“Internet First” is a common strategy for many organizations, both large and small, but it comes with many security issues. In the words of renowned security expert Bruce Schneier, “the internet was never designed with security in mind.”[i] As it has evolved over time to support critical infrastructure and public exchange of sensitive information, the lack of security has become a much bigger concern. IT leaders need to understand both internal and external threats to their network security to ensure that their digital edge doesn’t become an Achilles’ heel.
A report by Risk Based Security found that nearly 85% of penetration attacks on network and IT infrastructure are external (internet and www), primarily aimed at the information, healthcare, finance and insurance and government sectors. The report also found that more than 15.1 billion records were breached by cybercriminals in 2019, a 284% increase over 2018.[ii] That is more than two personal records for each person on the planet. Moreover, Ponemon Institute estimates the total global value at risk from all types of cybercrime will grow to US$5.2 trillion cumulatively over the next five years (2019-2023).[iii]
Protect your Digital Infrastructure from DDoS Attacks
Find out how you can use Equinix Performance Hub® on Platform Equinix® to protect your infrastructure.Read More
Internal and external vulnerabilities
Conventional security tools and practices are not designed to anticipate proliferating vulnerabilities inside or outside an organization’s security perimeters. Zero Trust security is an approach “grounded on the concept that there should be no automatic trust of anything inside or outside the network and everyone and everything trying to gain access should be validated.” This idea of inside (internal) and outside (external) is helpful for understanding common vulnerability points. These include:
- Internal: end users or devices inside the organization network
- (External) Edge: IoT or other insecure internet-connected devices
- (External) Core: core internet protocols, particularly the Border Gateway Protocol (BGP) and the Domain Name Server system (DNS)
A recent cybercrime report by the World Economic Forum (WEF) outlines the most common threats faced by internet service providers (ISPs) and their customers. These include:[iv]
1. (Internal) Social engineering fraud – (phishing): The weakest link in most organization’s defenses is human vulnerability to phishing attacks. This is considerably easier to exploit than manipulating internet protocols, breaking passwords or cracking encrypted communications. As an example, cybercriminals have recently been exploiting public concern regarding COVID-19 in a wave of phishing campaigns, resulting in a spike of over 600% in phishing emails.[v] There are no moral boundaries for cybercriminals.
2. (Edge) Distribution and deployment of malware: While the total annual cost for all types of cyberattacks continues to increase, malware is the most expensive attack type for organizations and it continues to grow. In 2018, the cost was $2.6 million per organization, an 11% increase over 2017.iii IoT and other unsecured internet-connected devices are easy to install malware on, increasing the scale and effectiveness of distributed denial-of-service (DDoS) attacks.
3. (Core) Subverting internet protocols to conduct attacks: BGP hijacking and DNS poisoning exploit vulnerabilities in the internet core routing protocol and domain name servers to reroute internet traffic. These attacks fall in three categories: criminal, political and accidental and can cause widespread disruption. Current and historical status on route leaks and attempted BGP hijacks are continually updated on Cisco’s BGPStream.[vi]
Shoring up the defenses from the inside out
The WEF report emphasizes that internet service providers (ISPs) are in a uniquely influential position to manage risk and educate. It outlines four cybercrime prevention principles that ISPs and their customers can take to improve internet security. These also align with the common vulnerability points described above:iii
- (Internal) Protect customers from cyberattacks and act collectively with other ISPs to identify and respond to threats. (Blocking traffic types and criminal site URLs, DDoS mitigation)
- (Internal) Raise awareness and understanding about threats, helping to protect networks. (Security awareness/education, antivirus and firewalling)
- (Edge) Work with manufacturers of network and IT hardware, software and infrastructure to raise malware defenses and control botnet proliferation as many IOT devices are highly insecure. (DDoS mitigation)
- (Core) Take action to shore up the security of routing and signaling to reinforce effective defense against attacks. (Join the MANRS community and operate RPKI)
Internal: Education of end users is essential for shoring up internal defense. Many vulnerabilities are caused by end users inadvertently opening holes in network defenses by clicking on a link, opening an email attachment, disclosing credentials at a website. Once the network is breached, cybercriminals can access databases and personal records or install malware supporting various exploits.
