Are Security Solutions Enough to Protect Our Enterprises Against the Dangers of Distributed Attacks?
The tech industry has been abuzz with reports of security breaches and attacks as of late. For instance, Yahoo! has been a subject of scrutiny after details of a 2014 breach that involved data of 500 million of its users surfaced.
In the recent weeks, massive distributed denial-of-service (DDoS) attacks on websites and services were reported. Security blog Krebs on Security was hit by a 620 Gbps attack prompting its CDN provider to withdraw its pro-bono service to the blog. French hosting provider OVH was also hit by a 990 Gbps attack. Blizzard Entertainment also suffered from repeated attacks on their game servers. The Mirai botnet has continually pounded the Dyn DNS service, using a zombie army of IoT devices as its attack vector.
With these rising cases of attacks, are enterprises doing enough to protect their services and their customers?
Attackers for Hire
The threat landscape is seeing a shift toward a highly profitable enterprise for individuals and groups who perpetrate DDoS and other security breaches. Historically DDoS attacks had been associated with “hacktivism”, particularly from groups who want to garner attention to their cause. However, recently, groups are starting to offer “stresser”, “booter” or “DDoSer” services, which are essentially DDoS attacks for hire.
And this has started to become inexpensive enough that a one-hour per month attack can start at just $24.
Beyond DDoS attacks for hire, malicious activities are also now starting to have a political dimension. Security expert Bruce Schneier claims that recent waves of distributed attacks has been the working of a nation state trying to bring down the internet by hitting key infrastructure and emphasize intelligence gathering over financial gain.
Increasing Costs of Data Breach
Enterprises stand to lose a lot with these security breaches. Financially, IBM and Ponemon Institute estimate that each stolen record now amounts to $158. Downtime caused by DDoS attacks could amount to more than $10,000 a minute. Even if loss from extortion is taken out of the equation, lost customer confidence and damaged corporate reputation are hard to rebuild and repair. But even those may have monetary value.
Yahoo!’s failure to disclose the breach is now costing them $1 billion as Verizon seeks a discount from its intended cost to acquire the brand. Tech experts are even advising users to sever any ties to the company and delete their Yahoo! accounts.
Security Given More Emphasis
Many enterprises are now taking security more seriously. It is becoming top mandate for many CIOs and CTOs. Spending on security is also estimated to reach $81.6B this year, according to Gartner. With the growing portion of enterprises now reliant on the Internet, it is a challenge for executives to make sure all bases are covered.
The rise of cloud-based and self-service security has enabled many organizations to jump into the security bandwagon. Previously, organizations with significant investments in data centers, servers, and networks were the ones that had to incorporate security into their infrastructure.
Today, many organizations are using the cloud to host their infrastructure. Likewise, businesses that seek to protect their digital assets can turn to the cloud in deploying security solutions like web application firewalls, intrusion prevention and even DDoS mitigation. Sadly, some organizations apply security measures merely for compliance and for show.
Even with the availability of security services, many firms fall into the trap of erroneous deployment, unskilled IT security teams, and the failure to appreciate security as an organization-wide issue. All this attention given to security is all but for show if not done judiciously.
The massive DDoS on Krebs and OVH were carried out through Internet-of-Things devices. Unsecure devices like surveillance cameras were exploited to be part of a devastating Mirai botnet that was able to carry out near-Tbps levels of traffic.
Many of these IoT devices lack essential security features due to their low processing power. Alarmingly, for some devices, the attacks exploited weak and even default administrator passwords. The fact that a number of these devices are enterprise-owned only shows a level of inattention given by some organizations to fundamental security practices.
Prevention and Cure
Security requires significant investment so organizations must be able to identify the areas in which their businesses and infrastructure as most vulnerable and prioritize addressing these issues. Organizations need to be systematic and apply frameworks in planning and implementing security. Given the threats today, experts advise balancing investments in both a preventive and a detection and response approach.
The rise of self-service security encourages many smaller and mid-size organization to outsource their security. Service providers have acknowledged this need and are developing products and packages targeted to this market as a response. If this should be the case, it is better to implement tools from the same provider, as these companies have optimized their solutions to work with each other.
Monitoring and response is a 24/7 duty and organizations who are truly keen on security appoint executives to provide security leadership and form IT security teams to focus on these tasks.
Multi-layer Protection is Key
Security provider Incapsula advises that distributed attack protection requires multi-layer security. Services, at the very least, should protect OSI Layers 3 (network), 4 (transport), and 7 (application). But with the complex realities of web applications today, protecting on the application level is also paramount.
In Incapsula’s analysis of the Mirai attack, it determined that the exploit is able to launch network and transport-layer attacks, and that it also possesses capabilities to both circumvent security solutions, as well as ward of removal by other malware. This means that protecting against network attacks like DDoS will require a combination of services to cover the many possible vulnerabilities to systems.
One of the benefits of managed services is with the advanced analytics and 24/7 support that they perform and provide. These services should be able to have updated rule sets and to address vulnerabilities to systems as these exploits become known. As attackers continually evolve in their methods, security firms are often quicker to adapt and respond to these new threats.
Security Starts Now
Enterprises should also not discount the importance of the common sense approach by empowering individuals to secure their end of IT use. Many vulnerabilities exist simply because people do not bother using secure passwords, disregard warnings against accessing dubious websites, install software that potentially carries malware, or fail to apply patches and updates to the applications and hardware they use.
Security firms all publish statistics on their services, and an average user can only fathom such amount of malicious traffic they collectively protect against. All the statistics point to attacks only worsening. So while, perhaps it can be beneficial for enterprises to start with what can readily be addressed through common sense and then systematically approach securing infrastructure.