UNDER SIEGE FROM WEB THREATS: APAC COUNTRIES RESPOND IN PATCHWORK AND TARDY FASHION RESEARCH WHITE PAPER:

  • IDG Connect Intelligence paper

    CONTENTS

    INTRODUCTION

    ATTACKS COME FROM ALL SIDES

    DIGITAL DEVOLUTION CAUSES FRAGMENTATION IN RESPONSIBILITIES

    COMPANIES TAKE REACTIVE MEASURES TO SECURITY THREATS

    METHODS OF DEFENCE IN PLACE TODAY ARE MANY AND VARIOUS

    COSTS ARE HURTING CORPORATE PURSES, EATING UP EXECUTIVE TIME

    EXPERT OPINION: MANATOSH DAS - SECURITY AND RISK ANALYST

    CONCLUSION

    INTRODUCTION:

    Internet security challenges are asking some tough questions of organisations in APAC countries, according to a poll conducted by IDG Connect for Akamai that is the basis for this White Paper. The online research covered decision-makers and executives at mid-sized and larger organisations (250-plus staff) in India, the Philippines, South Korea, Thailand, Australia, Singapore, Japan, Hong Kong and Taiwan. It discovered a region beset by security threats and taking a wide variety of routes to respond to these threats.

    The finding that the region is facing a tough fight is in line with the situation in the rest of the world: internet security is a global challenge that affects every company with an online presence, regardless of the area of the world from which they operate. Ever since the internet became a de facto aspect of business, security has come under the microscope. Doing business on the web offers enormous positives in terms of audience reach, marketing, low cost of transaction, service and ubiquitous access to systems but the big price it carries is the need to address inherent and ever-changing areas of vulnerability. The openness of the internet comes with conditions.

    This is the scenario that has created the role of the chief information security officer and a world where reputational damage and financial penalties from regulators are live risks for any organisation that operates on the internet. The penalties are large: a compromised site can lead to damaging headlines, theft of assets, angry customers, lost revenue opportunity and litigation. The UK’s Department for Business Innovation and Skills has suggested that the real total cost to an enterprise of recovering from a worst-case data breach can be up to nearly $1.4m. Recently, APAC data privacy legislation has grown and penalties have increased. (1)

    Masami Kashiwagi of Forrester Research recently wrote that: “Some senior people have admitted to me that their organisations have not traditionally taken data privacy issues terribly seriously within their AP operations. However, in a clear sign that this is beginning to change, [governance, risk and compliance] practitioners are starting to see increased demand for their compliance-related services from both government and business sectors, particularly since late 2012.” (2)

    SECURITY AND THE COST OF DOING BUSINESS ON THE INTERNET

    The threat vectors are many and various and subject to sudden change. Some security challenges stem from a desire to hurt companies or to showcase ingenuity while others are born of intellectual curiosity or a desire to demonstrate a potential weakness that could become widespread. Regardless of the intent behind them, these attacks are highly damaging and force organisations to be permanently on guard. To protect themselves, they must regularly audit their security defences and processes and update tools in line with best practices.

    Of course, enterprises are doing what they can to defend their digital assets and reputations but many are using defences that hurt their ability to do business. On-premise solutions such as web application firewalls can suck up valuable processing cycles and trigger network latency, thereby bloating bandwidth costs. The results can include lagging datacentre performance, slow web page loading and a generally disappointing user experience.

    Unfortunately, in many cases the attackers appear to be gaining the upper hand, and the media continues to be filled with a stream of stories of lost data, compromised user accounts, services brought to a standstill and websites defaced. Frequently, however, companies respond in piecemeal fashion, installing security tools that only offer point solutions to sophisticated threats that are often blended to create multi-vector attacks.

    No organisation today can claim to have a perfect defence against attacks or against human error but having a comprehensive set of defences covering network layer, application, DNS and more is just part of the table stakes required for doing business in the age of the internet. Companies that have tried and tested processes and best-in-class tools have the best chance of dealing with the security threats that are everywhere. The battle is never-ending but it must be fought.

    ATTACKS FROM ALL SIDES

    The survey reveals a stark picture, with a barrage of attacks taking place against the mid-sized and large organisations polled. Of the 111 respondents, which included organisations from the public sector, finance, commerce, gaming, media and entertainment, hi-tech and manufacturing industries, just 1% had experienced no attack at all in the past year. One third (33%) had suffered two attacks or more, and almost one in ten had suffered four attacks.

    Web applications appear to be the main target of attacks. Denial of service, cross-site scripting, compromised authorisation process and DNS attacks formed the vast bulk of problems and these are forms of attack that can effectively take a domain offline or see the victim’s brand defaced.

