/ BROCHURE / AN E-GUIDE TO ONLINE SECURITY By Melbourne IT Enterprise Services
ONLINE SECURITY

As the internet continues to grow in size, scale and complexity, online vendors and service providers are able to develop more innovative and convenient methods of serving and communicating with their target audience. However, new risks and challenges go hand-in-hand with these new opportunities as cyber criminals exploit the internet's increasing complexity to devise all manner of sophisticated attacks in order to secure their goals. Not only are cyber attacks rising in terms of sophistication, they are also significantly increasing in scale globally.

It's no secret that major online businesses face the constant threat of cyber attack as malevolent adversaries continually probe for security weaknesses in the hope of finding an inherent vulnerability to exploit. However, despite the nature of the overall threat of cybercrime becoming common knowledge, too many businesses are still hesitant to commit to procuring a fully capable, scalable and reliable online security solution.

This reluctance usually comes down to cost concerns as business decision makers are loath to make significant investment in a security system which the company might not need to use. SMEs in particular fall into the trap of ignoring cybercrime by considering it a "big business only" issue, but even major international companies will often roll the dice and simply hope that they are not targeted by malicious attacks.

However, the most recent research conducted by prominent cybersecurity analysts continues to emphasise the gross folly of adopting such an attitude as global cybercrime rose to account for an estimated annual cost of US$445bn last year [i]. These losses are both direct (stolen data leading to further online fraud) and indirect (lost revenue through downtime, job losses, etc.) and affect businesses which have an online presence, regardless of their size and scale.

The severity of the growing threat is clear and so are its implications: online businesses simply cannot afford to treat cybercrime as a low priority and hope that they aren't targeted. It is essential for them to devise and implement a long-term online security strategy which proactively protects their assets from threats which are constantly evolving in sophistication and severity.

McAfee estimates that cybercrime accounts for annual losses of $445bn globally while specifically costing Australian businesses the equivalent of 0.08% of the country's GDP. However, awareness of the growing threat is also on the rise as 61% of respondents to a recent PricewaterhouseCoopers survey expressed open concern about cyber threats and a lack of data security, up 13% from 2014.

[i] Cybercrime loss as a percentage of GDP, McAfee, 2014

MELBOURNE IT ENTERPRISE SERVICES 2
PROACTIVE PROTECTION: IDENTIFYING THE THREAT TYPES

The modern-day hacker comes in a variety of guises: extortionists, exfiltrators, politically motivated hackers (hacktivists); cyber attacks can even come from rival organisations looking to secure some form of business advantage. Understanding and identifying the most prevalent types of attacks carried out by these various groups will inform your cyber security priorities and will result in your chosen online security solution being stronger and more focused.

DENIAL OF SERVICE ATTACKS (DOS/DDOS)

DoS attacks are the fastest growing type of cyber attack being experienced globally and are quickly becoming one of the most common threat types. They rely on flooding the connections between the internet and the target business with vast amounts of traffic in order to overload the network's servers to the point of inoperability, resulting in denial of service. More sophisticated DoS attacks utilise multiple nodes in concert to send even greater volumes of malicious traffic to a site in a distributed denial of service (DDoS) attack, which increases the severity of the attack while making its source more difficult to locate.

Unfortunately, the tools for initiating DoS/DDoS attacks are readily available and easily understood, meaning that anyone from the most accomplished veteran hacker to the greenest thrill-seeking script kiddie is capable of utilising them. This fact alone plays no small part in the rampant increase of DDoS attacks being perpetrated worldwide.

Impact: The most obvious impact that successful DoS/DDoS attacks have upon their target business is the resultant downtime of their network assets. This in turn leads to various damages, including loss of revenue as potential customers are denied access, reputational losses as customer relations are damaged and all manner of potential logistical costs as normal operations are interrupted.
Depending on the scale of the target business, each hour of downtime can equate to losses totalling tens or hundreds of thousands of dollars.

DDoS attack volumes increased a record 32% in 2013 compared to a year previously, with increasing diversity as mobile devices and apps began participating in DDoS attacks. If your company has been the target of a DDoS attack, there's a 1 in 4 (25%) chance that you'll be attacked again within 3 months and greater than a 1 in 3 (36%) chance you'll be targeted again within the year. - Akamai Research
Another more insidious type of impact needs to be considered too. When a cloud service provider hosts your application, its infrastructure can expand to handle bursts of traffic during a DDoS attack. However, since you pay for the bandwidth you use, a significant and prolonged DDoS attack could mean that while your servers stay up, the resultant costs incurred can be vast. More experienced hackers are capable of determining whether their target uses cloud service providers in such a fashion and deliberately attack them with this in mind, hoping to inflict a massive bill for the resultant expansion in bandwidth. This is called Economic DDoS or EDoS (Economic Denial of Sustainability) and it can prove crippling for a business using providers with uncapped bandwidth fees for peak traffic. Traffic isn't the only concern with EDoS, as the scaling capabilities of AWS allow computing, network and storage scaling, all of which can lead to a massive dollar surprise at the end of the month.