Edge: With simple operating systems and minimal security, IoT and edge devices are prime targets for malware. They are increasingly being used as vectors for reflection/amplification and DDoS attacks on a massive scale. Equinix is working with a number of specialist Internet security providers to deliver innovative DDoS prevention and internet scrubbing services.
Nearly 85% of penetration attacks on network and IT infrastructure are external (internet and www).
Core: Technically capable cybercriminals are also increasingly subverting core internet protocols. So even if an enterprise gets everything right in terms of firewalling, antivirus and educating end users not to click on links, a DNS exploit or BGP hijack can redirect internet connections to bogus servers. The legacy Internet routing protocol BGPv4 operates no origin validation natively, making it possible for cybercriminals to spoof IP addresses and internet destinations.
Hijack prevention requires the cooperation of multiple service providers. While ISPs have been reluctant to collaborate in the past they are beginning to come together globally to prevent bad actors from exploiting this core vulnerability in BGPv4. The Mutually Agreed Norms for Routing Security (MANRS), a global initiative supported by the Internet Society, advocates implementation of the Resource Public Key Infrastructure (RPKI) by ISPs and internet exchanges. MANRs continually updates the list of ISPs and internet exchanges who have committed to MANRS and taken the actions outlined for filtering, anti-spoofing, coordination and global validation.[vii]Equinix is a MANRS participant and supports RPKI efforts.
Best practices for minimizing edge and core threats
Given the current state of vulnerabilities, here are some best practices businesses can take to safeguard against edge and core attacks:
- Ask your ISP if they operate RPKI and what their policy is toward invalid announcements from peers and customers. You can also check to see if they are participating in MANRS.
- Review your company’s strategy for mitigation of DDoS attacks. Equinix offers a number of highly effective solutions in partnership with leading security service providers.
- Connect nearer to the core through internet exchanges such as Equinix Internet Exchange™ for improved performance and security.
- For mission-critical infrastructure and applications handling sensitive traffic, leverage colocation and direct physical interconnection. Multicloud and distributed data is also best accomplished through direct private connections to the public clouds. Equinix Cloud Exchange FabricTM (ECX FabricTM) extends this model to a private distributed architecture.
Leveraging an interconnection platform such as Platform Equinix®, combined with a zero-trust security model, allows for control of all business communication through traffic exchange points—with local private data repositories and multicloud application and services integration. This enables you to manage constant change in any cloud or partner, while maintaining control at the zero-trust exchange points.
Listen to my podcast with Innopsis about the business considerations for pursuing an internet first approach, and read the white paper to learn more about how to protect your digital infrastructure against DDoS attack.
You may also be interested in reading:
Securing the Core of the Internet for the Next-Generation of Services
Internet Peering + DDoS Mitigation = Resilient Security
Our other blogs on DDoS and distributed security
[i] Schneier, Bruce. Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, W. W. Norton & Company, 2018. ISBN 978-0-393-60888-5
[ii] Risk Based Security, 2019 Year End Report: Data Breach QuickView, landing page and report, 2020.
[iii] Ponemon Institute with Accenture Security, The Cost of Cybercrime, landing page and report, Mar 2019.
[iv]World Economic Forum, Cybercrime Prevention Principles for Internet Service Providers, Jan 2020.
[v]Infosecurity Magazine, #COVID19 Drives Phishing Emails Up 667% in Under a Month, Mar 2020.
[vii] MANRS, https://www.manrs.org/, ISP participants and internet exchange participants.
More than 15.1 billion records were breached by cybercriminals in 2019, a 284% increase over 2018.
Zero Trust security is an approach “grounded on the concept that there should be no automatic trust of anything inside or outside the network and everyone and everything trying to gain access should be validated.”