2015 A10 Security Predictions WHITE PAPER

Transcription

1 2015 A10 Security Predictions WHITE PAPER

2 Table of Contents Executive Summary... 3 Introduction... 3 Prediction 1: Malvertisers will dole out trouble as they infiltrate ad networks... 3 Prediction 2: A new DDoS amplification attack will emerge... 3 Prediction 3: Traditionally secure infrastructure such as VDI will be compromised... 4 Prediction 4: The Internet of Things (IoT) will expose new security risks... 4 Prediction 5: POS systems will continue to be under fire, but smart cards will come to the rescue... 5 Conclusion... 5 About A10 Networks... 5 Disclaimer This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided as-is. The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions. 2

3 Executive Summary In 2014, large-scale retail breaches and vulnerabilities in widely used software libraries were the two major themes dominating security headlines. Retail breaches overshadowed virtually every other attack vector in late 2013 and 2014, when a continuous parade of breach disclosures hit headlines and affected many of the world s most wellknown retail brands. As an IT and security professional, you are continually faced with this critical question: how do you protect your systems and company assets from future threats? Although it is difficult to predict exactly which cybersecurity threats will wreak the most havoc in the future, we believe that threats like malvertising, Distributed Denial of Service (DDOS) attacks, malware-based point-of-sale (POS) infections, the Internet of Things (IoT) and attacks to remote desktop infrastructure will all make headlines in In this white paper, A10 Networks provides valuable insights into possible new attack vectors and vulnerabilities, as well as the sources from which these are most likely to come. Through a set of five carefully considered security predictions, you will learn what areas you should be monitoring most closely, and how best to protect your organization as you mitigate the risk of future attacks. Introduction Major retailers like Home Depot, Goodwill, Staples and many more suffered massive credit card breaches last year. What was the number one culprit behind these breaches? Malware infections on point-of-sale devices. And these breaches did not show any signs of slowing down as the year came to a close. And then, of course, there were the security vulnerabilities. Heartbleed started the procession of high-profile vulnerabilities discovered in Disclosed in April, Heartbleed, a flaw in the OpenSSL cryptographic library, affected roughly 17% of all SSL-enabled web servers at the time of the discovery. i As soon as website owners had patched their SSL software to mitigate Heartbleed, a new set of OpenSSL vulnerabilities were disclosed, including the ChangCipherSpec injection flaw. The Shellshock Bash bug, revealed in September, and the POODLE SSL flaw, disclosed in October, rounded out the list of widespread vulnerabilities in While researchers and financially-motivated hackers will undoubtedly uncover more vulnerabilities this year, we don t expect them to eclipse the number of software flaws identified last year. So, what cybersecurity bombshells are in store for us next year? Prediction 1: Malvertisers will dole out trouble as they infiltrate ad networks Malware distributors have zeroed in on a fast and effective way to infect millions of users: malvertising. With malvertising, cybercriminals distribute malicious code through online advertising networks. Because the malware-laden advertisements are hosted by legitimate websites and the ads constantly change, traditional security tools that blacklist malicious sites cannot easily block malvertisers ads. And malware-laden ads often silently infect machines without users knowledge. In 2015, we predict that malvertisers will take advantage of known exploits like Dynamic DNS, and signature and sandbox evasion techniques to further propagate their malware across advertising networks. To prevent malware infections, organizations should install anti-malware software on client machines and enforce security controls on clients browsers. Advanced threat protection platforms can also help detect malware in web traffic. Since many webbased advertisements are now delivered over SSL, organizations should decrypt and inspect encrypted traffic. Prediction 2: A new DDoS amplification attack will emerge Over the past two years, cybercriminals and other mischief-makers have exploited DNS and Network Time Protocol (NTP) servers to amplify the size of their DDoS attacks. With DNS and NTP amplification attacks, an attacker spoofs, or impersonates, the attack target and sends a small request to a reflector, which is a server that replies with a much larger response to the victim, flooding the victim s network. 3