$1 million loss

Recent research from IDG discovered that it takes an average of ten hours before a company can even begin to resolve a DDoS attack. The average DDoS attack will not be detected until 4.5 hours after its commencement and the company will not start to mitigate its effects for another 4.9 hours. Their study's respondents reported average outage costs of $100,000 per hour, meaning that a company reliant on the internet can suffer losses of $1 million from a DDoS attack before it even begins to combat it.

DATA THEFT ATTACKS (SQL INJECTION, REMOTE FILE INCLUSION, LOCAL FILE INCLUSION)

The damaging impact of successful DDoS attacks cannot be overstated in terms of immediate losses and interruption of business operations. However, data theft attacks can be equally devastating should they allow an intelligent and motivated hacker to access particularly valuable data assets.
If DDoS is a sledgehammer that causes blunt force trauma, data theft is a surgical scalpel that pierces an organisation's defences and leaves serious lasting damage.

As with DDoS, businesses are facing a widening range of data theft threat types, most of which are designed to take advantage of inherent vulnerabilities at the web application level. Data thieves bypass traditional network-layer security tools by generating application traffic which appears in the form of genuine requests to fool detection systems and allow the hacker to inject commands into the compromised application. Then, commonly using SQL Injection, Remote File Inclusion or Local File Inclusion, the hacker can input their own commands or queries which allow them to view sensitive data and misappropriate it for their own uses.
Impact: Whether this results in thieves stealing bank account and credit card details or hacktivists causing chaos by wiping out whole databases, the repercussions of such data theft attacks can be both devastating and long-lasting for the compromised organisation. Reputational losses to companies like Sony, UPS and JP Morgan Chase, who have recently suffered significant data breaches, demonstrate just how serious these attacks can be. In November 2014, UPS confirmed that the breach it suffered took place in 395 locations and may have affected nearly 600,000 debit and credit cards [ii].

1 billion+ email addresses

Data theft attacks are increasing in scale and audacity. On March 5th 2015 three defendants were charged with one of the largest reported data breaches in US history. Between them they managed to steal over a billion email addresses from at least eight separate email service providers, using the stolen confidential information to make millions of dollars.

DOMAIN NAME SYSTEM (DNS) ATTACKS

Though not as prolific as the first two types of threat, DNS attacks, which include registrar hijacking and redirection/cache poisoning, still need to be considered as part of a comprehensive online security strategy. Registrar hacking allows hackers to gain control over a target domain name, ultimately pointing it to servers of their choice, including name servers, web servers, email servers and so on. In the case of DNS redirection attacks, the hacker redirects DNS name queries to servers under the attacker's control.

Impact: Most recent high profile DNS hijacking/redirection attacks have been carried out by hacktivists looking to hijack legitimate traffic and point it towards sites of their own choosing to draw attention to whatever political statement they wish to promote.
While considered to be a low-brow form of attack, changes to domain name records can damage relations with an organisation's web users since there's little they can do to protect themselves from being redirected to sites which are disturbing or ones which automatically try to install malicious software.

[ii] The Big Data Breaches of 2014, Forbes, 01/13/2015
KEY CONSIDERATIONS FOR ACQUIRING LONG-TERM ONLINE SECURITY

Once your organisation has properly understood the nature of the various cyber crimes currently being practised online, it's time to forge a security strategy which is robust enough to proactively detect potential vulnerabilities at the network and application levels and reliably protect you against any incoming threat.

Every business is unique and so are its potential security weaknesses. There is no one-size-fits-all solution which can effectively compensate for all your vulnerabilities and guarantee continued protection. Instead, business organisations need to take a clear and unbiased look at their ICT infrastructure, identify its inherent weaknesses and aim to implement a bespoke security solution which adequately accounts for all of the following key considerations:

EFFECTIVENESS

Does your online security solution offer effective protection at both the network and application layers against the kind of threats that your organisation could be targeted with? Can it withstand a dedicated DDoS attack through scalable bandwidth to handle the volume of incoming traffic without incurring crippling fees? Does it proactively detect potential vulnerabilities in your web applications in order to protect against malicious command code which is used to steal or wipe data? Simply put, is your security solution properly provisioned to combat the manifold cyber threats being carried out across the internet?

AVAILABILITY

Even the most effective and sophisticated security solution will only be able to protect your business if it is operational at the time of the attack. An integral part of a viable security strategy is determining its availability to ensure that your assets are continually under its protection.
Whether this means guaranteeing availability as part of a service level agreement with a reliable cloud solution provider or running multiple redundant versions of the relevant security controls, your security strategy cannot afford to ignore this vital consideration.

