February 2011 Archives

DDoS attacks: coming to a network near you


There has already been much fallout from the recent massive release of information by the WikiLeaks organisation--including attacks on WikiLeaks itself by those angered by its actions that aimed to disrupt and discredit the organisation. This saw WikiLeaks targeted by a variety of sustained distributed denial of service (DDoS) attacks that aim to make its web presence inaccessible.
Although these attacks were relatively modest in size and not very sophisticated, the publicity they received has raised awareness of the dangers of such attacks, which can be costly and time-consuming to defend against. A DDoS attack occurs when an attacker uses large-scale computing resources, often a botnet, to bombard an organisation's network with so many requests that it is overwhelmed and its servers crash. Many such attacks are launched against websites, making them unavailable, which can lead to lost business as well as the costs of mitigating the attack and restoring service.
DDoS attacks are actually extremely widespread. A recent survey commissioned by VeriSign found that 75% of respondents had experienced one or more attacks in the past 12 months. This is echoed in recent research published by Arbor Networks of 111 IP network operators worldwide, which showed that 69% of respondents had experienced at least one DDoS attack in the past year, and 25% had been hit by ten such attacks per month. According to Adversor, which offers services to protect against DDoS attacks, DDoS attacks now account for 4% of total internet traffic. Another provider of such services, Prolexic Technologies, estimates that there are 50,000 distinct DDoS attacks every week.
The research from Arbor Networks also shows that DDoS attacks are increasing in size, making them harder to defend against. It found that there has been a 102% increase in attack size over the past year, with attacks breaking the 100Gbps barrier for the first time. More attacks are also being seen against the application layer, which target the database server and cripple or corrupt the applications and underlying data needed to effectively run a business, according to Arbor's chief scientist, Craig Labovitz. Among respondents to its survey, Arbor states that 77% detected application layer attacks in 2010, leading to increased operational expenditures, customer churn and revenue loss owing to the outages that ensue.
Measures commonly taken to defend against DDoS attacks include the use of on-premise intrusion detection and prevention systems, or the overprovisioning of bandwidth so that the attack cannot take down the network. Others use service providers, such as their internet service provider (ISP) or third-party anti-DDoS specialists, which tend to be carrier-agnostic and so are not limited to the services offered by a particular ISP. The first two options are time-consuming and costly for organisations to manage, and they must have the capacity to deal with the massive-scale, stealthy application-layer attacks now being seen.
With attacks increasing in size and stealthier application-layer attacks becoming more common, some attacks are now so large that they really need to be mitigated in the cloud, before the malicious traffic can reach an organisation's network. ISPs and third-party DDoS defence specialists monitor inbound traffic and, when a potential DDoS attack is detected, redirect the traffic to a cloud-based scrubbing platform. There the attack is mitigated, providing a 'clean pipe' service: the service provider takes the bad traffic, cleans it and routes it back to the network in a manner that is transparent to the organisation.
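The detection step that precedes any redirection to a scrubbing platform is, at its simplest, a rate check: how many requests is each source sending, and how many is the site receiving overall, inside a short sliding window. The following is an added example written for this article, not code from the original post or from any of the providers it names. The access-log lines are constructed, and the window length and the per-source and global thresholds are assumptions; in a real deployment they would be tuned against the site's own baseline traffic so that a busy but legitimate client is not mistaken for a flood.

```python
"""Sliding-window rate detection over web access logs (added example).

Not from the original article or any vendor named in it. Log lines are
constructed; thresholds are assumptions to be tuned against real baselines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_s=10, per_ip_limit=20, global_limit=100):
    """Walk time-ordered log lines with a sliding window per source and a
    global one. Returns (sorted list of sources that exceeded per_ip_limit,
    whether the global rate ever exceeded global_limit, peak per-source count).
    """
    per_ip = defaultdict(deque)   # source -> timestamps inside the window
    global_q = deque()            # all timestamps inside the window
    noisy, peaks, spike = set(), {}, False

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skipped, not counted
        t = ev["ts"]

        q = per_ip[ev["ip"]]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()
        peaks[ev["ip"]] = max(peaks.get(ev["ip"], 0), len(q))
        if len(q) > per_ip_limit:
            noisy.add(ev["ip"])

        global_q.append(t)
        while (t - global_q[0]).total_seconds() > window_s:
            global_q.popleft()
        if len(global_q) > global_limit:
            spike = True   # volumetric: many sources, each below its own limit

    return sorted(noisy), spike, peaks


def build_sample_log():
    """Constructed sample: one flooding source and one normal client.
    Addresses are from the RFC 5737 documentation ranges."""
    base = datetime(2011, 2, 10, 9, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(30):   # 30 requests in six seconds from one host
        events.append((base + timedelta(milliseconds=200 * i),
                       "203.0.113.7", "GET /index.html HTTP/1.1", 200))
    for i in range(5):    # 5 requests spread over a minute from a normal client
        events.append((base + timedelta(seconds=12 * i),
                       "198.51.100.4", "GET /about.html HTTP/1.1", 200))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512'
            for ts, ip, req, status in events]


if __name__ == "__main__":
    noisy, spike, peaks = detect_floods(build_sample_log())
    print("sources over per-source limit:", noisy)
    print("global spike:", spike)
    print("peak requests per window:", peaks)
```

The two checks answer different questions: the per-source window catches a single host (or a small number of them) hammering the site, which is what a source-based block or rate limit can handle locally; the global window catches the volumetric case where thousands of bots each stay under the per-source limit, which is the situation the article describes as needing mitigation upstream, before the traffic reaches the organisation's own pipe.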
Guarding against DDoS attacks is essential for many organisations and vital especially for those organisations with a large web presence, where an outage could cost them dearly in terms of lost business. DDoS attacks are becoming increasingly targeted and are no longer just affecting larger organisations. Rather, recent stories in the press have shown that organisations of all sizes are being attacked, ranging from small manufacturers of industry food processing equipment and machinery through to large gambling websites.
By subscribing to cloud-based DDoS mitigation services, organisations benefit from a service that not only provides better protection against DDoS attacks than they could achieve by themselves, but can actually reduce the cost of doing so: the cost of the hardware and its maintenance is spread across all subscribers, and organisations do not need to over-provision bandwidth because the traffic is directed away from their networks. For protecting vital websites, subscribing to such a service is akin to taking out insurance: website assets are protected, and the organisation shields itself from the cost and reputational damage that can follow a successful DDoS attack that renders services unavailable.


McAfee and Wind River - Blown Together Nicely

Life is moving fast in the world of mobile device security. With announcements this week at Mobile World Conference of ever more powerful smartphones and mobile devices, the game of security catch-up needs to be played faster than ever.

The recent announcement of a strategic hook-up between McAfee and Wind River shows that the big players are taking this seriously, and with Intel's hardware expertise thrown into the melting pot it presents an interesting view of mobile device security being, at long last, supported with specially designed solutions rather than crippled PC products crowbarred into a smaller form factor.

As cloud computing becomes more prevalent, the need to secure non-PC-based endpoints that access remotely hosted corporate data becomes a number one concern for CISOs - or if it isn't, it should be.

Nigel Stanley
Practice Leader, Security
Bloor Research  

Web security in an always-on world


My habits are not dissimilar to those of many others. In the morning, my first act is to collect my phone from beside the bed, check my email accounts and then look to see who has posted what on Facebook and Twitter. All these services are based in the cloud, accessed directly via the internet. But web-based services have become the preferred way for criminals to disseminate malware, with the intention of harvesting information that can be used for financial gain. As well as this, mobile devices are becoming an increasingly attractive target for hackers, and smartphone usage is now seen as a major issue for organisations looking to protect their sensitive data from loss or misuse.


Where organisations once looked to limit or block the use of mobile devices and web collaboration and social media tools, many have now come to realise the value of such devices and applications as they enable greater flexibility and productivity. According to research by technology vendor Clearswift, 61% of respondents to a survey conducted in the UK in 2010 stated that their organisations are encouraging or allowing the use of collaborative and social media tools, and more than half say that their use is critical to the business. For social networking site Facebook, the greatest growth is being seen among the 35-plus age group. The use of mobile devices is also seen as critical and research shows that smartphone shipments will overtake those of PCs in 2011. And new tablet computers are proving to be a runaway success. 


The technology tide cannot be turned back. Rather, the onus is on organisations not just to allow the use of such tools, but to ensure that in doing so they are not adding to the security risks that they face. Since so much malware is delivered via web applications, and users connect to web-based applications directly via an internet browser, an organisation must ensure that it can control which applications users can access, to stop them visiting sites that are riddled with malware or that contain inappropriate content that could harm the organisation's reputation. They must also be able to control what information can be downloaded from or uploaded to web applications, from whatever device is being used.


Traditionally, web security controls have been delivered via an appliance, installed within the organisation's four walls and administered and managed locally. That works fine for large organisations where employees generally work from the office, but is generally too expensive an option for smaller resource-strapped organisations, or those with large numbers of mobile workers, for which VPN technologies would also have to be purchased to provide a secure connexion to the appliance. 


The advent of cloud-based computing opens up the playing field. It allows users to connect directly to resources, providing always-on, instant access from anywhere at any time, and is particularly suited to smaller organisations--especially those that are looking to benefit from the economies offered by software-as-a-service applications--and to those with large numbers of mobile workers or geographically dispersed operations.


In order to ensure the security of those applications and to control access to the data they contain, specialised cloud computing vendors began to develop web security services based in the cloud, backed up by global threat intelligence networks that look to stop malware in the cloud, before it can even reach end users. Such specialised vendors in the market include Webroot, which added to its capabilities with the acquisitions of BrightCloud and Prevx in 2010, Clearswift, which recently expanded the capabilities of its products and services, and Websense, which has combined its web security protection with outbound DLP for content control. 


There are also specialised vendors that have been acquired by larger security or networking players. These include Cisco, which acquired ScanSafe, McAfee, with its MX Logic acquisition, Symantec, which acquired MessageLabs and MI5 Security, and M86 Security, which recently acquired web security capabilities from Finjan. All of these are building out their cloud-based web security offerings, looking to extend their presence in the SME sector and to cater to mobility trends. The newest entrant to the market is network security and management company Blue Coat Systems, which has just unveiled its new cloud-based web security offerings. All of these vendors have also announced that they are unveiling hybrid options to allow organisations to combine the use of appliances deployed on-premise with cloud-based services for those that need them. 


With threats emanating over the internet a constantly growing problem, more organisations should evaluate the developments being made in web security offerings--especially since research from the Computer Security Institute shows that just three-fifths of organisations are using any web security controls, such as URL filtering. A survey conducted during Infosec in London in April 2010 found that 62% of organisations with 500 or more employees and 43% of smaller organisations had experienced virus and other malware infections in the past year--up from just 14% of organisations of any size in the 2008 survey. 


There is a pressing need for organisations to pay greater attention to web security since web applications are a prime vector of attack and growing more so. And the time is right to do so. All the vendors mentioned in this article continue to build out their capabilities and there is something suited to every organisation--from the smallest microfirm to multinational enterprises.

Critical infrastructure under attack


Critical infrastructure is a term that is used to describe assets and facilities that are essential for the functioning of society and the economy. It encompasses a wide range of vital assets, including utilities and communications networks, food and water supply, oil and gas facilities, public health systems, transport networks and financial services. Should such services be disrupted, the consequences could be dire. 


Yet many organisations operating critical infrastructure facilities--some 90% of which are private organisations--feel that while the threats are real, they are not adequately prepared to defend against an attack on their IT systems. A survey conducted by Secure Computing, now part of McAfee, asked respondents to indicate their state of readiness for defending against IT threats in eight different industries in the critical infrastructure realm. More than 50% of respondents stated that utilities, oil and gas, transport, telecommunications, chemical, emergency services, and postal and shipping industries were not prepared, with the energy and oil sectors emerging as the most vulnerable targets and, therefore, the most likely to be attacked. 


Attacks against critical infrastructure have been on the rise. These range from wide-ranging nation state attacks, such as that seen against Estonia, which caused widespread service outages affecting a range of industries and the government sector, many of which provide vital services, to the targeted attacks seen recently against high-value nuclear infrastructure facilities in Iran.


Malware threats are becoming increasingly sophisticated and complex: highly targeted in nature and generally employing a range of techniques in combination in an attempt to evade defences and make the attacks more likely to succeed. Malware writers also increasingly test their exploits against the defences that are available, and release large numbers of variants of a particular strain of malware to avoid detection by anti-malware technologies that rely on signatures of known viruses and blacklists of applications known to be malicious.


That is a game of catch-up that can no longer be won. The most recently reported attack on critical infrastructure, dubbed 'Night Dragon', was perpetrated against oil, gas and petrochemical companies, purportedly by Chinese hackers. McAfee reports that the attacks, which looked to steal intellectual property, had been going on undetected for some four years owing to the elaborate mix of techniques used against the companies' websites and staff to compromise their operations. McAfee states that, despite penetration testing, the breadth and complexity of the computer systems in place made it difficult to link malicious actions together.


However, application whitelisting vendor CoreTrace states that whitelisting technology can proactively stop such attacks from occurring. Rather than relying on signatures identifying attacks that have already been seen, whitelisting works by allowing only approved applications that are known to be good to run. It states that its technology can stop attacks such as Night Dragon in their tracks.


According to JT Keating, VP of marketing for CoreTrace: "The new attack against critical energy infrastructure computers, code named 'Night Dragon', utilises multiple remotely controlled applications on servers and PCs. Application whitelisting technology stops 'Night Dragon' and 'Stuxnet' type attacks by preventing the execution of all applications that are not on the whitelist for each computer in the infrastructure--including both malicious and legitimate remote control applications used in these attacks." With hackers now looking for fortune rather than fame, only a proactive stance to security will allow organisations to stay one step ahead of their attackers.
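The default-deny model described in the two paragraphs above can be shown in miniature: enrol the digests of known-good programs, then refuse to run anything whose digest is not on the list, whether it is an unknown program or a familiar name whose bytes have changed. The following is an added example written for this article; it is not CoreTrace's code or any vendor's product logic. The file contents and the allow-list entries are constructed, and the policy shape (a per-host set of approved SHA-256 digests keyed to a display name) is an assumption.

```python
"""Hash-based application allow-listing in miniature (added example).

Not from the original article or from CoreTrace. File contents and the
allow-list are constructed; the digest-keyed policy shape is an assumption.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Digest a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Enrol known-good binaries. The list holds digests rather than names or
    paths, so renaming or overwriting a file cannot smuggle new code past it."""
    return {sha256_file(p): os.path.basename(p) for p in approved_paths}


def check_execution(path, allowlist):
    """Default-deny decision: only an exact digest match is allowed to run.
    Returns (verdict, name, digest) so the event can be logged either way."""
    digest = sha256_file(path)
    name = allowlist.get(digest)
    if name is None:
        return ("deny", os.path.basename(path), digest)
    return ("allow", name, digest)


def demo():
    """Constructed scenario: one enrolled tool, then a tampered copy of it and a
    program that was never enrolled appear on the same host."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "backup.exe")
        with open(good, "wb") as f:
            f.write(b"MZ\x90\x00 constructed backup tool v1")
        allowlist = build_allowlist([good])

        # 1. the enrolled binary, unchanged: allowed
        r_good = check_execution(good, allowlist)[0]

        # 2. same file name, different bytes (a trojanised replacement): denied,
        #    because the decision keys on the digest, not the name
        with open(good, "wb") as f:
            f.write(b"MZ\x90\x00 constructed backup tool v1 + extra payload")
        r_tampered = check_execution(good, allowlist)[0]

        # 3. a program never enrolled, legitimate or not: denied by default
        unknown = os.path.join(d, "remote_admin.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ\x90\x00 constructed unknown program")
        r_unknown = check_execution(unknown, allowlist)[0]
    return r_good, r_tampered, r_unknown


if __name__ == "__main__":
    print(demo())
```

The third case is the point Keating makes in the quote: a remote-control tool that is perfectly legitimate elsewhere is still blocked on a host where it was never enrolled, which is why the approach does not depend on having seen a given strain before. The operational cost is the enrolment and change-management work, since every patch to an approved program changes its digest and must be re-enrolled before it will run.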

Sound Trojan for Smartphones


This is an interesting paper. It introduces Soundminer, described as "a stealthy and context-aware sound Trojan for smartphones".

It explores the threat of smartphone malware with access to on-board sensors, which opens new avenues for the covert collection of private information. The Trojan intelligently "pulls out" sensitive data, such as credit card and PIN numbers, from both tone- and speech-based interaction with phone menu systems.

It shows how potential attackers can now target side-channel information.

Nigel Stanley
Practice Leader - Security
Bloor Research

Charting the vendor landscape for web and email security


Today's threat landscape is complex. Hackers no longer lust for fame; rather, they look for ways to make their fortune. Simple exploits, such as a malicious email sent en masse, are no longer effective. This means that they have turned their hands to more sophisticated attacks, often highly targeted at individuals or organisations, and in many cases combining vectors of attack in an attempt to make their payloads more successful. For example, an individual may be sent a highly personalised email urging them to click on a link that looks genuine, but that leads to a bogus site riddled with malware designed to steal personal or sensitive information.


To protect our computing devices and networks from these complex threats requires a combined approach to securing electronic communications mechanisms, using email and web security controls in combination. There are many products on the market, including newer cloud-based services that will appeal to organisations of all sizes, from a microfirm to a large multinational with geographically dispersed operations. 


A new report from Bloor Research looks at the vendor landscape for web and email security controls, which has seen much consolidation recently. This stacks specialist providers up against security and network behemoths, each with their own flavours and capabilities. The report is available for download here: A competitive overview of players in the market.

About this Entry

This page contains a single entry by Nigel Stanley published on March 9, 2011 4:53 PM.
