CIO

Dumping the Checklist Approach to Security

By Jason Hilling, Regional Director for NETSCOUT Arbor, South Asia

There are significant security compliance challenges for all Australian organisations today, no matter what sector they are in; regulation is everywhere.

Many have made the mistake of adopting the security checklist approach, hoping it will give them perfect security, but in reality there is no such thing. The dynamic nature of systems and network environments means that a wide variety of actions or inactions can cause a compliant system to become noncompliant almost immediately after a satisfactory compliance report has been submitted.

The security checklist approach is driven by these compliance concerns, because many organisations are guided by what the regulators say is the minimum they must have in place to protect themselves. The regulators tend to focus on perimeter defences, such as firewalls and intrusion detection and prevention systems. All too often, organisations then lull themselves into believing that if they are compliant, they are secure. They have ticked all the boxes on their security checklist.

Firewalls and IDS/IPS certainly have their place in the security arsenal. They are the first line of defence against attacks whose purpose is, for example, identity theft or industrial espionage. But on their own, they are inadequate against attacks intended to deny service. In fact, they are often the first targets of DDoS attacks seeking to compromise network infrastructure.

In the 13th Annual Worldwide Infrastructure Security Report (WISR) from NETSCOUT Arbor, survey respondents were asked to identify the security measures they had in place against DDoS attacks. Among enterprise respondents, 82% identified firewalls and 57% had intrusion detection/prevention systems (IDS/IPS). In contrast, only 28% had Intelligent DDoS Mitigation Systems.

Instead of checking off a list of solutions, enterprises need to assess where they stand on the continuum of risk posed by DDoS threats. In other words, “What are the top DDoS risks we face, and are we prepared to meet them?” Here are six of the most common DDoS threats:

1. Volumetric DDoS attacks: This type of DDoS attack seeks to consume the bandwidth either within the target or between the target and the rest of the internet. It achieves its objective of blocking access to and delivery of services through overwhelming force. Such attacks are increasing in size – the 1+ terabit attack is becoming the new reality. Defending against them requires a mitigation solution of comparable capacity, which because of its sheer size typically resides in the cloud.
2. TCP State Exhaustion attacks: These attacks attempt to consume the connection state tables present in many infrastructure components, such as load-balancers, firewalls and application servers. Even high capacity devices capable of maintaining millions of connections can be taken down by these attacks.
3. Application layer attacks: These attacks go after specific applications or services residing at Layer 7, also known as the application layer. These are particularly insidious because they can be very effective with as few as one attacking machine generating a low traffic rate, which makes them very difficult to detect and mitigate. Defending against them requires a device that can distinguish between legitimate data traffic coming into a network and cleverly disguised threats – no easy task as traffic volume and speeds accelerate.
4. Multi-layer, multi-vector attacks: DDoS attacks are increasingly employing some combination or variants of these three attack categories in a single sustained attack. This has the effect of confusing and diverting defences. A recently reported attack on Chile’s largest bank put some 9,500 servers and workstations out of commission – a major disruption, but it turned out to be merely a diversion that allowed the attackers to achieve their real objective: siphoning $10 million out of the bank via the SWIFT network.
5. Outbound attacks from within: Sophisticated attackers are turning the tables on defenders and planting malware in enterprise networks that can be used to launch attacks on both internal and external targets. Bad actors especially favour Internet of Things (IoT) devices to worm their way into enterprise networks. IoT botnets have figured prominently in recent large attacks.
6. Emerging threats: As if all these threats were not enough, new ones keep springing up on the global threat landscape. Staying ahead of them requires a global threat intelligence capability.
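To make the first three categories concrete from the detection side, here is an added Python example (not code from this article or from NETSCOUT Arbor) that runs three simple per-second detectors over constructed flow records and web access-log lines. The link capacity, state-table size, host addresses, log format and thresholds are all assumptions chosen for illustration. The application-layer part also shows why that category is hard to catch: a plain request-rate rule flags a busy but legitimate client and misses the single low-rate host, while a rule that accounts for server time per client catches it.

```python
"""Added example: per-window detectors for volumetric, TCP state-exhaustion and
application-layer DDoS traffic, run over constructed samples. Record formats,
hosts, capacities and thresholds are assumptions, not from any vendor product."""
import re
from collections import defaultdict

# Constructed netflow-style records: (ts_seconds, src_ip, dst_ip, dst_port, bytes, tcp_flags)
# tcp_flags "S" = SYN only (half-open connection), "A" = established traffic.
NORMAL = [(t, f"192.0.2.{t + 1}", "203.0.113.10", 443, 20_000, "A") for t in range(3)]
# Volumetric: ten sources each pushing 1.5 MB at the web host inside second 1 (15 MB/s in total).
VOLUMETRIC = [(1, f"198.51.100.{i}", "203.0.113.10", 80, 1_500_000, "A") for i in range(1, 11)]
# State exhaustion: 5,000 SYN-only flows at the VPN head-end in second 2, only ~300 KB in total.
STATE_EXHAUST = [(2, f"198.51.100.{(i % 254) + 1}", "203.0.113.20", 443, 60, "S") for i in range(5000)]
SAMPLE_FLOWS = NORMAL + VOLUMETRIC + STATE_EXHAUST

LINK_BPS = 100_000_000   # assumed 100 Mbit/s ingress link
STATE_TABLE = 4_000      # assumed connection-table capacity of the device in front of the VPN host


def detect_volumetric(flows, link_bps=LINK_BPS, ratio=0.8):
    """Flag (dst_ip, second, bytes) buckets whose inbound byte rate exceeds ratio * link capacity."""
    per_bucket = defaultdict(int)
    for ts, _src, dst, _port, nbytes, _flags in flows:
        per_bucket[(dst, int(ts))] += nbytes
    limit = link_bps / 8 * ratio  # bytes per second
    return sorted((dst, sec, total) for (dst, sec), total in per_bucket.items() if total > limit)


def detect_state_exhaustion(flows, table_size=STATE_TABLE, ratio=0.9):
    """Count half-open (SYN-only) flows per (dst, port, second); flag buckets that approach
    the state-table capacity and report how many distinct sources took part."""
    half_open, sources = defaultdict(int), defaultdict(set)
    for ts, src, dst, port, _b, flags in flows:
        if flags == "S":
            half_open[(dst, port, int(ts))] += 1
            sources[(dst, port, int(ts))].add(src)
    return sorted((dst, port, sec, n, len(sources[(dst, port, sec)]))
                  for (dst, port, sec), n in half_open.items() if n > table_size * ratio)


# Constructed access-log lines: Apache combined format plus response time in seconds (assumed).
ACCESS_LOG = (
    # a busy but legitimate client: 40 cheap static-file requests inside the window
    [f'192.0.2.50 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /static/app.js HTTP/1.1" 200 8190 0.002'
     for i in range(40)]
    # one low-rate host: only 8 requests, but each hits an expensive search endpoint
    + [f'198.51.100.9 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /search?q=%25 HTTP/1.1" 200 512 0.950'
       for i in range(8)]
)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) \d+ ([\d.]+)$')


def parse_access_log(lines):
    """Yield (client_ip, method, path, status, server_seconds) for lines matching LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status, secs = m.groups()
            yield ip, method, path, int(status), float(secs)


def detect_app_layer_by_rate(lines, max_requests=30):
    """Naive volume rule: flag clients that sent more than max_requests in the window."""
    counts = defaultdict(int)
    for ip, *_rest in parse_access_log(lines):
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n > max_requests)


def detect_app_layer_by_cost(lines, budget_seconds=5.0):
    """Cost rule: flag clients whose requests consumed more server time than a per-client
    budget, however few requests they sent."""
    cost = defaultdict(float)
    for ip, _m, _p, _s, secs in parse_access_log(lines):
        cost[ip] += secs
    return sorted(ip for ip, total in cost.items() if total > budget_seconds)


if __name__ == "__main__":
    print("volumetric:", detect_volumetric(SAMPLE_FLOWS))
    print("state exhaustion:", detect_state_exhaustion(SAMPLE_FLOWS))
    print("app-layer, rate rule:", detect_app_layer_by_rate(ACCESS_LOG))
    print("app-layer, cost rule:", detect_app_layer_by_cost(ACCESS_LOG))
```

The volumetric and state-exhaustion detectors key on totals the perimeter device itself cannot absorb (bytes per second against link capacity, half-open connections against table size), which is why the article places their mitigation in the cloud or in dedicated equipment rather than in the firewall. The two application-layer rules run over the same log: only the cost-based one isolates the single host whose eight requests consumed more server time than the legitimate client's forty.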

A strong defence posture calls for protection against all these types of threats. Ignoring any one of them leaves you exposed at some point along the risk continuum. A hybrid or layered defence combining cloud-based and on-premises detection and mitigation, informed by global threat intelligence alerts and powered by automation, is widely considered best practice.

A security professional might look at all the risks and what it takes to mitigate them, and think, “We don’t have the budget, and we don’t have the bandwidth.” That is where the managed DDoS service option comes in – outsourcing to a provider that has already made the investment in technology and professional expertise to mitigate any type of attack. It saves money, amplifies in-house resources, and reduces risks. And it renders the security checklist obsolete.