As recently experienced, data application security is a considerable issue for government agencies. The Office of Personnel Management (OPM) breach was not attributed to a specific code injection technique, but it was obviously a data-driven attack. The reality is that government agencies are under threat from these types of attacks on a daily basis.
According to our most recent State of the Internet – Security Report, distributed denial-of-service (DDoS) attacks are on the rise. For the past three quarters, there has been a doubling in the number of DDoS attacks year over year. SQL injection (SQLi) remained one of the top application attack vectors, as it was in the previous report. SQLi attacks accounted for 26 percent of all application attacks, representing more than a 75 percent increase in the second quarter alone.
Although DDoS attacks aren’t included in the daily news, they are just as threatening, particularly for government agencies. As has been the case in recent quarters, our report identified malicious actors as the culprit for most of the DDoS attacks. Groups of computer criminals like DD4BC and copycats use DDoS as a means of extortion; to gain media attention and notoriety from peer groups; or to damage reputations and cause service disruptions in a number of industries. DDoS attacks are also often used as a distraction when other, more serious, attacks are occurring, such as data exfiltration through application attacks. In addition, DDoS attacks are popular for acts of hacktivism, which pose specific threats to government agencies.
Service disruptions can be particularly painful for government agencies, some of which provide services directly to the public. When we’re talking about DDoS attacks, it is important to remember how much of what we do is connected to the Internet. A successful DDoS attack would not only take down your website, but likely your entire network — including your email and your phone. This could also affect remote or field workers, some of whom — in the public sector world — are in dangerous or critical situations.
So, after all of the tech speak, what practical steps can you take to help protect your agency from this rising threat?
- Know what all of the various attack vectors are and make sure you have protections in place for at least the top 10. The Open Web Application Security Project keeps track of these, but the list changes continually, so make sure you check in often.
- Inventory all of your applications and the third-party plug-ins you use with each. Our report uncovered 49 previously unreported vulnerabilities in third-party WordPress plug-ins, proving that, while your applications might be subject to stringent security checks, the third-party plug-ins may not be monitored so closely. Know what vulnerabilities exist, and if you discover any on your own, be sure to reach out to the authors to fix them.
- Understand all of the protocols that are running on your network and eliminate those you don’t need. There may be obsolete protocols running on an old server that shouldn’t be, and these protocols could have security issues. Check everything and check often.
When adversaries are determined, the ferocity and consistency with which they will attack are high. For example, according to our report, 95 percent of the attacks exploiting Shellshock, a Bash vulnerability first tracked in September 2014 that was leveraged in 49 percent of the web application attacks this quarter, targeted a single customer in the financial services industry in an aggressive, persistent attack campaign that endured for the first several weeks of the quarter.
There is no reason this type of attack could not be made against a government agency. While other attack strategies might garner more attention, there is every indication that DDoS attacks will continue to rise. Agencies will be well served to take the necessary steps to minimize their risks as much as possible.
Stuart Scholly is senior vice president and general manager of the security division at Akamai Technologies.