Attacks/Breaches
6/14/2012
03:47 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How To Defend Against Infrastructure Attacks

Gartner security experts offer defense strategies for four big attack threats

GARTNER SECURITY & RISK MANAGEMENT SUMMIT -- National Harbor, Md. -- Cracks in the foundation of the Internet infrastructure are leaving organizations prone to potentially dangerous attacks, a pair of Gartner security analysts said here yesterday.

"The basic underpinnings of the Internet -- BGP, DNS, and SSL -- we take for granted they were built in much friendlier times when friendly people wanted to communicate with friendly people. The Internet was built to be survivable, not trustable," said John Pescatore, vice president and research fellow for Gartner Research. "There are still major fractures we are seeing that need to be addressed."

Pescatore and Lawrence Orans, research director for Gartner, called out four main attacks that exploit the aging Internet infrastructure and offered strategies for defending against these infrastructure attacks: denial-of-service and distributed denial-of-service attacks, certificate authority breaches and scams, Domain Name Services (DNS) attacks, and 4G LTE.

[ New DDoS reports highlight evolving M.O. of DDoS and DoS attacks and increased firepower. See Mas DDoS: More Powerful, Complex, And Widespread . ]

"The Internet as a whole is stable. But if you look at the component level, there are problems and instability and reliability issues," Orans said.

Here is Gartner's list of the four main infrastructure attacks, plus how to defend against them:

1. Distributed denial-of-service (DDoS) and denial-of-service
The annoying and painfully effective DDoS attack just won't go away: About half of all ISPs get hit with anywhere from one to 10 of these attacks per month, according to Arbor Networks, and it's getting easier to launch one with free tools, such as Low Orbit Ion Cannon (LOIC), a favorite DDoS weapon of Anonymous. "The overall picture is it's really ugly out there" with these attacks, Orans said. "Hacktivism is a problem: If someone doesn't like your organization, they can launch attacks against it. Criminal attacks are a problem, [as well]," he said.

On the criminal side of the equation, these attacks are used as a cover for more nefarious targeted attacks, said Rodney Joffe, vice president and senior technologist at Neustar, in a video message presented during the Gartner session. "The bad guys are getting better at hiding what they are doing, and the better they get at doing it, the more difficult it is for us to filter against them."

Joffe said attacks will become more camouflaged, and organizations should deploy BCP 38 to counter source-address spoofing. "That will make a significant difference against DDoS attacks," he said.

Gartner's advice for stemming a DDoS attack: First, assess the financial impact of losing your organization's Web presence and come up with an incident response plan in case you get hit. "Talk in terms of business continuity and disaster-recovery strategy" for justification purposes, Oran said.

Consider DDoS mitigation services. The cheapest approach is a clean-pipes service, which can cost anywhere from 10 to 15 percent above your bandwidth service pricing. "The ISP detects and mitigates a DDoS so the bad guys don't fill up your pipe," Oran said. "This is a very good, cost-effective approach."

A more premium version is a scrubbing-type service, where once you're under attack, you send your traffic over to a provider, such as Akamai, Neustar, or VeriSign, he said. "They act as a middleman and scrub the traffic clean so they take out the DDoS traffic and only send the good traffic," Orans said. That can cost $10,000 per site, however, or you pay on a bandwidth basis.

Another option is a DDoS appliance that sits in the DMZ and detects and deflects DDoSes. Arbor, Correro, Radware and RioRey are among the vendors here.

2. Certificate authority (CA)
Comodo. DigiNotar. Flame. The litany of certificate authority (CA)-type breaches and attacks has led to many experts calling for a new approach to certifying the authenticity of a website or software.

"The real issue is this registration process," Pescatore said. "Digital certificates are only as strong as their registration process: A key exchange doesn't automatically equal authentication."

Taher Elgamal, inventor of SSL, said it's not a technical issue. "This is purely a process issue, not a tech problem," Elgamal said in a video message presented during the Gartner session. "There have been incidents in the past couple of years when a CA went broke, when people had CAs with names they did not own. Trust doesn't work on it anymore."

How can you mitigate the CA threat? Gartner suggests certificate management tools and hardened browsers. "The first problem is finding where you're using them, and do you have any that need to be revoked? There can be tens of thousands of SSL certs in a typical company," Pescatore said. A cert management tool can help root those out.

Another option is to harden browsers for sensitive operations, such as online banking or business-to-business transactions, he said. And be sure to educate users on the limitations of SSL and how an SSL session doesn't guarantee the authenticity of the site itself, for instance.

"What happens if a CA is compromised? Have an incident response [plan]," Pescatore said. Defending against these threats will entail a lot of DIY for now, he said, until industry efforts like the Sovereign Keys directory and DNS Authenticated Naming of Entities (DANE) -- where DNS validates certs or users -- are deployed.

"I think the incidents we saw were just the start, and it's time to put some mitigation processes in place," Pescatore said. "When you're enrolling mobile devices, talk to MDM [mobile device management] vendors about mitigation approaches for SSL weaknesses."

3. Domain Name Services (DNS)
Speaking of DNS, the vulnerability of Internet name servers also has been in the bull's eye, with the well-publicized cache poisoning threat that was discovered and patched a few years ago, to DDoS attempts against the Internet's DNS root servers.

While these types of attacks remain relatively rare, organizations need to take steps to ensure their DNS servers are protected because of the potentially devastating fallout, security experts say.

Paul Mockapetris, the inventor of DNS and chief scientist at Nominum, said most DNS attacks occur against older versions of software. "Updating software is the first line of defense," Mockapetris said in a video message shown in the Gartner session. "Check your configuration and make sure it's not compromised."

DNSSEC, which digitally signs domains to ensure their legitimacy, should also be deployed by service providers, he said.

Gartner's Orans said DNSSEC has a way to go in enterprise adoption. Organizations can employ some of the same DDoS mitigations as for protecting their Web servers. There also is AnyCast, which distributes DNS traffic among name servers, for example, he said. It routes DNS requests to the topologically nearest node or name server. "AnyCast is a core component of a managed DNS service," Orans said. "It can mitigate the impact of a DNS DDoS attack."

Cache poisoning, or DNS spoofing, isn't so simple to mitigate, however, he said. "Nothing will change until we have a high-profile cache [poisoning] attack," Orans said.

Next Page: 4G LTE

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.