So, as we come to the end of 2016, it is time to start looking ahead to the security challenges our customers will face in 2017. 2016 was full of security events: the hacking successes that made the news during the election year, the deluge of ransomware that everyone is facing, and the current wave of denial of service attacks driven by the Internet of Things (IoT).
With this in mind, let’s focus on some of these issues and what solutions are available to you:
The Election Hacks – Several issues made the news this election. Everyone has heard about the email server issues by now, but there were also several incidents during the run-up to the primaries. When you analyze the facts of each of these events, several themes appear:
- Cloud Hosting – Just because your company put something in the cloud does not absolve your company of the responsibility (and liability) to protect that data. If your business deals with sensitive data, you are well within your rights to request proof of your cloud provider's ability to help you secure that data in transit, in process, and at rest. If the vendor cannot provide results from a recent security test, demand that they get one.
- Insecure Web Applications – Millions of voter registration entries were stolen this year because of insecure web applications. These applications had weak database security, basic security misconfigurations, or easy-to-find (and easy-to-exploit) web application vulnerabilities. At the very least, proper security testing should always be part of the release process before a website goes live. If your application works with or transmits sensitive data, you owe it to your users to make sure it is not vulnerable to drive-by or trivial hacking attempts.
- Insecure Protocols – One of the most common issues we saw during these hacking events was that the production websites storing or hosting voter or campaign data did not have encryption (TLS, i.e. HTTPS) enabled. This means that every time someone used the site, they were potentially exposing voter data. At this point, the best recommendation we can give anyone is to stop using plain HTTP altogether. Regardless of what your application does, you should assume an HTTPS-only web presence. It improves your security, it protects your users wherever they interact with your site, and Google will even give you a boost in your SEO rankings for going HTTPS-only.
Internet of Things Out of Control – Several of our clients had to deal with denial of service attacks this year, due in large part to the prevalence of IoT devices. Arguments aside about who should be held accountable for the weak security or vulnerable state of these devices, understanding how to survive a denial of service attack is still a basic requirement:
- Attacks based on Protocols – At its very core, Transmission Control Protocol (TCP) is fundamentally flawed due to the obligation to perform the three-way handshake. What happens when a client never completes all three steps depends on how your operating system's TCP stack was written, and the answer varies by OS. This is SYN flooding: depending on the configuration of your servers, you may have 10-1000 listeners waiting to establish connections, and if an attacker sends enough half-open requests, they can fill up all of those listeners and prevent legitimate traffic from getting through. The good news is that this strategy is very well known, and most firewalls and OSes have settings for addressing this attack; however, it is very common to find that people have not turned these settings on due to a lack of understanding. So, at the very least, turn these settings on.
- Attacks based on Service – Another standard DoS method is to attack a known vulnerability in a particular service. An excellent example is the Apache “Slowloris” attack, which works by sending an extremely slow GET request. While Apache waits for the full request to complete, the Apache process consumes memory on the server and eventually exhausts all available resources. The best way to prevent these attacks is to scan your systems for known vulnerabilities and patch them as they come up.
- Volume Based Attacks – This attack is just like it sounds. Is your site prepared to handle 100-500 users at a time? How about 10,000? In a nutshell, the attacker sends a flood of traffic well beyond what your server can handle. The good news is that there are many mitigating services, such as CloudFlare, AT&T, and Akamai, that are geared to help you combat this issue. The bad news is that they are not perfect and, depending on the level of survivability you require, they may be very expensive.
At the end of the day, you need to discuss with your business owners what level of downtime is acceptable and establish solutions that can meet or exceed those levels.
The Continued Rise of Ransomware – This single issue made tons of headlines this year because it just works! The bad guy gets in and makes your data unusable, you find out your backups haven’t functioned correctly in months, and then you pay to get access to your data back. Why does this painful attack work in the first place, and what can you do about it?
- Backups are part of Business Continuity – Repeatedly, we saw clients discover the hard way that their backup process was broken or not properly designed to help them recover from a ransomware event. If your plan for recovering from ransomware is to go to your backups, we firmly recommend that you test your existing backups before you get hit. Typically, you will discover that you are not doing enough and need to augment your backup strategy accordingly. Set a level of “survivability” for yourself and see if you can meet or exceed it. Would a 24-hour-old backup be acceptable for each division? You may find that several divisions need backups hourly or every four hours to meet their survivability requirements.
- Logs Can Actually Help You – Want to spot which system is infected and which files were altered? One simple, but challenging, solution is to configure your file servers with detailed logging of file access, enabled via Group Policy for your domain. Have those servers log to a syslog server and, tada, you now have a method of discovering which systems are infected and which files you will need to recover.
https://www.malwarearchaeology.com/cheat-sheets/ – Use the Windows File Auditing Logging Cheat Sheet as your template.
At the very least, you can now identify which desktops/systems need to be turned off and which files you need to attempt to restore. Not perfect, but this is an easy-to-use solution.
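As an added example (not from the original post or DirectDefense), this is the kind of correlation you can run over the forwarded file-server audit events once auditing is on: it ties each write or delete on the file server (event 4663) back to the account and source address that opened the session (event 4624, matched on the Logon ID), so you get both the hosts to isolate and the files to restore. The syslog line format, host names, addresses and the three-modification threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of audit events as forwarded to a syslog collector. The
# key=value rendering is simplified; real forwarder output is more verbose.
SAMPLE_LOGS = r"""
<13>Dec 19 09:00:01 FS01 EventID=4624 LogonID=0x3e7a1 Account=jdoe SourceIP=10.0.5.23
<13>Dec 19 09:00:02 FS01 EventID=4624 LogonID=0x3f002 Account=asmith SourceIP=10.0.5.41
<13>Dec 19 09:01:10 FS01 EventID=4663 LogonID=0x3e7a1 Account=jdoe Access=WriteData Object=\\FS01\finance\q3.xlsx.locked
<13>Dec 19 09:01:11 FS01 EventID=4663 LogonID=0x3e7a1 Account=jdoe Access=DELETE Object=\\FS01\finance\q3.xlsx
<13>Dec 19 09:01:12 FS01 EventID=4663 LogonID=0x3e7a1 Account=jdoe Access=WriteData Object=\\FS01\finance\budget.docx.locked
<13>Dec 19 09:01:13 FS01 EventID=4663 LogonID=0x3e7a1 Account=jdoe Access=DELETE Object=\\FS01\finance\budget.docx
<13>Dec 19 09:02:30 FS01 EventID=4663 LogonID=0x3f002 Account=asmith Access=WriteData Object=\\FS01\hr\notes.txt
<13>Dec 19 09:03:00 FS01 EventID=4663 LogonID=0x3f002 Account=asmith Access=ReadData Object=\\FS01\hr\policy.pdf
"""

LOGON_RE = re.compile(r"EventID=4624 LogonID=(\S+) Account=(\S+) SourceIP=(\S+)")
ACCESS_RE = re.compile(r"EventID=4663 LogonID=(\S+) Account=(\S+) Access=(\S+) Object=(.+)$")
MODIFYING = {"WriteData", "AppendData", "DELETE"}  # accesses that change data

def correlate_file_writes(log_text):
    """Map each logon session to (account, source IP) and to the files it modified."""
    sessions = {}                 # LogonID -> (account, source_ip)
    modified = defaultdict(list)  # LogonID -> [object names written or deleted]
    for line in log_text.splitlines():
        m = LOGON_RE.search(line)
        if m:
            logon_id, account, source_ip = m.groups()
            sessions[logon_id] = (account, source_ip)
            continue
        m = ACCESS_RE.search(line)
        if m and m.group(3) in MODIFYING:
            modified[m.group(1)].append(m.group(4))
    return sessions, modified

def find_suspect_sessions(log_text, min_modifications=3):
    """Return {(account, source_ip): [files]} for sessions that modified at least
    min_modifications objects. The threshold is an assumption; tune it to normal load."""
    sessions, modified = correlate_file_writes(log_text)
    suspects = {}
    for logon_id, files in modified.items():
        if len(files) >= min_modifications:
            account, source_ip = sessions.get(logon_id, ("unknown", "unknown"))
            suspects[(account, source_ip)] = sorted(set(files))
    return suspects

if __name__ == "__main__":
    for (account, ip), files in find_suspect_sessions(SAMPLE_LOGS).items():
        print(f"isolate {ip} ({account}) and restore: {', '.join(files)}")
```

A burst of writes paired with deletes of the same base name, as in the jdoe session above, is the pattern that distinguishes encryption from a user saving a document.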
- Stop Accepting Inferior Endpoint Protection Solutions – Nothing annoys us more than sitting through an anti-malware vendor’s ransomware presentation and having them show us every time they failed to do their job in the past 12 months. We said it last year, and we’ll say it again – STOP USING TRADITIONAL ANTI-MALWARE. It doesn’t work, and it will never again be as good at stopping things as it was 10 years ago. It is time to look for alternatives, such as Cylance, which boasts 99.7% effectiveness in blocking all known and unknown threats. Do not take our word for it; test it for yourself.
The ROI for replacing your existing anti-malware solution is that your team can finally get back to work without having to worry about viruses and malware, giving yourselves time to work on more important security issues, like fixing your SIEM. This alone should outweigh most excuses for not considering alternative solutions.
At DirectDefense, we pride ourselves on providing practical and realistic security solutions that assist our clients in meeting their security goals for the year. If you’d like to hear more about how we can assist you, please contact firstname.lastname@example.org.