How to Prepare for IPv6 DDoS attack

IPv6 DDoS attacks are a persistent problem. Read more about why they have become so rampant and how to prepare your business. 

IPv6 DDoS: Explanation

Every device on the Internet is assigned an IP address that identifies it and locates it in the network. With the rapid growth of the Internet after its commercialization in the 1990s, it became evident that far more addresses would be needed to connect devices than the IPv4 address space had available.

Because there are fewer than 4.3 billion IPv4 addresses available, depletion has been anticipated since the late 1980s, when the Internet started to experience dramatic growth. This depletion is one of the reasons for the development and deployment of its successor protocol, IPv6. Currently, IPv4 and IPv6 coexist on the Internet.

The total number of possible IPv6 addresses (2^128) is more than 7.9×10^28 times the number of IPv4 addresses (2^32, approximately 4.3 billion). The two protocols are not designed to be interoperable, so an IPv6-only host cannot talk to an IPv4-only host without a translation or tunneling mechanism, which complicates the transition to IPv6.

IPv6 DDoS: Why are they being attacked?

IPv6 does not replace the existing attack surface; it adds a second one, with far more room for an attacker to work in. IPv4 provides approximately 4.3 billion unique 32-bit addresses, while IPv6 uses 128-bit addresses and gives attackers more than 340 undecillion (about 3.4×10^38) addresses to play with, together with new on-link protocols such as Neighbor Discovery that IPv4-oriented defenses know nothing about.

Attackers know what is coming, even though only around 25% of websites fully support IPv6 today. The problem begins when IPv6 is already enabled on the company’s network, whether or not the administrators are aware of it: most modern operating systems ship with IPv6 on by default, so hosts form link-local addresses and, as soon as any router on the segment advertises a prefix, global addresses too, and quietly start using them. Many IPv4 DDoS attacks can be replicated over IPv6, and attackers are already testing new IPv6-specific methods.

Many on-premises DDoS mitigation tools are not yet fully IPv6-aware, just as countless network security devices have never been configured to apply the same rule set to IPv6 traffic as to IPv4 traffic. Even large vendors of VPN services have recently been found to protect only IPv4 traffic while letting IPv6 traffic travel outside the tunnel (so-called IPv6 leakage), even though their clients sit on dual-stack hosts.

How to prepare for IPv6 DDoS attacks

As IPv6 becomes a larger part of your enterprise’s network, your exposure to every form of IPv6 DDoS attacks will increase. According to a recent report, “Administrators need to familiarize themselves now with the Secure Neighbor Discovery (SEND) protocol, which can counter some potential IPv6 DDoS attack techniques; an IPv6 node uses the Neighbor Discovery (ND) protocol to discover other network nodes but is susceptible to malicious interference.”

“Network administrators should audit their systems and review how devices handle IPv6 traffic and run a sense-check to ensure that there are no configuration settings that could lead to exploitable vulnerabilities and that tools have feature and hardware parity in both IPv4 and IPv6.”
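A concrete way to run the parity audit the quoted advice calls for, and to catch the “same rules for IPv4 but not for IPv6” gap described above, is to diff the two rulesets mechanically. The script below is an added example written for this article, not code from the original page or from any vendor. It parses output in the format produced by `iptables-save` and `ip6tables-save` (the two rulesets embedded in it are constructed for illustration), then reports chains whose default policy differs and ports that only one of the two stacks accepts. The regexes assume the classic `-A CHAIN ... --dport N -j ACCEPT` rule form; adapt them if you use nftables.

```python
import re

# Constructed rulesets for illustration, in the format produced by
# `iptables-save` and `ip6tables-save`. Substitute the real output of those
# commands on the host you are auditing.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]" lines carry the default policy of built-in chains.
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT)\b")
# "-A CHAIN <matches> -j TARGET" lines are the rules themselves.
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")


def parse_save(text):
    """Return (chain policies, set of (chain, proto, port) that a rule ACCEPTs)."""
    policies, accepts = {}, set()
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m or "-j ACCEPT" not in line:
            continue
        chain, body = m.groups()
        proto = re.search(r"-p\s+(\S+)", body)
        ports = re.search(r"--dports?\s+(\S+)", body)
        if ports:  # rules without a port match (lo, conntrack, icmp) are not port grants
            for port in ports.group(1).split(","):
                accepts.add((chain, proto.group(1) if proto else "any", port))
    return policies, accepts


def audit_parity(v4_text, v6_text):
    """Compare an IPv4 and an IPv6 ruleset and return where they diverge."""
    v4_pol, v4_acc = parse_save(v4_text)
    v6_pol, v6_acc = parse_save(v6_text)
    return {
        "policy_mismatch": {
            chain: (v4_pol.get(chain), v6_pol.get(chain))
            for chain in sorted(set(v4_pol) | set(v6_pol))
            if v4_pol.get(chain) != v6_pol.get(chain)
        },
        "ipv6_only": sorted(v6_acc - v4_acc),
        "ipv4_only": sorted(v4_acc - v6_acc),
    }


def report(findings):
    """Render the audit result as one line per finding."""
    lines = []
    for chain, (p4, p6) in findings["policy_mismatch"].items():
        lines.append(f"policy mismatch on {chain}: IPv4 {p4} vs IPv6 {p6}")
    for chain, proto, port in findings["ipv6_only"]:
        lines.append(f"{chain} accepts {proto}/{port} on IPv6 only")
    for chain, proto, port in findings["ipv4_only"]:
        lines.append(f"{chain} accepts {proto}/{port} on IPv4 only")
    return lines


if __name__ == "__main__":
    for line in report(audit_parity(IPTABLES_SAVE, IP6TABLES_SAVE)):
        print(line)
```

On the constructed input the audit flags the IPv6 INPUT and FORWARD chains defaulting to ACCEPT while IPv4 drops, a database port opened only over IPv6, and HTTPS allowed only over IPv4. When you bring the IPv6 policy in line with IPv4, do not simply copy a DROP-everything policy across: IPv6 depends on ICMPv6 for Neighbor Discovery and Path MTU discovery, so the ICMPv6 message types recommended in RFC 4890 must remain permitted.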

The massive address space is another area of concern. One IPv6 DDoS technique sends traffic to random addresses inside a target’s on-link prefix, counting on almost all of those addresses being unused. For every unknown destination the last-hop router must run Neighbor Discovery: it creates a neighbor cache entry in the INCOMPLETE state and sends Neighbor Solicitations to the solicited-node multicast group asking which Layer 2 address owns the IP, and nothing ever answers. With enough packets the router’s neighbor cache and CPU are tied up resolving addresses that do not exist (the neighbor cache exhaustion problem described in RFC 6583). A standard IPv6 subnet is a /64, so the attacker can pick from 2^64 addresses and the chance of hitting a real host is effectively zero, which makes the amplification far greater than the equivalent ARP flood against an IPv4 /24.

To tackle this problem, configure the router with a black-hole (null or discard) route covering the part of the prefix that is not in use, and more specific routes, ideally /128 host routes, for each real endpoint. Longest-prefix match guarantees that traffic for a real endpoint matches its host route and is forwarded, while traffic for any other address in the prefix matches only the black hole and is dropped before Neighbor Discovery is ever triggered. The host-route list has to be kept in sync with your asset inventory, and RFC 6583 lists complementary mitigations such as rate-limiting Neighbor Discovery on the router and using /127 prefixes on point-to-point links (RFC 6164) so there is no address space to sweep there at all.
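The following added example (not code from the original article) models the black-hole-plus-host-routes scheme so you can watch longest-prefix match do the work. The prefix, endpoint list and interface name are constructed for illustration: `build_routing_table` derives the routes from an inventory, `lookup` performs the same longest-prefix match a router does, `linux_commands` renders the result as `ip -6 route` commands for a Linux router, and `simulate_spray` shows how many randomly addressed packets still reach Neighbor Discovery.

```python
import ipaddress
import random

# Constructed inventory for illustration (documentation prefix, RFC 3849).
LAN_PREFIX = "2001:db8:1::/64"
REAL_ENDPOINTS = [
    "2001:db8:1::10",
    "2001:db8:1::20",
    "2001:db8:1:0:1234:5678:9abc:def0",
]


def build_routing_table(lan_prefix, endpoints):
    """One blackhole covering the whole LAN prefix plus a /128 forwarding
    route per known endpoint. Returns a list of (network, action)."""
    lan = ipaddress.IPv6Network(lan_prefix)
    table = [(lan, "blackhole")]
    for ep in endpoints:
        host = ipaddress.IPv6Network(f"{ep}/128")
        if not host.subnet_of(lan):
            raise ValueError(f"{ep} is not inside {lan}")
        table.append((host, "forward"))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific entry containing dst wins,
    so a /128 host route beats the /64 blackhole."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for net, action in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "no-route"


def linux_commands(table, iface="eth0"):
    """Render the table as Linux `ip -6 route` commands. The blackhole must
    win over the interface's own connected /64 route (same prefix length),
    so it is given a lower metric than the kernel's default of 256."""
    cmds = []
    for net, action in table:
        if action == "blackhole":
            cmds.append(f"ip -6 route add blackhole {net} metric 1")
        else:
            cmds.append(f"ip -6 route add {net} dev {iface}")
    return cmds


def simulate_spray(table, packets=10000, seed=7):
    """Model an attacker spraying packets at random addresses in the LAN
    prefix; count how many would reach Neighbor Discovery vs. the blackhole."""
    lan = table[0][0]
    rng = random.Random(seed)
    base = int(lan.network_address)
    counts = {"forward": 0, "blackhole": 0}
    for _ in range(packets):
        dst = ipaddress.IPv6Address(base + rng.randrange(lan.num_addresses))
        counts[lookup(table, dst)] += 1
    return counts


if __name__ == "__main__":
    table = build_routing_table(LAN_PREFIX, REAL_ENDPOINTS)
    for cmd in linux_commands(table):
        print(cmd)
    print(lookup(table, "2001:db8:1::10"), lookup(table, "2001:db8:1::dead:beef"))
    print(simulate_spray(table))
```

With three real hosts in a /64, essentially every sprayed packet lands in the black hole and never creates a neighbor cache entry. The metric detail matters on Linux: the kernel installs a connected route for the interface’s own /64, and a blackhole of the same length only takes effect if it is preferred.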

Related: https://cybriant.com/understanding-cybersecurity-attack-vectors/

Continuous Network Monitoring like a…Fitbit?

The single best analogy for continuous network monitoring: Fitbit. What does this mean and what can a Fitbit tell you about continuous network monitoring?

First of all, what do we mean by continuous network monitoring?

Continuous monitoring is an ancient concept dating back to warring factions using arrows, clubs, and spears. The Babylonians in 539 BC didn’t think they needed to monitor their defenses because their defenses were so impenetrable—that is, until the Persians dammed up the river to sneak in through what turned out to be an unmonitored vulnerability. More recently, we’ve seen references to multiple break-ins that relied on gaining a foothold through one or more vulnerabilities that may or may not have been known.

“Because of continuous changes in the threat and monitoring landscape, over the past few years, monitoring has become so important that federal agencies are now required to continuously monitor their systems and defenses. Outside the federal government, IT organizations in almost every sector are required to maintain and monitor their computers to various degrees.”

“Continuous monitoring is a cycle consisting of four basic phases: discovery, analysis, tuning, and reporting. Each of these basic phases has multiple parts, but simplifying the basic phases makes the entire process applicable to a wider range of situations. These are not individual phases that run in sequence; all four phases need to be going on continuously.”

Thank you to the SANS reading room for that great explanation of continuous monitoring!

Back to the Fitbit example

Many of us have learned through our Fitbit that we’re not sleeping enough, exercising enough, or eating correctly. It’s the same scenario with continuous network monitoring, although it monitors your organization’s security posture instead of tracking your personal health.

There are typically 5 critical cyber controls when it comes to continuous network monitoring:

1. Discover all assets: Asset discovery is critical! But many find this step the most difficult. Legacy tools aren’t sufficient to cover it. You should include identification of all authorized or unauthorized hardware and software, transient devices and applications, unknown endpoints, BYOD devices, network devices, platforms, operating systems, virtual systems, cloud applications, and services. The optimum solution should include a combination of automated discovery technologies running in near real-time.

2. Continuously remove vulnerabilities from all assets: New vulnerabilities appear constantly, so removing them has to be a regular, continuous program rather than a one-off project. Procedures should cover three areas:

  • Applying software, hardware, and cloud service patches to remove vulnerabilities
  • Applying configuration changes to limit malicious exploits
  • Applying additional host or network-based security monitoring

3. Deploy a secure network: Network security should be a daily practice. For each asset, one or several mitigating technologies can be deployed to prevent or detect malicious activity. For example, host-based technologies include anti-virus, application white-listing, and system monitoring; network-based technologies include activity monitoring, intrusion prevention, and access control; auditing cloud-based technologies can be done with APIs, threat subscriptions, and network monitoring or endpoint system monitoring.

4. Give users access to the systems and data they need: All users should have a demonstrated business need to access specific systems and data. Limit and control administrative privileges, avoid using default accounts, enforce strong password creation, and log all accesses.

5. Continually hunt for malware and vulnerabilities that could potentially attack the well-being of your network: You must actively monitor your systems for anomaly detection and exploitation. It is frankly unrealistic to expect your systems to be 100% incident free. Attackers acquire new technologies every day; you have to stay one step ahead of them by proactively managing your systems with near real-time continuous scanning for viruses, malware, exploits, and inside threats. Each of the previous 4 controls makes your search for malicious activity easier and creates several audit trails to be used in forensic analysis.

These controls are at the heart of continuous network monitoring, to help you track the vital signs of your systems. If you aren’t sure where to start, take a look at our Modern Approach to Vulnerability Scanning.

IT teams deploying continuous network monitoring for the first time often find they are not remediating their vulnerabilities as fast as they thought, are not monitoring their users as thoroughly as they believed, and are spending precious resources working on the wrong risk reduction programs. Regardless of the industry sector, every executive needs some form of assurance that the organization’s cyber assets are protected.

Every company that leverages networks, mobility, cloud, and virtualization is subject to the threat of network attacks and the demands of regulatory compliance.

Many of Cybriant’s customers deploy our continuous network monitoring solutions as a peer to their business systems. Our solutions help assure that the IT organization is not adding new types of cyber risks, so executives can be confident the business is operating safely over the Internet.

Modern Day Problems with Continuous Network Monitoring

Unknown Assets and Devices

An asset is no longer just a laptop or server. It’s now a complex mix of digital computing platforms and assets which represent your modern attack surface, including cloud, containers, web applications, and mobile devices. Proactively discover true asset identities (rather than IP addresses) across any digital computing environment and keep a live view of your assets with our managed vulnerability management service.

Sporadic Vulnerability Scans

Periodic vulnerability scans, like annual physicals, are limited in the type of protection that they can provide to assure system fitness. However, continuous network monitoring is a game-changing technology and is becoming the new normal. Continuous network monitoring is not a fad; it implements the 5 healthy best practices your organization should be monitoring and provides daily visibility into your progress. Tenable is proud to be leading the trend.

Performing only a single vulnerability scan each year or quarter puts organizations at risk of not uncovering new vulnerabilities. The time between each scan is all an attacker needs to compromise a network. With continuous scanning, our security experts automatically have visibility to assess where each asset is secure or exposed.

Prioritized Risk

By using risk prioritization, our security experts have the skills to understand exposures in context. They will prioritize remediation based on asset criticality, threat context, and vulnerability severity. Our reporting will help you prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique.

Introduction to The Modern Approach to Vulnerability Scanning

Today’s enterprise networks are in a perpetual state of flux. The use of mobile devices to access corporate data is skyrocketing. More IT services are being delivered via the cloud than ever before. And users are constantly subscribing to SaaS-based applications, including file sharing applications like Box, Dropbox, and Google Drive, without IT’s consent. Meanwhile, hardly a day goes by without reports of a major data breach appearing in the trade rags or some high-profile cyberattack being featured on the evening news.

But why? Are the bad guys getting smarter? Or are our existing defenses becoming outdated? Perhaps it’s a bit of both. Innovations in continuous network monitoring are giving savvy IT security teams a leg up in mitigating risks associated with advanced threats. Unlike legacy vulnerability management systems that rely on active scanning, continuous network monitoring provides real-time visibility into mobile devices, virtual platforms, cloud applications, and network infrastructure — including their inherent security risks. If you and your colleagues are tasked with reducing network security risks while maintaining compliance with industry or government regulations, then this book is for you.

Download the ebook today: https://www.cybriant.com/modern-approach-to-vulnerability-scanning-2/

Real-time Vulnerability Management

The larger the gap between the moment an exposure appears on your network and the moment you find and fix it, the greater the risk of a business-impacting cyber event. Traditional vulnerability management is no longer sufficient. Managed Vulnerability Management extends it by covering the breadth of the attack surface (IT, cloud, IoT/OT) and providing depth of insight into the data (prioritization, analytics, decision support). We help security leaders answer the following questions:

Where are we exposed?

What assets are affected, where, and what is the significance/severity? The changing technology and threat landscape have made this harder to see.

Where should we prioritize based on risk?

Data overload and lack of security staffing have made this more important than ever.

How are we reducing exposure over time?

Security leaders want to understand and report on their progress and show the value of their investments to senior management.

If you are unsure how to respond to these questions, let’s talk.

When you outsource your vulnerability management to a security provider like Cybriant, you’ll be able to:

  • Discover: Identify and map every asset for visibility across any computing environment
  • Assess: Understand the state of all assets, including vulnerabilities, misconfigurations, and other health indicators
  • Analyze: Understand exposures in context, to prioritize remediation based on asset criticality, threat context, and vulnerability severity
  • Fix: Prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique
  • Measure: Model and analyze cyber exposure to make better business and technology decisions
  • Report: Cybriant’s security experts report to security and IT teams, giving them complete and accurate visibility and insight.

Cybersecurity Standards for Compliance

There are many different types of government and financial compliance requirements. It is important to understand that these compliance requirements are minimal baselines that can be interpreted differently depending on the business goals of the organization. Compliance requirements must be mapped with the business goals to ensure that risks are appropriately identified and mitigated.

For example, a business may have a policy that requires all servers with customer personally identifiable information (PII) on them to have logging enabled and minimum password lengths of 10 characters. This policy can help in an organization’s efforts to maintain compliance with any number of different regulations. These compliance checks also address real-time monitoring such as performing intrusion detection and access control.

Common compliance regulations that require continuous monitoring include, but are not limited to:

  • Center for Internet Security Benchmarks (CIS)
  • Control Objectives for Information and related Technology (COBIT)
  • Defense Information Systems Agency (DISA) STIGs
  • Federal Information Security Management Act (FISMA)
  • Federal Desktop Core Configuration (FDCC)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • ISO 27002/17799 Security Standards
  • Information Technology Infrastructure Library (ITIL)
  • National Institute of Standards and Technology (NIST) configuration guidelines
  • National Security Agency (NSA) configuration guidelines
  • Payment Card Industry Data Security Standards (PCI DSS)
  • Sarbanes-Oxley (SOX)
  • Site Data Protection (SDP)
  • United States Government Configuration Baseline (USGCB)
  • Various State Laws (e.g., California’s Security Breach Notification Act – SB 1386)

Yay for Boring Security!

In the recent article, “Is My Company Secure,” we discussed how monitoring is the ‘boring’ phase of selecting a security framework. But, in the end, don’t you want security to be boring?

By using a framework, we convert information security from what is at best a hodgepodge of duct tape into a strategy. The strategy takes us from reaction to prevention, and that takes us from front-page news to a boring company that protects its customers’ data. In security, you want to be boring.

Just like a Fitbit, Continuous network monitoring takes a holistic approach to monitoring security well-being. Not only does it discover all assets and track them for vulnerabilities, but it also monitors networks in real-time for threats, gathers contextual analytics, and provides assurance that mitigating controls are in place.

Continuous network monitoring keeps you on track, continually making progress towards improving your security posture and meeting your business goals, just like a Fitbit does for your health.

About Cybriant

Cybriant is a holistic cybersecurity service provider which enables small and mid-size companies to deploy and afford the same cyber defense strategies and tactics as the Fortune 500. We design, build, manage, and monitor cybersecurity programs. Follow Cybriant @cybriantmssp and cybriant.com.




Download: The Modern Approach to Vulnerability Scanning

This simple ebook can help move your organization into the modern era of real-time vulnerability management!

How to Avoid Cybersecurity Scams in the Real Estate Industry

Consider the situation: your clients are purchasing their dream home. As you help them prepare for the closing, they tell you that they have already wired the closing costs and down payment following the instructions you sent them by email. You never sent those instructions. Your clients have been scammed, and it is likely because a phishing scam planted malicious software on your computer or handed the attacker your email credentials, letting them send forged wire instructions in your name.

Cybercriminals are targeting and attacking real estate professionals because of the amount of personal and confidential information that is stored and exchanged on their personal devices.

There are some simple steps that everyone in the real estate industry can take to avoid becoming a victim of these scams:

  • Educate your clients, in particular that you will never send or change wire instructions by email.
  • Use only secure access to email and devices (NO free wi-fi!).
  • Use secure cloud-based solutions; never send personal information as an email attachment or leave it stored on devices.
  • Avoid phishing attacks: do not click on anything suspicious.
The last step – avoid phishing attacks – may not be as easy as it seems.

Here are the top ways that cybercriminals have been attacking the real estate industry, and how to avoid them:

  1. Wire Fraud
    Attackers will try to steal personal information from the real estate agent, the closing officer, or the clients, then use it to send convincing but fraudulent wire instructions. Human error is the weak point, so be deliberate and stay vigilant: verify sender email addresses character by character, never share wire instructions via email, confirm any wire instructions (and any change to them) by phone using a number you already have on file rather than one printed in the message, and pay attention to unusual grammar or urgency.
  2. Email Phishing Scams
    Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details through spoofed emails that include links to fraudulent websites. These websites can download malicious software that will steal confidential information from your computer or mobile device. Be vigilant and always double check the spelling of popular website addresses and most importantly don’t give away personal information if you are unsure about the validity of the website.
  3. Texting Scam
    While this may not be a direct attack, it is often an attacker gathering personal information to prepare a spear-phishing attack, a more targeted form of phishing. Clicking a link in a scam text can also install malicious software on your device. Be just as vigilant with texts as with email: do not click links from an unverified source, and do not provide personal information to an unverified individual.
  4. Social Media Scam
    Promoting your real estate business on social media seems like an efficient way to generate new clients. Unfortunately, hackers are using social media to target real estate professionals. This can be in the form of someone contacting you supposedly from your company to assist you with your social media efforts over the phone. This is an attempt to gain access to your computer and install malicious software. Be aware and don’t willingly grant anyone access to your computer unless they are a verified source.
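As an added example written for this article (not code from the original page), the script below applies the checks from items 1 and 2 to a raw email: it compares the Reply-To domain with the From domain, flags a From domain that is within a couple of edits of one of your real domains, lists links that point outside those domains, and flags any mention of wire or bank details as something to confirm by phone. The trusted domains and both sample messages are constructed for illustration; a real deployment would read messages from your mail system and use your actual domains.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed data: the domains your brokerage and title company really use,
# plus one suspicious and one benign message of the kind described above.
TRUSTED_DOMAINS = {"example-title.com", "example-realty.com"}

SUSPECT_EMAIL = """\
From: Closing Dept <closing@example-tit1e.com>
Reply-To: escrow.update@mail-example.net
To: agent@example-realty.com
Subject: URGENT: updated wire instructions for tomorrow's closing
Content-Type: text/html

<p>Please use the <a href="http://example-tit1e.com.evil.example/wire">updated
wire instructions</a> before 5pm today. New routing number attached.</p>
"""

CLEAN_EMAIL = """\
From: Closing Dept <closing@example-title.com>
To: agent@example-realty.com
Subject: Closing confirmed for Thursday

See you at 10am Thursday. Bring two forms of ID.
"""


def normalize(domain):
    """Lower-case a domain and decode punycode so 'xn--' lookalikes compare
    against trusted names in their visible form."""
    try:
        return domain.encode("ascii").decode("idna").lower()
    except UnicodeError:
        return domain.lower()


def levenshtein(a, b):
    """Edit distance; a small distance between domains signals typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, trusted):
    """Return the trusted domain that `domain` imitates (within 2 edits), if any."""
    for t in trusted:
        if domain != t and levenshtein(domain, t) <= 2:
            return t
    return None


def is_trusted_host(host, trusted):
    """True only for a trusted domain itself or a real subdomain of it."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    from_dom = normalize(from_addr.rpartition("@")[2])
    if reply_addr:
        reply_dom = normalize(reply_addr.rpartition("@")[2])
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    imitated = lookalike(from_dom, trusted)
    if imitated:
        findings.append(f"From domain {from_dom} looks like {imitated}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href in re.findall(r'href="([^"]+)"', text, flags=re.I):
        host = normalize(urlparse(href).hostname or "")
        if host and not is_trusted_host(host, trusted):
            findings.append(f"link to untrusted host {host}")
    if re.search(r"\bwire\b|routing number|account number", text, re.I):
        findings.append("mentions wire/bank details: confirm by phone on a number already on file")
    return findings


if __name__ == "__main__":
    for flag in analyze(SUSPECT_EMAIL):
        print("!", flag)
    print("clean message flags:", analyze(CLEAN_EMAIL))
```

The edit-distance check catches the digit-for-letter swap in `example-tit1e.com`; the host check catches a link whose name merely begins with a familiar domain. None of these checks proves a message is fraudulent, which is why the last finding points back to the out-of-band phone confirmation: that step, not any filter, is what actually stops the wire from leaving.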

The bottom line is awareness, education, and ongoing training. Consider Managed Security Awareness from Cybriant. We’ll educate and test your employees and agents on an ongoing basis. We’ll schedule simulated phishing attacks on your employees and provide reports to management of the most ‘phish-prone’ employees. Based on those reports, we’ll provide the world’s largest library of cybersecurity training including interactive modules, videos, games, posters, and newsletters.

Prevent attackers by securing your human firewall.

Managed Cybersecurity Awareness Training