Only days after a major DDoS attack on key domain name servers knocked out many top websites, AT&T issued a report telling enterprises they can still prevent more than 90% of cyber attacks by consistently implementing basic security protections against known threats.
The report, "The CEO’s Guide to Navigating the Threat Landscape," addresses the fact that cyber threats are now mainstreamed -- that is, almost anyone can download the necessary tools and instructions for launching attacks -- making it essential for IT security personnel to implement all known protections against well-established threats.
The volume of threats is definitely going up: According to an AT&T Inc. (NYSE: T) survey that is detailed in the report, 90% of US organizations had at least one malware-related incident during the past 12 months while 63% faced a ransomware attack. Between July 1 and August 30 of this year, ransomware attacks were up seven-fold, an indication of the profit motives of those commercializing threats. Because this spike in attacks represents broad reuse of known threats, however, AT&T believes most can be stopped.
Last week's attack is an example of how a commonplace threat can be devastating, says Jason Porter, AT&T's vice president of security solutions. Distributed denial of service (DDoS) attacks are a long-known form of disruption that can be prevented, he notes. In this case, the attackers used a conglomerate of thousands of Internet of Things devices that had been left unsecured -- another known vulnerability -- to launch the DDoS attack on DNS provider Dyn.
By adding protection at the device level -- where the device has the power and processing capability to handle it -- and moving devices off the public Internet and onto private connections, attacks such as last week's can be prevented, he says. DDoS attacks, in general, can be and are being stopped today. "People get really worried about unknown cyber attacks, being planned by some well-funded person who is a scientist and a whiz-kid," Porter tells Light Reading in an interview. "Those folks may be creating the attacks but they are then commercializing them, mainstreaming them and making them repeatable -- so you can download them and they come with kits that talk about how to do it."
If that sounds terrifying, it should -- but Porter quickly adds that the ability to prevent these attacks from doing damage is also well known and the tools are available to businesses. So instead of wasting time worrying about the unknown, businesses should be implementing the full range of protections against what can be stopped in what he calls a layered approach.
Of course, from the AT&T perspective, the hope is that businesses will buy managed security services that let the network operator deliver protection as a network-based service. One vivid example of the power of network-based services is provided in the report: A ransomware note sent to an AT&T security client threatens to shut down all of a company's servers at a given time unless a specified amount of Bitcoin is paid, with the amount increasing the longer the outage persists. The note promises a one-hour demo of the attacker's power to show the threat is real.
In this instance, however, the attack never happened, because AT&T noticed the unusual activity that represented the attack demo and was able to quarantine the traffic and clean it before passing it on, Porter notes.
There also are sections in the report on phishing, which still happens way more often than it should, costing businesses $740 million last year, Porter notes, and on advanced persistent threats and more.
"If you prepare for the known, it represents more than 90% of attacks, and you are building a strong foundation for your security," he says.
— Carol Wilson, Editor-at-Large, Light Reading