By Paul Mazzucco, TierPoint Chief Security Officer
Cyber-criminals are after your corporate data and they’re going to great lengths to get it. With the help of sophisticated bot-nets, the Internet of Things and multi-layered attack strategies, the threat to sensitive customer data and intellectual property has grown stronger. Developing an effective security strategy starts with understanding how these attacks work and the motives behind them.
In the past, cyber-attacks were often the work of casual hackers or petty criminals looking for an easy opportunity. Today’s hackers are a much more sophisticated bunch with more serious, and potentially devastating, goals.
There are three basic types of hackers today. These are:
- “Hacktivist” groups who want to punish a corporation or country, usually for political reasons. Anonymous is perhaps the most famous example.
- Hostile governments and terrorist groups. The break-in of the Democratic National Committee email server was alleged to have been done by Russian government hackers, while North Korea was the presumed perpetrator of the 2014 attack on Sony Pictures. China is a perennial hacker of both government and business systems.
- Criminal organizations. The third type of hacker, criminal syndicates, commit by far the most attacks on IT networks: 72.4% of all cyber-attacks in August 2016 were by crime groups, according to Hackmageddon.com. They do it for the same reason all criminals commit break-ins – money.
When it comes to stolen data, crime pays–sometimes a lot. One set of stolen login credentials to a $2,000 bank account will net a thief $190 on the Dark Web, while login credentials to online payment services like PayPal can bring in $20 to $300 depending on the balance. Credentials to an online auction account can go for as much as $1,200. Imagine those numbers multiplied by the thousands.
But the real money-maker in cyber-crime is patient health and insurance data, because that data includes pretty much everything that criminals need to commit identity theft. With insurance information, a criminal can buy prescription drugs and resell them for significantly more, as well as apply for new credit cards, or just resell the data online to other criminals. Patient data can net from $500 to $1,800 depending on the age of the person and his insurance coverage. For the victim, it’s far worse than the theft of a credit card or banking password, because he can’t stop the fraud with just one or two calls. It can take years to repair a case of identity theft.
Bots do much of the work for cyber criminals. More than 50% of web traffic is from bots and about 30% of this is malicious, according to Imperva. A network of bots can be programmed to do repetitive tasks such as testing out passwords or querying databases. Bot-nets can continuously probe networks for weak spots, spam computer users with malware, or launch repeated DDoS attacks.
The growth of the Internet of Things has, unfortunately, provided criminals with a whole new army of potential bot devices, from web cameras and routers to smart building controls, most of which have weak security. IoT bot-nets make it possible to conduct much larger DoS attacks. French hosting provider OVH suffered the largest attack yet in September, which reached 1 Tbps from several simultaneous attacks, and a single attack that reached nearly 800 Gbps. Unsecured IoT devices provide hackers with the firepower to bring down large, well-guarded networks.
Perhaps the scariest development, however, is this: DDoS attacks are increasingly deployed as smoke screens to provide cover for the real crime, typically a massive theft of data. While the IT staff is scrambling to identify and stem the DDoS attack, these professional criminals are quietly hacking in, under the radar. Some recent examples:
- Hackers bombarded Carphone Warehouse with online traffic while they stole the personal and banking details of 2.4 million people.
- Cloud provider Linode recently suffered more than 30 DDoS attacks that appeared to be a ruse to distract attention from a breach of user accounts.
- As far back as 2011, hackers used massive denial of service attacks to distract Sony’s IT team while they stole account information from millions of customers.
- The FFIEC has warned banks about the use of DDoS as a diversionary tactic “by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearinghouse transfers.”
Currently, about one third of all DDoS attacks are multi-vector attacks that include more subtle invasions that never cross the IT security radar until it’s too late.
So how does an organization protect itself and its clients from this kind of break-in?
The sophisticated nature of these multi-layered attacks makes them more difficult to defend against. IT must take an equally sophisticated approach to spotting and stopping them.
One such promising technology is the “bot classification engine,” such as Imperva’s Incapsula, which evaluates elements such as a bot’s header information, its interaction with servers and clients, the frequency of requests, and whether those requests make sense from the standpoint of human behavior. For instance, if it enters data extremely rapidly, or it logs in from one country, then logs in shortly after from a different country, it’s likely a bot.
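As an added illustration of two of the heuristics just described (this is example code written for this post, not Imperva's or TierPoint's), the following Python pass scores a constructed login log on request frequency and on logins from two countries within a short window; the log format, the client ids and the two thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real traffic): timestamp, client id, country, path.
SAMPLE_LOG = """\
2016-10-03T10:00:00 c1 US /login
2016-10-03T10:00:01 c1 US /login
2016-10-03T10:00:02 c1 US /login
2016-10-03T10:00:03 c1 US /login
2016-10-03T10:00:04 c1 US /login
2016-10-03T10:00:05 c1 US /login
2016-10-03T10:05:00 c2 US /login
2016-10-03T10:20:00 c2 CN /login
2016-10-03T11:00:00 c3 DE /login
2016-10-03T18:00:00 c3 FR /login
"""

MAX_REQUESTS_PER_MINUTE = 5         # assumed threshold for "extremely rapid" activity
TRAVEL_WINDOW = timedelta(hours=1)  # assumed: two countries inside this window is implausible


def parse_log(text):
    """Parse log lines into (timestamp, client, country, path) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, client, country, path = line.split()
        events.append((datetime.fromisoformat(ts), client, country, path))
    return sorted(events)


def classify(events):
    """Return {client: set of reasons} for clients whose behaviour looks automated."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev[1]].append(ev)
    flags = defaultdict(set)
    for client, evs in by_client.items():
        times = [e[0] for e in evs]
        # Sliding 60-second window: more than MAX_REQUESTS_PER_MINUTE hits is a rate anomaly.
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= timedelta(seconds=60):
                start += 1
            if end - start + 1 > MAX_REQUESTS_PER_MINUTE:
                flags[client].add("rate")
        # Consecutive logins from different countries inside TRAVEL_WINDOW: "impossible travel".
        logins = [e for e in evs if e[3] == "/login"]
        for prev, cur in zip(logins, logins[1:]):
            if prev[2] != cur[2] and cur[0] - prev[0] <= TRAVEL_WINDOW:
                flags[client].add("impossible_travel")
    return dict(flags)
```

Running `classify(parse_log(SAMPLE_LOG))` flags `c1` for rate and `c2` for impossible travel, while `c3` (seven hours between countries) is left alone; in practice these scores would feed a challenge or rate-limit decision rather than an outright block.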
Of course, we can’t simply block all bots. Good bots are an essential part of the Internet. And that’s one of the reasons that IT security is a complex responsibility. With cyber-attacks growing more numerous, and much more harmful, than even a few years ago, CIOs must be vigilant for new types of threats and educated on the best methods of protection.
Last week, I presented more detailed information on this topic with Deepak Patel, Director of Security Strategy at Imperva. Click below to watch the archived presentation.
Paul Mazzucco is responsible for all TierPoint corporate standards regarding physical, information and network security; and he leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI DSS, FISMA and the FedRAMP/NIST Cloud Security standards. Paul joined TierPoint through its 2014 acquisition of Xand, where he served in a similar role.