Monthly Archives: June 2019

DDoS attacks are relentless, and 5G will only make things worse

Larry Ponemon

The State of DDoS Attacks against Communication Service Providers, sponsored by A10 Networks, specifically studies the threats to Internet Service Providers (ISPs) and Mobile and/or Cloud Service Providers (CSPs). Ponemon Institute surveyed 325 IT and IT security practitioners in the United States who work in communication service provider companies and are familiar with their defenses against DDoS. (Click here to access the full report at A10 Networks.)

According to the research, communication service providers (CSPs) are increasingly vulnerable to DDoS attacks. In fact, 85 percent of respondents say DDoS attacks against their organizations are either increasing or continuing at the same relentless pace, and 71 percent of respondents say they are not capable, or only somewhat capable, of launching measures to moderate the impact of DDoS attacks. The increase in IoT devices due to the advent of 5G will also increase the risk to CSPs.

Respondents were asked to estimate the number of DDoS attacks their organizations experienced in the past year, on a range from 1 to more than 10. On average, CSPs experience 4 DDoS attacks per year. Based on the findings, the most common DDoS attacks either target the network protocol or flood the network with traffic, starving out legitimate requests and rendering the service unavailable. As a result, these companies face such serious consequences as diminished end user and IT staff productivity, revenue losses and customer turnover.

The most serious barriers to mitigating DDoS attacks are the lack of actionable threat intelligence, the lack of in-house expertise and the lack of technologies. As a result of these challenges, confidence in the ability to detect and prevent DDoS attacks is low. Only 34 percent of respondents say their organizations are very effective or effective in preventing the impact of the attack, and only 39 percent of respondents say they are effective in detecting these attacks.

Following are the most salient findings from the research.

The most dangerous DDoS attackers are motivated by money. The DDoS attacker who uses extortion for financial gain represents the greatest cybersecurity risk to companies, according to 48 percent of respondents. These criminals make money by offering their services to attack designated targets or by demanding a ransom in exchange for not launching DDoS attacks. Forty percent of respondents fear the attacker who executes a DDoS attack to distract the company from another attack. Only 25 percent of respondents say a thrill seeker, and 21 percent of respondents say an angry attacker, poses the greatest cybersecurity risk.

Attacks targeting the network layer or volumetric floods are the most common attacks experienced. The most common types of DDoS attacks are network protocol level attacks (60 percent of respondents) and volumetric floods (56 percent of respondents). In a volumetric flood, the attacker can simply flood the network with traffic to starve out the legitimate requests to the DNS or web server.
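As an added illustration of how a defender would spot the volumetric flood described above, the following Python snippet (not code from the Ponemon report or from A10 Networks) buckets NetFlow-style records per second and destination, derives a baseline from each destination's median rate, and alerts when a bucket exceeds both an absolute floor and a multiple of that baseline. The distinct-source count is what separates a distributed flood from a single chatty client. The sample traffic, the floor, the multiplier and the `min_sources` cutoff are all constructed assumptions for illustration; the addresses come from the documentation ranges.

```python
"""Added example, not from the Ponemon report or A10 Networks: a minimal
rate-based detector for volumetric floods, run over constructed
NetFlow-style records. Traffic, floor, multiplier and source cutoff are
assumptions for illustration."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# (timestamp_seconds, src_ip, dst_ip, protocol, bytes, packets)
Flow = Tuple[int, str, str, str, int, int]


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: eight seconds of three legitimate clients at
    ~20 KB/s each, plus, in seconds 5-7, 200 distinct sources (TEST-NET
    addresses) all sending 10 KB/s to the same destination."""
    flows: List[Flow] = []
    for t in range(0, 8):
        for i in range(3):  # legitimate clients
            flows.append((t, f"203.0.113.{10 + i}", "198.51.100.5", "udp", 20_000, 15))
    for t in range(5, 8):
        for i in range(200):  # distributed flood toward one target
            flows.append((t, f"192.0.2.{i}", "198.51.100.5", "udp", 10_000, 8))
    return flows


def detect_floods(flows: List[Flow], floor_bps: int = 1_000_000,
                  multiplier: float = 10.0, min_sources: int = 50) -> List[Dict]:
    """Bucket traffic per (second, destination) and alert when a bucket's
    bit rate exceeds both `floor_bps` and `multiplier` times that
    destination's median per-second rate. `distributed` is True when the
    bucket was fed by at least `min_sources` distinct source addresses."""
    buckets: Dict[Tuple[int, str], Dict] = defaultdict(
        lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for ts, src, dst, _proto, nbytes, npkts in flows:
        b = buckets[(ts, dst)]
        b["bytes"] += nbytes
        b["packets"] += npkts
        b["sources"].add(src)

    # Per-destination baseline: median of its per-second bit rates.
    # The median resists being dragged up by the flood seconds themselves.
    rates: Dict[str, List[int]] = defaultdict(list)
    for (_sec, dst), b in buckets.items():
        rates[dst].append(b["bytes"] * 8)
    baseline = {dst: median(r) for dst, r in rates.items()}

    alerts: List[Dict] = []
    for (sec, dst), b in sorted(buckets.items()):
        bps = b["bytes"] * 8
        threshold = max(floor_bps, multiplier * baseline[dst])
        if bps >= threshold:
            alerts.append({
                "second": sec,
                "dst": dst,
                "bps": bps,
                "packets": b["packets"],
                "sources": len(b["sources"]),
                "distributed": len(b["sources"]) >= min_sources,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_flows()):
        print(alert)
```

In production the records would come from sampled NetFlow or sFlow exporters and the baseline would be learned over hours or days rather than a handful of seconds, but the shape of the check is the same: an absolute rate floor so that tiny links do not alert on noise, a relative threshold against the destination's own history, and a source-diversity signal to tell a distributed flood from one broken client.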

DDoS attacks pose the greatest threat at the network layer. Respondents were asked to allocate a total of 100 points to seven layers in the IT security stack. The layer most at risk for a DDoS attack is the network layer followed by the application layer. The findings suggest how organizations should allocate resources to prevent and detect DDoS attacks.

DDoS attacks can have severe financial consequences because they cause a loss of productivity, customer turnover and damage to property, plant and equipment. DDoS attacks affect the bottom line. Respondents consider the most severe consequence to be diminished productivity for both end users and IT staff.

Threat intelligence currently used to mitigate the threat of a DDoS attack is stale, inaccurate, incomplete and does not integrate well with various security measures. Seventy percent of respondents believe their DDoS-related threat intelligence is often too stale to be actionable and 62 percent of respondents say it is often inaccurate and/or incomplete. Other issues include the difficulty in integrating DDoS threat intelligence with various security measures and the high false positive rate, say 60 percent and 58 percent of respondents respectively.

To improve prevention and detection of DDoS attacks, organizations need actionable threat intelligence. Sixty-three percent of respondents say the biggest barrier to a stronger cybersecurity posture with respect to DDoS attacks is a lack of actionable intelligence. To address this problem, 68 percent of respondents say the most effective technology in mitigating DDoS threats is one that provides intelligence about networks and traffic.

Scalability, integration and reduction of false positives are the most important features to prevent DDoS attacks. As part of their strategy to address DDoS security risks, companies want the ability to scale during times of peak demand, integrate DDoS protection with cyber intelligence solutions, integrate analytics and automation to achieve greater visibility and precision in the intelligence gathering process and reduce the number of false positives in the generation of alerts.

Most organizations plan to offer DDoS scrubbing services. Sixty-six percent of respondents either have a DDoS scrubbing service (41 percent) or plan to offer one in the future (25 percent). Benefits of offering these services are revenue opportunities, enhanced customer loyalty and fewer support tickets from subscribers.

To read the rest of this study, visit A10 Networks.

Milk still expires, but now — mercifully — your passwords won’t

Bob Sullivan

Who hasn’t been interrupted during some important task by a strictly imposed network requirement to “update” a password? And who hasn’t solved this modern annoyance with some ridiculous, unsafe naming convention like “CorpPassword1…CorpPassword2…CorpPassword3” and so on? People already have 150 or so passwords they must remember. Forced expiration made this already untenable situation even worse — 150 *new* passwords every month or so?

Those days are, thankfully, coming to a close. Last year, NIST revised its password guidelines, urging companies to abandon forced expirations. And recently, Microsoft announced it would remove the requirement from its Windows 10 security baselines.

This will finally start a movement to drop forced password updates.

In its announcement, Microsoft was both logical and forceful in its argument.

“Periodic password expiration is an ancient and obsolete mitigation of very low value,” it said. “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”

Either a password is compromised, in which case it should be changed now (why wait 30 or 60 days?), or it is not compromised, in which case why create the extra hassle?

More from MS:

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.

Gartner cybersecurity analyst Avivah Litan called the move a “most welcome step.”

“Finally a big tech company (that manages much of our daily authentication) is using independent reasoned thinking rather than going along with the crowd mentality when the crowd’s less secure password management practices are – however counterintuitive – less secure,” she wrote on her blog. 

What should companies be doing about passwords instead? Litan hopes this step signals the beginning of the end of traditional passwords.  Meanwhile, Microsoft hints at what better security looks like:

“What should the recommended expiration period be? If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?”
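The quoted passage names banned-password lists as one of the modern mitigations, and the post earlier describes the “CorpPassword1…CorpPassword2” habit that forced expiration breeds. The Python below, an added example that is not Microsoft’s code or the post’s own, shows the shape of a password-acceptance check that covers both: it normalizes a candidate to the “core” people keep between forced changes (lowercase, leading and trailing digits and punctuation stripped, common leet substitutions undone), rejects cores that contain a banned word, and refuses a new password whose core matches, or sits within two edits of, the previous one. The banned list, the 12-character floor and the sample passwords are constructed for illustration; a real deployment would load a breached-password corpus and organisation-specific terms instead.

```python
"""Added example, not code from Microsoft or from the post: a minimal
password-acceptance check built from two mitigations the quoted passage
names (a banned-password list and rejecting a small, predictable alteration
of the previous password). Banned list, length floor and sample values are
constructed for illustration."""
import re
from typing import List, Optional, Set

# Constructed banned list; a real one is a large breached-password corpus
# plus organisation-specific terms such as company and product names.
BANNED_WORDS: Set[str] = {"password", "corppassword", "welcome", "letmein", "summer"}

# Substitutions that add no real strength and are undone before comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the core people keep between forced changes:
    lowercase, strip leading/trailing digits and punctuation (the part that
    gets incremented), then undo leet substitutions."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)  # drop trailing 1, 2019, !, ...
    core = re.sub(r"^[^a-z]+", "", core)  # drop leading digits/punctuation
    return core.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_banned(password: str, banned: Set[str] = BANNED_WORDS) -> bool:
    """True if the normalized core is empty or contains a banned word."""
    core = normalize(password)
    return not core or any(word in core for word in banned)


def is_predictable_change(new: str, previous: str) -> bool:
    """True if the new password shares its core with the previous one
    (CorpPassword1 -> CorpPassword2) or is within two edits of it."""
    if normalize(new) == normalize(previous):
        return True
    return levenshtein(new.lower(), previous.lower()) <= 2


def evaluate(new: str, previous: Optional[str] = None,
             min_length: int = 12) -> List[str]:
    """Return the policy violations for a proposed password; [] means accepted."""
    problems: List[str] = []
    if len(new) < min_length:
        problems.append("too short")
    if is_banned(new):
        problems.append("contains banned word")
    if previous is not None and is_predictable_change(new, previous):
        problems.append("predictable alteration of previous password")
    return problems


if __name__ == "__main__":
    for candidate, prev in [("CorpPassword2", "CorpPassword1"),
                            ("Welcome2019!", None),
                            ("correct horse battery staple", "CorpPassword1")]:
        print(f"{candidate!r}: {evaluate(candidate, prev) or 'accepted'}")
```

The comparison against the previous password only works at the moment of change, when the plaintext of both is available; storing old passwords for later comparison would defeat the purpose, so the check belongs in the change flow, not in the credential store.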

Coincidentally, this week’s “So, Bob” podcast deals with password managers. Listen on iTunes or on Stitcher.