5 ways to fight a ddos attack

Credit Union - DDoS (Distributed Denial of Service) Attacks? Virtual Education Session May 2nd | 4 – 4:45pm Moderator: Kristine Wilson Presenters: Bill Murphy and James Crifasi Live Tweet from the event! @TheRedZoneCIO

Upload: bill-murphy-ceo-redzone-technologies-transforming-it-security

Post on 05-Dec-2014

DESCRIPTION

The Credit Union National Association (CUNA) issued a statement on Friday, April 26th, 2013 that a possible widespread Distributed Denial of Service (DDoS) attack might take place on Tuesday, May 7th, 2013. Despite the numerous warnings, CUNA has offered little advice on how to manage the situation and mitigate an attack. Realizing the severity of the situation, RedZone put together 5 practical ways to mitigate a DDoS attack against your credit union, presented via GoToWebinar on Wednesday, May 1st, 2013. The types of attacks we reviewed were: 1. Pure network attack against the credit union 2. Pure network attack against the ISP router 3. Content DDoS 4. DNS DDoS 5. Random Botnet attack. We also answered the following questions: • What does it mean? • What are your zero-day protection options? • What to check on your security products? • How to enable global IP protection? • How do I detect fraud communication in advance? • What are some vendor product options?

TRANSCRIPT

Page 1: 5 Ways To Fight A DDoS Attack

Credit Union - DDoS (Distributed Denial of Service) Attacks?

Virtual Education Session May 2nd | 4 – 4:45pm

Moderator: Kristine Wilson

Presenters: Bill Murphy and James Crifasi

Live Tweet from the event! @TheRedZoneCIO

Page 2: 5 Ways To Fight A DDoS Attack

Schedule of Events

Learn 5 Practical Things A Credit Union Can Do To Prevent An Attack

4:00p – 4:30p Presentation (If Lucky)

4:30p – 4:45p Q&A


Page 3: 5 Ways To Fight A DDoS Attack

About Bill Murphy

• President and Founder
• RedZone Technologies
• ThunderDG
• MA DR Solutions
• Beyond Limits Magazine

Keep In Touch With Bill: @TheRedZoneCIO | CIO Executive Series | [email protected]

Page 4: 5 Ways To Fight A DDoS Attack

About James Crifasi

• CTO of RedZone Technologies
• Co-Founder ThunderDG
• Co-Founder MA DR

• University of Maryland Graduate | B.A. Criminology & Criminal Justice | B.S. Computer Science – Algorithmic Theory & AI | M.S. Interdisciplinary Management

• Keep In Touch With James: [email protected]

Page 5: 5 Ways To Fight A DDoS Attack

Assessment: IT Architecture and Design

Integration: Security | Disaster Recovery | Infrastructure

Managed Service Programs

Cloud Brokerage


Page 6: 5 Ways To Fight A DDoS Attack

Agenda – Types of attacks To Be Reviewed

1. Pure network attack against the credit union

2. Pure network attack against the ISP router

3. Content DDoS

4. DNS DDoS

5. Random Botnet attack

Page 7: 5 Ways To Fight A DDoS Attack

Agenda – Questions To Be Answered

• What does it mean?

• What are your zero-day protection options?

• What to check on your security products?

• How to enable global IP protection?

• How do I address potential fraud communication in advance?

• What are some vendor solutions?


Page 8: 5 Ways To Fight A DDoS Attack

Set The Stage


Page 9: 5 Ways To Fight A DDoS Attack

Insidious Plots

Page 10: 5 Ways To Fight A DDoS Attack

Insidious Plots

Source: InformationWeek.com

Page 11: 5 Ways To Fight A DDoS Attack

Insidious Plots

Source: DarkReading.com

Page 12: 5 Ways To Fight A DDoS Attack

Insidious Plots

Source: RSA

Page 13: 5 Ways To Fight A DDoS Attack

What Do They Want?


“Their tactics have been succeeding. They will be back for more because they are getting what they want.”

- Avivah Litan, a Gartner analyst who tracks DDoS.

Source: CU Times

1. Primary objective appears to be to create uncertainties about the reliability and dependability of the United States’ financial system and knock many big banks offline – mission accomplished.

2. Headlines

Page 14: 5 Ways To Fight A DDoS Attack

What Do They Want?

Source: RSA

Page 15: 5 Ways To Fight A DDoS Attack

What Does It Mean?

• Being down
• Unable to update members on the situation
• Greater risk of attacks on members (phishing)

Source: Tosh.ComedyCentral.com

Page 16: 5 Ways To Fight A DDoS Attack

Our Philosophy – Be Proactive

Source: Google Images

Page 17: 5 Ways To Fight A DDoS Attack

Whack-A-Mole? Reactive!

Source: Google Images

Page 18: 5 Ways To Fight A DDoS Attack

Security When Under The Gun

Source: Google Images

Page 19: 5 Ways To Fight A DDoS Attack

Our Approach When Time Is Of the Essence


• Review critical network components

• Communication with members

• Let board know there are no guarantees

Page 20: 5 Ways To Fight A DDoS Attack

How Can a Credit Union prepare and respond during an attack?

An attack can last from hours to days…

Three Phases Are Needed

1. Pre-Attack Phase
• Readying for an attack
• Securing mitigation solutions, deploying appropriate security systems, etc.

2. During the Attack Phase
• Assemble the required manpower and expertise
• Consider that you may only experience a few attacks per year

3. Post-Attack Phase
• Conducting forensics, drawing conclusions and improving for the next attack
• Search for additional competencies externally – from security experts, vertical alliances, or government services
• On-demand service

Page 21: 5 Ways To Fight A DDoS Attack

Our Approach When Not Under the Gun

Logic | Assessment | Portfolio Investment

• Review Security Portfolio
• Develop 24 month investment roadmap
• Identify Gaps
• Remediate Gaps

• Let Board know there are no guarantees

**Don’t make it easy for them (attackers)

Page 22: 5 Ways To Fight A DDoS Attack

Security Scoreboard

Source: RedZone Technologies

Page 23: 5 Ways To Fight A DDoS Attack

Security Scoreboard – Multi-year Security, Identity and Privacy Strategy (SIP), mapped against Compliance Requirements

• Client Integrity: PC firewalls, USB Mgmt, Laptop Mgmt, Email Encryption
• Intelligent Perimeters: Firewalls, UTM devices, IDP/IDS, SPAM Filters, VPNs, SSL/VPN, Web Mail
• Identity Access Control – Authentication: Two factor Authentication, Biometrics, Key fob (two factor)
• Identity Access Control – Enterprise Single Sign On: Secure Password Management and Building access Mgmt through an Appliance or Application rewriting
• Identity Access Control – Provisioning/Deprovisioning: Single Directory with process and system ‘tie-ins’, Federation
• Identity Access Control – Authorization & Roles: Strategic creation of roles based on job function, not individualized on a per-user basis
• Identity Access Control – Directory (Foundation): Microsoft AD, Novell, Open LDAP, etc.

Across all columns: Monitor | Logging | Reporting

Source: RedZone Technologies

Page 24: 5 Ways To Fight A DDoS Attack

PURE POWER IS BIG ENABLER


• Attacks reach 40+ gigabits/second

• Attacker only needs 2,000+ servers

• Targets have to invest substantial resources to defend

• Reflective DNS attacks still major “weapon”

• Tactics have adapted to counter measures

• Attacks are more intelligent and deadly

Source: RSA

Page 25: 5 Ways To Fight A DDoS Attack

Pure Network Attack Against the Credit Union

Diagram labels: The CU, Server (Any)

Source: RSA

Page 26: 5 Ways To Fight A DDoS Attack

Pure Network Attack Against the ISP Router

Diagram labels: ISP Router, CU Security Gear (image: The droidguy.com)

Source: RSA

Page 27: 5 Ways To Fight A DDoS Attack

Content DDoS

Normal: ask for one file and wait for the answer

DDoS: ask for hundreds of files and ignore the answers

Diagram: Example 1 (normal) and Example 2 (DDoS)

Source: RSA

Page 28: 5 Ways To Fight A DDoS Attack

Content DDoS

One example of content DDoS is using the server’s SSL certificate against it: every SSL handshake the attacker opens forces the server to do public-key work that costs it far more CPU than the handshake costs the client, so a modest number of clients can exhaust a front end without sending much traffic.

Source: Radware
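The "ask for hundreds of files and ignore the answers" pattern on Page 27 and the handshake-cost asymmetry on Page 28 are what a per-client request budget at the web front end (the Web Application Firewalling role the deck lists under vendor options) is meant to absorb. The following is an added example, not code from the deck or from RedZone; the cost weights, rate limits, client addresses and request stream are assumptions constructed for illustration.

```python
"""Per-client request budget weighted by server-side cost: the control a WAF
or load balancer applies against content DDoS.

Added example, not code from the deck or from RedZone. Cost weights, rate
limits, addresses and the request stream are assumptions constructed for
illustration.
"""
from collections import defaultdict

# Relative server-side cost of each request class (assumed). A cached static
# object is cheap; a dynamic page or a fresh TLS handshake is not, which is
# why "ask for hundreds of files and ignore the answer" hurts.
COST = {"static": 1, "dynamic": 10, "tls_handshake": 20}


class ClientBudget:
    """Token bucket per client IP: refills at `rate` tokens/s, holds at most `burst`."""

    def __init__(self, rate=5.0, burst=50.0):
        self.rate = rate
        self.burst = burst
        self.tokens = defaultdict(lambda: burst)   # new clients start with a full bucket
        self.last_seen = {}

    def allow(self, ip, kind, now):
        """Charge the request's cost against the client's bucket; False means reject."""
        cost = COST[kind]
        elapsed = now - self.last_seen.get(ip, now)
        self.last_seen[ip] = now
        self.tokens[ip] = min(self.burst, self.tokens[ip] + elapsed * self.rate)
        if self.tokens[ip] >= cost:
            self.tokens[ip] -= cost
            return True
        return False


def burst_of(ip, kind, count, start, interval):
    """Build a run of (time, ip, kind) events for the constructed stream."""
    return [(start + i * interval, ip, kind) for i in range(count)]


# Constructed stream: 203.0.113.5 fires 40 dynamic requests in two seconds and
# never reads the replies; 198.51.100.20 browses normally (a static hit every
# half second plus two dynamic pages).
SAMPLE_STREAM = sorted(
    burst_of("203.0.113.5", "dynamic", 40, 0.0, 0.05)
    + burst_of("198.51.100.20", "static", 10, 0.0, 0.5)
    + [(1.0, "198.51.100.20", "dynamic"), (3.0, "198.51.100.20", "dynamic")]
)


def run(stream, rate=5.0, burst=50.0):
    """Replay a time-ordered stream and return per-client allowed/rejected counts."""
    budget = ClientBudget(rate=rate, burst=burst)
    outcome = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for now, ip, kind in stream:
        key = "allowed" if budget.allow(ip, kind, now) else "rejected"
        outcome[ip][key] += 1
    return dict(outcome)


if __name__ == "__main__":
    for ip, counts in run(SAMPLE_STREAM).items():
        print(ip, counts)
```

Weighting by cost is the point: the flood of expensive dynamic requests is cut off after the first few while the normal client is never rejected, because its spending stays under the refill rate. The limitation matches the deck's Random Botnet slide: a bucket keyed on source IP only helps while the attacker uses a small number of sources; a botnet that keeps each bot under the limit needs upstream scrubbing or aggregate anomaly detection instead.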

Page 29: 5 Ways To Fight A DDoS Attack

DNS DDoS (Amplification)

Diagram labels: CU Members

Source: RSA

Page 30: 5 Ways To Fight A DDoS Attack

Random Botnet

Diagram labels: Credit Union

Source: RSA

Page 31: 5 Ways To Fight A DDoS Attack

What To Check

• Firewall – Basic DDoS Network Protection

• Load Balancers – Network DDoS Protection

• ISP Router – does it answer to the internet? (do you let people ping?)

• Where is your DNS hosted? On a single server? With the ISP? Self-hosted behind your own security gear (best), or with a secure cloud DNS provider (best)?

• IDS/IPS and Security Services at the edge of your network


Page 32: 5 Ways To Fight A DDoS Attack

What To Check

Source: Ulrich, RSA

Defense

• Block DNS responses from servers that don’t need to see them

• Only answer queries for which server is authoritative

• Limit access to recursive name servers to internal users

Offense

• Attacker uses queries for which server is authoritative

• Attacker compromises servers with substantial bandwidth

• Use of “ANY” queries (the reply carries every record for the name)

• Use of EDNS0 (lets the UDP reply exceed 512 bytes, so a small spoofed query yields a large response at the victim)
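A concrete way to act on the Page 32 checklist is to read your own name server's query log for the offensive pattern it describes: ANY plus EDNS0, and recursion requested for zones you are not authoritative for. This is an added example, not code from the deck or from RedZone; the log lines are constructed in BIND 9 querylog style, and the zone list, threshold and addresses are assumptions.

```python
"""Spot DNS amplification abuse in an authoritative server's query log.

Added example, not code from the deck or from RedZone. The log lines below are
constructed in BIND 9 querylog style; the zone list, threshold and addresses
are assumptions for illustration.
"""
import re
from collections import defaultdict

# Zones this server is authoritative for (assumed).
AUTHORITATIVE_ZONES = ("examplecu.test.",)

# Constructed line shape: "client IP#port (qname): query: name IN TYPE flags (server-ip)"
# flags: leading '+' = recursion desired, '-' = not; E(0) = EDNS version 0;
# D = DNSSEC OK bit.
LOG_LINE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ \([^)]*\): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample: one source hammering ANY+EDNS0 (amplification pattern),
# one asking us to recurse for a zone that is not ours, one normal client.
SAMPLE_LOG = """\
client 203.0.113.9#4242 (examplecu.test): query: examplecu.test IN ANY +E(0) (192.0.2.53)
client 203.0.113.9#4242 (examplecu.test): query: examplecu.test IN ANY +E(0) (192.0.2.53)
client 203.0.113.9#4242 (examplecu.test): query: examplecu.test IN ANY +E(0) (192.0.2.53)
client 203.0.113.9#4242 (examplecu.test): query: examplecu.test IN ANY +E(0) (192.0.2.53)
client 198.51.100.7#51000 (www.examplecu.test): query: www.examplecu.test IN A -E(0) (192.0.2.53)
client 198.51.100.7#51001 (isc.org): query: isc.org IN ANY +E(0)D (192.0.2.53)
client 192.0.2.200#33000 (www.examplecu.test): query: www.examplecu.test IN A - (192.0.2.53)
"""


def parse_line(line):
    """Return the fields we need from one querylog line, or None if it does not match."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    return {
        "ip": m.group("ip"),
        "name": m.group("name").rstrip(".").lower() + ".",  # canonical FQDN
        "qtype": m.group("qtype").upper(),
        "rd": flags.startswith("+"),
        "edns": "E(" in flags,
    }


def in_authoritative_zone(name):
    """True if `name` (canonical FQDN) is at or below one of our zones."""
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def analyse(log_text, any_threshold=3):
    """Map source IP -> list of reasons for sources that look like reflection abuse."""
    any_counts = defaultdict(int)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        # Recursion requested for a name outside our zones: an authoritative-only
        # server must refuse this; if the log shows it, the server is an open resolver.
        if q["rd"] and not in_authoritative_zone(q["name"]):
            findings[q["ip"]].append(f"recursive query for foreign zone {q['name']}")
        # ANY + EDNS0: the smallest query that yields the largest UDP response.
        if q["qtype"] == "ANY" and q["edns"]:
            any_counts[q["ip"]] += 1
    for ip, n in any_counts.items():
        if n >= any_threshold:
            findings[ip].append(f"{n} ANY+EDNS0 queries (amplification pattern)")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On a correctly configured authoritative-only server (BIND: `recursion no;`, or `allow-recursion` limited to internal users, as the Defense bullets say) the "foreign zone" finding should never appear; if it does, the server is an open resolver and a usable reflector. The ANY count is a heuristic, not an attribution: in a reflection attack the source address is the spoofed victim, which is why response rate limiting on the server, rather than blocking the source, is the usual mitigation.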

Page 33: 5 Ways To Fight A DDoS Attack

Vendor Options


Page 34: 5 Ways To Fight A DDoS Attack

Source: Blue Coat

Page 35: 5 Ways To Fight A DDoS Attack

Source: RSA

Page 36: 5 Ways To Fight A DDoS Attack


The Dell SonicWALL Threats Research Team discovered a new Trojan spreading through drive-by downloads from malicious links.

The Neglemir Trojan was found reporting to a Botnet infrastructure and performing DDoS (Distributed Denial of Service) attacks on selected targets in China.

During our analysis, we found it targeting various servers belonging to China Telecom as well as websites selling tools for The Legend of Mir, an online multiplayer roleplaying game.

• Web Application Firewalling – Content DDoS
• NSA UTM protection – Network DDoS
• Spam Filtering – Phishing Relevance

Source: Dell

Page 37: 5 Ways To Fight A DDoS Attack


A new malware threat for the Mac, called “Pintsized,” attempts to set up a secure connection for a remote hacker to connect through and grab private information.

This backdoor Trojan can be used to conduct distributed denial of service (DDoS) attacks, or it can be used to install additional Trojans or other forms of malicious software. The Trojan stays hidden by disguising itself as a file that is used for networked printers in Mac OS X.

This tactic conceals the Trojan and makes a monitor think that a printer is seeking access to the network, thus evading traditional signature-based detection systems. http://alrt.co/15ekmXW

Takeaway: Distributed denial-of-service attacks (DDoS) can be minimized or even completely mitigated by a properly planned Web security infrastructure consisting of global DNS as well as Web application firewalls.

• Web Security Monitor
• Threat Manager

Source: AlertLogic

Page 38: 5 Ways To Fight A DDoS Attack

In Summary - Plan

Source: Google Images

Page 39: 5 Ways To Fight A DDoS Attack

Upcoming Events

BYOD | MDM | Mobile Policy Management | Compliance | Advanced Threats (APTs) | Security Portfolio Investment Risk

In this symposium learning event, Credit Union IT Chiefs will learn to Go Hunting for Malware & Crimeware. We will cover 15 major areas of an IT Security and Infrastructure Best Practices program. Some highlights of the learning and education will be:
• Centralized deployment of applications and data
• BYOD, MDM and Mobility
• Perform Compliance functions with ease
• Increase Security effectiveness, management, and auditing on a tight budget
• Advanced Threat Education on APTs

Wednesday, June 12th from 11:30am to 5:00pm
Eggspectations in Columbia

Page 40: 5 Ways To Fight A DDoS Attack

Security Scoreboard

Source: RedZone Technologies

Page 41: 5 Ways To Fight A DDoS Attack

Pyramid of Networking Success – Assessment Foundation

BONES: IP Addressing, Routers, and Switches
MUSCLES: NOS Services (DHCP, WINS, and DNS)
BRAIN: The Windows Domain / Active Directory

Layers of the pyramid (diagram):
• Security Edge to Core
• NOS, Networking and Name Resolution
• Foundation Network Services
• Desktop and Server Management
• Compliance, Risk Mgmt, Monitoring, WAN QoS, Reporting
• Data Protection, Backup and Recovery

Source: RedZone Technologies

Page 42: 5 Ways To Fight A DDoS Attack

RZ Assessment

• RedZone will assess your risk

• Examine a number of factors

• Score you based on those factors (RZ Scoreboard)

• Better to be proactive and assess now to find potential weaknesses than to be reactive after you’ve already been hacked


Page 43: 5 Ways To Fight A DDoS Attack

Security Scoreboard

Source: RedZone Technologies

Page 44: 5 Ways To Fight A DDoS Attack

Summary

• What are your zero-day protection options? Check your current vendors or the vendors on the following page

• What are your BotNet IP options? Check your current vendors or the vendors on the following page

• How do you enable Global IP Filter protection? Check your current vendors or the vendors on the following page

• How do you alert on fraud communication in advance?

• What are some vendor product options for advanced content security?

Page 45: 5 Ways To Fight A DDoS Attack

Q&A
