BLACKFOOT QUARTERLY - PAGE 5

DDoS

DDoS attacks are back and are more powerful than ever. Attacks have evolved quickly from 'stresser' sites designed by gamers to profit by slowing other players down to a global industry. New variants marshal internet-facing devices, such as CCTV cameras, smart TVs and baby monitors, to overwhelm target sites with fake traffic and knock them offline. With internet-facing devices proliferating and more than two billion new devices coming online every year, this shows no signs of abating.

For the most part, DDoS attacks are made up of bots. A bot is a simple piece of code that can be embedded in an internet-connected device and controlled by a malicious actor to target a specific IP address or web service.

Whereas attackers previously needed specialist skills to launch DDoS attacks, a number of off-the-shelf tools now exist. The user simply pays for an attack and enters the details of the intended target. As such, DDoS attacks are increasingly being considered a business continuity risk, not just an information security or IT issue.

There are a number of options for protecting your business from the potential disruption of a DDoS attack. The level of disruption and risk of an attack determines which of the following would be most appropriate:

Host-supplied DDoS protection
ISPs and hosting companies may offer DDoS protection as part of their external hosting or co-location services.

On-premise hardware appliances
Generally the best solution for those looking for real-time or near real-time attack detection and mitigation, as well as the most costly.

Cloud-based solutions
An alternative to on-premise hardware appliances, cloud-based DDoS solutions come in two main flavours: always-on and on-demand.

Hybrid solutions
As the name suggests, a combination of hardware appliances and cloud-based DDoS mitigation with fail-overs.

Cyber insurance policies
While it does not protect your business from attack, cyber insurance complements preventative, detective, response and recovery controls.

Do nothing
There are DDoS protection solutions to meet all budgets and requirements, so is the 'do nothing' option really a credible option?

Here are our top ten tips for protecting yourself against ransomware attacks:

1. Screen e-mails
Screen e-mail attachments automatically and quarantine dangerous attachments (i.e. not just attachments that fail anti-virus checks, but executables and so on).

2. Train staff
Ensure staff are trained on current phishing attacks and consider a periodic phishing test to reinforce awareness.

3. Restrict outbound web browsing
Restrict web browsing to whitelisted categories to reduce the chance of staff visiting sites that could contain malware payloads.

4. Control admin accounts
Only use privileged accounts for internal administrative activity, not for web browsing, social media applications or any activities that do not require privilege. Ordinary users should not have local administrative accounts or be able to install software.

5. Filter outbound egress
Consider blocking egress to all UDP destinations at the firewall and restricting access to all IP destinations outside of ports (80, 43) unless there is a business requirement. This can prevent malware infection, but more importantly malware activation and communication with command and control servers on the internet.

6. Segment networks
Use network segmentation to contain and minimise the spread of malware in the event of an infection.

7. Control USB use
Block access to unencrypted USB sticks.

8. Back up data
Back up regularly and verify the integrity of those backups. If real-time replication to a secondary site is used as a backup, ensure that a contingency still exists to recover files if malware is replicated to the secondary site.

9. Patch
Ensure you have a strong patching policy and update regime, and that devices reflect this.

10. Buy insurance
Check whether your business insurance policy includes ransomware protection and adjust your cover accordingly. Finally, and failing all else, find out how quickly you can buy Bitcoins should you decide to pay a ransom, or want to hold some just in case.
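As an added illustration of tip 5 (Filter outbound egress), not part of the original article: a small Python audit that applies that egress policy to constructed outbound flow records and reports which ones the firewall rule would block. It assumes the page's "43" means port 443, a constructed comma-separated record format, and a hypothetical approved mail relay as the one business exception; note that blocking all outbound UDP also blocks DNS to external resolvers, so hosts must resolve through an internal resolver.

```python
"""Audit outbound flow records against the tip-5 egress policy (added example)."""
import ipaddress
# Policy from tip 5: no outbound UDP, and outbound TCP only to ports 80 and
# 443 (assumption: the page's "43" means 443), unless a business exception exists.
ALLOWED_TCP_PORTS = {80, 443}
# Constructed business exceptions as (destination, port), e.g. an approved mail relay.
BUSINESS_EXCEPTIONS = {("203.0.113.25", 25)}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flow(line):
    """Parse one constructed record 'src,dst,proto,dport' into a tuple."""
    src, dst, proto, dport = line.strip().split(",")
    return src, dst, proto.lower(), int(dport)

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def violation(flow):
    """Return why the policy blocks this flow, or None if it is allowed."""
    src, dst, proto, dport = flow
    if not is_internal(src) or is_internal(dst):
        return None  # only internal -> internet traffic is in scope
    if (dst, dport) in BUSINESS_EXCEPTIONS:
        return None
    if proto == "udp":
        return "outbound UDP blocked"
    if proto == "tcp" and dport not in ALLOWED_TCP_PORTS:
        return "outbound TCP to port %d not allowed" % dport
    return None

def audit(lines):
    """Return [(flow, reason)] for every record the egress policy would block."""
    findings = []
    for line in lines:
        if line.strip():
            flow = parse_flow(line)
            reason = violation(flow)
            if reason:
                findings.append((flow, reason))
    return findings

# Constructed sample: internal hosts talking to documentation-range addresses.
SAMPLE_FLOWS = [
    "192.168.1.20,198.51.100.7,tcp,443",   # normal HTTPS: allowed
    "192.168.1.20,198.51.100.9,udp,53",    # DNS to an external resolver: blocked
    "192.168.1.31,203.0.113.77,tcp,4444",  # odd high port outbound: blocked
    "192.168.1.31,203.0.113.25,tcp,25",    # approved mail relay: allowed
    "192.168.1.40,192.168.1.1,udp,53",     # DNS to the internal resolver: allowed
]
```

Running `audit(SAMPLE_FLOWS)` flags only the external DNS lookup and the TCP/4444 connection; the same check can be run over exported firewall or NetFlow records to find traffic that would break before the rule is enforced.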
PAGE 6 - BLACKFOOT QUARTERLY

Frictionless check-out under threat

One-click or frictionless check-out online could be a thing of the past if the European Banking Authority (EBA) gets its way. The regulator published its long-awaited consultation paper on strong customer authentication and secure communications under the revised Payment Services Directive (PSD2) in August 2016. The EBA set out its vision for the authentication procedure to "remain fully in the sphere of competence of the ASPSP (account servicing payment service provider)", i.e. the issuer in the case of card payments.

With very few exceptions, issuers are required to perform strong customer authentication on every transaction. Strong customer authentication is defined as two or more of the following: something you know, something you have or something you are.

Acquirers and merchants are not able to authenticate consumer payment transactions, whether acting alone or together. This jeopardises the use of the one-click models currently used by Amazon and PayPal for PSD2 payments, unless separate contractual agreements exist with each ASPSP used by European consumers.

The EBA is currently considering the responses received to its consultation. The future for those selling in Europe or to consumers based in Europe remains uncertain.

NEWS IN BRIEF

We round up recent industry news.

PCI London, Thursday 26 January 2017
We will be presenting at PCI London, Park Plaza Victoria, 239 Vauxhall Bridge Road, London SW1V 1EQ. If you are planning on attending, it would be great to see you.

New incident reporting video added to Blackfoot training suite
We have added a new video to our training course. Please contact your Blackfoot account manager for more information.

Award winning training: PCI Excellence Award 2017