Last Friday’s massive DDoS attack against and its DNS services slowed down or knocked out internet connectivity for millions of users for much of the day. Unfortunately, these sorts of attacks cannot be easily mitigated. We have to live with them for now.

Huge DDoS attacks that take down entire sites can be accomplished for a pittance. In the age of the insecure internet of things, hackers have plenty of free firepower. Say the wrong thing against the wrong person and you can be removed from the web, as Brian Krebs recently discovered.


Krebs' warning is not hyperbole. For my entire career I’ve had to be careful about saying the wrong thing about the wrong person for fear that I or my employers would be taken down or doxxed. Krebs became a victim even with the assistance of some of the world’s best anti-DDoS services.

Imagine if our police communications were routinely taken down simply because they sent out APBs on criminal suspects or arrested them. Online hackers have certainly tried. Plenty of them have successfully hacked the online assets of police departments and doxxed their employees.

Flailing at DDoS attacks

Readers, reporters, and friends have asked me what we can do to stop DDoS attacks, which break previous malicious traffic records every year. We're now seeing DDoS attacks that exceed 1 Tbps. That's insane! I remember being awed when attacks hit 100 Mbps.

You can’t stop DDoS attacks because they can be mounted at any layer of the OSI model -- and at each layer dozens of different attack techniques exist. Even if you could secure an intended victim's site perfectly, the attacker could move upstream and hit the victim's providers until the pain reached a point where the victim would be dropped to save everyone else.

Because DDoS attackers use other people's computers or devices, it’s tough to shut down the attacks without taking out command-and-control centers. Krebs and others have helped nab a few of the worst DDoS attackers, but as with any criminal endeavor, new villains emerge to replace those arrested.

The threats to the internet go beyond DDoS attacks, of course. The internet is rife with spam, malware, and malicious criminals who steal tens of millions of dollars every day from unsuspecting victims. All of this activity is focused on a global network that is more and more mission-critical every day. Even activities never intended to be online -- banking, health care, control of the electrical grid -- now rely on the stability of the internet.

That stability does not exist. The internet can be taken down by disgruntled teenagers.

What would it take?

Fixing that sad state of affairs would take a complete rebuild of the internet -- version 2.0. Version 1.0 of the internet is like a hobbyist's network that never went pro. Most of it runs on the cheapest possible identity checks and offers no assurance of trust at all.

For example, anyone can send an email (legitimate or otherwise) to almost any other email server in the world, and that email server will process the message to some extent. If you repeat that process 10 million times, the same result will occur.

The email server doesn’t care if the email claims to be from Donald Trump and originates from China or Russia’s IP address space. It doesn’t know if Trump’s identity was verified by using a simple password, two-factor authentication, or a biometric marker. There’s no way for the server to know whether that email came from the same place as all previous Trump emails or whether it was sent during Trump’s normal work hours. The email server simply eats and eats emails, with no way to know whether a particular connection is more or less trustworthy than normal.

Internet 2.0

I believe the world would be willing to pay for a new internet, one in which the minimum identity verification is two-factor or biometric. I also think that, in exchange for much greater security, people would be willing to accept a slightly higher price for connected devices -- all of which would have embedded crypto chips to assure that a device or person’s digital certificate hadn’t been stolen or compromised.

This professional-grade internet would have several centralized services, much like DNS today, that would be dedicated to detecting and communicating about badness to all participants. If someone’s computer or account was taken over by hackers or malware, that event could quickly be communicated to everyone who uses the same connection. Moreover, when that person’s computer was cleaned up, centralized services would communicate that status to others. Each network connection would be measured for trustworthiness, and each partner would decide how to treat each incoming connection based on the connection’s rating.

This would effectively mean the end of anonymity on the internet. For those who prefer today's (relative) anonymity, the current internet would be maintained.

But people like me and the companies I've worked for that want more safety would be able to get it. After all, many services already offer safe and less safe versions of their products. For example, I’ve been using Internet Relay Chat (IRC) for decades. Most IRC channels are unauthenticated and subject to frequent hacker attacks, but you can opt for a more reliable and secure IRC network. I want the same choice for every protocol and service on the internet.

I’ve been writing about the need for a more trustworthy internet for a decade-plus. The only detail that has changed is that the internet has become increasingly mission-critical -- and the hacks have grown much worse. At some point, we won’t be able to tolerate teenagers taking us offline whenever they like.

Is that day here yet?


InfoWorld Security Adviser

Successful Attacks Can Blend Both Cyber and Physical Elements Seamlessly to Compromise an Enterprise

You’ve seen it before in movies like Ocean’s Eleven: a ragtag gang of thieves use a combination of social engineering, burglary and hacking to break into a seemingly impregnable site and make off with millions in stolen loot. While Hollywood often pushes the limits of “believability,” the scenario described above has a basis in reality; a fact some unfortunate companies can attest to.

While most organizations will not face a well-funded attacker attempting to break into a physical safe, the trope speaks to something all must now consider: cybersecurity needs to build bridges between the security operations (SecOps), network operations (NetOps) and physical security teams to be successful. Each group, working in a silo, may only have a piece of the puzzle, which is exactly what adversaries are counting on.

Integrated Cyber and Physical Security

Before we focus on coordination between SecOps, NetOps and physical security, let’s examine a use case detailing how an attacker could plan and orchestrate the theft of intellectual property (IP) from an enterprise:

• Malicious actors determine the IP they want: schematics for a nuclear power plant, which are held by a Dallas, Texas-based organization.

• Once the target is identified, the attackers profile C-level executives at the company, eventually crafting a targeted email attack against the CFO.

• The CFO is compromised with a malware payload installed on the person’s machine. In a typical scenario, attackers would pivot from this initial entry point to the location on the network where the schematics reside.

• In this case, the production data center has strict controls for incoming data – they must maintain regulatory compliance, and there is limited ability to move laterally from the corporate network.

• Using the CFO’s email archives, attackers find the building where the engineering team is designing the next version of their nuclear plants.

• With this knowledge, the malicious actors move into the physical realm with their attacks in two ways:

- Drop a series of infected USB sticks in the parking lot of the engineering building.

- Tailgate an employee into the premises (they “forgot” their badge that day).

• Once access is established through malware on the USB, or physically by the tailgater, the attackers can access the schematics and achieve their goal.

You can see how a successful attack blends both cyber and physical elements seamlessly. When there are millions of dollars on the line, or a state-sponsored attack, the cost of an airline ticket or USB drive is trivial. How does this apply to the enterprise though? The answer lies in a security gap I’ve noticed. In most organizations, the SecOps, NetOps and physical security teams report to different executives: SecOps is the responsibility of the CSO, NetOps of the CIO, and physical security falls under the COO or CFO. These three teams are tasked with different objectives: SecOps keeps the network secure against cyberattack, NetOps keeps the network operating as fast as possible, and physical security secures company assets and personnel on location. Combine this with separate budgets and objectives that can conflict with each other, and you can start to see how these operational silos leave gaps attackers can exploit.

In our hypothetical scenario, if the target organization’s IT and security teams are structured as described above, the likelihood of the criminal gang succeeding is high, even if one of the attempts is thwarted. Why? Because in a siloed corporate structure, one team may never even hear of another team being attacked and think perhaps they should check their own systems. However, if the teams had been in communication, they’d be more likely to verify the security of their own areas of responsibility upon hearing that another team was compromised.

The SecOps, NetOps and physical security teams need a single executive sponsor to ensure all elements of the security program are working together. If one person had been in charge of security in the scenario described above, reports of both the physical and cyber intrusion would have been shared between the physical, cybersecurity and IT teams, who would then examine their processes, policies and technology to determine where the shortcoming was and how to fix it. In our scenario, that would include re-imaging the CFO’s hard drive, blocking command-and-control activity, tailgating awareness training, enhanced physical security for high-priority assets, and more.  

A more coordinated security team can also yield budget savings by allowing each team to leverage the investments of the others. For example, if IT chooses a new next-generation firewall but it doesn’t provide the log data and prevention mechanisms that SecOps needs, they will end up buying and deploying one that does. The cost is doubled (not to mention the operational impact of adding yet another security device to the network). But if there were one executive charged with overseeing the needs of all groups, that person could influence the firewall purchase decision to address the combined needs, providing better security while saving precious time and resources.


Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.

SecurityWeek RSS Feed

As the Greek philosopher Heraclitus famously noted, “the only constant is change”. This statement is as accurate now as it was 2,500 years ago. The world around us changes constantly, often at a somewhat frenetic pace. The field of information security is no different. Both the organizations we support and the threat landscape we face are changing and evolving constantly.

One unfortunate side effect of continual change is what I colloquially call “shiny object syndrome” (SOS). As you might imagine, some organizations, and indeed some people, seem to run continually from one “shiny object” to another. In other words, rather than approaching security strategically and adjusting the plan in a calculated manner to account for changes to the risks and threats the organization faces, many organizations repeatedly chase after the fad of the day.

Rather than discuss why this occurs, I’d like to focus on what organizations can do to avoid falling victim to shiny object syndrome. Hype, buzz, and trends change constantly, but the fundamentals of a good security program stay the same.

Signs: Change is Constant

While this is certainly not an exhaustive list, here are my top five ways that organizations can stay grounded and focused amidst a sea of distractions:

1. Stick to the plan: As I and many others have previously noted, if you don’t already have an incident response plan, you should. If you do already have a plan, then you are already one step ahead of the game. The trick is to stick to the plan, even when the temperature gets a little hot in the kitchen. If you’ve done your homework properly, or worked with qualified professionals who have helped you do it properly, you will pull through. Just as long as you don’t succumb to the near constant temptation of distraction and the knee-jerk reactions it causes.

2. Focus on risk: The best security organizations use a variety of techniques to understand the unique threat landscape they face. Those same organizations use this knowledge to help them prioritize the risks and threats that they wish to mitigate. In addition to helping these organizations prioritize spending and mitigate risk more effectively, this approach helps them stay focused and avoid running astray in pursuit of shiny objects. When the temptation to run in a particular direction arises, the organization can evaluate this new direction against its prioritized list of risks and threats. This helps the organization understand how this potential new direction impacts the organization, specifically regarding any additional risk that it may or may not introduce. In this sense, it is fairly easy to identify distractions by understanding their lack of relevance to the risk mitigation goals of the organization.

3. Prioritize holes to plug: In the security world, new techniques for intruding into organizations appear fairly frequently. Some of them grab big headlines, which of course can increase attention and pressure on security types from non-security types in leadership or executive positions within our respective organizations. But how firm of a grasp do we have on the primary ways in which we are being attacked and owned, as well as broader patterns and trends across the industry? It is far too easy to divert important resources away from their strategically prioritized day-to-day work and onto the hack du jour. But if today’s distraction poses a minor risk to our organization, does it make sense to divert resources from mitigating risks or plugging holes that we know pose serious risk to the organization? Not particularly, although without a quantitative handle on risk that includes a robust risk register, it can be hard to justify that stance in the heat of the moment.

4. Go beyond the buzz: A few years ago, I remember walking around the RSA Conference vendor expo hall and seeing signs that read “big data”, “security analytics”, or “big data security analytics” everywhere. Everyone was talking about the topic, and many still are, for good reason. But let’s go beyond the buzz and take a look at one of my favorite questions: So what? What will you use security analytics for? Do you have a list of risks to mitigate that will require a variety of different people, process, and technology to mitigate, including security analytics? For example, identifying stolen credentials and attackers masquerading as legitimate users? Having insight beyond the buzz allows an organization to more efficiently and effectively apply people, process, and technology to solve real world problems and challenges. Otherwise, solutions that are purchased and implemented wind up looking for a problem to solve. Not a great place to be, particularly when looking to justify expenditures and show return on investment.

5. Measure what matters: Did your security organization open and close 500 tickets last week and handle 10,000 IDS alerts? Pardon my candor, but who cares? How do those metrics help you assess whether you are or are not progressing against the prioritized list of risks and threats you’re looking to mitigate? Measuring what matters allows an organization to produce metrics that actually help it assess its progress against its strategic objectives. Unfortunately, I am not able to expand on this concept in this piece, but I have written about it previously. Metrics that matter have the added benefit of allowing an organization to assess and measure whether activities (whether new or old) are adding value to the security program. You guessed it -- that helps a security organization stay focused on adding value, rather than chasing after shiny objects.
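Points 2, 3 and 5 all rest on having a quantitative handle on risk. The following is an added example, not code or figures from the column: a small risk register ranked by annualized loss expectancy (ALE = single loss expectancy × annualized rate of occurrence), a return-on-security-investment check for a proposed initiative, and a "metric that matters" (fraction of expected annual loss removed) in place of ticket counts. The register entries, dollar figures and the two initiatives are constructed for illustration; the ALE/ROSI arithmetic is the standard textbook model rather than anything the author prescribes.

```python
"""Quantitative risk register used to decide whether a proposed security
initiative serves the prioritized risks or is a "shiny object".

Added example with constructed figures; the ALE/ROSI model is the standard
one and is not taken from the column."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence, in dollars
    aro: float  # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        """Annualized loss expectancy, the number the register is ranked by."""
        return self.sle * self.aro


@dataclass
class Initiative:
    name: str
    annual_cost: float
    # risk name -> fraction of that risk's occurrence rate the initiative removes
    aro_reduction: dict = field(default_factory=dict)


# Constructed register for a hypothetical organization (illustrative values only).
REGISTER = [
    Risk("phishing-credential-theft", sle=250_000, aro=0.8),
    Risk("ransomware-file-servers", sle=1_200_000, aro=0.15),
    Risk("lost-unencrypted-laptop", sle=20_000, aro=2.0),
    Risk("headline-zero-day-unused-product", sle=50_000, aro=0.05),
]


def rank_register(register):
    """Risks ordered by ALE, highest first: the prioritized list of holes to plug."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def ale_reduction(initiative, register):
    """Dollars of expected annual loss the initiative removes."""
    by_name = {r.name: r for r in register}
    return sum(by_name[n].ale() * frac
               for n, frac in initiative.aro_reduction.items()
               if n in by_name)


def rosi(initiative, register):
    """Return on security investment: (loss avoided - cost) / cost."""
    if initiative.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    saved = ale_reduction(initiative, register)
    return (saved - initiative.annual_cost) / initiative.annual_cost


def is_shiny_object(initiative, register, top_n=3):
    """True when the initiative touches none of the top-N risks or loses money."""
    top = {r.name for r in rank_register(register)[:top_n]}
    touches_top = any(n in top for n in initiative.aro_reduction)
    return (not touches_top) or rosi(initiative, register) < 0


def residual_ale(register, adopted):
    """Total ALE left after the adopted initiatives; reduction is capped at 100%."""
    total = 0.0
    for r in register:
        removed = min(1.0, sum(i.aro_reduction.get(r.name, 0.0) for i in adopted))
        total += r.ale() * (1.0 - removed)
    return total


def fraction_mitigated(register, adopted):
    """A metric that matters: share of baseline expected annual loss removed."""
    baseline = sum(r.ale() for r in register)
    return (baseline - residual_ale(register, adopted)) / baseline


# Two hypothetical proposals: one aimed at the top risk, one at the hack du jour.
MFA = Initiative("phishing-resistant-mfa", annual_cost=60_000,
                 aro_reduction={"phishing-credential-theft": 0.7})
APPLIANCE = Initiative("hack-du-jour-appliance", annual_cost=90_000,
                       aro_reduction={"headline-zero-day-unused-product": 0.9})

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r.name:36s} ALE ${r.ale():>12,.0f}")
    for i in (MFA, APPLIANCE):
        print(f"{i.name}: ROSI {rosi(i, REGISTER):+.2f}, "
              f"shiny object={is_shiny_object(i, REGISTER)}")
    print(f"expected loss mitigated by MFA: {fraction_mitigated(REGISTER, [MFA]):.1%}")
```

Run as-is, the register ranks phishing and ransomware first, the MFA proposal comes out with a positive ROSI, and the appliance for a product the organization barely runs is flagged as a shiny object because it addresses none of the top three risks and its avoided loss is a fraction of its cost. The `fraction_mitigated` figure is the kind of number to report upward in place of ticket and alert counts.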

There is no shortage of distractions in the information security realm. As security professionals, we need to stay focused on managing, mitigating, and minimizing risk to our respective organizations, even as both the business and the threat landscape change around us. If we stay grounded, adapt strategically, and adjust incrementally, we stand a far better chance of successfully accomplishing our goals. Running off course on all sorts of impulsive tangents never made anyone more secure.


Joshua Goldfarb (Twitter: @ananalytical) is CTO – Emerging Technologies at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant who consulted for and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career Goldfarb served as the Chief of Analysis for US-CERT, where he built from the ground up and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and an M.Eng. in Operations Research and Information Engineering from Cornell University.
