraints of the organization, network and applications. These factors will define the criteria for selecting the optimal solution.

Below are eight questions to ask when considering DDoS protection:

  1. What are my data center plans? Many organizations are migrating their data center workloads to cloud-based deployments. The decision of whether to invest in new equipment or to use to a cloud service depends heavily on this consideration. Organizations that are planning to downscale (or completely eliminate) their data centers might consider a cloud service. However, if you know for sure that you are planning to maintain your physical data center for the foreseeable future, then investing in a DDoS mitigation appliance could be worthwhile.
  2. What is my threat profile? Which protection model is best for you also depends heavily on the company’s threat profile. If a company is constantly attacked with a stream of non-volumetric DDoS attacks, then a premise-based solution might be an effective solution. However, if they face large-scale volumetric attacks, then a cloud-based or a hybrid solution would be better.
  3. Are my applications mission-critical? Some DDoS protection models offer faster response (and protection) time than others. Most applications can absorb short periods of interruption without causing major harm. However, if your service cannot afford even a moment of downtime, that should factor heavily into the decision-making process.
  4. How sensitive are my applications to latency? Another key consideration is the sensitivity of the organization and its applications to latency. Cloud-based services tend to add latency to application traffic, so if latency is a big issue, then an on-premise solution – either deployed inline or out-of-path – might be relevant.
  5. Am I in a regulated industry? Some organizations are within regulated industries that handle sensitive user data. As a result, they’re prevented from – or prefer not to – migrate services/data to the cloud.
  6. How important is control for me? Some organizations place a big emphasis on control, while others prefer that others handle the burden. A physical device will provide you with more control, but will also require additional overhead. Others, however, might prefer the lower overhead usually offered by cloud services.
  7. OPEX vs. CAPEX? Solutions which include hardware devices (such as a premise-based DDoS appliance) are usually accounted for as a capital expenditure (CAPEX), whereas ongoing subscription services (such as cloud DDoS protection services) are considered operating expenses (OPEX). Depending on accounting and procurement processes, some organizations may have a preference for one type over the other.
  8. What is my budget? Finally, when selecting a DDoS protection solution, many times the decision comes down to costs and available funds. That’s why it is important to be cognizant of the total cost of ownership (TCO), including added overhead, infrastructure, support, staff and training.

Depending on the answers to those questions, organizations can define the criteria that matter to them in a DDoS solution, and base their choice on that.

  • Typically, for organizations seeking data center protection, or have mission critical and latency-sensitive applications they need to protect, a hybrid solution will provide optimal protection.

Hybrid DDoS protection combines both premise-based and cloud-based components. It provides both low latency and uninterrupted protection, as well as the high capacity required to mitigate large-scale volumetric DDoS attacks.

  • For organizations looking to protect applications hosted on public cloud providers (such as AWS or Azure), or customers who frequently come under attack, a cloud-based always-on solution will usually be best.

An always-on cloud service provides constant, uninterrupted cloud-based DDoS protection. However, since all traffic is routed through the provider’s scrubbing network, it may add latency to requests.

  • Finally, for customers who are infrequently attacked, or otherwise have a limited budget, a cloud-based on-demand solution will usually suffice.

An on-demand cloud service is activated only when organizations come under DDoS attack. However, detection and diversion usually take longer than in other models, meaning that the customer may be exposed for longer periods.

The parameters of the optimal DDoS solution will inevitably vary from organization to organization. Use these questions to help guide you to the solution that is best for you.

Source: https://securityboulevard.com/2018/06/8-questions-to-ask-in-ddos-protection/

There have been two notable evolutions made by hackers recently in the DDoS arena. First, there’s been an expansion of botnets. They’ve moved beyond PCs to compromised Internet of things (IoT) devices and cloud services. That’s vastly expanded the possible sources of attacks.

The second has been the use of highly distributed attack patterns, commonly referred to as carpet-bombing. The two are connected and reflect a sophisticated understanding by the attackers of the limitations of current DDoS defensive technologies.

Most DDoS defenses rely on a simple baseline model to identify ‘abnormal’ surges in traffic towards a specific target. This is an imprecise identification that lacks context, resulting in a lot of false positives. Suspect traffic is routed over a backhaul link to a mitigation appliance; however, much of the re-routed traffic can actually be legitimate. Thus, the process is resource intensive and costly.

It also lacks the network-wide visibility to map attacks back to actual user experience, making it difficult to keep affected (and poor quality-intolerant) customers apprised of the situation.

In the age of IoT and cloud, it’s getting worse for these traditional defenses. Because the botnets that carry out the attacks have vastly expanded, it is now possible to carry out terabit-level attacks from hundreds of thousands and — not too far off — even millions of compromised devices. Traditional defenses have a harder time dealing with so many flows coming from so many different directions. They are not good at multi-vector attacks.

For example, the attack on the DNS provider DYN, back in October 2016, caused the entire network that DYN was on to suffer massive slow-down. Carried out by the Mirai botnet, which had hundreds of thousands of badly secured IoT devices and compromised cloud servers enslaved, it affected thousands of users. Although it had been initiated by a single attacker, the attack took down the entire infrastructure for a number of hours.

The challenge, if you’re a DNS provider like DYN, is that this DNS-based attack traffic looks like all the other traffic on your network — the perfect diversion. So while you struggle to find out what’s going on with your DNS service, the hijacked cloud servers come into play delivering a high impact, high-bandwidth TCP attack that takes the servers out altogether.

This combination of different attack sources and different attack vectors created the most impactful attack that we have ever seen.

An example of the other side of the coin is a carpet-bomb attack that often results in false negatives. As a method of attack, it evades the “big surge” method of detection. It doesn’t just affect a single target, although a single organization may, in the end, be the target. It affects tens of thousands of users and makes it harder to see who the target actually is.

Fortunately, as we’ve said, there are innovations on the defensive side that can help. We have identified five principles of the new approach to fighting DDoS:

  1. Global-level monitoring: use information about the entire internet and network to understand the context of what is occurring. For instance, is the surge just an AWS file transfer or an attack? If you have an accurate, global database of IP endpoints, you can know what the source is and whether it’s reliable, thus minimizing false positives.
  2. Ratio-based detection: as opposed to big surge detection, this method of identification takes a holistic view of the network. It looks for patterns of attack or signatures. For instance, an imbalance between SYN and SYN ACK, which is the telling signature of a SYN flood attack, will trigger an alert, even if no baseline trigger caused an alert.
  3. Use your routers: mitigation appliances or scrubbers are expensive solutions and inherently limited; routers are already in place and can easily block multiple attack vectors without taking a performance hit. If through global detection you understand all the endpoints from which the attack is coming, you simply create ACLs to drop this traffic at your peering routers.
  4. Protect your network out of the box: most DDoS defense solutions today are an afterthought. Layer in a defensive approach from the beginning. Build holistic network intelligence into your architecture and then use your routers to provide the first layer of blocking or re-routing. This will deal with a majority of the nuisance traffic and reserve the scrubbers for the attacks that require more stateful analysis.
  5. Map it back to quality of experience (QoE): the key point for network operators is that there is no reasonable amount of poor quality streaming, according to the customer. They don’t care why they have been receiving SD video for 40 minutes, they just want it to improve or they’ll complain.

Quality issues like this are a large driver for customer churn, so visualizing and remediating the attack quickly is of utmost importance.
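Principles 2 and 3 above (ratio-based detection, then blocking at the routers) can be shown end to end on a handful of flow records. The following is an added example, not code from the article or any vendor named in it: it counts SYNs received against SYN-ACKs sent per server, raises an alert when the ratio is out of balance even though no volume baseline was crossed, lists the half-open sources behind the imbalance, and renders them as deny entries. All addresses and the flow records themselves are constructed, the `Flow` record shape is an assumption (real data would come from NetFlow/sFlow or packet captures), and the ACL syntax is illustrative IOS-style text rather than a recommendation for any particular platform.

```python
"""Ratio-based SYN-flood detection over constructed TCP flow records.

Added example (not from the article): instead of a per-target traffic
baseline, compare the number of SYNs arriving at a server with the number
of SYN-ACKs it sends back. A healthy server answers roughly one SYN-ACK
per SYN; a large surplus of unanswered SYNs is the signature of a SYN
flood, whether or not total volume crossed a baseline threshold.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed TCP segment summary (assumed record shape)."""
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def build_sample():
    """Constructed sample traffic; all addresses are from documentation ranges."""
    flows = []
    # Five clients complete normal three-way handshakes with 198.51.100.5.
    for i in range(1, 6):
        client = f"192.0.2.{i}"
        flows.append(Flow(client, "198.51.100.5", "S"))
        flows.append(Flow("198.51.100.5", client, "SA"))
        flows.append(Flow(client, "198.51.100.5", "A"))
    # Sixty distinct sources send SYNs to 203.0.113.10; the server manages
    # only ten SYN-ACKs before its backlog is exhausted, and none of the
    # sources ever completes the handshake.
    for i in range(60):
        flows.append(Flow(f"10.0.0.{i}", "203.0.113.10", "S"))
    for i in range(10):
        flows.append(Flow("203.0.113.10", f"10.0.0.{i}", "SA"))
    return flows


def handshake_counts(flows):
    """Per server address: (SYNs received, SYN-ACKs sent)."""
    syns = Counter(f.dst for f in flows if f.flags == "S")
    synacks = Counter(f.src for f in flows if f.flags == "SA")
    return {dst: (syns[dst], synacks[dst]) for dst in syns}


def detect_syn_flood(flows, min_syns=20, max_ratio=3.0):
    """Return {server: (syn_count, synack_count, ratio)} for servers whose
    SYN:SYN-ACK ratio exceeds max_ratio. min_syns suppresses alerts on a
    handful of packets, where the ratio is statistically meaningless."""
    alerts = {}
    for dst, (syn_count, synack_count) in handshake_counts(flows).items():
        if syn_count < min_syns:
            continue
        ratio = syn_count / max(synack_count, 1)  # avoid division by zero
        if ratio > max_ratio:
            alerts[dst] = (syn_count, synack_count, ratio)
    return alerts


def suspect_sources(flows, server):
    """Sources that sent a SYN to server but never sent the final ACK,
    i.e. the half-open connections behind the ratio imbalance."""
    syn_senders = {f.src for f in flows if f.dst == server and f.flags == "S"}
    ack_senders = {f.src for f in flows if f.dst == server and f.flags == "A"}
    return sorted(syn_senders - ack_senders)


def acl_deny_lines(sources, acl_number=100):
    """Render the suspect list as IOS-style extended ACL entries (illustrative
    syntax; adapt to the router platform actually deployed at the peering edge)."""
    return [f"access-list {acl_number} deny ip host {src} any" for src in sources]


if __name__ == "__main__":
    sample = build_sample()
    for server, (s, sa, ratio) in detect_syn_flood(sample).items():
        print(f"SYN flood suspected on {server}: {s} SYN vs {sa} SYN-ACK "
              f"(ratio {ratio:.1f})")
        for line in acl_deny_lines(suspect_sources(sample, server))[:3]:
            print("  ", line)
```

Two caveats a practitioner would want: the ratio fires on the server's inability to answer, so it still detects a flood whose sources are spoofed, but in that case `suspect_sources` returns addresses that never existed and an ACL built from them is useless; the source-blocking step only pays off when, as the article puts it, global detection has identified real endpoints. And `min_syns` matters: on a quiet host a single unanswered SYN would otherwise give an infinite ratio.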

These are some of the principles that can help prepare us for the next level of battle with the ever-imaginative hacker communities. The costs of DDoS attacks are many. Make sure you’re fully prepared with a multi-dimensional, holistic approach to security.

Source: https://www.infosecurity-magazine.com/opinions/protecting-network-attacks/

A potentially highly destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world.

Researchers from Cisco Systems’ Talos threat intelligence unit warn that the newly discovered malware, dubbed VPNFilter, has overlapping code with BlackEnergy, an APT trojan capable of DDoS attacks, information wiping, and cyber espionage that Russia allegedly used in past cyberattacks to disable the Ukrainian power grid.

The campaign’s connection to BlackEnergy, combined with its heavy emphasis on infecting Ukrainian hosts using a command-and-control infrastructure specifically dedicated to that country, leads Talos experts to believe Ukraine may again be the primary target of an imminent cyber assault.

Talos observed markedly heavy infection activity in Ukraine on May 8 and again on May 17. Meanwhile, Symantec, posted its own take on the threat, informing SC Media in emailed comments that while VPNFilter has spread widely, honeypot and sensor data seem to indicate that it is not scanning and infecting indiscriminately.

The malware compromises devices so that attackers can potentially spy on and collect their network traffic (including website credentials) and monitor Modbus supervisory control and data acquisition (SCADA) protocols used with industrial control systems.

It can even “brick” devices — individually or, far worse, en masse — rendering them unusable by overwriting a portion of the firmware and forcing a reboot. “In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” the Talos blog post explains.

“This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware,” the post continues. “If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.”

Affected products include Linksys, MikroTik, NETGEAR and TP-Link small and home office networking equipment, and QNAP NAS devices.

“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” Talos warns in its blog post. “We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”

The modular malware comprises three stages. The first stage, which establishes persistence, is unique among IoT malware programs in that it can survive a reboot. It also uses multiple redundant command-and-control mechanisms to discover the current stage-two deployment server’s IP address.

Stage two is in charge of file collection, command execution, data exfiltration and device management, and also possesses the “kill” function that can brick devices. Stage three acts as a plug-in that provides the remaining known capabilities. “The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways,” Talos reports.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend,” warns Talos, which does suggest several mitigation techniques in its report. “Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks.”

In a security advisory, NETGEAR has advised running the latest firmware on routers, changing default admin passwords and ensuring that remote management is turned off.

“Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, in emailed comments. “This will remove any second- and third-stage malware from their devices, since the malware does not have persistence capabilities. It will leave the first stage in place, which will try to download the second stage again, but with law enforcement’s efforts to take down the known command-and-control infrastructure and the efforts by security vendors who provide equipment to internet service providers, the threat should be partially mitigated.”

Derek Manky, global security strategist at Fortinet, said in emailed comments that VPNFilter reminds him of BrickerBot, a wormable IoT malware capable of knocking unsecured IoT devices offline.

“Last year we talked about while the BrickerBot was not a worm with mass adoption yet, it was a precursor of things to come,” said Manky. “Forward to today, VPNFilter is the real deal, in the wild, and in full force, which makes it a much larger threat and quite concerning. This is a true brick, overwriting the first 5,000 bytes of memory,” resulting in a “dead state.”

Source: https://www.scmagazine.com/malware-with-bricking-capabilities-poses-major-threat-after-infecting-500000-networking-devices/article/768231/

Device manufacturers can no longer afford to take a back seat when it comes to IoT security.

The use of Internet of Things (IoT) technology is growing rapidly as more consumers and businesses recognise the benefits offered by smart devices. The range of IoT hardware available is huge, including everything from smart doorbells and connected kettles to children’s toys. What’s more, this is not only limited to smart home tech for consumers. IoT sensors are being increasingly used by businesses of all sizes across numerous industries including healthcare and manufacturing. However, despite its life-enhancing and cost-saving benefits, the IoT is a security minefield. So, is it even possible to secure the IoT?

This was one of the themes discussed at this year’s Mobile World Congress (MWC). IoT technology featured heavily at the trade show, with connected items ranging from a passenger drone to the next generation of smart city technology, and IoT security taking centre stage. One session focused on how blockchain might help to secure IoT devices in the future. Best known as the backbone of cryptocurrency Bitcoin, blockchain is a shared ledger where data is automatically stored across multiple locations. The indisputable digital paper trail makes it ideal for financial applications, but it could also be applied to IoT.

IoT devices increase the number of entry points into a home or business network, which in turn could give hackers access to devices such as computers that contain sensitive data. Using blockchain technology could reduce the risk of IoT devices being put at risk by a security breach at a single point. By getting rid of a central authority in IoT networks, blockchain would enable device networks to validate and protect themselves. For example, devices in a common group could potentially stop or alert the user if asked to carry out tasks that appear unusual, such as being commandeered by hackers to carry out Distributed Denial of Service (DDoS) attacks.

IoT security and drones

Also highlighted at MWC was the importance of securing IoT technology for use by drones. Drone technology is a rapidly emerging sector within IoT and the risk of hacking could not only cause a data breach, it could also pose a major risk to public safety. Thanks to their versatile application and access to real-time data, commercial drones are used across a wide variety of sectors including agriculture, military, construction and have even been used to deliver packages, while consumer drones have also grown in popularity in recent years. However, as with many IoT devices, security is often an afterthought leaving many drones vulnerable to hackers.

If a drone’s own telemetry data is accessed, hackers could take control of it while in the air. This could place people in physical danger if the drone was purposely crashed or hijacked to carry harmful substances such as explosives or chemical agents. A hacked drone could also be used for spying through on-board cameras, or malware could be installed enabling hackers to strip out sensitive data collected by the drone, including pictures and video.

While there is an increasing amount of drone legislation being introduced, much of the focus is on air space and where drones are allowed to fly. However, the importance of securing the network that drones submit data on should not be underestimated.

Why is securing IoT technology such a big challenge?

Securing IoT devices is challenging for a number of reasons. A rapidly increasing number of gadgets are being turned into smart devices and as manufacturers roll out new products more quickly, little priority is given to security. Eventually we could see almost every home device connected to the Internet, not necessarily with any consumer benefit but instead geared towards data collection, which is incredibly valuable for manufacturers. A lack of awareness among consumers and businesses is also a major obstacle to security, with the convenience and cost-saving benefits of IoT tech appearing to outweigh the potential risks.

Another challenge is securing not only the IoT devices but also the networks over which their data is transferred. In the past, businesses haven’t always focused on building end-to-end security into the network. This is set to change as attitudes evolve, with 46 per cent of organisations ranking ‘securing IoT within the organisation’ as a high priority for 2018, according to the Hiscox Cyber Readiness Report.

What happens next?

So, is it really impossible to secure the Internet of Things? While it’s certainly a challenge, the industry is developing new ways to protect IoT devices from increasingly sophisticated hackers, and there will be significant opportunities for those working in the IoT security space. Blockchain may well be part of the solution, though a group effort will be needed to ensure that IoT technology evolves in a way that is both beneficial to consumers and businesses and secure from hackers.

Education is also key and makers of IoT devices, ISPs and the government must play a vital role in boosting awareness of IoT security among consumers and businesses. At a government level, it may also be necessary to provide education to boost the digital literacy of policymakers. More regulation and standardisation is needed to ensure that IoT devices adhere to a certain level of security, while manufacturers must develop clear privacy policies for their IoT devices and ensure that consumers know how to adjust the security settings. Even simple steps such as not setting default passcodes as ‘0000’ or ‘1234’ could help keep devices more secure in the future.

While security has too often taken a back seat in the development of IoT technology, manufacturers must begin to build protection into their devices. Network providers can also help address the IoT security threat by creating end-to-end infrastructure that meets industry-wide standards. Providers that offer a secure network will have a competitive advantage in the long run.

Source: https://www.itproportal.com/features/is-the-internet-of-things-impossible-to-secure/