Black Friday, Cyber Monday, And The Digital Holiday Feeding Frenzy

The months of November and December, in particular Black Friday and Cyber Monday, can best be described as a digital feeding frenzy for consumers and cyber criminals alike. The pressure to buy can be overwhelming for many. With so much going on, it's easy to get caught up in the excitement and make simple mistakes that can cost you far more than you expected to spend. The holiday commotion around online commerce has attracted the attention of predators from Brazil to Moscow, and they are coming for your stocking stuffers.

For the Employer:

Your primary responsibility is education. Users will inevitably purchase items with a corporate credit card. They will use a generic corporate account to log into the Staples portal. They will participate in the holiday frenzy with your equipment, and if they make mistakes your business is at risk.

Also, expect network performance during "Internet free-time" at lunch to diminish as workers clamor to get shopping done during their breaks, especially in large office buildings with high concentrations of hourly workers. If you’re a network administrator, watch those pipes to see if there are congestion problems. If you're approaching capacity you might want to suggest that workers shop from home. Be firm but honest with them about the challenges of traffic surges resulting from holiday ecommerce shopping. If you're a network security admin and your Internet connection or firewall state tables are already running hot, you might want to brief your users on the potential dangers associated with careless online shopping.

For the Online Merchants / Retailers:

Denial of service outages are the name of the game for online retail organizations during the heavy holiday shopping season. DoS problems manifest in two ways for the retailer:

I. Legitimate Oversubscription

A recent poster child for a legitimate oversubscription DoS would have to be Target's launch of the Missoni clothing line. High demand for the Missoni product line brought Target's online commerce portal to its knees. Shoppers were unable to access the site in a reliable manner for almost 24 hours after the launch. Online deal finders such as theblackfriday.com and mobile apps like BlackFriday can lead to a sudden influx of web requests, overwhelming the commerce portal itself. Note to consumers: Shop early! Especially if you’re on the West Coast.

II. Malicious DoS

Another major threat to an online retailer, especially those with a strong brand, is malicious denial of service attacks. Criminal elements can take advantage of events such as Black Friday to extort money from retailers. Hacktivists are also given a unique opportunity to ride the wave of media coverage that follows the big holiday spending days by launching an attack at that time.  

For the Consumer:

Socially engineered attacks will be out front leading the charge this season. Facebook especially has created an opportunity to put malicious code in front of the user in a comfortable environment. Attackers know that users will click on just about anything to save a buck, and during the holiday season they'll click twice. Many consumers have paid down credit cards and saved up cash in anticipation for the shopping season. In short: holiday shoppers are ripe for the picking. Holiday predators rely on numbers. While their methods are often crude, if you put a "Take this survey and win a free iPhone!" link in front of enough people, someone will bite. Fortunately these "industrialized attacks" are easily thwarted through rational online shopping habits such as:

• Make sure you are browsing the website using https:// versus http://. This will ensure your session with the merchant is encrypted and free from snooping with simple session capture utilities like Firesheep. Also, be on the lookout for strange certificate errors that occur while checking out.
• If you have any doubt at all about an email's origin, don't follow any links found within the email itself. If you receive an email touting a great deal, enter the website of the vendor directly into the browser address field.
• Make payments using an actual credit card rather than your check card. Giving an attacker direct access to your cash just before Christmas could spell disaster.
• Limit exposure where you can. Don't create a user account unless you have to and DO NOT allow the online vendor to store your credit card info for later use. It doesn't take that long to enter the credit card information again if necessary.
• If the deal seems too amazing to be true, it probably is. Ask yourself what the motivation is behind the vendor's sudden willingness to part with profits - especially when faced with an ad like
  "New iPad 2 for $199.00 - ONE DAY ONLY!" Has anyone ever known Apple to discount anything through a retailer? Obvious scam. While they aren’t all so obvious, a bit of cool reasoning can greatly reduce the attacker's likelihood of success.
• If the site wants you to authorize a Facebook app or install any kind of additional software, don't bother.

The Criminal Advantage:

According to ComScore, retail commerce spending for Nov-Dec 2010 was $32.6 billion, up 12% over 2009. Online shopping is getting easier and more prominent than ever before as mobile devices are finally finding their place as a virtual mall in the consumer's hand. ComScore estimates that 90% of consumers will use their phones to shop for holiday gifts this year. Criminals now have multiple venues to host their attacks. From the consumer's PC to their phone, the number of potential attack vectors is increasing. While email has long been the go-to medium of attack, other delivery methods such as SMS, Facebook Messaging, and malicious links in blogs are also gaining popularity. 

The holiday season provides the perfect storm for the motivated cyber criminal: excited, hurried victims with lots of money and a willingness to spend it. And if 2011 taught us anything about today's cyber security landscape, it's that no company is safe from headline-making breaches. Sony Entertainment, Epsilon, RSA Security, Marriott Hotels, the list goes on and on. If these sophisticated organizations aren't safe from compromise, what chance does the consumer have?

The answer lies in education and defense in depth. The unfortunate truth about modern network security is that it is a continuously escalating arms race between the professional IT workforce and the cyber criminal underworld. Events like Black Friday place the consumer directly in the crossfire.

-- 

Critical Infrastructure Protection Month

Deeming December "Critical Infrastructure Protection Month", President Obama has called on the feds to "reflect on" their responsibility to keep U.S. electricity, financial networks, and other critical control facilities safe from cyber threats.

