In-Depth
Complex Attacks Bypassing Enterprise Safeguards
Enterprises are increasingly being targeted by complex attacks designed to bypass existing safeguards.
Enterprises are being targeted by complex attacks designed to bypass existing safeguards. Not only are these safeguards sometimes insufficient, but IT managers are themselves often unaware of where they're most vulnerable.
That's the conclusion of a recent report sponsored by F5 Networks Inc.
F5 has a stake in things; it markets technologies that the company says thwart such attacks. Even so, the study, conducted by Applied Research in September 2011, suggests that ignorance might be as big of a problem as complexity.
F5 solicited telephone responses from 1,000 organizations in 10 different countries. Although respondents are identified as holding "senior IT management" positions and are familiar with a wide range of attacks, a surprising number aren't aware of many common types of attacks.
For example, though a majority of respondents were aware of DNS attacks, 26 percent were not. As many as 37 percent of respondents didn't know about directory traversal attacks, while a similar tally (35 percent) professed ignorance of cross-site request forgeries.
Meanwhile, a staggering 32 percent didn't know about cross-site scripting.
The rub, according to F5, is that these and other attack types are being used in combination to circumvent existing safeguards.
F5 came up with a "Cyber Attack Index" to account for the frequency, difficulty of safeguarding against, and overall impact of attacks.
Based on the F5 Cyber Attack Index, four of the top five attacks were complex -- or blended -- attacks designed to exploit a mix of DNS, network layer denial-of-service (DoS), data encryption, security misconfigurations, or application layer DoS vulnerabilities.
DNS vulnerabilities were by far the most popular exploit-type, used in 100 percent of all complex attacks. Network layer DoS vulnerabilities -- which were a component of 98 percent of all complex attacks -- were likewise extremely popular, followed by data encryption (83 percent), security misconfigurations (64 percent), and app layer DoS vulnerabilities.
In half the cases, successful attacks resulted in lost productivity.
In addition, just over two-fifths (43 percent) of respondents cited data loss, while almost one-third (31 percent) cited lost revenue. Elsewhere, 30 percent cited loss of customer trust, a quarter (24 percent) cited regulatory fines, and almost one-fifth (19 percent) cited the theft of money or goods.
"The highest monetary loss was attributed to 'loss of customer trust,' which
out at $506,385, quickly followed by lost productivity ($492,334) and regulatory
($343,358)," the report indicates. "Further, the average organization reported losses of $682,000 in the past 12 months."
Just how are existing mechanisms unable to protect against complex attacks?
According to the F5 study, almost half (42 percent) of shops say a network-layer DoS attack caused a firewall to fail. Meanwhile, more than a third -- 36 percent -- say an application-layer DoS attack achieved the same result.
Elsewhere, 38 percent confirmed that their existing technologies handle traffic content "less than somewhat well," while almost as many -- 36 percent -- said the same thing about their ability to protect against complex threats.
On both the network and application layers, IT security managers are less than thrilled with their existing coverage: 19 percent described themselves as "neutral" with regard to the efficacy of their existing network-layer security technologies, and 21 percent said the same thing about the application layer.
Meanwhile, 7 percent of respondents said their existing security safeguards do "somewhat poorly" or "extremely poorly" with network-layer protection; 5 percent said the same thing about application-layer protection.
Shops are also struggling to protect and serve: more than half (53 percent) described the network performance impact caused by their existing security safeguards as "somewhat" or "extremely" challenging.