This is the 4th installment of our annual Global Application & Network Security report. The report provides a comprehensive review of 2014 cyber-attacks from both a business and a technical perspective, and gives best-practice advice for organizations to consider when planning for 2015.
Data and information for the report are collected from 3 different sources. A major contributor to the report is a quantitative survey that Radware conducts, which had over 330 respondents globally from organizations of different sizes and across various industries. You’ll see that it’s very different from the threat reports that other vendors are publishing. Those tend to be more Network/ISP focused and more US-centric. With our report, we provide a very global analysis that appeals across industries to enterprises as well as carriers, ISPs and hosting providers. Also, this year we conducted for the first time a set of interviews with top security officers to gain their perspectives and experiences with cyber-attacks. And finally, we have data and experience gained by our Emergency Response Team. The ERT is a dedicated group of security specialists that actively monitor and mitigate attacks in real time. They are the first responders to cyber-attacks and help customers overcome challenges in dealing with attacks.
Imperva, Prolexic – more US. Arbor – only carrier provider responses, no insights from Enterprise.
We see cyber-attacks getting stronger, longer and more complex, and targets are expanding, so what we thought was safe before isn’t anymore.
We boiled down a pretty substantial report to 8 key findings.
I’ll walk through each one of these in the next slides.
Attacks are continuing to evolve and getting longer, larger and more complex. And while we still have respondents reporting week-long and month-long attacks as we did in previous years, the new thing this year is that a healthy amount, almost 20%, report that they were continuously under attack in 2014. There is no start and stop. This trend challenges the traditional concept of incident response, which assumes a normal state without attacks. It also exposes a security gap. When respondents were asked how long they could effectively fight an around-the-clock attack campaign, 52% said they could fight for only a day or less!
The Cyber-Attack Ring of Fire maps vertical markets based on the likelihood that organizations in these sectors will experience attacks. Organizations closer to the red center are more likely to experience DoS/DDoS and other cyber-attacks and to experience them at a higher frequency. Red arrows show which verticals have changed position since last year’s report. This means that the overall number of cyber-attacks, as well as the frequency and intensity of these attacks, has increased in 2014.
Two new industries were added to the Ring of Fire this year – Healthcare and Education – as we’ve seen organizations in these industries become targets of DDoS attacks this year. The likelihood of attacks is also heating up for Gaming, Hosting & ISP companies.
Other verticals face consistent levels of threat, except one – Financial Services – which actually moved from “High” to “Medium” risk. This reflects the change from OpAbabil, where every financial services company was attacked, to a slightly calmer 2014, hence the reduction in risk profile.
Now let’s look at the points of failure in DDoS attacks. Every year, the results have been largely consistent: points of failure are divided among three main entities – the server that is under direct attack, the Internet pipe itself when it gets saturated, and the firewall, which often fails even sooner than the server. In our 2014 survey, we found that the Internet pipe has increased as a point of failure and, for the first time, is the #1 point of failure. This is most likely because of the increase in User Datagram Protocol (UDP) reflected amplification attacks.
Continuing a four-year trend, cyber-attacks were again split evenly between the network and application levels. That’s because attackers’ “interest” lies in multi-sector blended attacks.
Web attacks remain the single most common attack vector; for every four web-based attacks, three target HTTP and one is an HTTPS attack.
Reflective attacks started heating up in 2013 and remained a persistent threat throughout 2014. While most of 2013’s reflected attacks targeted DNS, we saw more UDP-based (NTP, CHARGEN) reflective attacks in 2014, which is why UDP attacks in general increased from 7% in 2013 to 16% in 2014.
What makes reflective attacks effective is the ease with which they can be generated and the impact they can have on a network. Reflected attacks make it comparatively easy not only to generate an extra-large attack but also to sustain it for an extended period.
DDoS is the #1 concern, at nearly 50%. Very closely behind were APT and unauthorized access. Yet, with all of the threat types fairly well represented, the threat landscape appears to vary depending on each organization’s industry and business concerns.
Another trend we are following is the increased momentum with hybrid solutions. Essentially there is an acknowledgment from the market that hybrid solutions have proven themselves.
In the survey we see 36% of respondents are already using a hybrid solution and by 2015, nearly half will employ hybrid protection.
There is also a big indication from our prospect base: a lot of them are asking about hybrid and seeing the benefit in it.
Security controls and protection are challenged by three macro IT trends: the shift toward cloud computing, the growth in the “Internet of Things,” and the rise of the software-defined network. All of these are disrupting longstanding assumptions about how businesses and customers interact, and are really challenging the automated systems and security tools designed to protect them.
Cloud migration continues. This essentially means that the Enterprise perimeter and traditional IT is dissolving and a new approach is required.
IoT - The ability to connect to anywhere from almost anything will drive dramatic efficiencies in the way we work and live. Yet, this “Internet of Things” will also introduce new and tremendous risk and threats. Close to 60% of respondents see IoT as increasing the attack surface and close to 50% see the need to increase detection requirements with this trend.
SDN – with the virtualization of the network, security professionals will face the need to protect information across unique and dynamic traffic routes. Nearly 50% of respondents believe that the centralized controller is a potential single point of failure during attacks and that the technology is immature and full of software vulnerabilities.
This year Radware launched our inaugural qualitative study to explore the most pressing problems and persistent challenges facing senior information security and technology executives around the globe.
In our qualitative study, nearly three-quarters of executives told us that security threats are now a CEO or board-level concern. C-levels are motivated by negative press coverage and the potential impact on their business.
In thinking about the top trends, cloud and BYOD were cited by more than one-third of executives who believe they increase security risks for their organizations. IoT was selected by more than a quarter of executives, while less than one-fifth cited SDN.
Looking back on 2014 and ahead into 2015, we identified 5 areas that we call “the fearful five.”
Attacks that kill – Based on what we’ve seen this year, it’s not hard to think that future cases will lead to loss of life. In the Boston Children’s Hospital case that we have in the report, some of the attacks they experienced could actually put people’s lives at risk. Some of their patients were in life-threatening situations.
Reduced sense of urgency - Relaxed urgency – numb to the claim, the problem
As we’ve seen the targets expanding, outages of critical infrastructure will also continue to build, and with more frequency.
Cyber hostage taking will continue – basically taking control of the availability of your data, your systems, your network until certain demands are met.
Laws – as government faces an increasingly dissatisfied, frustrated constituency—as well as growing threats around state-sponsored espionage—legislators will begin the process of writing laws on cyber-attacks. So we think there will be major advancement in this area as well.