Do the Math: Multi-Layered Attacks = Need for More Sophisticated IT Security

Cover Story

Do the Math: Multi-Layered Attacks = Need for More Sophisticated IT Security

By Special Guest
Paul Mazzucco, Chief Security Officer, TierPoint
  |  July 11, 2017

Cyber criminals are after your corporate data, and they’re going to great lengths to get it. With the help of sophisticated botnets, the Internet of Things, and multi-layered attack strategies, the threat to sensitive customer data and intellectual property has grown stronger. Developing an effective security strategy starts with an understanding of how these attacks work and the motives behind them.

In the past, cyber attacks were often the work of casual hackers or petty criminals looking for an easy opportunity. Today, things have escalated. Just within the last year the Ukraine has accused Russian hackers of targeting its power grid, financial system, and other infrastructure; a Turkish hacker masterminded three cyber attacks that enabled $55 million to be siphoned off from bank machines around the world; Yahoo disclosed that data from more than one billion user accounts was compromised, making it the largest breach in history; and, perhaps the most insidious of all, three U.S. intelligence agencies reported that Russia likely acted covertly to meddle in the U.S. elections by hacking both the Democratic and Republican National Committees. So, as you can see, today’s hackers are a much more sophisticated bunch with more serious, and potentially devastating, goals.

The following are three basic types of hackers today.

1. Hacktivist groups that want to punish a corporation or country, usually for political reasons

The group, Anonymous is perhaps the most famous example.

2. Hostile governments and terrorist groups

The break in of the Democratic National Committee email server was alleged to have been done by Russian government hackers, while North Korea was the presumed perpetrator of the 2014 attack on Sony Pictures. China is a perennial hacker of both government and business systems.

3. Criminal organizations

The third type of hacker, criminal syndicates, commit by far the most attacks on IT networks: 72.4 percet of all cyber attacks in August 2016 were by crime groups, according to They do it for the same reason all criminals commit break ins – money.

When it comes to stolen data, crime pays – sometimes a lot. One set of stolen login credentials to a $2,000 bank account will net a thief $190 on the Dark Web, while login credentials to online payment services like PayPal (News - Alert) can bring in $20 to $300, depending upon the balance. Credentials to an online auction account can go for as much as $1,200. Imagine those numbers multiplied by the thousands.

But the real moneymaker in cyber crime is patient health and insurance data, because that data includes pretty much everything that criminals need to commit identity theft. With insurance information, a criminal can buy prescription drugs and resell them for significantly more, as well as apply for new credit cards, or just resell the data online to other criminals. Patient data can net from $500 to $1,800, depending upon the age of the person and his insurance coverage. Last year Banner Health in Phoenix, Ariz., was hit with an attack that affected 3.62 million individuals (patients, health plan members and beneficiaries, and even those who bought food and beverages with a credit card). NewKirck, a vender that issues insurance cards for payers in the health care insurance industry, was hacked, affecting 3.47 million individuals. And 21 Century Oncology Holdings’ network server was hacked, affecting 2.21 million individuals.

Federal authorities reported that the mishandling of HIPAA-protected data generated more than $9 million in fines in just the first six months of 2015 alone. Health care businesses and their associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit, according to the U.S. Department of Health and Human Services Office for Civil Rights. This includes an enterprise-wide risk analysis and corresponding risk management plan. As a result of these types of violations, recently Triple-S Management Corp. agreed to pay $3.5 million to settle OCR probes related to deficiencies in the company's HIPAA compliance program that were uncovered after multiple breach reports. Triple-S reportedly experienced at least eight separate breaches since 2010, five of which occurred in 2014. The breaches exposed protected health information of more than 1 million people.

For victims, it’s far worse than the theft of a credit card or banking password, because they can’t stop the fraud with just one or two calls. It can take years to repair a case of identity theft. The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies accept, process, store, or transmit credit card information maintain a secure environment. The PCI (News - Alert) DSS applies to any organization, regardless of size or number of transactions. PCI is not, in itself, a law. The standard was created by the major card brands Visa, MasterCard (News - Alert), Discover, AMEX, and JCB. At their acquirers’/service providers’ discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, and brand damage, etc., should a breach event occur.

But even with these documented breaches, bots still do much of the work for cyber criminals. More than 50 percent of web traffic is from bots, and about 30 percent of this is malicious, according to Imperva. A network of bots can be programmed to do repetitive tasks such as testing out passwords or querying databases. Bots are faster and more efficient than humans and botnets can continuously probe networks for weak spots, spam computer users with malware, or launch repeated DDoS attacks.

