It has been an interesting time at the RSA Security conference in Singapore this week. The overarching theme of the conference has been “change”. I had a hard time seeing anything that really stood out as driving change from the talks that I was in. What I did see, however, was a drive by attendees to tackle the fundamentals, based on a lot of the conversations that I had.
Security practitioners from all over the Asia Pacific region were in attendance for the conference and I was afforded the opportunity to give a talk about DDoS from the perspective of the types of attacks, the tools used and the data that correlated to attacks against various targets.
One of the interesting things that I noted was a fascination from people I spoke with around recent attacks that have been perpetrated by a group called DD4BC or DDoS for Bitcoin. This is a group that I have written about in the past and they are growing in prominence. People are starting to take note of this extortion driven group.
These are attackers that first launch an attack against a website for a period of time. Then they send an email to the victim and let them know who the group is, what they want and what will happen if their demands are not met. They would even go so far as to say that if there was any doubt, to Google them. Last year we saw amounts of around $150 as ransom demands made to victims. This amount has grown in the last year to $8000 and higher in some cases. They would always request that the funds be paid in bitcoin. It is unclear if any of their victims have given in to their demands.
One conversation in particular stuck with me. A conference attendee asked me if they would be safe if they paid these attackers the ransom that they demanded. “Would they come back again?” I was a little puzzled at this, but I made it clear that there were no guarantees, especially when dealing with a criminal organization such as this one. This resulted in a furrowed brow and a stern look. I sincerely hope that they had not paid to stop an attack.
While delivering my talk I touched on certain things that people can do to better secure their environments. One piece is to have a better handle on the hygiene of their servers. What I mean by this is that they need to ensure that systems are patched to current or at least n-1. You may sit back and say, “OK, so what?” but this is a problem that is not being handled. Everyone knows that they need to patch their servers. They know that they are exposing themselves to risk by not fixing issues. But the issues persist.
Time and again I read breach notifications for companies or organizations that have been compromised who fell victim to an old exposure that could have been easily remedied. The media is often littered with stories of 0-day vulnerabilities, but often those become 100-day vulnerabilities. Hopefully enterprises will get better at patch management.
I was pleased with the number of good questions after my talk. What resonated with me was that people understood that they needed to do a better job at patching their systems so as to not expose themselves to attack or worse, unwittingly have their servers be added to a botnet that was used to attack someone else.
Change was the theme for the conference. But I don’t believe it was with respect to the next new wonderful technology. Rather, the change lies in the fact that enterprises need to tackle the security fundamentals and get back to basics.