This Week In Security #4
Security is looking past what you know. With new threats and vulnerabilities found every day we’ll try to give you an organized weekly dose of security news. This is Koda Ops TWIS#4
Major DDoS attacks, everyone brace yourselves.
First, it was Krebs on security with a whopping 665gb attack, then we found out that something huge was lurking in the shadows; the Mirai botnet which is capable of pushing 1tb or more of traffic to DDoS anyone at any given time. At first, we saw this as a way to censor our community, but we didn’t put much thought into it. We all know Krebs gets attacked all the time and his site is nearly unstoppable. So what’s the next best option? Attack the backbone. “DDoS attacks aren’t scary,” I tell many security researchers that. What’s scary about them is how the botnets are formed and what the attackers choose to attack. So who’s the victim in today’s DDoS attack? DynDns, an Internet performance management company, that offers products to monitor, control, and optimize online infrastructure, as well as domain registration services and email products. For any readers that aren’t familiar with how DNS works, I’ll give you the basic gist. DNS is how you gain access to a site; It’s the Facebook in www.Facebook.com. Without it, you’d just get the IP address and that would make website surfing annoying, but it also does a few other things like keeping sites online. As of now, we’re seeing intermittent outages with Twitter, Domain.com, Amazon, Netflix and much more. The attackers are trying to tell us something. Personally, I think they are giving us a warning to stop ignoring them, that they do have power and we need to step up our game sooner than later. I’ll be tracking this and most likely writing a follow-up.
Rik Ferguson says there isn’t a cyber-security skills gap
With millions of jobs openings and many people in the field without jobs, one man makes it clear that the so-called skill gap is a lie. Ferguson was speaking at the national conference of the Australian Information Security Association (AISA) national conference in Sydney. He says the real problem is too many organizations are busy hiring pieces of paper and not bust enough hiring people. It’s pointless to list things such as a master degree in cyber-security as a qualification for a job because that degree didn’t exist till recently leaving many people out in the cold because HR refuses to look at your resume without paperwork to “Prove your skill set”
“You’re being conned. There’s no such thing. It doesn’t exist,” says Rik Ferguson, vice president for security research at Trend Micro. He’s talking about the much-discussed skills shortage in the cybersecurity sector.
Here at Koda Ops, we hire people based on passion, past experiences and a drive to learn. Our goal is to take starters and make them pros and take pros and make them legends.
The security service failed their cyber-security test
After a recent security audit for the U.S secret service, it seems that they have a lot of work to do. The U.S. Secret Service received poor marks after an audit by the Office of Inspector General. The investigative report blamed the security issues on a lack of proper oversight and because the Secret Service traditionally has not prioritized cyber-security. A number of weaknesses were found, including inadequate system security plans, systems with expired authorities to operate and a slew of other flaws in their overall security system. Rebecca Herold, CEO of Privacy Professor, said she knew people trying to implement strong security in government agencies are not always getting the necessary resources.
“They often get a little budget, no authority or support, and plenty of blame when bad things happen,” Herold told SearchSecurity. “Congress typically cuts information security budgets; opposes strong security controls, such as encryption.”
Big data, Cybercrime and why you should care
Big data is a host of big problems looming. Cyber crime is using advanced analytic tools and techniques to more efficiently mine and monetizes stolen data. The problem is, we aren’t. RSA warned about the risks back in 2013, but little has been done to address the speed, sophistication, and agility that criminals possess when using big data analytics to improve fraud through data mining and automation. Massive data breaches require new tools to query and sort. OS has some great offerings enabling criminals to refine their huge troves of data and expand their customer base. As well, criminals have now harnessed automated bot-based attacks to overwhelm specific networks for long periods of time to create an Advanced Persistent Denial of Service or APDoS. Which we just experienced and should expect more of. Yes. It is serious. Recommendations are to employ behavioral analytics UBA.
This is this week in security I hope you enjoyed reading, please comment below and stay tuned for more TWIS.