Several months ago, following an in-depth analysis of attack methods and defense techniques, the Radware Emergency Response Team (ERT) developed a set of network security predictions for the coming year. Let’s take a look at their forecast and see where we stand now.
Surge in critical infrastructure outages. Advanced countries are more likely to experience widespread cyber-attack disruptions to services like power generation, water supply and first responder services.
Somewhat TRUE. The threat has been present, but fortunately security professionals have so far been able to mitigate this risk. A recent article, citing research from the Ponemon Institute, reported that critical infrastructure providers continue to be a favorite cyber-attack target. Their research found that “67% of the IT security executives surveyed at utility, oil and gas, energy and manufacturing companies report that they have experienced at least one security breach in the past 12 months.” Energy companies in particular are regularly under all-out assault.
Rise in cyber-hostage incidents. Nefarious groups will take digital assets or services as hostages and commandeer these services until certain demands are met, financial and beyond.
Very TRUE. Attacks on Feedly, Meetup, Basecamp and Elance have all been publicized as having a ‘ransom’ element to them, that is, the attackers offered to stop if the company paid. DDoS ransom attacks have become mainstream instead of fleeting and infrequent.
Encryption as a mass weapon. Hackers will use encryption to obscure the communications in which illegally-obtained sensitive information is sent outside of the organization. With only a small portion of organizations decrypting outbound SSL traffic, 2014 will see increasing use of encrypted channels for malicious activity.
TRUE. Nothing speaks to encryption as a mass weapon more than CryptoLocker, ransomware that typically arrives disguised as a legitimate attachment, encrypts the personal files on a computer and withholds the decryption key unless the victim visits a site and pays a fee. Strictly speaking CryptoLocker turns encryption against the victim’s own data rather than using it to hide outbound traffic, but as it spreads and leaves a wake of destruction, it is now understood that encryption cuts both ways.
First-ever SDN attacks. Lauded as a promising and positive business disruption, SDN will be exposed to some unique security vulnerabilities that the framework introduces such as disruption to control-plane communications.
FALSE. There has not been an SDN attack per se, but risks still loom. I believe that by the end of 2014 we will see our first meaningful SDN vulnerability exploited. Traditional network devices were autonomous, but an SDN controller is reachable from a variety of systems, which widens the attack surface and opens more doors for attackers. SDN continues to evolve, and the attack profiles against it are still taking shape.
Adoption of cyber attack laws. Governments will begin the process of setting laws around cybersecurity, like dictating network traffic flows and the security levels at critical infrastructure companies. Expect lawmakers to also provide rules on what constitutes acceptable Internet behavior.
TRUE. There have already been preliminary steps toward adopting such laws, and more practical guidelines will continue to evolve. An earlier blog that I’d written also offers a snapshot of DDoS regulations that have occurred recently.
The world has settled into a mode whereby an action taken by an organization of size (e.g. a government, a sporting event, a militia, etc.) is met with an equal cyber-attack reaction. This used to be happenstance; today it is the norm. Even taking into consideration factors like industry trends, expert insight and technology evolution, some surprises have still emerged on the threat landscape. Some of the areas experiencing an unexpected acceleration in attacks are:
School Districts are finding themselves a relatively new sector to come under attack en masse. Here at Radware, we have witnessed attacks on school districts from nearly every region throughout the United States and Canada. This year has had notable attacks in Texas with Spring Independent School District (SPRING ISD) and other similar attacks in Kansas and Pennsylvania.
Advertisers (e.g. the World Cup sponsors) are finding that their well-spent, focus-group-tested efforts can be thwarted by a cyber attack. With their enormous reach and recognizable names and logos, brands are a prime target for attackers seeking press and an amplified voice. Advertisers have struggled to get their word out, or have had to compete with hacktivists diminishing their effectiveness.
Financial Service Firms need to prepare for DDoS the way school children dress in the morning: by always checking the day’s risk of a storm and how to prepare for it. It used to be that commercial and investment banks were the most terrorized by cyber-attacks; now we are finding that even obscure ATM and money-transfer organizations are feeling the pain of modern-day attacks, much of which is not DDoS at all.
In the coming months, the biggest security threats continue to be cyber-attacks focused on availability. Availability-based attacks are a common method because they are indisputable: they are by definition public and obvious. They are very disruptive in today’s “always-on” business environments, they can have a lasting impact on the minds of customers, and they can do real damage to a company’s reputation and brand image. They can also serve as cover for more nefarious attacks that attempt to gain access to systems or data, so a DDoS should never be the only alert a security team looks at while it is under way. Expect these attacks to be launched in different ways, including through social engineering, ransom-type attacks and nation-state attacks. They will also most likely continue to target industries such as financial services, government services, cloud and hosting environments, retailers, gaming sites, energy companies (oil, gas, power generation) and critical infrastructure (telcos, water, police, fire, emergency response, power, etc.). Expect the Internet of Things to become pawns for cyber warfare as well: hijacked, leveraged, conscripted and discarded.
If you’re interested in learning more about the research developed by our ERT, I invite you to download their annual report. It takes a deep dive into what attacks the previous year brought and what the coming year may still bring, and offers insights to help detect, mitigate and win the extended and persistent DoS/DDoS battle.