Network security and data protection remain at the top of many CIOs and CSOs’ agendas, as increasingly powerful privacy regulations threaten significant fines for breaches and information leaks. Getting security right means protecting the user first, with the added incentive of protecting a company’s revenues.
Dealing with an ever-evolving and increasingly complicated threat landscape, organizations, more than ever need both the right mechanisms and approaches in place and start treating the problem, not just the symptoms.
From millions of records being compromised to well-orchestrated DDoS attacks, 2016 showed just how dangerous the online world has become. In this post, we look at the different types of cyberattacks organizations of all sizes have been facing this year, and what simple steps they can take to prevent them in 2017.
One of the biggest risks CSOs face is the unknown. With businesses reliant on software and network hardware, it’s important to ensure that you’re on top of announced vulnerabilities and available patches.
Asian and African banks were targeted by a zero-day attack that aims to get users to download and open an infected document, that then downloads malware via a commonly-used word processor. It’s not software that’s widely used outside those regions, so may not have had the same security design model as other, more widely used software from larger, more security aware vendors. It’s important to keep on top of the security advisories related to the software you’re using: the popular BIND DNS software has had seven critical vulnerabilities announced so far in 2016, two of which were able to take down a DNS server with a single request.
Just because a zero-day has been revealed doesn’t mean it is no longer dangerous. You’re not safe until you’ve been patched, and the gap between announcement and patch can be more risky, as more attackers will have access to the exploit. Recently, the Fancy Bear hacker group ramped up its phishing-based zero-day attacks after Google revealed the attack method they were using… but before Microsoft and Adobe released patches.
As soon as an attack is announced, lock down possible routes into your systems and switch to another technology until the patch is available and tested. As with DNS, there is usually more than one implementation of common internet services, giving you a choice of fallback options.
Zero-days can be valuable to hacker groups and to nation state attackers: one Windows zero-day exploit was on sale earlier this year for $95,000 (nearly as high as Microsoft’s highest bug bounty). With vulnerabilities that valuable, it’s clear that many won’t be disclosed to vendors, and will instead be exploited by attackers.
Most of this year’s best known zero-day attacks have been on operating systems and web applications, but that doesn’t mean your network hardware is safe. A zero-day can be announced anywhere, and at any time, and be used for months before it’s revealed – so keep an eye on logs for suspicious behaviors.
DDoS attacks require very little infrastructure, taking advantage of exiting botnets (that can be rented by time and attack bandwidth). Over the last few years, there’s been a transition from TCP-based attacks to UDP, including the use of DNS. DDoS attackers have also been increasingly aware of the ability to magnify attack volume by taking advantage of common internet protocols- so when a user visits a site or attempts to use a service under attack, automatic retries can increase the bandwidth of connections flooding a site, anything up to a hundred times the size of the original DDoS attack.
Some of the more notable attacks of the last year have been as follows:
- The European commission suffering from a DDoS attack that flooded its networks with high volumes of traffic all
- A significant number of companies being disrupted via a DDoS on the Dyn cloud DNS service via the Mirai botnet
- The largest ever DDoS attack was on French hosting company OVH
Perhaps one of the more intriguing issues has been the rise of the Mirai botnet; not the newest code, but now targeting home devices running embedded Linux. Able to trigger massive DDoS on-demand attacks, it’s now been found on operated-owned CPE, infecting DSL routers operated by ISPs in the UK and in Germany. This gives ISPs a new route to protecting its users, taking advantage of networking tools and IPAM to segregate infected devices until they’re been disinfected and updated.
According to the Identity Theft Resource Center, there have already been 522 reported breaches as of the middle of July, exposing more than 13 million records (a number which does not include the majority of breaches that did not report number of records affected).
Tesco Bank had multiple accounts breached, with money transferred over a weekend when users weren’t checking accounts. Meanwhile, Yahoo finally announced details of a major breach, putting their merger with Verizon in jeopardy. Other tech giants like LinkedIn saw 167 million of their accounts being compromised. International sports bodies were also attacked in 2016, with spear-phishing emails breaching the World Anti-Doping Agency.
What can you do?
2016 has been a watershed year for Internet security. While traditional firewalls and security tools have locked down the old routes into systems, attackers have found new approaches and new attacks to get around current defenses.
This brings to mind the movie Dirty Harry, where Clint Eastwood’s cop character asks criminals to ask themselves “Do I feel lucky?”. That’s what network attackers are asking us today, as we struggle to defend ourselves with outdated hardware and software.
If you’re not thinking about security in ways that go beyond the firewall, then luck is all you have to defend your network. If you haven’t been breached already, the odds are against you. In order to be secure today, you have to identify new threats quickly and redefine your security accordingly.
That means thinking about security differently. What was good enough in the past is not enough for today and for tomorrow in 2017. It’s a new security landscape out there, and companies must ask themselves: am I ready for tomorrow’s attacks today, and are my users and network protected?