    Almost half of respondents (45%) reported experiencing a DNS Compromised or Amplified attack in the past year and 28% reported Distributed Denial of Service (DDoS) attacks. Attacks against the DNS records, whether these are DNS Compromised or DNS Amplified attacks, may not directly breach a web application’s security, but they can still lead to loss of reputation and, for transactional sites, a loss of revenue. The threat is often exacerbated because organisations typically have only a few DNS servers in the same datacentre, making it a potential single point of failure.

    DNS Compromised attacks have hit a number of large online properties recently: Twitter and Huffington Post were both victims in August 2013 alone and the APAC region is not immune: The New York Times attack was in part due to a DNS compromise in Australia. Such attacks are difficult to defend against because, although they target a particular domain, the actual hack is carried out against the DNS server, over which most organisations have little control.

    [Chart: Security Attacks Experienced in the Last Year. Categories: Zero, One, Two, Three, Four. Values shown: 66%, 17%, 9%, 7%, 1%.]

    Organisations’ authorisation processes are also frequent targets with 43% of respondents reporting at least one instance of compromised authorisation processes in the past year. Application layer attacks are difficult to identify and therefore to mitigate but they are becoming more common: Gartner has predicted that they will represent 25% of all DDoS attacks in 2013. (3)

    Thirty-seven per cent of respondents, meanwhile, reported instances of cross-site scripting attacks. Both attacks on authorisation processes and cross-site scripting represent a far more directed, invasive and purposeful type of attack on an organisation. In this category of attack, the attempt being made is not just about taking a domain offline but about gaining privileged access to the servers. As such, these attacks should be major concerns for organisations throughout APAC nations.

    And of course, many of these will be multi-vector attacks, with combinations such as DDoS and SQL injection increasingly common and mixtures of volumetric, state-exhaustion and application-layer attacks also frequently reported to test the unity and comprehensiveness of enterprise defences.

    Clearly, “eternal vigilance is the price of liberty”: in other words, defences must be regularly tested and upgraded based on the latest threats and knowledge.

    Companies with a strong security focus, internal policies and the ability to evolve their security profile will be best positioned to defend themselves. It is critical to have multiple levels of defence and broad coverage in order to deal with the changing threat landscape. Becoming an active participant in security knowledge-sharing communities will help not only one organisation’s ability to withstand attacks, it will also contribute to the wider good and to deter malicious attackers.

    Types of Security Threat Experienced:

    1. DNS compromised or amplified: 45%

    2. Compromised authorisation: 43%

    3. Cross-site scripting: 37%

    4. DDoS: 37%

    DIGITAL DEVOLUTION CAUSES FRAGMENTATION IN RESPONSIBILITIES

    Over the past five or so years, a couple of business technology trends have been seen across many organisations and have made security weaknesses more likely.

    First is the proliferation of websites and web applications with ever deeper links into core IT infrastructure as the internet has permeated middleware and back-office systems. For example, billing and payment systems that might once have been insulated are now commonly woven into the internet fabric of many organisations’ IT systems.

    Second is the trend for some online presence and development to shift out of control of the IT department. Where, a decade ago, it would have sat in the remit of IT, in businesses with a strong online presence, many ‘digital’ functions are now run by managers outside the IT department. Often, line-of-business managers see digital development projects – sometimes just websites but increasingly web applications too – as key to boosting revenues or improving services. This trend is driven by a number of factors, among them a need to move quickly without jumping through the hoops of IT procurement.

    Today, there appears to be a land grab for functions that previously would have resided with the IT department. Increasingly these business functions engage development teams and create online payment processes with deep integration back to core IT systems. This devolution of digital functions is a major concern for IT as disparate web development teams often remain poorly integrated with the IT security function.

    Not only does this trend increase risk, but it takes a real toll on IT department time, with 59% of survey respondents saying security planning now requires IT spending more time with line-of-business managers. This is a scenario that is seeing rising interest in comprehensive managed security services. Insight Research predicts that the sector will grow at over 11% annually over the next four years. (4)

    How do security concerns impact IT security planning?

    - Requires More Time with Lines of Business: 59%

    - Increased Spending: 57%

    - More Information Governance to Show Compliance: 55%

    - More CIO Time: 35%

    COMPANIES TAKE REACTIVE MEASURES TO SECURITY THREATS

    Security measures will often be reactive rather than proactive as our data suggests that actions on security directly correlate with experience of compromises. The research indicates that just over half (53%) of organisations turn to more than one solution in reaction to a threat they have recently experienced. A quarter (27%) takes three or more measures in reaction. Clearly it would be better if these organisations were more proactive rather than waiting for an attack to take place.