4 DNS amplification attacks can increase the size of DDoS attacks by up to 54 times, while NTP amplification attacks can magnify DDoS onslaughts by a factor of 556 times 1. But DNS and NTP are not the only culprits of amplification attacks. Attackers can also leverage SNMP, NetBIOS and other protocols to launch amplification attacks. Attackers have even exploited WordPress applications to carry out large-scale DDoS assaults. Amplification has contributed to the escalating size of DDoS attacks. We predict that in 2015, a new type of DDoS amplification attack will make headlines. While DNS and NTP amplification took the security world by storm in 2013 and 2014, attackers will uncover and exploit a yet unknown attack next year. Attackers continually investigate new attack vectors, as witnessed by the recent discovery of DVMRPbased reflection attacks. Disclosed by Team Cymru 2, Distance Vector Multicast Routing Protocol (DVMRP) reflection attacks have already been observed by service providers. To protect against amplification attacks in 2015, organizations should deploy security equipment that can mitigate large-scale DDoS attacks. Prediction 3: Traditionally secure infrastructure such as VDI will be compromised Virtual Desktop Infrastructure (VDI) allows organizations to host desktop environments on servers and enables users to access these desktops from any location. Compared to traditional desktop infrastructures, VDI provides a host of advantages; organizations can lower hardware and operating costs, support Bring Your Own Device (BYOD) initiatives, and bolster security. Since all data is stored in a central location rather than on endpoint devices, VDI reduces physical data theft risks. However, desktop virtualization also exposes new security challenges. Organizations often host multiple desktops with the same operating systems and the same set of applications on a single physical server. Without proper isolation, an attacker can install a rootkit and compromise multiple desktops. With limited system diversity, attackers might uncover a vulnerability, allowing them to quickly exploit thousands of desktops at one time. We predict that in 2015, attackers will execute more brute force attacks and conduct new and creative attacks on virtual desktops. To protect VDI environments, organizations should implement operating system or application isolation especially if virtual desktops are hosted in the cloud. Organizations should also control how data can be transferred to and from VDI environments, install anti-malware software and monitor for intrusions. Prediction 4: The Internet of Things will expose new security risks More knowledge and convenience is not always a good thing. The Internet of Things promises to make our lives easier, but without proper safeguards, it also opens us up to an array of new security threats. Even though IoT is still in its early stages, the number of devices connected to the Internet is growing, thereby increasing the potential for attacks at any time. Three potential IoT risks include: Attackers using brute force or knowledge of default credentials to gain access to IoT devices or to the cloud infrastructure that stores IoT data Malware infiltrating high-end IoT devices, such as SmartTVs, that have full Android (News 3 - Alert 4 ) operating systems and access to app stores Malware infecting PCs and tablets that manage IoT devices, such as home security systems or cameras To reduce risks associated with IoT devices, consumers and businesses alike should investigate how devices are accessed and whether they store sensitive data. They should avoid installing unknown software and, whenever possible, configure strong passwords on devices. Not convinced? A recent hack 5 of more than 73,000 webcams underscores the importance of using strong passwords on IoT devices

5 Prediction 5: POS systems will continue to be under fire, but smart cards will come to the rescue Retail breaches overshadowed virtually every other attack vector in late 2013 and A continuous parade of breach disclosures hit headlines and affected many of the world s most well-known retail brands. The culprit behind these breaches: malware infections on POS devices. Using a variety of techniques, including brute force and compromising management or software update tools, hackers are able to install malware on POS systems. The malware scrapes credit card numbers and CVVs from system memory. The most advanced malware strains can actually capture data from inter-process communications, quickly zeroing in on payment card data. While we predict that these attacks will continue, the migration to chip-and-pin smartcards towards the end of 2015 will make it harder for hackers to monetize the data stolen from POS systems. They won t be able to use fake magnetic cards and will primarily be relegated to online payment fraud. What should organizations do to prevent POS-based breaches? They can protect POS systems from malware using whitelisting, code signing and behavioral techniques; harden systems against compromise by controlling who and what can access POS terminals; and monitor for infiltrations with advanced threat prevention platforms. And since malware can communicate to command and control servers over SSL and over normally harmless protocols like DNS, organizations should inspect all traffic, including encrypted traffic. Conclusion Although it is difficult to predict which cybersecurity threats will wreak the most havoc in the future, we believe that threats like malvertising, DDoS attacks, malware-based POS infections, the Internet of Things, and attacks to remote desktop infrastructure will all make headlines in We also believe with a high degree of certainty that cybercriminals, hacktivists, and state-sponsored attackers will continue to seek out new attack vectors and new vulnerabilities to exploit. To prepare for the next generation of threats, organizations should implement a multi-layered defense that encompasses security technologies that can protect all elements in the network, including data center servers and endpoints. Organizations should also invest in training to prevent social engineering threats, and implement security procedures to ensure that security defenses are continuously updated and monitored. While it is difficult to predict never-before-seen threats, security and IT professionals can make an educated guess, which in turn will help them be better prepared with the appropriate security controls and processes in place. About A10 Networks A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: i Corporate Headquarters A10 Networks, Inc 3 West Plumeria Ave. San Jose, CA USA Tel: Fax: Part Number: A10-WP EN-01 Feb 2015 Worldwide Offices North America sales@a10networks.com Europe emea_sales@a10networks.com South America latam_sales@a10networks.com Japan jinfo@a10networks.com China china_sales@a10networks.com Taiwan taiwan@a10networks.com Korea korea@a10networks.com Hong Kong HongKong@a10networks.com South Asia SouthAsia@a10networks.com Australia/New Zealand anz_sales@a10networks.com 2015 A10 Networks, Inc. All rights reserved. The A10 logo, A10 Lightning, A10 Networks, A10 Thunder, acloud, ACOS, ACOS Policy Engine, ACOS Synergy, Affinity, aflex, aflow, agalaxy, avcs, AX, axapi, IDaccess, IDsentrie, IP-to-ID, SoftAX, SSL Insight, Thunder, Thunder TPS, UASG, VirtualN, and vthunder are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. To learn more about the A10 Thunder Application Service Gateways and how it can enhance your business, contact A10 Networks at: or call to talk to an A10 sales representative. 5