In 1984, Pat Benatar came up with an enormously silly, but entertaining song about love and battlefields. That was before the Internet was invented. Today, the Internet is probably the most epic battlefield for consumers and businesses.
In just the last three years, we’ve seen three individual cases of entire countries being brought to their knees by malicious Distributed Denial-of-Service (DDoS) attacks. In basic terms, a DDoS attack involves saturating targets with such an extreme volume of communications requests that the victim’s machines are unable to respond to legitimate network traffic.
There are many different flavours of DDoS attack, but the end effect is similar. For all intents and purposes, the target machine goes ‘down’, disrupting communication to the victim machine, and, on a wider scale, potentially upsetting communication across an entire nation.
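The saturation effect described above can be shown from the defender’s side with a small simulation. The following Python script is an added example, not code from the article or from any vendor quoted in it: it builds a constructed request log (three legitimate clients plus fifty flood sources, all using RFC 5737 documentation addresses), flags sources that exceed a per-source request threshold inside a sliding one-second window, and then models a server with a fixed per-second capacity to measure how many legitimate requests get answered with and without the flagged sources filtered upstream. The threshold, window and capacity figures are illustrative assumptions.

```python
"""Volumetric-flood detection and capacity simulation over a constructed request log.

Added example for illustration; the traffic below is invented, not taken from
any real incident.
"""
from collections import defaultdict, deque


def build_sample_events():
    """Construct a synthetic, time-sorted request log of (timestamp_seconds, source_ip).

    Three legitimate clients send one request per second for ten seconds.
    Fifty flood sources each send twenty requests per second during seconds
    3..7. Addresses come from the RFC 5737 documentation ranges (constructed).
    """
    events = []
    legit = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for second in range(10):
        for ip in legit:
            events.append((second + 0.5, ip))
        if 3 <= second <= 7:
            k = 0
            for host in range(50):
                for _ in range(20):
                    events.append((second + k / 1000.0, f"198.51.100.{host + 1}"))
                    k += 1
    events.sort(key=lambda e: e[0])  # stable sort keeps arrival order within ties
    return events


def detect_flood_sources(events, window_seconds=1.0, threshold=10):
    """Return the set of sources that exceed `threshold` requests within any
    sliding window of `window_seconds`. `events` must be sorted by timestamp."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window for this source.
        while q and ts - q[0] >= window_seconds:
            q.popleft()
        if len(q) > threshold:
            flagged.add(ip)
    return flagged


def legitimate_service_rate(events, legitimate, capacity_per_second, blocked=frozenset()):
    """Simulate a server that answers at most `capacity_per_second` requests in
    each one-second bucket, in arrival order, and drops the rest.

    Requests from `blocked` sources are discarded upstream (e.g. by an access
    list) and consume no server capacity. Returns the fraction of legitimate
    requests that were answered.
    """
    used = defaultdict(int)
    served = total = 0
    for ts, ip in events:
        if ip in blocked:
            continue
        bucket = int(ts)
        is_legit = ip in legitimate
        if is_legit:
            total += 1
        if used[bucket] < capacity_per_second:
            used[bucket] += 1
            if is_legit:
                served += 1
    return served / total if total else 1.0


if __name__ == "__main__":
    events = build_sample_events()
    legit = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
    flagged = detect_flood_sources(events)
    print(f"flagged {len(flagged)} flooding sources")
    print("legitimate requests answered, no mitigation:",
          legitimate_service_rate(events, legit, capacity_per_second=200))
    print("legitimate requests answered, flagged sources filtered:",
          legitimate_service_rate(events, legit, capacity_per_second=200, blocked=flagged))
```

With these assumptions, half of the legitimate requests are dropped during the flood even though the server is never more than a few percent busy with legitimate work, and filtering the flagged sources upstream restores full service. The design caveat is the word "distributed": a per-source threshold only works when each flooding host sends noticeably more than a normal client, so a flood spread thinly across a very large botnet needs aggregate-volume or behavioural signals rather than this simple per-source count.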
Estonia was the first country to succumb to a DDoS attack in 2007. Said to be politically motivated, the hit came on a massive scale after days of widespread rioting among ethnic Russians over a ‘disrespectful’ relocation of a Soviet war monument.
Georgia was second a year later, in 2008. Again, Russia was named as the source of the attacks. This time, Internet communication was hit during a clash between the two nations over the South Ossetia region, and Georgia’s push for inclusion in NATO.
In 2009, Kyrgyzstan was attacked, and for a third time, Russian cyber criminals were blamed. Supposedly undertaken by the same group of nationalists behind the Georgian assault, the DDoS attack crippled the already-struggling central Asian nation for seven days.
It’s pretty frightening stuff, and according to BT Australia head of security, Harry Archer, it is entirely possible to wreak similar havoc in Australia.
“If we had a foreign Government that is unhappy with Australia, it could mount a DDoS attack on the country,” Archer said. As a comparison, he pointed to recent disruptions across American financial markets, where someone typed in one too many figures during a stock exchange deal and caused a rout.
“If you were able to interfere with the stock exchange here and do similar things, you could deliberately cause havoc in the financial markets,” Archer said.
The problem is compounded by the increased number of devices sitting on the network. Look at the datacentre, for instance – air conditioners and security cameras have their own IP addresses, and all it takes is one halfway decent hacker patching into the network to shut everything down.
“The main security concern is about improving those controls in the network and from the point of view of DDoS,” Archer said.
“Botnets are an absolute nuisance and cost us money, but if we get hit by a DDoS attack against our country or a major bank, it’s not just costing money, it’s compounded the situation by stopping us working.”
That’s not to say botnets are not a concern in themselves, though. If a DDoS attack is the equivalent of a full-scale assault, fighting botnets is the skirmishing on the flanks.
It’s an exceedingly difficult battle to win – new botnets equipped with horrible new malware code are continually coming into existence, and keeping antivirus software properly up to date is a monumental challenge.
Grandfather of military strategy, Sun Tzu, theorised the best way to defeat an enemy too large to overpower with raw strength was to isolate and chip away core elements of the enemy. A large enemy without communication or effective leadership is one easy to defeat, he claimed.
It’s a philosophy RSA has adopted in its approach to the botnet threat. Those that control botnets, or “botmasters”, are RSA’s targets, and denying those botmasters their payloads the ultimate goal for the vendor.
“The information stolen from infected computers often goes to a drop site,” RSA pre-sales engineering manager, Greg Singh, explained.
“We’re extracting that data, and then preventing the botmasters from getting to it. When we find significant hauls we advise organisations that a lot of their credentials, or credentials pertaining to their customers, have been stolen and we can advise them of that. We quite often deal with the Australian authorities in notifying them.”
The good news is that organisations are increasingly willing to put effort into protecting their data. Not necessarily because it’s a good idea (although it is), but because compliance regulations are essentially forcing them to wise up.
Historically, security precautions and management were more an ad hoc situation, driven by the security or systems administrator. The more recent trend is for the company policy to be set down, and the administrators to then work to meet that policy.
“Governing policies and understanding the risk associated with it, and understanding the compliance that needs to be adhered to both from an internal and regulatory perspective, is what tends to be driving the security behaviours at the moment,” Singh said.
“The new trend that seems to be happening in the market is for governance risk and compliance to be treated as a complete security topic.”
So who’s responsible?
Having a policy or regulatory requirement is one thing – following through with those and properly securing your organisation is quite another.
One of the victories that malware coders often score against their victims comes from taking advantage of a lack of understanding among users. While a security administrator can be expected to be up to date with the most recent threats, businesses at the smaller end of town without dedicated security personnel, and consumers, aren’t necessarily as focused on or aware of the integrity of their systems.
“Business owners are in the business of whatever industry they’re in, and they’re not focused on IT security as a thing they look at day-to-day. Nor should they – it’s Symantec’s [and other security vendors] job to be the expert,” Symantec director of SMB and distribution, A/NZ, Steve Martin, said.
The problem is that for a security vendor to be able to perform this function, the software and licence needs to be up-to-date. Often, a user is out-flanked by the malware coders by simply being too slow to put the shield up.
“If you’re running software that’s three years old, it’s not good enough to protect you from the threats of today, because the landscape is evolving at such a rapid pace,” Martin said.
Getting users clued into this is becoming more and more difficult, however. The rise of social networking is opening computers up, for both good and ill purposes, and the computing environment is getting to the point where even if there were free antivirus tools made available, it might not be enough to win the war.
The best way forward might well be to stop trying to convince customers to keep themselves protected, and enforce a policy at an OEM level.
“If I was the Government, I would give everyone a copy of an Internet security suite and I would do my best to educate people to have appropriate controls on their computers,” BT Australia’s Archer said. “I would make sure that when a computer is sold by a manufacturer, that it already had a year, or perhaps even a three-year licence on it.”
Ultimately, an organisation can be as well protected as humanly possible, but if even one computer belonging to a less-informed consumer is compromised, then there can be no promise of complete security.
“We’ve got one Internet and that’s it. I would say everyone has a responsibility – government, ISPs, vendors and end users,” Archer said.
The war against malware might never be won in its entirety, but there are ways to reduce the impact of the endless waves. Through education, OEM partnerships, proactive vendor engagement and action at a policy level, it is possible to understand where the threats are coming from and proactively come up with solutions to address the problem.