    Reactive measures companies typically take include upgrading security suites (59%) and bolstering firewalls (also 59%) and SSL defences (33%). Organisations that experienced a DDoS attack were more than twice as likely to purchase DDoS defences, reinforcing the picture of reactive stances to security. All too often, firms are locking the stable doors after the horse has bolted.

    Another notable tactic (42% of respondents) is using outsourcing to combat challenges.

    Outsourcing any aspect of IT is a major decision and has to be handled carefully. Done right though, it can bring important benefits. For instance, by outsourcing a service, an organisation gains access to hard-won external knowledge where experts are likely to have broader experience of tackling specific threats than could be found in a typical in-house IT department. Also, remotely-located third-party security organisations are likely to be able to see threats coming faster than those focused on their own companies.

    However, a piecemeal approach to outsourcing, or one where the service provider is changed on a regular basis, can cause problems. The managed security service provider needs to have a good overview of threat vectors and to be able to understand the processes of the company in question.

    The rapid evolution of security threats is well documented and continued exposure and experience of the threats is necessary to keep skills and knowledge up-to-date. While the number of attacks suffered in the past year by the survey respondents represents a significant threat for a single organisation, even the 10% of organisations that suffered four attacks will only be building their experience based on a fraction of the latest attack vectors.

    [Chart: How many measures have you taken to address security challenges? Categories: One, Two, Three, Four. Values shown: 47%, 26%, 14%, 13%.]

    [Chart: What measures have you taken to address experienced challenges? Categories: New/Upgraded Security, Strengthened Firewall, Outsourced Security, New/Improved Security. Values shown: 59%, 59%, 42%, 33%.]

    METHODS OF DEFENCE IN PLACE TODAY ARE MANY AND VARIOUS

    The current state of defences is a mixed bag. While firewalls are widely used, installed in four out of five organisations (80%), encryption is only used by 56% of respondents and fewer than half (46%) of respondents use identity and access management tools. Only a minority (34%) said they use cloud-based tools for DDoS mitigation, and intrusion prevention or detection systems were present in less than a third (30%) of organisations.

    This raises the question of how much organisations really know about the traffic on their networks and how often attempts are being made to compromise corporate security. It’s also particularly worrying as hacktivists are using DDoS attacks for protests and cyberterrorism, upping the ante for DDoS mitigation services.

    Web application firewalls (WAFs), either cloud-based (24%) or on-premise (21%), are fairly widely used to mitigate attacks aimed at the application layer, such as application-layer DDoS attacks and SQL injection attacks. Almost a quarter (24%) use a clean pipe/scrubbing solution to limit data traffic based on the traffic behaviour and so reduce the volume of attack traffic to a level that the datacentre can handle. The downside to this can be a significant hit to website performance resulting in slow response times and high bandwidth costs.

    Although organisations questioned are clearly taking some precautions in their web security, the picture is very variable with numbers of security measures stretching from one (30%) to eight (11%). One half of respondents had only one or two measures in place, which will almost certainly be insufficient to protect against all attack vectors.

    Clearly, for the good of all, a more consistent set of numbers would be welcome with a greater degree of uniformity in responses. Too often organisations today are taking a piecemeal approach and only adding security controls after an incident has taken place.

    [Chart: What security measures do you have in place today? Categories: Network firewall, Encryption, Identity and Access Management, Cloud-based DDoS Mitigation solution, IPS/IDS, Clean pipe/scrubbing solution, On-premise WAF, Cloud-based WAF. Values shown: 80%, 56%, 46%, 34%, 30%, 25%, 24%, 21%.]

    COSTS ARE HURTING CORPORATE PURSES, EATING UP EXECUTIVE TIME

    Security threats are hitting companies in their pockets with 57% of respondents saying they are spending more on security when asked how security planning was affecting them today. This is remarkable at a time when most organisations are either reducing or maintaining IT budgets, and it underlines that security is a ‘must have’ area of investment rather than a ‘nice to have’.

    But it’s not just finance that’s being affected; security planning is also occupying the time IT needs to spend with managers of lines of business to address threat vectors. Fifty-nine per cent of respondents cited this as a factor and it may well point to the “digital devolution” trend referred to above.

