Surviving the bots
How long can your business operations be down until irreparable damage occurs? At what point does company survivability become a concern? How much is it worth to you that your external Internet presence be operational?
While merely asking these questions may incite fear, answering these questions is pertinent to your company’s viability when facing an attack. Companies are facing unprecedented threats -- ones that have steep consequences. These risks are prevalent in today’s always-on, always-connected Internet.
With the proliferation of the Internet, businesses began to tap into markets never even heard of before, including online retailing, social media sites driven by corporate advertising, and online banking. Companies maximized this opportunity by creating consumer and business awareness, while also generating large sums of revenue, all the while becoming ever more dependent on this network.
Despite the fact that the Internet has its advantages, every yin has a yang. There is a dark side to the Internet. While organizations have been focusing on the newest economic and consumer trends, cyber-criminals have been scanning the competitive landscape looking for new opportunities to exploit companies.
Just like businesses, cyber-criminals are in it for the money. They have found an un-serviced market and moved in to fill the need by amassing their own networks, called “botnets.” These networks prey on the weak and, in contrast to the weakest link theory, the weak actually make them strong.
Botnets are patient and subtle, but carry a big stick. The recent news headlines speak to their trophies: “Hackers Take Down the Most Wired Country in Europe,” “DDOS Attacks Crush Twitter, Hobble Facebook,” “How a basic attack crippled Yahoo,” “DDoS attack strikes UltraDNS, affects Amazon, Wal-Mart.” For those who wonder what long-term effects a botnet can have on business operations, consider this: in 2006, cyber-criminals proved that David does not always defeat Goliath. In an attack that marked a turning point, Blue Security permanently shut down operations due to extortion from a botnet. In one of Blue Security’s last public statements, CEO Eran Reshef said, “It’s clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don’t have the authority to start.”
Since the advent of these powerful networks, their size has proliferated. Once small, some of these botnets have grown to numbers greater than any company ever in existence. At one point, the Zeus botnet had captured an upper range estimate of 50 million computers. An army of bots that large can wield an enormous amount of power. To put it into perspective, Google’s cloud computing facility has one million CPUs that can handle up to 1,500 Gbps of traffic. Conficker, at more than 18 million computers strong, can transmit 28,000 Gbps, easily dwarfing Google’s cloud computing farm.
This ominous potential has the security industry extremely concerned. If leased to a vicious criminal or a group of people, the results could be apocalyptic in today’s digital age. The loss incurred in such an attack could have vast economic implications, not only for companies, but also for nations.
In order to prevent infection, mitigate the impact and protect the business, organizations need to consider technical and non-technical controls. In most breach cases, one of the most pervasive findings is the lack of a security awareness program. As users of corporate assets, we pose the greatest security risk to the organization because we are unaware of the impact and do not understand the threat.
At the same time, however, employees can be the greatest security asset an organization possesses. With malware threats appealing to our emotions, educating the end-users of the risks and threats is becoming ever more critical. Beyond the human component, there are a number of technical controls that are capable of blocking these attacks, including:
- Reputation-based Web proxies;
- Intrusion prevention sensors;
- Host intrusion prevention software (behavioral);
- Anti-virus software.
When determining the controls to be deployed, organizations should follow the defense-in-depth philosophy. This principle dictates that security should follow a layered approach. In doing so, no single security control is relied upon to provide all of the protection, because no single control can provide comprehensive protection. In addition, security controls themselves can introduce vulnerabilities. While many of the above controls are deployed for prevention, they can be adapted to provide detection capabilities with minimal additional work.
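As an added illustration of turning a preventive control into a detective one (example code written for this article, not a vendor's product), the script below reads constructed proxy log lines, reports clients that reached a denylisted host, and flags hosts contacted at a near-constant interval, the fixed-timer polling that distinguishes a bot checking in from ordinary browsing. The log format, the domain names and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed denylist standing in for a reputation feed (hypothetical names).
BAD_DOMAINS = {"update-check.example.net", "cdn-stat.example.org"}

# Constructed proxy log lines: "<timestamp> <client_ip> <destination host>".
PROXY_LOG = """\
2017-04-03T09:00:00 10.1.2.3 www.example.com
2017-04-03T09:00:05 10.1.2.3 update-check.example.net
2017-04-03T09:05:05 10.1.2.3 update-check.example.net
2017-04-03T09:10:05 10.1.2.3 update-check.example.net
2017-04-03T09:15:05 10.1.2.3 update-check.example.net
2017-04-03T09:01:10 10.1.2.4 mail.example.com
2017-04-03T09:07:42 10.1.2.4 www.example.com
2017-04-03T09:20:03 10.1.2.4 mail.example.com
"""

def parse(log):
    """Yield (timestamp, client, host) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, client, host = line.split()
        yield datetime.fromisoformat(ts), client, host

def reputation_hits(log, denylist=BAD_DOMAINS):
    """Prevention reused for detection: each request to a denylisted host is an alert, keyed by client."""
    hits = defaultdict(set)
    for _, client, host in parse(log):
        if host in denylist:
            hits[client].add(host)
    return dict(hits)

def beaconing(log, min_requests=4, max_jitter=0.1):
    """Flag (client, host) pairs contacted at near-constant intervals; returns
    the average gap in seconds. Human browsing rarely shows this regularity."""
    seen = defaultdict(list)
    for ts, client, host in parse(log):
        seen[(client, host)].append(ts)
    flagged = {}
    for key, times in seen.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg)
    return flagged
```

Run against real proxy logs, the denylist would come from the reputation feed the proxy already consumes, so the detection adds no new data source.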
Unfortunately, dealing with cyber-criminals has become an expense of doing business on the Internet. While the risks are considerable, organizations can make headway in minimizing the threat. Organizations have the ability and the responsibility to exercise due care. This has to be the way of the future. Anything less will result in criminal networks so menacing and large that it may be impossible to stop them without undergoing massive economic impacts. It is time for companies to take back ownership of their equipment. No one outside the company has the right to information developed by private organizations. The greatest security control that companies have is their employees. Educate them and make them aware of the risks and the threats. In doing so, your company will be better off both financially and operationally.
Jason Suplita is a senior risk management consultant with SecureState LLC. He can be reached at: