Tag Archives: stop ddos attacks

Final Fantasy 14 is experiencing DDoS attacks

Trouble logging in? It may be due to hackers.

Final Fantasy 14’s servers have been under intense strain this past weekend. It now seems that these issues are the direct result of distributed denial-of-service attacks, Square Enix stated today. The attacks have apparently been going on since June 16, the first day that the game’s second expansion, Stormblood, went live for early access.

This past weekend, early adopters were met with congested servers that were filled to capacity. Some queues just to log in surpassed 6,000 users. In the game proper, overwhelmed servers have led to increased load times and made some quests impossible to complete.

Stormblood was officially released yesterday and as of today, massive amounts of access requests due to the alleged hack are continuing to occur. Square Enix has stated that its technicians are doing all they can to defend against the attacks, but they are “continuing to take place by changing their methods at every moment.” The company also assured players that character data and private information associated with accounts have not been affected.

Source: https://www.polygon.com/2017/6/21/15845898/final-fantasy-14-stormblood-servers-ddos-attack


Risk Management Pros Say an IoT Security Incident Could Be Catastrophic

A recent survey by the Ponemon Institute and the Shared Assessments Program of 553 people with a role in risk management in their organizations found that 94 percent of those surveyed said a security incident related to unsecured IoT devices or applications could be catastrophic. Still, just 44 percent of respondents said their organization has the ability to protect their network or enterprise systems from risky IoT devices, and only 25 percent said their boards require assurances that IoT risks are being appropriately assessed, managed and monitored.

Additionally, 77 percent of respondents said they don’t consider IoT-related risks in their third party due diligence, and 67 percent don’t evaluate IoT security and privacy practices before engaging in a business relationship. Just 30 percent of respondents said managing third-party IoT risks is a priority in their organization.

“Ready or not, IoT third party risk is here,” Shared Assessments senior vice president Charlie Miller said in a statement. “Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever.”

“In order to avoid becoming the next big headline, our security tactics have to evolve along with the threats,” Miller added. “New technology and practices are needed to ensure security, and this starts by communicating the risks to the right people and acknowledging potential devastating outcomes when engaging with a third party. Avoiding these problems can no longer be the solution.”

Preventative Measures

In response, the report urges organizations to take the following key steps:
· Ensure inclusion of third-party and IoT risks occurs at all governance levels including the board.
· Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all inventoried devices. When devices are found to have inadequate security controls, replace them.
· Continue to leverage and enhance contracts and policies and expand scope to include IoT specific requirements.
· Expand third-party assessment techniques and processes to ensure presence and effectiveness of controls specific to IoT devices.
· Develop specific sourcing and procurement requirements to ensure only IoT devices that are designed with security functions included and enabled are considered for product selection or acquisition.
· Devise new strategies, technologies and tactics directed specifically at reducing threats posed by IoT devices.
· Collaborate with industry experts, peers, associations and regulators to ensure IoT risk management best practices are devised, communicated and implemented.
· Include IoT in communication, awareness and training at all levels: board, executive, corporate, business unit and third-party.
· Recognize the increasing dependence on technology to support the business and the risk posed by this dependence.
· Embrace new technologies and innovations, but not at the expense of security, and ensure security controls are included as fundamental and core requirements.

Seventy-two percent of respondents said the pace of innovation in IoT and the varying standards for security make it hard to ensure the security of IoT devices and applications, and 65 percent said the drive for innovation in the IoT ecosystem requires new approaches to IT strategies and tactics.

Breaches and DDoS Attacks

Strikingly, 78 percent of respondents said a data breach involving an unsecured IoT device is likely to occur within the next two years, and 76 percent said the same of a DDoS attack involving an unsecured IoT device. The concerns come as DDoS attacks become more and more frequent: according to Nexusguard’s Q1 2017 DDoS Threat Report, DDoS attack frequency surged by 380 percent in the first quarter of 2017, compared to the same time period the previous year. The percentage of days with attacks larger than 10 Gbps rose significantly between January 2017 (48.39 percent) and March 2017 (64.29 percent).

Radware vice president of security Carl Herberger told eSecurity Planet by email that the rapid proliferation of unsecured IoT devices is driving the increase in DDoS attacks. “The Mirai attack made headlines last year, but it should not be considered a one-off,” he said. “Instead, this event was a predictor of what is to come.”

“Hackers are constantly developing new ways to leverage connected devices with little to no security protections to form larger and larger botnets that are able to execute dangerous and sizable DDoS attacks,” Herberger added. “We’ve seen various botnets appear over the last year, including Hajime, BrickerBot and Persirai, demonstrating that IoT devices have become a new battleground for hackers.”

“Until manufacturers, the government, and consumers take a hard look at IoT security, the threat of bigger, more frequent IoT-fueled DDoS attacks will only loom larger,” Herberger said.

Source: http://www.esecurityplanet.com/network-security/risk-management-pros-say-an-iot-security-incident-could-be-catastrophic.html


DDOS Attacks on the Rise

Distributed Denial of Service (DDoS) attacks leverage compromised devices to generate a flood of traffic, overwhelming online services and rendering them unresponsive. DDoS services are widely available on the internet, with research by Trend Micro finding that the small cost of US$150 can buy a DDoS attack for a week. (It also brings organised crime into your life, but that’s a different point!)

The latest statistics from Cisco reveal that the number of DDoS attacks grew by 172% in 2016. Combine this with an average DDoS attack size of 1.2Gbps, capable of taking most organisations offline, and there is real cause for concern among cyber security experts. It is hard to trace DDoS attacks to their perpetrators, as the majority of devices used in attacks belong to innocent users.

Organisations must understand the risk and impact posed by DDoS attacks, and implement mitigation strategies that promote business continuity in the face of these attacks. Industry peers must share knowledge where appropriate, and keep government agencies adequately informed, to deter hackers from launching a DDoS attack. Cisco expects that the number of DDoS attacks in the future will only get worse, with 3.1 million predicted attacks in 2021 globally.

Source: http://www.natlawreview.com/article/ddos-attacks-rise


Bigger & smaller – DDoS threats here to stay with conflicting trends

The noise created by distributed denial of service attacks is higher than ever, with vendors and attackers complicating the picture, but what do enterprises need to worry about?

Distributed Denial of Service (DDoS) attacks were one of the most talked about threats at InfoSecurity Europe 2017. One of the things vendors couldn’t agree on, however, is the trend for their size and thus whether we should be defending against increasing numbers of small attacks or more frequent mega-attacks.

Corero Network Security, who met with SC during the conference, said in a press release that, “the greatest DDoS risk for organisations is the barrage of short, low volume attacks which mask more serious network intrusions”. Research from the firm says that “despite several headline-dominating, high-volume DDoS attacks over the past year, the vast majority (98 percent) of the DDoS attack attempts against Corero customers during Q1 2017 were less than 10 Gbps per second in volume.” It added: “they are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity.”

Ashley Stephenson, CEO at Corero Network Security, explains: “Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander – in this case, a flicker of internet outage – while hiding their more sinister motives.”

DDoS protection has traditionally been something that major enterprises were able to deploy by having their traffic run through a supplier network at huge cost. The alternative was to switch traffic over to their DDoS protection provider in the event of an attack, but this could cause a delay of about 20 minutes while the company under attack found who to call and explained what was happening, the whole time that the attack was escalating.

Instead, Laurent Gil, co-founder at Zenedge, explained to SC Media UK how his company’s approach to DDoS protection is different. “We have an always-on monitoring system on the cloud so there is nothing to install for the customer, it’s the same SSL as an ‘always on’ solution, but always on in the cloud for monitoring and analysing of traffic patterns and when the early signs of an attack are spotted, we automatically re-route traffic to our scrubbing centre within 60 seconds – down from the 20 minutes it takes non-automated systems,” Gil told SC. He added that because the traffic only switched on demand, when there is an attack, it is less cost than if it had to be handled all the time, and with a 60 second response, it still mitigated against the attack ramping up.

“It’s a tectonic shift in the market,” says Gil, adding, “We can onboard many more enterprises, without them spending millions of dollars, which is what’s needed for a mid-market enterprise. DDoS protection did not exist for these companies because they couldn’t afford it. It’s not that the traditional prime protection providers are losing revenues, but the market is much wider now than it was previously.”

In contrast to Corero, veteran vendor Imperva hosted sessions which could be misconstrued as ‘humble-brags’, named “how we stopped a 650Gbps DDoS attack over lunch”. Imperva points out that the source code of the Mirai botnet going open source has meant that the Tools, Tactics and Procedures (TTP) of botnet criminals have taken a step up. And naturally, it is prepared to protect against this threat with one of its “behemoth” data centre appliances. Imperva’s Robert Hamilton, director of product marketing, hosted the sessions and said “DDoS attacks aren’t going away anytime soon”.

Raj Samani, chief scientist of McAfee, told SC: “The number is completely subjective. When we saw the beginnings of DDoS as an extortion tactic it was brushed off since the throughput wasn’t significant enough to worry most enterprises, then all of a sudden the firepower increased to in excess of 50Gbps. Whilst this number for many organisations can be easily managed (as we saw with DDoS providers withstanding 620Gbps attacks), the reality is that the firepower of DDoS attacks are on the up. What is the magic number that will cause concern? Well, it will be whatever hasn’t been tested against!”

That may be the case, but then Akamai, another DDoS protection giant, says in its Q1 2017 State of the Internet report that “the mega attacks are outliers that represent the limits enterprises must be prepared to defend against. However, the overwhelming number of smaller attacks means that these mega attacks have little impact on the trend lines that defend the median attack size, which is a better indicator of what an organisation is most likely to see.”

Akamai raises another important point: the rise in use of IoT devices which are compromised for malicious use – such as using an “internet-enabled toaster to mine bitcoins” – is likely to end up contributing to harsher DDoS attacks as these devices are eventually recruited into the mega-botnets which carry out such attacks.

A new report from Kaspersky Lab, also released after InfoSec, shows that when organisations are attacked by a DDoS, “customer-facing resources suffer more in banking, than in any other sector.” “For example, 49 per cent of banks that have suffered a DDoS attack have had their public website affected (compared to 41 percent of non-financial institutions) and 48 percent have had their online banking affected when they’ve been targeted by DDoS.” “Recovering from DDoS is also more expensive for banks than non-financial organisations. The report shows that a DDoS incident can cost a financial institution US$ 1,172,000 (£917,427) to recover from, compared to US$ 952,000 (£745,000) for businesses in other sectors.”

Kirill Ilganaev, head of Kaspersky DDoS Protection, Kaspersky Lab, said in a press release, “In the banking sector reputation is everything, and security goes hand-in-hand with this. If a bank’s online services come under attack, it is very difficult for customers to trust that bank with their money, so it’s easy to see why an attack could be so crippling. If banks are to protect themselves effectively from the price tag of an online banking cybersecurity incident, they first need to become more prepared for the dangers DDoS attacks pose to their online banking services. This threat should be featuring higher on banks’ security priorities.”

Kaspersky Lab is encouraging financial institutions to share security intelligence to be better prepared for dealing with the threat of an attack on their online banking services.

Source: https://www.scmagazineuk.com/bigger-smaller–ddos-threats-here-to-stay-with-conflicting-trends/article/668725/


DDoS attacks continue to morph

According to Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, while reflection and amplification techniques have come to characterise a large number of complex, multi-vector DDoS attacks, the latest approach is to use reflection to exploit connection-less lightweight directory access protocols (CLDAPs). Traditionally, large attacks based on reflection or amplification were the likes of NTP, DNS, SNMP, SSDP, SQL RS or Chargen. “But this new trend has now been discovered ‘in the wild’, with the force to generate highly efficient and destructive results,” he says.

What is CLDAP?

CLDAP is essentially a computer networking protocol designed for legitimate users to query and modify stored data on X.500 directory systems. It is typically used on Windows Exchange servers and domain controllers. By providing directory and access control, one can use CLDAP to locate printers on a network, find a phone number of an employee, or see the security groups a user belongs to, for instance.

The modus operandi involves the attacker spoofing the source of a connectionless protocol, pinging the server with ultra-small queries. The server then responds to the victim with a far larger response. Initial findings suggest that this approach can amplify the initial response in the region of 46 to 55 times the size. “This makes CLDAP attacks highly efficient. A well-orchestrated attack that exploits an organisation’s vulnerabilities could very quickly achieve massive total attack size, and bring down the digital systems of all but the largest and best-protected organisations.”

Primary targets

Reports* from cloud giant Akamai show that the largest example of CLDAP reflection as the sole vector resulted in a payload of 52 bytes, amplified to as much as 70 times in this case – creating an attack data payload of 3,662 bytes, a peak bandwidth of 24Gbps, and 2 million packets per second. CLDAP attacks have primarily targeted the software and technology industry. Other industries targeted include internet and telecom, media and entertainment, education, retail and consumer goods, and financial services.

Fighting back

To effectively resist this type of DDoS attack, organisations need to thoroughly address the potential threat at a network level, by covering a number of bases:
· Prevent abuse: Ensure that you have anti-spoofing deployed at the edges of your networks.
· Detect attacks: Leverage flow telemetry exported from all network edges to Arbor technology, to automatically detect, classify, traceback, and alert on DDoS attacks.
· Ready mitigation techniques: Deploy network infrastructure-based reaction/mitigation techniques such as Source-Based Remotely-Triggered Blackholing (S/RTBH) and flowspec at all network edges.
· Mitigate attacks: Deploy intelligent DDoS mitigation systems at strategic points within your network.
· Minimise damage: Deploy Quality-of-Service (QoS) mechanisms at all network edges to police CLDAP traffic down to an appropriate level.
· Remediate CLDAP services: Proactively scan for and remediate abusable CLDAP services on the ISP and customer networks to reduce the number of abusable CLDAP servers.

“Like many other reflection techniques, organisations must always have ingress filtering in place. Unless there is a real need for your firm to have CLDAP available over the internet, you shouldn’t expose this protocol,” concludes Hamman.

Source: http://www.bizcommunity.com/Article/196/661/163351.html
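The “Detect attacks” item above relies on flow telemetry from the network edge. The following is an added example (not code from the article, Arbor Networks or Akamai) of what that detection logic looks like in practice: it aggregates UDP flows whose source port is 389 per destination and flags a destination that is receiving large average packets at a high packet rate from several reflectors, which is the signature of reflected CLDAP replies rather than a workstation’s own small directory lookups. The flow records, the thresholds and the field names are all constructed for this illustration; a real deployment would feed it NetFlow/IPFIX/sFlow exports.

```python
"""Spot CLDAP (UDP/389) reflection in edge flow telemetry.

Added example; not code from the article or the vendors it quotes.
The Flow records, thresholds and addresses below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# In a reflection flood the packets hitting the victim are *replies* from
# abused directory servers, so their source port is the CLDAP port 389.
CLDAP_PORT = 389

# Assumed thresholds for this example. A normal CLDAP reply is a few hundred
# bytes; the article cites 3,662-byte replies arriving at 2 million pps.
MIN_AVG_PACKET_BYTES = 1000
MIN_PACKETS_PER_SEC = 10_000


@dataclass(frozen=True)
class Flow:
    """One exported flow record (constructed shape, not a vendor format)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int
    duration_s: float


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker sends, e.g. the
    article's 52-byte query answered with a 3,662-byte reply."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def detect_cldap_reflection(flows):
    """Group UDP flows sourced from port 389 by destination and flag any
    destination whose aggregate looks like reflected replies.

    Returns {victim_ip: {"reflectors": n, "avg_bytes": b, "pps": p}}.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0,
                                   "octets": 0, "duration": 0.0})
    for f in flows:
        if f.proto != "udp" or f.src_port != CLDAP_PORT:
            continue
        agg = per_dst[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["packets"] += f.packets
        agg["octets"] += f.octets
        agg["duration"] = max(agg["duration"], f.duration_s)

    alerts = {}
    for dst, agg in per_dst.items():
        if agg["packets"] == 0 or agg["duration"] <= 0:
            continue
        avg_bytes = agg["octets"] / agg["packets"]
        pps = agg["packets"] / agg["duration"]
        if avg_bytes >= MIN_AVG_PACKET_BYTES and pps >= MIN_PACKETS_PER_SEC:
            alerts[dst] = {"reflectors": len(agg["reflectors"]),
                           "avg_bytes": round(avg_bytes), "pps": round(pps)}
    return alerts


# Constructed sample: three reflectors flooding 203.0.113.10 for 10 seconds,
# plus one benign exchange between a workstation and its domain controller.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", 389, "203.0.113.10", 41222, "udp", 60_000, 60_000 * 3662, 10.0),
    Flow("198.51.100.2", 389, "203.0.113.10", 41222, "udp", 55_000, 55_000 * 3600, 10.0),
    Flow("198.51.100.3", 389, "203.0.113.10", 41222, "udp", 50_000, 50_000 * 3500, 10.0),
    Flow("192.0.2.5", 389, "192.0.2.77", 50123, "udp", 12, 12 * 180, 10.0),  # benign
]

if __name__ == "__main__":
    print("Akamai case amplification: %.1fx" % amplification_factor(52, 3662))
    for victim, info in detect_cldap_reflection(SAMPLE_FLOWS).items():
        print("possible CLDAP reflection toward", victim, info)
```

The benign flow is ignored because both its average packet size and its rate are far below the thresholds; the three flooding sources are combined into one alert for the victim, which is the view an operator needs before deciding on S/RTBH, flowspec or QoS policing of UDP/389 at the edge.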


US Blames North Korea For Series Of DDoS Attacks

The Department of Homeland Security and the Federal Bureau of Investigation issued a rare cybersecurity bulletin linking North Korea to a series of attacks that have targeted global businesses and critical infrastructure since 2009. The alert focuses on a malware strain called DeltaCharlie, which DHS and FBI say was used by the North Korean government to launch distributed denial of service attacks. DDoS attacks use floods of web traffic from compromised devices to knock websites or services offline. North Korea targeted “the media, aerospace, financial, and critical infrastructure sectors in the United States and globally,” the alert says. The US government refers to North Korea’s hacking team as Hidden Cobra, but cybersecurity firms often use the slightly less sinister name Lazarus Group. The North Koreans have also been linked to the WannaCry ransomware that spread virally in May and shut down hospitals and businesses. WannaCry primarily targeted unpatched Windows machines, and it sounds like the Lazarus Group’s DDoS malware is also primarily exploiting devices that run old versions of Windows. “The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation,” the alert notes. Windows typically stops issuing patches for older operating systems after they have been retired, but the company today released patches that thwart WannaCry on outdated devices, ZDNet reports. Although DHS and FBI released data that will help detect and mitigate Lazarus Group attacks, the agencies said more research is necessary to “understand the full breadth” of the group’s capabilities. Source: https://www.gizmodo.com.au/2017/06/us-blames-north-korea-for-series-of-ddos-attacks/


Ten steps for combating DDoS in real time

To the uninitiated, a distributed denial-of-service (DDoS) attack can be a scary, stressful ordeal. But don’t panic. Follow these steps by David Holmes, senior technical marketing manager: Security, F5 Networks, to successfully fight an attack: If you appear to be suffering a volumetric attack, it helps to have a historical sense of your own traffic patterns. Keep a baseline of normal traffic patterns to compare against. If you have determined that you are under a DDoS attack, record the estimated start time in your attack log. Monitor volumetric attacks. Remember to keep a monitoring web page open to indicate when the attack may be over (or mitigated). You will need to follow (up to) 10 steps for your DDoS mitigation: Step 1: Verify the attack Not all outages are caused by a DDoS attack. DNS misconfiguration, upstream routing issues, and human error are also common causes of network outages. You must first rule out these types of non-DDoS attacks and distinguish the attack from a common outage. · Rule out common outages: The faster you can verify the outage is a DDoS attack, the faster you can respond. Even if the outage was not caused by a misconfiguration or other human error, there may still be other explanations that resemble a DDoS attack. · Check outbound connectivity: Is there outbound connectivity? If not, then the attack is so severe that it is congesting all inbound and outbound traffic. Check with your usual diagnostic tools (such as traceroute, ping, and dig) and rule out all such possibilities. · Rule out global issues: Check Internet weather reports, such as Internet Health Report and the Internet Traffic Report, to determine if the attack is a global issue. · Check external network access: Attempt to access your application from an external network. 
Services and products that can perform this kind of monitoring include: Keynote testing and monitoring, HP SiteScope agentless monitoring, SolarWinds NetFlow Traffic Analyzer, and Downforeveryoneorjustme.com. · Confirm DNS response: Check to see if DNS is responding for your website. The following UNIX command resolves a name against the OpenDNS project server: % dig @208.67.222.222 yourdomain.com Step 2: Contact team leads. Once the attack is verified, contact the leads of the relevant teams. If you have not filled out any quick reference sheets or a contact list, create one now or use our templates. When an outage occurs, your organisation may hold a formal conference call including various operations and applications teams. If your company has such a process in place, use the meeting to officially confirm the DDoS attack with team leads. · Contact your bandwidth service provider: One of the most important calls you can make is to the bandwidth service provider. List the number for your service provider in your contact sheet. The service provider can likely confirm your attack, provide information about other customers who might be under attack, and sometimes offer remediation. · Contact your fraud team: It is especially important to invoke the fraud team as soon as the attack is verified. DDoS attacks can be used as cover to hide an infiltration. Logs that would normally show a penetration may get lost during a DDoS attack. This is why high-speed, off-box logging is so important. Step 3: Triage applications Once the attack is confirmed, triage your applications. When faced with an intense DDoS attack and limited resources, organisations have to make triage decisions. High-value assets typically generate high-value online revenue. These are the applications you will want to keep alive. 
Low-value applications, regardless of the level of legitimate traffic, should be purposefully disabled so their CPU and network resources can be put to the aid of higher-value applications. You may need the input of team leads to do this. Ultimately, these are financial decisions. Make them appropriately. Create an application triage list; it takes only a few minutes to fill one out, and will greatly assist in making tough application decisions while combating an actual DDoS event. Decide which applications are low priority and can be disabled during the attack. This may include internal applications. Step 4: Protect partners and remote users. · Whitelist partner addresses: Very likely you have trusted partners who must have access to your applications or network. If you have not already done so, collect the IP addresses that must always be allowed access and maintain that list. You may have to populate the whitelist in several places throughout the network, including at the firewall, the Application Delivery Controller (ADC), and perhaps even with the service provider, to guarantee that traffic to and from those addresses is unhindered. · Protect VPN users: Modern organisations will whitelist or provide quality-of-service for remote SSL VPN users. Typically this is done at an integrated firewall/ VPN server, which can be important if you have a significant number of remote employees. Step 5: Identify the attack Now is the time to gather technical intelligence about the attack. The first question you need to answer is “What are the attack vectors?” There are four types of DDoS attack types, these are · Volumetric: flood-based attacks that can be at layers 3, 4, or 7; · Asymmetric: designed to invoke timeouts or session-state changes; · Computational: designed to consume CPU and memory; and · Vulnerability-based: designed to exploit software vulnerabilities. By now you should have called your bandwidth service provider with the information on your contacts list. 
If the attack is solely volumetric in nature, the service provider will have informed you and may have already taken steps at DDoS remediation. Even though well-equipped organisations use existing monitoring solutions for deep-packet captures, you may encounter cases where you have to use packet captures from other devices, such as the ADC, to assist in diagnosing the problem. These cases include: SSL attack vectors and FIPS-140. Step 6: Evaluate source address mitigation options If Step 5 has identified that the campaign uses advanced attack vectors that your service provider cannot mitigate (such as slow-and-low attacks, application attacks, or SSL attacks), then the next step is to consider the following question: “How many sources are there?” If the list of attacking IP addresses is small, you can block them at your firewall. Another option would be to ask your bandwidth provider to block these addresses for you. · Geoblocking: The list of attacking IP address may be too large to block at the firewall. Each address you add to the block list will slow processing and increase CPU. But you may still be able to block the attackers if they are all in the same geographic region or a few regions you can temporarily block. The decision to block entire regions via geolocation must be made as a business decision. Finally, if there are many attackers in many regions, but you don’t care about any region except your own, you may also use geolocation as a defence by blocking all traffic except that originating from your region. · Mitigating multiple attack vectors: If there are too many attackers to make blocking by IP address or region feasible, you may have to develop a plan to unwind the attack by mitigating “backwards”; that is, defending the site from the database tier to the application tier, and then to the web servers, load balancers, and finally the firewalls. 
You may be under pressure to remediate the opposite way; for example, mitigating at layer 4 to bring the firewall back up. However, be aware that as you do this, attacks will start to reach further into the data centre.

Step 7: Mitigate specific application attacks

If you have reached this step, the DDoS attack is sufficiently sophisticated to render mitigation by source address ineffective. Tools such as the Low Orbit Ion Cannon, the Apache Killer or the Brobot may generate attacks that fall into this category. These attacks look like normal traffic at layer 4, but have anomalies that disrupt services in the server, application or database tier. To combat these attacks, you must enable or construct defences at the application delivery tier.

Once you have analysed the traffic in Step 4, if the attack appears to be an application-layer attack, the important questions are: Can you identify the malicious traffic? Does it appear to be generated by a known attack tool? Specific application-layer attacks can be mitigated on a case-by-case basis with specific F5 counter-measures. Attackers today often use multiple types of DDoS attack vector, but most of those vectors are around layers 3 and 4, with only one or two application-layer attacks thrown in. We hope this is the case for you, which will mean you are nearly done with your DDoS attack.

Step 8: Increase application-level security posture

If you have reached this step in a DDoS attack, you’ve already mitigated at layers 3 and 4 and evaluated mitigations for specific application attacks, and you are still experiencing issues. That means the attack is relatively sophisticated, and your ability to mitigate will depend in part on your specific applications.

Asymmetric application attack: Very likely you are being confronted with one of the most difficult of modern attacks: the asymmetric application attack. This kind of attack can be:
· A flood of recursive GETs of the entire application.
· A repeated request of some large, public object (such as an MP4 or PDF file).
· A repeated invocation of an expensive database query.

Leveraging your security perimeter: The best defence against these asymmetric attacks depends on your application. For example, financial organisations know their customers and are able to use login walls to turn away anonymous requests. Entertainment industry applications such as hotel websites, on the other hand, often do not know the user until the user agrees to make the reservation. For them, a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) might be a better deterrent. Choose the application-level defence that makes the most sense for your application: a login wall, human detection or real browser enforcement.

Step 9: Constrain resources

If all the previous steps fail to stop the DDoS attack, you may be forced to simply constrain resources to survive the attack. This technique turns away both good and bad traffic. In fact, rate limiting often turns away 90 to 99 percent of desirable traffic while still enabling the attacker to drive up costs at your data centre. For many organisations, it is better to just disable or “blackhole” an application rather than rate-limit it.
· Rate shaping: If you find that you must rate-limit, you can provide constraints at different points in a multi-tier DDoS architecture. At the network tier, where layer 3 and layer 4 security services reside, use rate shaping to prevent TCP floods from overwhelming your firewalls and other layer 4 devices.
· Connection limits: Connection limits can be an effective mitigation technique, but they do not work well with connection-multiplexing features. Application tier connection limits should provide the best protection to prevent too much throughput from overwhelming your web servers and application middleware.

Step 10: Manage public relations

Hacktivist organisations today use the media to draw attention to their causes. Many hacktivists inform the media that an attack is underway and may contact the target company during the attack. Financial organisations, in particular, may have policies related to liability that prevent them from admitting an attack is underway. This can become a sticky situation for the public relations manager. The manager may say something like, “We are currently experiencing some technical challenges, but we are optimistic that our customers will soon have full access to our online services.” Journalists, however, may not accept this type of hedging, especially if the site really does appear to be fully offline. In one recent case, a reporter called a bank’s local branch manager and asked how the attack was proceeding. The branch manager, who had not received media coaching, responded, “It’s awful, we’re getting killed!”

If the DDoS attack appears to be a high-profile hacktivist attack, prepare two statements:
· For the press: If your industry policies allow you to admit when you are being externally attacked, do so and be forthright about it. If policy dictates that you must deflect the inquiry, cite technical challenges but be sure to prepare the next statement.
· For internal staff, including anyone who might be contacted by the press: Your internal statement should provide cues about what to say and what not to say to the media, or even better, simply instruct your staff to direct all inquiries related to the event back to the PR manager. Include a phone number.

Anton Jacobsz, managing director at Networks Unlimited, a value-adding reseller of F5 solutions throughout Africa, notes that it is the organisations focusing on a holistic security strategy that are considered forward-looking and ahead of the digital economy curve. “In a digital age – where sensitive or personal information is at risk of being exposed, and where geo-location and sensor-based tools track movements – organisations need to be prepared for a cyber attack. It has become essential to scrutinise security throughout the entire operation and offerings in order to build the strongest cornerstones for establishing trust between company, employees and consumers,” says Jacobsz. Source: http://www.itnewsafrica.com/2017/06/ten-steps-for-combating-ddos-in-real-time/
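The following is an added example, not code from the article or from F5, that puts Steps 7 to 9 into a small application-tier guard: it scans access-log records for the two asymmetric patterns the article names (repeated fetches of one large object, repeated calls to an expensive database query), sends flagged clients to a human-detection challenge as in Step 8, and applies a per-client token-bucket rate limit to everyone else as the Step 9 last resort. The log records, thresholds, IP addresses and class names are all constructed for the illustration; the decision labels ("challenge", "rate-limited") are placeholders for whatever the real delivery tier returns.

```python
from collections import defaultdict

# Constructed sample access-log records, one tuple per request:
# (client_ip, path, bytes_sent, db_ms).  Addresses come from documentation
# ranges.  203.0.113.7 hammers one 8 MB PDF, 203.0.113.9 repeats an expensive
# search query, and 198.51.100.2 is an ordinary visitor who touches both once.
SAMPLE_LOG = (
    [("203.0.113.7", "/brochure.pdf", 8_000_000, 3)] * 6
    + [("203.0.113.9", "/search?q=*", 2_000, 900)] * 6
    + [
        ("198.51.100.2", "/index.html", 12_000, 4),
        ("198.51.100.2", "/brochure.pdf", 8_000_000, 3),
        ("198.51.100.2", "/search?q=rooms", 2_000, 850),
    ]
)


def find_asymmetric_clients(records, large_bytes=1_000_000, slow_ms=500, repeats=5):
    """Step 8 heuristic (assumed thresholds): flag clients that repeatedly
    request the same large object or the same slow database endpoint.
    Returns a mapping of client IP -> human-readable reason."""
    counts = defaultdict(int)
    for ip, path, nbytes, db_ms in records:
        if nbytes >= large_bytes:
            counts[(ip, path, "large-object")] += 1
        if db_ms >= slow_ms:
            counts[(ip, path, "expensive-query")] += 1
    flagged = {}
    for (ip, path, kind), n in counts.items():
        if n >= repeats:
            flagged[ip] = f"{kind}: {n}x {path}"
    return flagged


class TokenBucket:
    """Step 9 rate shaper for one client.  The caller passes the clock
    (`now`, in seconds) so decisions are deterministic and testable."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class AppTierGuard:
    """Orders the two controls the way the article does: a known asymmetric
    abuser gets a human-detection challenge (login wall or CAPTCHA) first;
    everyone else is rate-shaped and the excess is refused."""

    def __init__(self, flagged, rate_per_s=2.0, burst=5):
        self.flagged = flagged
        self.buckets = defaultdict(lambda: TokenBucket(rate_per_s, burst))

    def decide(self, ip, now):
        if ip in self.flagged:
            return "challenge"
        return "allow" if self.buckets[ip].allow(now) else "rate-limited"


if __name__ == "__main__":
    flagged = find_asymmetric_clients(SAMPLE_LOG)
    for ip, why in sorted(flagged.items()):
        print(f"{ip}: {why}")
    guard = AppTierGuard(flagged)
    print([guard.decide("198.51.100.2", 0.0) for _ in range(7)])
```

The ordinary visitor fetches the PDF and runs the search once each, so the repeat threshold keeps it off the flagged list; only the clients that repeat the expensive action are challenged, which is the point of Step 8 over Step 9: the rate limiter alone would have throttled the legitimate visitor's burst just as readily as the attacker's.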

Operators beware: DDoS attacks—large and small—keep increasing

Despite years’ worth of warnings and countermeasures, distributed denial of service (DDoS) attacks continue to escalate. Every year sees more of them, with increasing duration and severity. The frequency was up by 380% in the first quarter of 2017 compared to the first quarter of 2016, according to Nexusguard, which compiled this set of statistics (PDF) in a new report. From the fourth quarter of 2016 to the first quarter of 2017, HTTP attack counts and total attack counts increased by 147% and 37% respectively. Examples of increasing severity include a 275 Gbps attack that took place during Valentine’s Day (there have been significantly larger attacks) and an attack spanning 4,060 minutes that occurred over the Chinese New Year, the company said. The percentage of days with sizable attacks (larger than 10 Gbps) grew appreciably within the quarter, from 48.39% in January to 64.29% in March. Lengthier attacks at erratic intervals are becoming the norm, the company said. A separate, simultaneously published report from Corero Network Security said its customers have been hit by an increasing number of small DDoS attacks. Though attacks of 10 Gbps or smaller would seem less severe, what’s insidious about them is that they are apt to sneak under minimum detection thresholds. Though the DDoS attacks themselves might not be that disruptive, they can give hackers the access to wreak plenty of other damage. Corero CEO Ashley Stephenson said in a statement, “Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. 
Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander—in this case, a flicker of internet outage—while hiding their more sinister motives.” Nexusguard believes part of the increase in DDoS activity is a ripple effect of increased botnet activity that occurred in the fourth quarter. This is in part a reference to the Mirai botnet, which was first identified in the latter half of 2016. Mirai provided a means to take over connected devices with inadequate built-in security safeguards (webcams, some set-top boxes, etc.) and use them to launch sustained attacks, sometimes with spectacular results. Those attacks revealed the Achilles’ heel in the internet of things: many IoT applications are based on the distribution of large numbers of very inexpensive devices, which can be made so cheaply in part by adopting only minimal security, if any. The DDoS problem is worldwide, but nearly a quarter of the attacks are launched from the U.S. (followed by China and Japan). That’s likely to remain the case, as more U.S. households install “smart” devices that have poorly guarded IP addresses, making them susceptible to hijacking in the service of more DDoS attacks. “IoT botnets are only the beginning for this new reign of cyberattacks. Hackers have the scale to conduct gigantic, continuous attacks; plus, teams have to contend with attacks that use a combination of volumetric and application aspects,” said Nexusguard CTO Juniman Kasman, in a statement. The two largest sources of DDoS attacks were China and Japan, with Russia a distant third. The release of such results is meant to emphasize what should be obvious: companies that haven’t upgraded their security are the most vulnerable. Source: http://www.fiercetelecom.com/telecom/operators-beware-ddos-attacks-large-and-small-keep-increasing

Why IoT Botnets Might be the Next Big Worry?

Rise of IoT globally is still in its early days, hence the level of protection is on the lower end.

We all love the Internet of Things (IoT), don’t we? It has brought ‘things’, a.k.a. devices, around us to life – from watches, beds, luggage, bulbs and clothes to even buildings (in some time). But that love is now turning into a spoiler. The smart band or watch on your wrist and other IoT electronics are being hacked by malware attackers to turn them into an army of zombie machines and launch botnet attacks, much like the October 2016 attack that used IoT webcams and video recorders to block user access to many sites including Twitter, Reddit, Spotify, etc., by spamming the domain name service they used. Read on as Dhruv Khanna, CEO of Data Resolve, a cyber intelligence company, shares insights on it.

Distributed denial-of-service (DDoS) attacks aren’t new. So are those using IoT devices of a new type?

There are multiple types. First is the conventional botnets that target your laptops and desktop servers to track your online activity. Second is the enterprise-specific attack called a distributed denial-of-service (DDoS) attack, when botnets block all your access to the device. Third is where your activity and data are captured and sent to a third party. Fourth is where your device is remotely controlled and access is blocked until some money is paid to the attacker. IoT botnets are like DDoS attacks that use not just computers in the conventional botnet way but also IoT devices to break into information and data.

But why have IoT devices become favourites to launch attacks?

Rise of IoT globally is still in its early days, hence the level of protection is on the lower end. Moreover, there are constraints in IoT devices such as using a basic version of the operating system and having less processing, storage and computational power in terms of setting up anti-virus, firewall and other security applications on them. This makes them an easy target for attackers to use as a botnet for attack, in comparison to using just computers and laptops, which are relatively better secured. For example, the Mirai botnet targets consumer devices like remote cameras and home appliances.

The ecosystem in India too isn’t making efforts to be ready. Right?

That’s because IoT here is beginning to take its first step; hence, the awareness around it is not significant. On the enterprise side, before pushing business services onto IoT devices, as a best practice the chief information security officers of the company would eventually have to frame a security manual and controls around IoT devices in terms of IoT device on-boarding, incident monitoring and control. Also, there is a need for regulation to control and monitor them.

Are we better off without IoT?

Not really. The advantage of IoT is that it is part of the cloud ecosystem. Securing the cloud is as good as securing the device. That’s why people are not spending too much on the device level but more on the cloud side. In a typical malware attack you are not able to control the source of the attack, but with an IoT device you can, as you know where your service is based on the cloud. But if your cloud application is compromised, it would be difficult to trace it.

So, this is the next level of cyber security challenge?

It is certainly the next level of attack. For large businesses, it will be a significant hit on their brand along with data. If 10,000 of any vendor’s devices in the market get compromised, then it will impact the company. It is not impacting just you as an individual but all the devices that are interconnected to your device and vice versa. Source: https://www.entrepreneur.com/article/295274

7 nightmare cyber security threats to SMEs and how to secure against them

Small businesses face a range of cyber threats daily and are often more vulnerable than larger organisations. Small businesses that see themselves as too small to be targeted by cyber criminals are putting themselves at direct risk. In fact, small businesses are at an equal, if not greater, risk of being victims of cyber crime – two thirds of small UK firms were attacked by hackers between 2014 and 2016, according to a report from the Federation of Small Businesses.

Cyber crime can cause massive damage to a young business’s reputation, result in loss of assets and incur expenses to fix the damage caused. These attacks could mean the difference between turning a profit and going bust. Legal action could also be taken if businesses are found to have failed to put proper safeguards in place. When new data protection laws are introduced in 2018 under GDPR, complacent businesses risk fines of up to £17 million or 4% of annual turnover (whichever is higher) if they suffer a data breach.

So what can small businesses do to protect themselves and the sensitive data of their customers? These are 7 nightmare cyber security threats and how to secure against them.

Threat 1: internal attacks

This shouldn’t come as a surprise to readers, but internal attacks are one of the largest cyber security threats facing small businesses today. Rogue employees, especially those with access to networks, sensitive data or admin accounts, are capable of causing real damage. Some theories even suggest that the notorious 2014 Sony Pictures hack – typically linked to North Korea – was actually an insider attack. To reduce the risk of insider threats, businesses must identify privileged accounts – accounts with the ability to significantly affect or access internal systems. Next, terminate those that are no longer in use or are connected with employees no longer working in the business. Businesses can also implement tools to track the activity of privileged accounts. This allows for a swift response if malicious activity from an account is detected, before the damage can be dealt.

Threat 2: phishing and spear phishing

Despite constant warnings from the cyber security industry, people still fall victim to phishing every day. As cyber crime has become well-funded and increasingly sophisticated, phishing remains one of the most effective methods used by criminals to introduce malware into businesses. Spear phishing is a targeted form of phishing in which phishing emails are designed to appear to originate from someone the recipient knows and trusts – like senior management or a valued client. To target victims deemed ‘high value’ — i.e. those with access to privileged accounts — cyber criminals may even study their social media to gain valuable insights which can then be used to make their phishing emails appear highly authentic. If an employee is tricked by a malicious link in a phishing email, they might unleash a ransomware attack on their small business. Once access is gained, ransomware quickly locks down business computers as it spreads across a network. Until a ransom is paid, businesses will be unable to access critical files and services. To mitigate the risk posed by phishing – and ransomware – organisations must ensure staff are aware of the dangers and know how to spot a phishing email. Businesses must also ensure they have secure backups of their critical data. Because ransomware locks down files permanently (unless businesses want to cough up the ransom), backups are a crucial safeguard to recover from the hack. But as ransomware attacks are on the rise, prevention remains better than treatment. Education is the best way of ensuring protection for small businesses.

Threat 3: a dangerous lack of cyber security knowledge

Entire cyber security strategies, policies and technologies are worthless if employees lack cyber security awareness. Without any kind of drive to ensure employees possess a basic level of cyber security knowledge, any measure or policy implemented will be undermined. A well-targeted spear phishing email could convince an employee to yield their password and user information. An IT team can’t be looking over everyone’s shoulders at once. Because of this, education and training are essential to reduce the risk of cyber crime. Some employees may not know (or care enough) to protect themselves online, and this can put businesses at risk. Hold training sessions to help employees manage passwords (hint: two-factor authentication for business accounts) and identify phishing attempts. Then provide support to ensure employees have the resources they need to be secure. Some small businesses will also consider up-skilling members of their IT teams in incident handling, often through popular GCIH training from security vendor GIAC. Incident handling professionals are able to manage security incidents as they happen, and speed the process of recovery if hacks do occur. Ultimately, even a basic level of knowledge and awareness could mean the difference between being hacked and avoiding the risk altogether.

Threat 4: DDoS attacks

Distributed Denial of Service (DDoS) attacks have overwhelmed some of the largest websites in the world, including Reddit, Twitter and Netflix. DDoS attacks, which ambush businesses with massive amounts of web traffic, slow websites to a crawl and, more often than not, force crucial services offline. If a small business relies on a website or other online service to function, the outages caused by DDoS attacks will be catastrophic. Most DDoS attacks last between 6 and 24 hours and cost an estimated £30,000 per hour, according to data from Incapsula, a DDoS prevention firm. Whilst businesses can’t stop a website or service being targeted in a DDoS attack, they can work to absorb some of the increased traffic, giving them more time to form a response or filter out the spam data. Ensuring there is extra bandwidth available, creating a DDoS response plan in the event of an attack or using a DDoS mitigation service are all great steps towards reducing the impact of an attack. But that’s just scratching the surface of DDoS mitigation – here are more ways to prevent a DDoS attack.

Threat 5: malware

Malware is a blanket term that encompasses any software that gets installed on a machine to perform unwanted tasks for the benefit of a third party. Ransomware is a type of malware, but others exist, including spyware, adware, bots and Trojans. To prevent malware from taking hold, businesses should invest in solid anti-virus technology. Plus, operating systems, firewalls and firmware, and the previously mentioned anti-virus software, must be kept up to date. If services are outdated or not updated regularly, businesses are at serious risk. Just look at the damage caused when malware infected the UK’s National Health Service through an exploit within an outdated version of Windows XP. And that was just one of the high-profile targets affected by the global WannaCry ransomware attack.

Threat 6: SQL injection

Almost every business relies on websites to operate and many depend entirely on the service they provide online. However, poorly secured websites could be wide open to data theft by cyber criminals. Of the many attacks that can be staged against a website, SQL injection is amongst the most dangerous, and even the largest companies fall victim to it. SQL injection refers to vulnerabilities that allow hackers to steal or tamper with the database sitting behind a web application. This is achieved by sending malicious SQL commands to the database server, typically by inputting code into forms – like login or registration pages. It takes a few well-calculated steps to protect against SQL injection. As a precaution, businesses should assume all user-submitted data is malicious, get rid of database functionality that isn’t needed and consider using a web application firewall. For a closer look at SQL injection, take a look at this documentation from Cisco. Properly preventing SQL injection is primarily a responsibility for a web development or security team, but the change has to be driven from the top. Still not convinced? Take a look at this video from Computerphile to see how effective and dangerous SQL injection can be.

Threat 7: BYOD

Businesses are vulnerable to data theft, especially if employees are using insecure mobile devices to share or access company data. As more small businesses make use of bring your own device (BYOD) technology, corporate networks could be at risk from unsecured devices carrying malicious applications which could bypass security and access the network from within the company. The solution is nailing down a defined BYOD policy. A comprehensive BYOD policy educates employees on device expectations and allows companies to better monitor email and documents that are being downloaded to company-owned devices. Ensure employee-owned devices can access the business network through a VPN, which connects remote BYOD users with the organisation via an encrypted channel. A VPN is crucial if employees are using public Wi-Fi networks to access business data. Public Wi-Fi is notoriously insecure and provides little protection against criminals that might be watching the transfer of sensitive data. If an attacker does capture encrypted VPN traffic they will only see incomprehensible characters going from you to a VPN server – meaning no sensitive data is leaked. Source: http://www.information-age.com/7-nightmare-cyber-security-threats-smes-secure-123466495/
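Threat 6 above says SQL injection works by "inputting code into forms" and that the fix is a development-team change. The following added example, which is not from the article or from Cisco's documentation, shows the defect and the fix side by side on a login form: one version splices the submitted username into the SQL text, the other passes it as a bound parameter. The in-memory SQLite database, the user rows, the placeholder hash strings and the function names are all constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed fixture: an in-memory SQLite database standing in for the
    database behind a login form.  The password column holds placeholder
    strings where a real application would store a slow password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alices-password"), ("bob", "hash-of-bobs-password")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """The defect the article describes: user-supplied text is spliced into
    the SQL statement, so a quote character in the input becomes SQL syntax
    and the rest of the WHERE clause can be rewritten from the form field."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so the input is only ever compared as data, never parsed."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


def demo():
    """Runs both login paths with a malformed username that turns the rest of
    the statement into a comment, and a deliberately wrong password hash.
    Returns (vulnerable_result, safe_result): only the vulnerable path
    authenticates the request."""
    conn = make_db()
    crafted_username = "alice' --"   # SQLite treats "--" as a line comment
    wrong_hash = "not-the-real-hash"
    return (
        login_vulnerable(conn, crafted_username, wrong_hash),
        login_safe(conn, crafted_username, wrong_hash),
    )


if __name__ == "__main__":
    print(demo())  # → ('alice', None)
```

The useful check for a code review is mechanical: any statement built with string formatting or concatenation from request data is a candidate, regardless of how the input is "validated" first, because the parameterised form removes the problem class rather than one payload. The article's other two precautions, dropping unneeded database functionality and a web application firewall, reduce what an injection can reach; they do not replace the bound parameters.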
