Akamai Technologies, a content delivery network provider, has released its “Q2 2015 State of the Internet – Security Report”, which lists India in fourth position as an origin of non-spoofed DDoS attacks. Of all the attacks, 7.43% originated from the country.
However, when it concerns Botnet related DDOS attacks, India ranks 7th as the source origin.
Image Source: Akamai’s “Q2 2015 State of the Internet – Security Report”
According to the report, when looking at Layer 7 DDoS attack traffic, Akamai researchers track the last-hop IP address of DDoS attacks against the national IP ranges, which enables them to identify non-spoofed sources.
DDoS attack vectors include exploiting vulnerabilities at the infrastructure level or at the application layer. Spoofed attacks fall under categories such as reflection/amplification-based attacks, while non-spoofed attacks are carried out specifically by specialized tools/scripts and botnets.
According to the report, DDOS attackers have relied more and more on reflection vectors as the primary DDOS attack method. Not only do these reflection attacks obscure the true IP addresses of the attackers, they also require fewer attack resources relative to the size of the attack. Some of the popular attack vectors mentioned in the report are SYN floods, UDP fragment, UDP floods and DNS attacks. Additionally, NTP attacks, CHARGEN, ICMP and ACK floods were also accounted for, while SSDP and SYN have continued to gain popularity.
Using scripts/tools to carry out DDoS attacks is the choice of an individual. Botnets are different: in order to carry out an attack using a botnet, the computer system or web application first needs to be infected or hacked.
The statistics provided by Akamai, and the emergence of India among the top ten countries whose networks are responsible for carrying out DDoS attacks, raise serious questions about the overall state of IT security in India.
These days, IT security does not just mean protecting your networks; it encompasses the entire IT asset protection landscape. Security is not limited to the implementation of firewalls, WAFs and IDS/IPS solutions, but also includes migration from obsolete services to the latest ones and deployment of security policies covering desktops and servers alike. Implementation of security suites which provide all-round protection from Trojans and viruses is also a must.
DDoS attacks are on the increase, and that is a fact. Proactive measures and the implementation of stronger security policies to mitigate the source of these attacks are the only way out.
The dream of accomplishing ‘Digital India’ will only be possible when we have a holistic approach towards IT security. Collaboration between the IT security industry, software developers and various service providers is imperative in order to mitigate such attacks, and would pave the road towards future implementations of new-age technologies.
Tips about Patch Management
- Automate: These days, IT managers are expected to do more with less. Patch management is generally time-consuming. Analyzing and deploying patches can be easier with an automated system from a single workstation and can save time.
- Plan your approach: Proper planning of the approach towards patch management is important even with automated systems. Grouping systems by department, location, etc. should give a better handle on the environment and improve productivity.
- Test patches: It is advisable not to push out patches without lab-testing them. Even though patching is necessary to secure the IT infrastructure, patches can cause problems if not applied properly.
- Know the configurations: Even the most minute difference in configuration between the lab server and the production server can cause server failure. Ensure that the production servers’ configuration settings are standardized with the test lab server.
- Maintain patch levels: With automation, patch management no longer needs to be a reactive process. It is advisable to be proactive. Scheduling of scans on a daily or weekly basis in order to analyze the environment and deploy all critical patches is required. An updated patch is more secure and stable.
Tips on Intrusion Prevention System (IPS)
An Intrusion Prevention System (IPS) combines the features of an intrusion detection system with the ability to act upon malicious traffic. Since an IPS generally sits in line with network traffic, it can prevent attacks by blocking access from the attacker or to the target. Here are some tips on IPS:
- AET protection: Advanced Evasion Techniques (AETs) are used to test security vendor products. According to the latest report by Verizon, 31% of attacks in large organizations remain unknown. Most current security devices are unable to flag or log AETs separately; they mainly report suspicious traffic.
- Event correlation: Event correlation provides accurate protection for network services and intranet users. It looks at log data from one or more sensor engines and searches for malicious event sequences in real time. A good event correlation engine can alert the IPS to isolate an attacker or network worm on all firewalls, minimizing the chances of damage to network services.
- Web filtering: Web filtering is a great enhancement for your IPS. It provides multiple benefits, such as increased security by preventing access to known malware and phishing/unwanted websites. Advanced web filtering systems offer plenty of options, like blacklists and whitelists, where it is possible to set rules for the entire network.
- SSL inspection: SSL inspection is important to ensure that no attacks, viruses or other unwanted content can enter the organization’s network in disguise. SSL inspection gives administrators the ability to monitor traffic inside the TLS/SSL encryption and detect any unwanted content.
- Denial-of-service protection: Your IPS should provide protection against illegal input and traffic flood DoS (denial of service) attacks without disturbing legitimate network traffic. Connection flood or web service starvation attacks are typical examples of distributed DoS attacks. TCP SYN flood attacks can be stopped by blocking incoming connection attempts from spoofed source addresses, preventing them from reaching the target system. Your IPS must quickly identify the spoofed connection sources and block them, while allowing valid user connections to pass through.
- Central management capabilities: Central management is essential for IPS security because it allows the system to be administered without changing every single remote location. Central management makes it possible to monitor and manage appliances and components, with options that may include alerts, security content updates, appliance updates, and firewall and intrusion prevention settings. Thus less administrative time is devoted to network security and log management operations.
- Performance: Your IPS could affect your network if it is not implemented properly or even if the IPS product is poorly constructed. The ability to use clustering to share processing connections enhances performance and reduces time. The deployment of the components of your IPS could also minimize the risk of performance degradation. The IPS should capture and analyze traffic, thus it is better to separate the analysis component into a dedicated system.
- IPv6 ready: Major operating systems and core networking components offer IPv6 support. For example, Windows Vista uses IPv6 addresses by default, which may be a potential security threat without properly implemented access control and deep inspection.
- Integration with your firewall: It is important that a next-generation firewall can interact with an intrusion prevention system. The integration of these capabilities can either be within a single system or across separate systems.
Tips on Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to compromise a system. Organizations that implement the following recommendations can enable more effective intrusion detection system use:
- Organizations should use multiple types of intrusion detection technologies to ensure more comprehensive and accurate detection of malicious activity. The four primary types of such technology are network-based, wireless, network behavior analysis and host-based. Each offers essentially different information gathering, logging, detection and prevention capabilities.
- Organizations that are planning to integrate multiple types of intrusion detection technologies should consider the capability of the system first. Direct integration of such systems might occur if the organization uses multiple products from a single vendor, with a single console that can be used to manage and monitor the multiple products. Some products can also share data mutually, which accelerates the analysis process and helps users to prioritize threats in a better way.
- Before evaluating intrusion detection products, organizations should define the requirements that the products should meet. Evaluators must understand the characteristics of the organization’s system and network environments, so that a compatible intrusion detection system can be implemented.
- While evaluating intrusion detection products, organizations should consider using a combination of multiple sources of data according to the products’ capabilities. The sources include test lab or real-world product testing, vendor-provided information, third-party product reviews and experience from people within the organization.
Tips on Firewalls
Next-generation firewalls go beyond filtering traffic and can deliver more control by providing the ability to filter by application type and user identity, among all the other features that are being built into one box. Here are six tips for managing next-generation firewall policies:
- Tune the Policies: Generating regular reports from the network and understanding the trends and their impact from a security or performance perspective is important. Intelligence regarding application usage is extremely helpful in enhancing policies and removing unused applications. Rules can be tightened based on application and user requirements. For example, if an application is only required by one group of users (e.g. the marketing team needs access to Facebook), then that application can be opened up to that specific group and restricted for others.
- Reorder Rules for better Performance: Firewalls scan sequentially through lengthy rule sets to identify the rule that matches each packet. Another way to improve the next-generation firewall policy is to reorder the rules based on throughput (rules with heavier application usage go on top). This can help address potential performance issues.
- Identification of Rules for elimination from the Rule Base: Firewall rules are often forgotten and even duplicated through change requests. Identification of these types of rules can significantly help reduce the overload on the firewall and the admin team.
- Running Risk Queries Regularly: There are a lot of known risks and configuration practices that can be leveraged (e.g. NIST, PCI, etc.) to identify vulnerable rules and also their remedies. It is possible to define acceptable applications for the organization and then create exceptions or even segment by user groups as and when required. Additionally, recent research has shown that lax outbound policies are a common risk in firewall policies.
- Ensure Continuous Compliance: Running reports is no doubt important to ensure that the policies are in compliance with regulatory requirements such as PCI DSS, SOX etc.
- Automate the Firewall Change Request Process: Maintaining the optimized and risk-free policy by automating the firewall change request process is important. With all the traditional firewalls, the primary fields for change management consist of source, destination and port.
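The rule reordering and rule elimination tips above can be combined into one audit, sketched here as an added example that is not from the original article or from any firewall vendor. It assumes a first-match, IPv4-only rule base; the `Rule` fields and the sample rules are constructed for illustration. Busy rules are moved up only when swapping two neighbours cannot change the verdict for any packet.

```python
from collections import namedtuple
from ipaddress import ip_network

# port None = any port; hits = hit counter taken from firewall reports
Rule = namedtuple("Rule", "name src dst port action hits")

def covers(a, b):
    """True if every packet matching b also matches a."""
    return (ip_network(a.src).supernet_of(ip_network(b.src))
            and ip_network(a.dst).supernet_of(ip_network(b.dst))
            and (a.port is None or a.port == b.port))

def overlaps(a, b):
    """True if some packet could match both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.port is None or b.port is None or a.port == b.port))

def find_dead_rules(rules):
    """Rules fully covered by an earlier rule never fire under first-match."""
    dead = []
    for i, r in enumerate(rules):
        first = next((e for e in rules[:i] if covers(e, r)), None)
        if first is not None:
            kind = "duplicate" if first.action == r.action else "shadowed"
            dead.append((r.name, kind, first.name))
    return dead

def reorder_by_hits(rules):
    """Move busy rules up, swapping neighbours only when the verdict cannot change."""
    out, changed = list(rules), True
    while changed:
        changed = False
        for i in range(len(out) - 1):
            a, b = out[i], out[i + 1]
            if b.hits > a.hits and (a.action == b.action or not overlaps(a, b)):
                out[i], out[i + 1], changed = b, a, True
    return out

# Constructed sample rule base (names, addresses and hit counts are made up)
RULES = [
    Rule("deny-guest-db", "10.9.0.0/16", "10.1.5.0/24", 5432, "deny", 40),
    Rule("allow-app-db", "10.0.0.0/8", "10.1.5.0/24", 5432, "allow", 90000),
    Rule("allow-web", "0.0.0.0/0", "10.1.1.0/24", 443, "allow", 500000),
    Rule("allow-app-db-dup", "10.2.0.0/16", "10.1.5.0/24", 5432, "allow", 0),
    Rule("allow-guest-db-late", "10.9.1.0/24", "10.1.5.0/24", 5432, "allow", 0),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", None, "deny", 1200),
]
```

On this sample, `allow-web` moves to the top, while `allow-app-db` stays below `deny-guest-db` despite its higher hit count, because the two overlap with different actions. The two zero-hit rules are reported as a duplicate and a shadowed rule respectively.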