The growth of the Internet of Things has, unfortunately, provided criminals with a whole new army of potential bot devices, from web cameras and routers to smart building controls, most of which have weak security. IoT botnets make it possible to conduct much larger DoS attacks.

According to the Federal Trade Commission, as of January 2017, 25 billion objects were reported to be already online worldwide, in the process of gathering information by using sensors and communicating with each other via the internet. That number is rapidly increasing as consumer goods companies, auto manufacturers, health care providers, and other businesses invest in the latest connectivity technology. Advances have created devices that can help monitor health, make highways safer for driving, and make homes more energy efficient. But the FTC (News - Alert) says that as companies strive to make these smart devices easier to use and more efficient at gathering and sending data, privacy and security are becoming even more serious concerns.

To make the point in several extreme cases:

  • In a first of its kind case, police in Bentonville, Ark., recently investigating a murder requested the audio information collected by an Amazon Echo.
  • French hosting provider OVH suffered the largest attack yet in September, which reached 1 Tbps from several simultaneous attacks, and a single attack that reached nearly 800 Gbps. Unsecured IoT devices provide hackers with the firepower to bring down large, well-guarded networks.

Perhaps the scariest development, however, is this: DDoS attacks are increasingly deployed as smoke screens to provide cover for the real crime, typically a massive theft of data. While the IT staff is scrambling to identify and stem the DDoS attack, these professional criminals are quietly hacking in, under the radar.  Some recent examples:

  1. Hackers bombarded Carphone Warehouse with online traffic while they stole the personal and banking details of 2.4 million people.
  2. Cloud provider Linode recently suffered more than 30 DDoS attacks that appeared to be a ruse to distract attention from a breach of user accounts.
  3. As far back as 2011, hackers used massive denial of service attacks to distract Sony’s IT team, while they stole account information from millions of customers.
  4. The FFIEC has warned banks about the use of DDoS as a diversionary tactic “by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearinghouse transfers.”

Currently, about one third of all DDoS attacks are multi-vector ones that include more subtle invasions that never cross the IT security radar until it’s too late. It can take months of traditional manual effort for a team of security technicians to detect intrusions, during which time the thief may be clandestinely stealing data. However, with the arrival of artificial intelligence, the dawn of better security defenses is here.

AI allows security teams to constantly analyze data to detect breaches, and to improve upon performance. In other words, it can detect minute pattern differences, such as logins from Paris when the company's facility is located in Dallas. Besides identifying these threats, it can also use the information it gathers to improve upon its own functioning.

This technology surpasses the human capacity. Technician would never be able to filter through the copious amounts of constantly streaming information bits including logins, computer usage, and system infrastructure. They would never be able to keep on top of all that, let alone assess it. AI, on the other hand, can analyze it all quickly and effortlessly, 24 hours a day – never even taking a coffee break –while also studying for a PhD. Quite simply, AI can outsmart, outlast, crunch more numbers, detect more differences, and work much longer than any technician ever did on his or her most productive day.

So, how does an organization protect itself and its clients from this kind of break-in? The sophisticated nature of these multi-layered attacks make them more difficult to defend against. To insulate data, corporate security strategies must become equally as sophisticated to thwart cyberattacks. Here are the most effective steps an organization can take to prevent cyber theft:

  1. Identify the most critical portions of your business and make them a priority for protection.
  2. Move protection as far to the data center edge as possible.
  3. Don’t put data traffic protection in blocking mode.
  4. Stay aware of changing compliance requirements (PCI, HIPAA, GLBA etc.) in regard to protecting against attacks.
  5. Use a combination approach to ensure protection.
  6. Vet security products to ensure they are based on best practices rather than a new algorithm.
  7. Stay informed about promising new technologies such as bot classification and why they are so important.
  8. Seek out third-party cloud scrubbing tools, which help make DDoS attack prevention more affordable.

With cyberattacks growing more numerous, and much more harmful, than even a few years ago, CIOs must be constantly vigilant for new types of threats and educated on the best methods of protection. Remember, it’s not a matter of if you will experience a breach, it’s a matter of when. Insulating your company from hackers is a perpetual activity.

Edited by Alicia Young
Get stories like this delivered straight to your inbox. [Free eNews Subscription]