This is Part 2 of our series on the top 5 most dangerous DDoS attacks and how you can successfully mitigate them. To read Part 1 of the series, click here. Let’s dive back in with Attack Type #4:
Throughout the history of mankind, whether in warfare or crime, the advantage has swung between offense and defense, with new technologies and innovative tactics displacing old doctrines and plans. For example, the defensive advantage of the Greek phalanx was eventually outmaneuvered by the Roman legion. Later, improvements in fortifications and armor led to castles and ironclad knights, until the invention of gunpowder made them obsolete. In the 20th century, fixed fortifications and trenches were rendered outdated by highly mobile armored forces. In all these examples, the common denominator is that one side’s tactical advantage spawned new ways of thinking among its opponents, eventually degrading that advantage or reversing it completely.
The last several months have been historic by any measure. U.S. banks and financial institutions around the world have come under cyber-attacks at a high rate. We’ve seen everything from DDoS attacks to waves of ransomware.
So, why was this? Is it because they didn’t have enough resources or serious professionals dedicated to program management? Not likely. The true answer is a bit more uncomfortable, but worthy of exploration.
Availability, or the big “A,” is often the overlooked corner of the CIA triad. Perhaps a contributing factor is the common belief among security professionals that if data is not available, it is secure. Corporate executives have a different opinion, as downtime carries with it a hefty price tag. While today’s corporate risk assessment certainly involves the aspect of availability, it is focused on redundancy, not on security. Penetration tests, a result of the corporate risk assessment, also fail to test the security of availability. In fact, pen testing and vulnerability scanning contracts specifically avoid any tests which might cause degradation of service, often leaving these vulnerabilities unknown until it’s too late. Availability is commonly handed off to network engineering, which designs and builds resilient networks. Common risk mitigations in this arena include redundant power, internet links, routers, firewalls, web farms, storage, and even geographic diversity with the use of hot, warm and cold data centers. You get the picture; there is a ton of money invested in building network infrastructure to meet corporate availability requirements.
Every year Radware sets forth predictions in our annual security report called Radware’s Global Application and Network Security report and, we might add, have achieved a very substantial track record of forecasting how the threat landscape will evolve. After all, it is fun to predict what may happen over the course of a year in security. The industry moves so fast and while some things do stay the course, it only takes one small catalyst to spark a new direction that nobody could have predicted.
Managing the security of critical information has proven a challenge for businesses and organizations of all sizes. Even companies that invest in the latest security infrastructure and tools soon discover that these technology-based “solutions” are short-lived. From antivirus software to firewalls and intrusion detection and prevention systems, these solutions are, in fact, merely the most effective strategies at the time of implementation. In other words, as soon as businesses build or strengthen a protective barrier, the “bad guys” find another way to get in. Attackers are constantly changing their tactics and strategies to make their attacks and scams as damaging as possible. The good news is that it appears that attacks and subsequent defenses are breaking down into categories which can be measured systematically. The following areas are of particular concern as we look towards 2017-2018 planning for attacks:
To state the obvious, two well-known comic book giants have lit the imaginations of generations of children. They brought to life the fantasy that humans could be ‘super’ or immortal, or somehow infallible.
Each in their own way combined fantastical combinations of humans with unreal, unbelievable and incredible skills.
In the category of vision enhancement alone, there are legions of characters who have developed themselves in a surreal way, for example, through X-Ray vision, or super-acute vision (something akin to a hawk). Other superheroes were gifted with night vision or even eyes that fired deadly laser beams. However, did you know that these characters dreamt up in comic books all have somewhat real world equivalents? Well, maybe not in people, but clearly in video surveillance systems of the future.
I believe by now, most people have come to know the perfect harmony, a revolution, taking place whereby automation and interconnectivity are intersecting newly developed or innovated devices which can be controlled and communicated with remotely. This revolution is called the Internet of Things (IoT) and is transforming once-stodgy manufacturers into massive technology giants, old electric companies into the world’s largest interconnected network of lights, meters and transformer stations, and has the possibility to permeate nearly every aspect of our lives, including the ability to transform our love lives and the prospect of our health and quality of living.
Right to Speech, Press, to Congregate, to Privacy, to practice Religion, and many others are no longer protected and thus effectively lost.
They say when you are dead, that you don’t know you are dead. It is difficult only for others, which is normally a select few people who were intimate with you. However, every once in a while a person is so stunning that we realize that everyone would have benefited from knowing them.
The same is true for privacy.
2016: What a year! Internet of Things (IoT) threats became a reality and somewhat paradoxically spawned the first 1TBs DDoS—the largest DDoS attack in history. Radware predicted these and other 2016 events in the 2015–2016 Global Application and Network Security Report. Since initiating this annual report, we have built a solid track record of successfully forecasting how the threat landscape will evolve. While some variables stay the course, the industry moves incredibly quickly, and it takes just one small catalyst to spark a new direction that nobody could have predicted.
Let’s take a look back at how our predictions fared in 2016—and then explore what Radware sees on the horizon for 2017.