    Also, security planning is not just adding to the workload of admins or other junior staff or even CISOs. Thirty-five per cent of those polled said that CIOs are having to spend more time than previously on security issues. Also, more than half (55%) said that security challenges are adding to their information governance burden. This highlights the fact that information security today is not just about protecting an organisation’s assets. It’s also about demonstrating to regulators, lawmakers and other interested parties the lengths to which the organisation has gone to defend against incidents.

    It is inevitable and understandable that the post-internet rise in security concerns will divert CIOs and business managers from their usual key areas of responsibility. However, at some point it will be necessary for senior executives to strike a better balance in their workloads. Information and digital security is quite rightly a key concern today but it should not become an onerous duty that distracts leaders from business opportunities.

    EXPERT OPINION

    Cyber-attacks can often inflict just as much damage as attacks using sophisticated weapons such as missiles, bombs, and bullets. For instance, a cyber-attack could be aimed at an electric grid, which could then cut off the power source for hospitals in a city or country, wreaking havoc on the system.

    In the last few years the threat landscape has not evolved, but rapidly mutated. The security gap between new attack methods and traditional controls continues to grow in favor of the attackers. Hackers today are highly organized, well-funded crime syndicates, or in some cases, state-sponsored agents. Forrester sees few fundamental changes occurring, with attacks overall becoming more targeted, sophisticated, and resourceful:

    - The motivation for such attacks has shifted from fame to financial gains. Today, organized crime is not only involved in this endeavor but also looking for huge sums of money.

    - The hackers are now using low and slow methods to launch attacks. This is a very systematic and precise attack in which the attackers go after the network, then the applications, and then the data, covering all traces of their presence as they penetrate the different parts of the environment.

    - Today, attackers have moved to a much more targeted approach. It’s a lot more common to see targeted attacks against not just financial institutions but business competitors, political groups, or even enemy countries.

    - A security breach in the past meant that you had to respond quickly, keep law enforcement involved, deal with your affected customers, and ask their forgiveness. A breach today could lead to the discovery of several other regulatory, legal, or policy violations, ultimately resulting in millions of dollars in fines and remediation costs.

    MANATOSH DAS, Senior Analyst Serving Security & Risk Professionals

    To fight these mutating attacks, Forrester recommends the security pros must build security into the DNA of their IT architecture, invest in situational awareness, and develop robust vulnerability and incident management capabilities. It also demands that security pros redesign their network into a massively powerful and scalable data security enforcement point. This approach will help us bring some order to the haphazard deployment of overlay (and ineffective) security technology in our environments. And at the same time make sure you are not just building on reactive controls but preventive ones as well.

    CONCLUSION

    The data shows that organisations in APAC countries are taking fragmented approaches to information security, and they are often adopting older security methods that can slow down performance for the enterprise and for its customers on the web or across the supply chains.

    They are subject to waves of attacks from across vectors and the weight and sophistication of those attacks is only likely to increase with more blended attacks aimed at exploiting any lack of comprehensive cover or failure to develop a joined-up approach. Despite this, responses show a wide span of attempts to deal with threats and worryingly belated attempts to fix matters only after having been compromised by attacks.

    The net effect of all this is CIO and executive time and money mounting up to combat threats. Organisations need to take an end-to-end approach, assembling an array of defences. This should be a proactive, ‘always-on’ approach that includes specialist knowledge from outside the organisation and, where relevant, uses cloud-based security. It’s already clear that cloud-based security has scope to serve up cost savings, faster time to deployment and broad coverage compared to on-premises equipment. As threats become ever more sophisticated and broad, a ‘security-as-a-service’ approach is likely to grow in importance.

    APAC is a diverse, dynamic part of the world and that dynamism is reflected in increasing ICT sophistication. Broadband adoption has more than doubled in several countries in the region, according to Akamai’s Q1 2013 State of the Internet report. The opportunities in the region are vast but companies need to ensure the right processes, tools and people are in place to cope with information risk and let executives focus on strategy and execution. The alternative is becoming so risk-averse and inward-facing that new, nimbler companies steal market share.

    Better organisation and planning needed

    SOURCES:

    (1) Department for Business Innovation and Skills, 2013 Information Security Breaches Survey

    (2) http://blogs.forrester.com/masami_kashiwagi/13-06-05-data_privacy_regulations_in_asia_pacific_do_you_know_where_you_stand

    (3) Gartner press release and report, Arming Financial and E-commerce Services Against Top 2013 Cyberthreats

    (4) Managed Services in an IP World

    ©2013 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.

    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf

    http://blogs.forrester.com/masami_kashiwagi/13

    http://www.gartner.com/newsroom/id/2344217

    http://www.gartner.com/resId%3D2320416

    http://www.insight-corp.com/reports/manserv13.asp