In a worrying new cyber threat trend, the record for largest DDoS (Distributed Denial of Services) attack has been broken, not once, but twice, over the past week. A DDoS attack, in essence, is an attempt to make an online service (such as your business’s website) unavailable by overwhelming it with traffic from various sources. Last week, the coding repository GitHub was briefly taken offline in a 1.3 Terrabits-per-second DDoS attack. This wasn’t entirely unsurprising, as DDoS attacks have been steadily building throughout 2018, but March has definitely been the worst month so far. Now, an unnamed US service provider has reported experiencing an even larger DDoS attack, which hit 1.7 Terrabits-per-second, only a few days after the previous record had been broken. This could pose a significant threat for many businesses that operate memcached database servers, which typically have high-bandwidth access and can be badly impacted by DDoS attacks.
Norton has just released their annual Cyber Security Insights Report, which analyses the effects of cyber crime around the world. One of the key findings of this report is that when it comes to cyber security, “consumers are overconfident in their security prowess, leaving them vulnerable and enabling cyber criminals to up the ante this year, which has resulted in record attacks”. Over the course of 2017, the report estimates that over 978 million adults in 20 countries around the world experienced cyber crime. These attacks cost consumers an estimated €150 billion.
While most people stated that cyber security was important to them, one third of people stored their passwords insecurely and one fifth admitted to using the same password across all sites they use. Over half of the respondents reported either they or someone they knew had been a victim of cyber crime, with the average cyber crime victim spending almost three full working days recovering from the attack.
“When it comes to cyber security, consumers are overconfident in their security prowess, leaving them vulnerable and enabling cyber criminals to up the ante this year, which has resulted in record attacks.”
2018 certainly knows how to make an entrance. The Christmas turkey has barely been finished and we’re told that nearly every electronic device on the planet with an Intel processor (from servers to PCs, smart devices and more) are susceptible to not one, but possibly two of the worst critical hardware related flaws ever known (Meltdown & Spectre). Flaws that can allow a hacker to steal your data without a hint of detection. In cases like these we often hear “but I have the latest next generation antivirus software”, but it’s not going to help you here I’m afraid. “And I have the latest next generation firewall and a state of the art SIEM solution just installed” – no good for fixing this either. You may even be really good and have your staff trained in security awareness and your systems backed up offsite – but unfortunately neither will address the root cause of this global issue. Even Santa couldn’t help fix this one – that’s how serious this is.
The hardware flaws have been aptly named “Meltdown” and “Spectre”. They sound like something straight out of a James Bond spy movie – and to be honest – the names aren’t far off, given if exploited, spying on you is exactly what a hacker could do. Predictions have already come in from experts that this could be the biggest disaster in IT history, and similar to the KRACK WiFi vulnerability of last year, Meltdown and Spectre could take years to fully fix. While important workarounds are available in some cases and must be put in place (see below) , only a hardware redesign in processor architecture will truly lay these bugs to rest.
To make matters worse, now that the crafty hackers know about it and with the EU GDPR data protection regulation coming into force on the 25th May – we predict, this year is going to see some considerable cyber-attacks that will try to take advantage of at least one of these flaws which may result in some pretty serious data breaches and some serious GDPR related fines. Its time like these one would think “Why did we ever go paperless?”.
GDPR is coming. Rapidly, as it so happens, and at the time of writing there is just over 6 months to go until the 25th May 2018 deadline for compliance. Since the GDPR was adopted by the EU in 2016, businesses have been trying their best to understand the impending data protection regulation and, ultimately, ensure they are compliant. The GDPR is no straight-forward matter, though, as much of the phrasing is purposely vague to allow for possible technological advances, and to ensure that the regulation itself does not become obsolete in the near future. The idea is that if the GDPR specified which technologies were to be employed by a business in order to safeguard its data, it may be superseded by new technologies – thus reducing the effectiveness of the regulation. A key GDPR requirement, under Article 32, states that data controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing”. But what exactly does state of the art mean?
The EU has specifically worded some GDPR requirements in a vague manner, to ‘future-proof’ them from technological advances
Traditionally, cyber security has been seen as an IT department’s problem. They make sure everyone has antivirus on their PCs and take care of the firewall – and as long as they’re doing it right, then everyone else is safe… right? This has lulled users and business owners into a false sense of security of late, believing that cyber security simply isn’t their area or that it’s not in their job description. However, this attitude is now being taken advantage of in a big way by cyber criminals, who have discovered that individual users are much easier to target and deceive. As a result, users often takes actions which inadvertently allows the hackers to bypass the IT security systems. Traditional antivirus is dead, and even more advanced next-generation antivirus simply can’t stop the most deadly attacks. Now, everyone in an organisation has a part to play in keeping it secure, from the bottom all the way up to the CEO.