IMPACT ON PERFORMANCE

We've seen how damaging the impact and subsequent cleanup of a successful cyber attack can be, making an effective online security solution a money-saver in the long term through prevention rather than cure. However, the best security controls provide adequate protection without compromising the performance of the sites they defend. In order to properly monitor incoming traffic for various attack types while allowing for peak performance, a security solution needs to be built with the correct architecture to strike a delicate balance between the two priorities.
TOTAL COST OF OWNERSHIP

While an effective security solution can afford your organisation significant savings, every business has budgetary considerations. That's why it's important to be fully aware of the TCO of implementing your chosen solution: the obvious costs such as the installed hardware need to be tallied alongside the costs of redundant systems, solution management, scalability agreements with cloud service providers, the ongoing cost of security versus performance and so on.

LONG-TERM VIEW

Cyber threats are constantly evolving so your security strategy needs to evolve as well. Proactive monitoring and awareness of developing threats as well as existing ones should be the cornerstone of your security solution and inherent in every aspect of its delivery.

WEIGHING THE COST OF COMPLACENCY AND MISPLACED CONFIDENCE

The major issue in the fight against cyber attacks is twofold: too many businesses believe that hackers will go after someone else while others fundamentally misunderstand the nature of the threats they face. Too many companies rely on their in-house technology to protect them, when amplification/redirection attacks can easily overwhelm such traditional defences before delivering their potentially devastating impact.

In order to keep pace with the worryingly complex and cunning efforts of sophisticated hacking adversaries, your security strategy must be aligned with this new reality and capable of responding to it. Prevention rather than cure, mitigation rather than misplaced confidence, continuous monitoring rather than complacent hope of avoidance; these priorities are the foundation of a robust and reliable online security solution.

Melbourne IT offers Secure Design Engineering advice and architecture recommendations which match these long-term, proactive security solution priorities.
Our Security Specialists have extensive practical experience of operating online cloud platforms that provides valuable direction and guidance in the design and development of solutions which are aligned with Cloud Security Alliance cloud controls as well as complying with PCI DSS, ISO 27001 and IRAP security standards.

Melbourne IT's approach to Secure Design is based on a series of workshops through which we identify the areas of risk in your solution, then define the relevant controls that are recommended to reduce the platform risk and secure the solution. After identifying all potential risks, we determine which assets are being considered for transition to the cloud and assess how sensitive and important each asset is to your organisation in order to determine how the risks change with a move to the cloud. Finally, we conduct mapping of all potential cloud deployment models to assess their suitability and determine the most effective and secure solution that would cause the minimum amount of disruption to your organisation's operations. Following this simple model allows for sufficient context to evaluate the required security controls that should be applied to manage risk and exposure.

77% of companies have firewalls, 65% have routers and switches and 59% have intrusion detection. But only 26% use cloud-based mitigation services. Nevertheless, there is a strong but misplaced belief among IT managers of these companies that they are adequately protected: 86% of the respondents are either somewhat, very or extremely confident in their defences. - IDG Research
SOURCES

www.mcafee.com/es/resources/misc/infographic-cybercrime-loss-gdp.pdf
www.pwc.com/gx/en/ceo-survey/2015/key-findings/technology.jhtml
www.prolexic.com/knowledge-center-ddos-attack-report-2013-top-ten-10-ddos-trends-infographic.html
www.infosecurity-magazine.com/news/a-ddos-attack-could-cost-1-million-before/
www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/
www.justice.gov/opa/pr/three-defendants-charged-one-largest-reported-data-breaches-us-history
www.akamai.com/dl/akamai/akamai-ebook-guide-to-multi-layered-web-security.pdf
www.media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
www.ddosattacks.biz/ddos-101/article/ddos-awareness-day/
www.csoonline.com/article/2597532/cyber-attacks-espionage/playstation-network-crippled-by-ddos-attack.html
www.idgresearch.com/thwarting-ddos-attacks-with-cloud-defenses/

ABOUT MELBOURNE IT

Melbourne IT Enterprise Services designs, builds and manages cloud solutions for Australia's leading enterprises. Its expert staff help solve business challenges and build cultures that enable organisations to use technology investments efficiently and improve long-term value. With more than 15 years' experience in delivering managed outcomes to Australian enterprises, Melbourne IT has been long associated with enabling success. Its certified cloud, consulting, and security experts repeatedly deliver results. This is why many of the brands you already know and trust rely on Melbourne IT.

THE RIGHT SOLUTION IS MELBOURNE IT

melbourneitenterprise.com.au
1800 664 222
corporate.sales@melbourneit.com.au