Here is a brief quote from Obama's proclamation:

“As we navigate new and uncertain challenges in the digital age, we must also address the growing threat cyber attacks present to our transportation networks, electricity grid, financial systems, and other assets and infrastructure.  Cybersecurity remains a priority for my Administration, and we are committed to protecting our critical infrastructure by taking decisive action against cyber threats.  To ensure the safety of our most vital operations, we are working to give public and private organizations the ability to obtain cybersecurity assistance quickly and effectively.  These efforts will bolster our ability to withstand any attack, whether virtual or physical.”

In combination with this new proclamation the House Permanent Select Committee on Intelligence approved a bill to facilitate sharing and pooling of “cyber threat information” between private companies and government intelligence agencies. This bill is seen as controversial from different groups as it potentially punches an enormous hole in the wiretapping laws that have, for decades, been a primary guarantor of our electronic privacy. It is beyond the scope of this blog to address this issue, however the most fascinating part of this bill is the definition of what constitutes a cyber threat:

Information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from—

(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

To understand more about today's prominent cyber attacks we recommend you attend Lancope's complimentary webinar “Leveraging Netflow to Combat Today's Most Prominent Cyber Attacks.” Participants will learn about the types of cyber attacks they need to be prepared to address in 2012, and how NetFlow can help improve their security strategy for the new year and beyond.

 

 

Combating Today's Prominent Cyber Attacks

 On Thursday, December 15 2011 Lancope will present a complimentary webinar “Leveraging Netflow to Combat Today's Most Prominent Cyber Attacks.” Participants will learn about the types of cyber attacks they need to be prepared to address in 2012, and how NetFlow can help improve their security strategy for the new year and beyond.

 Everyday businesses, governments, organizations, schools, and consumers extend the reach of information and communications technologies. Our modern culture is interconnected by information technologies – and irreversibly dependent on it. The increased adoption of information technology has also been accompanied by the development of a new set of cyber threats:

• Advanced Persistent Threats (APTs)

• Insider threats

• Industrialized attacks

• Employee misuse & abuse

• Fully automated attacks 

 Just take a moment to grasp the extent of these cyber attacks:

• Hackers take down CIA website, steal Sony user data and cause mayhem for Google online security.

• Epsilon, the largest email marketing service company in the world, announced it was hacked by a group targeting the company's email lists.

• A cyber war may be on the horizon after Google accused hackers in China of breaking into the personal email accounts of US officials

• Governments, IOC and UN hit by massive cyber attack

• The Pentagon has responded saying it will consider computer sabotage an act of war and would consider responding to such acts as it would any other threat to the country.

 This list is just the tip-of-the-iceberg, as sitting below the surface of these six articles are thousands of other stories about the increase in cyber threats. Obviously, this is a topic that we need to understand and Adam Powers, Lancope's CTO, will explain how to harness the latest developments in enterprise-ready flow collection and analysis solutions to help combat these threats.

StealthWatch from Both the Private and Public Sectors

As we come to the close of 2011 it is time to step back and look at how both the private and public sectors view Lancope's StealthWatch product family. From the perspective of the private sector Lancope is:

“The leading provider of flow-based monitoring to ensure high-performing and secure networks for global enterprises. Unifying critical network performance and security information for borderless network visibility, Lancope provides actionable insight that reduces the time between problem onset and resolution.

Enterprise customers worldwide, including healthcare, financial services, government and higher education institutions, rely on Lancope to make better network decisions and avoid costly outages and downtime. Founded in 2000, Lancope is continuously innovating to stay ahead of customer demands and marketplace trends, holding five patents and more than 130 proprietary algorithms.”

There are two approaches for analyzing Lancope from the government's perspective. First we can look at specific government contracts and view how the government is utilizing the StealthWatch product family:

In light of increasingly sophisticated and high-profile cyber attacks, it became clear to this organization that implementing the minimum requirements to comply with federal regulations was no longer enough to adequately protect its critical assets. The organization therefore decided to move from a reactive to a proactive security strategy, going above and beyond traditional, perimeter-based security tools and embracing innovative solutions that would provide more comprehensive protection.

“How do we get better situational awareness of attacks within our target-rich environment?” asked the organization’s chief security architect. “How do we stop reacting and start hunting?” In order to improve its security posture, the organization implemented a defense-in-depth strategy consisting of a set of innovative, complementary security technologies, including Lancope®’s StealthWatch for behavioral-based network monitoring and anomaly detection. Overall, the organization wanted to increase its situational awareness and improve incident response. “We have a target-rich environment that has been (and will continue to be) attacked,” said the chief security architect. “We need to detect these [attacks] sooner, and be able to rapidly investigate and respond.”

After reading these press-release based articles I still wanted to see, from a deeper perspective, the issues that were driving the federal agencies to rapidly adopt the Lancope StealthWatch product family. As you can imagine, for every government decision there are ten research/case studies and then several dozen official reports to Congress. Within a few hours of research I gathered the following set of documents that trace most of the issues surrounding the adoption of Lancope's StealthWatch.

Comprehensive National Cybersecurity Initiative: http://www.fas.org/sgp/crs/natsec/R40427.pdf

Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations: http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

Guide to Intrusion Detection and Prevention Systems (IDPS): http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

The fiscal 2011 Federal Information Security Management Act reporting metrics for CIOs: http://gcn.com/articles/2011/06/06/%7E/media/GIG/GCN/Documents/FISMA%20reporting.ashx

Managing Information Security Risk (Organization, Mission, and Information System View): http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

Fiscal Year 2010 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002: http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/FY10_FISMA.pdf

At first this list of documents may seem a little daunting, but after spending several hours of reading I came away with a serious respect for the teams that assembled these reports. These documents taken as a whole layout the ground-work of information security management. Over the new few months I will dive into the content of these documents and how they relate to StealthWatch.