This post is also available in: עברית (Hebrew)
By Or Yaacov, EMEA Information Security Solutions Architect, F5
The DDoS attack on the OVH hosting company in September 2016, that used breached IoT devices, has been another example of the increasing threats faced by organizations. The hackers created a BotNet that used tens of thousands of connected devices in order to perpetrate a DDoS of more than 1 terabyte. This has been one of the largest attacks from this type so far.
The array of security threats has been increasing in quantity and sophistication, thus the chances of businesses to be attacked are higher than ever. During this year, several trends will prevail, and organizations should be aware of them in order to develop future defenses:
- Encrypted Traffic
The volume of encrypted traffic has been increasing dramatically. Within several years most of the traffic in the net will be encrypted. Encryption protocols are changing and getting reinforced, and so are the recommendations to organizations. Among other trends, there is an advance in adopting advanced encryptions based on ECC – Elliptic Curve Cryptography, transfer to TLS 1.2 and later to TLS 1.3 in order to prevent data exposure by taking advantage of the weaknesses of old encryptions and the existence of an unauthorized “listener” – Man in the Middle.
Organizations’ security equipment has become obsolete in many cases, and the organizations are called to adopt technologies against malware while complying with new standards.
- European Union’s GDPR Regulation
The new European law for the defense of private information, GDPR, will not be effective before May 2018, but most of the organizations will need many months to prepare. This issue should be on the agenda of Israeli organizations that offer services to European Union citizens.
The new law requires the organizations’ compliance with cross-organizational regulation for the benefit of preserving clients private information. Organizations that will not comply and will treat their clients’ information security with negligence will be subject to high penalties reaching 4% of their annual turnover. Negligence includes, among others, information exposure, information exploitation by third parties or refuse to erase existing and historical information upon customer’s request, thus disregarding the “right to be forgotten”.
The regulation will be valid for every organization that holds, manages or processes European customers’ information. There are many of these in Israel, including companies from the high-tech and financial sectors.
- Application and Cloud Infrastructure Security
The cloud-incorporated security services allow organizations to consume the same defenses and information security solutions taken locally only with a better business model, based on use and consumption.
The accessibility of the best solutions in addition to convenient business and technical model will improve the organization’s information security.
- DDoS-IoT Attacks
IoT devices are on the rise but not the security solutions. Vulnerabilities in the devices that flood the market make them easy targets. Any device connected to the net is under a hacking risk. The cellular and internet suppliers must also consider the risk brought about by home IoT devices. Businesses and communications suppliers should verify that they have got the strategy to confront DDoS attacks and a clear plan in case they are attacked.
- Applications Security, Mainly API
The rise of mobile applications, IoT etc. gave a boost to the use of API as a convenient means to link, consume and share information over the net in all fields. Inter-organizational processes are also starting to use API and many teams use it for the automation of infrastructure, network and information security.
This shift brings about many security challenges – from the accessibility to the API, e.g. identification, secure connection, to the breaching and the exposure of sensitive information through it.
Organizations should acknowledge the changing trends and make effort to incorporate them in their business plans. Adopting relevant trends will increase organizations efficiency in operating new services and will contribute to the accomplishment of their growth targets while confronting future risks. It is possible to improve 2017’s chances to be a successful year from information security point of view.