RedShield’s founder and CTO Sam Pickles was all about Denial of Service (DoS) and TLS attacks at 31c0n, hosted by Aura Information Security last week - and for good reason. The company has been doing a lot of research around attack techniques, so that they can better understand how to defend against them.
That research involves developing the attacks themselves and then forming the defensive techniques that stop them.
At 31c0n, he focused on attacks against TLS, which is a common encryption method used for web applications, mobile and pretty much everywhere. He showed what it looks like when you get attacked, how you can resolve it and how that protocol can be extended. In the world of DoS, there are also plenty of threats lurking.
“You’ve got a huge gap between organisations who have specialist DoS mitigation service providers and those who don’t. Those who don’t are relatively easy to knock offline for a determined attacker, and those who do have specialised service providers are much harder,” he says.
“What you have is enough companies that don’t have mitigation service providers in place that still make the attacker’s job fairly easy. The common attack is generally small, quite easy to launch and is quite likely to succeed.”
He says that despite the potential for DoS attackers to evolve, they may not actually evolve all that quickly, simply because they’re not being forced to do it and simple, common attack methods are still working.
“If you’ve got a whole lot of systems that are hosted in your data centre, and you’ve got a network pipe which will support 100 megabits per second, it’s pretty easy to generate that much traffic and fill the pipe. You don’t need any clever techniques to do that. All it takes is malicious intent.”
He says that while 100 megabits per second would be common in New Zealand, other countries would have much higher capacity, but it’s still not that difficult for someone who wants to generate an attack.
“Our focus of researching into more advanced DoS methods is really aimed at our own work as a service provider. Our primary aim is mostly resolving software vulnerabilities, but we end up inheriting DDoS as a problem as well. When a customer buys a service with RedShield, we end up in line in front of their systems and we have to stop whatever threats arise, and that includes DoS,” he says.
He says there have been specific instances in New Zealand that have involved extortion through DDoS, DoS or ransomware, but overall those attacks have no geographic boundaries.
It was also recently revealed that cyber attacks are the biggest threat to New Zealand businesses this year, and Pickles says it’s definitely on the horizon.
“Of overall business risk (competitive pressure, regulatory, natural disaster), I think cyber is extremely difficult for directors to make really good assessments on and whether they’re investing appropriately.”
He says there is a communication disconnect between the people who know the company’s progression in risk areas in great detail and those who make the decisions.
“There’s a breakdown between those who understand the technology and those who understand the overall business risk. Directors are taking one of two approaches: increase investment in cybersecurity initiatives or cybersecurity insurance.”
He says cybersecurity insurance has its own problems - the insurers can get a general idea of a company and its risks, but can’t tell whether it’s a disaster waiting to happen.
“So I think there’s a promising partnering trend between the information security industry and the cybersecurity insurance industry, where first there’s an assessment of risk and afterward there are post-breach claims.”
Commenting on New Zealand’s Cyber Security Task Force, Pickles says there’s a consensus that more skills in the cybersecurity industry is a positive step, but there’s more that can be done. It’s not just up to the Task Force, but the existing industry as well.
“There are other things beyond just supplying people into the industry; it’s also about modular and easily consumable services that are either partial or complete security outsourced for a customer.”
He says systems integrators are still needed for their project and architecture skills, but there’s a growing set of needs that can be met with off-the-shelf and customisable services that businesses commonly require.
Moving on to New Zealand’s data breach legislation, Pickles says it’s still developing.
“It’s not obvious which direction each country should take in terms of mandating mandatory disclosure. In general I’m a huge fan of it in concept. It’s healthy for consumers to be able to make informed choices about the security of the systems they’re using, and for those companies providing services to be held accountable for the security of their data.”
There’s no way for a user to know whether a website or other form of online media is safe, and mandatory breach puts the risk and responsibility directly on the organisation, he says.
And for RedShield, Pickles says that 2016 was an incredible year of growth - most notably its fundraising of $6.2 million.
“The traffic on our network has grown 6000% January to January. The team has been very busy.”