Denial of service attacks are hitting remote workers hard – how can you keep yourself and your work safe?
With organizations implementing remote working for all staff, and many others restricting travel and encouraging employees to work from home, attacks on enterprises, especially Denial of Service attacks, are on the rise. DoS attacks have the potential to overwhelm organizational security and cause connectivity or application outages for employees, which is why it’s crucial to have a clear plan in place to combat these attacks before they happen.
What is a Denial of Service (DoS) attack?
A Denial of Service (DoS) attack, or a Distributed Denial of Service (DDoS) attack launched from multiple systems, prevents Internet-facing systems from processing or responding to legitimate traffic or requests for resources and objects. These attacks attempt to disrupt normal traffic to a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks utilize multiple compromised computer systems as sources of attack traffic.
Exploited machines can include computers and other networked resources such as IoT devices, which can disrupt business processes for organizations as they implement large-scale remote working plans for employees.
Types of attacks include:
- SYN Flood: Disrupts the standard three-way handshake within the TCP protocol stack
- Smurf: Spoofed broadcast ping request using ICMP
- Fraggle: Spoofed broadcast request using UDP
- Botnets/Zombies: Controlled by malicious software to perform a wide range of attacks (spam, phishing, etc.)
- Ping of death: Employs oversized packets which result in buffer overflows and loss of connectivity
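As an added illustration (not code from the original post or from any vendor mentioned in it), the following detector classifies packet records into the attack patterns listed above. It assumes a simplified record format (src, dst, proto, TCP flags, size) and that directed-broadcast addresses end in ".255"; the sample traffic is constructed for the example.

```python
from collections import defaultdict

BROADCAST_SUFFIX = ".255"  # assumption: /24 networks, so directed broadcast ends in .255
MAX_IP_PACKET = 65535      # largest legal IP datagram; anything bigger is a "ping of death"

def is_broadcast(ip):
    return ip.endswith(BROADCAST_SUFFIX)

def detect_dos_patterns(records, syn_threshold=10, max_completion_ratio=0.2):
    """Map each attack type from the list above to the findings that match it.
    Records are dicts: src, dst, proto ('TCP'/'UDP'/'ICMP'), flags (TCP), size (bytes)."""
    syn_by_dst = defaultdict(int)
    ack_by_dst = defaultdict(int)
    findings = defaultdict(list)
    for r in records:
        proto = r["proto"]
        if proto == "TCP":
            # A SYN flood leaves many half-open handshakes: lots of bare SYNs, few final ACKs.
            if r["flags"] == "S":
                syn_by_dst[r["dst"]] += 1
            elif r["flags"] == "A":
                ack_by_dst[r["dst"]] += 1
        elif proto == "ICMP":
            if r["size"] > MAX_IP_PACKET:          # ping of death: oversized ICMP datagram
                findings["ping_of_death"].append(r["src"])
            if is_broadcast(r["dst"]):             # smurf: ICMP echo aimed at a broadcast address
                findings["smurf"].append(r["dst"])
        elif proto == "UDP" and is_broadcast(r["dst"]):  # fraggle: the UDP variant of smurf
            findings["fraggle"].append(r["dst"])
    for dst, syns in syn_by_dst.items():
        completed = ack_by_dst.get(dst, 0)
        if syns >= syn_threshold and completed / syns < max_completion_ratio:
            findings["syn_flood"].append((dst, syns, completed))
    return dict(findings)

# Constructed sample traffic: twelve bare SYNs from spoofed sources to 10.0.0.5 with only one
# completed handshake, one ICMP echo and one UDP packet sent to a broadcast address, and one
# oversized ICMP packet.
SAMPLE_RECORDS = (
    [{"src": f"198.51.100.{i}", "dst": "10.0.0.5", "proto": "TCP", "flags": "S", "size": 60}
     for i in range(1, 13)]
    + [{"src": "198.51.100.1", "dst": "10.0.0.5", "proto": "TCP", "flags": "A", "size": 52}]
    + [{"src": "10.0.0.5", "dst": "10.0.0.255", "proto": "ICMP", "flags": "", "size": 84},
       {"src": "10.0.0.5", "dst": "10.0.0.255", "proto": "UDP", "flags": "", "size": 64},
       {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "ICMP", "flags": "", "size": 70000}]
)

if __name__ == "__main__":
    print(detect_dos_patterns(SAMPLE_RECORDS))
```

The thresholds are placeholders; in practice they are tuned against the baseline SYN-to-ACK ratio of the monitored service.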
Traditional on-premise DDoS defenses, which are still widely used, and load-balancing products are not able to protect organizations against large-scale attacks, as these malicious data tsunamis can be several hundred times bigger than the available bandwidth on the main corporate Internet connection, bringing everything to a standstill instantly.
There are, however, various open source tools available, including:
- FastNetMon: A DDoS analyzer with sFlow/NetFlow/mirror support
- InfluxDB: A scalable data store for metrics, events, and real-time analytics
- Grafana: Provides metric visibility dashboards and editors
- Redis: An in-memory database that persists on disk
- Morgoth: Provides metric anomaly detection for InfluxDB databases
- BIRD: A fully functional dynamic IP routing daemon
Any of these could help to protect a new mobile workforce seeking to increase security and reduce risk of failure during this time.
Some of the best ways to mitigate the risk of disruption from DDoS attacks are to:
- Install a VPN
- Keep your computer security patches up to date
- Leverage an enterprise cloud provider platform, such as ServiceNow, to boost security measures
Preventing and Responding to attacks with ServiceNow
ServiceNow employs a significant range of detective controls to monitor and prevent potential DoS/DDoS attacks from impacting the ServiceNow private cloud environment. This includes the implementation of in-house DoS/DDoS protection mechanisms, provision of significant Internet bandwidth connectivity, and the use of third-party services to mitigate such attacks. Trusted Security Circles consist of groups of organizations within the same line of business, divisions of the same corporation or corporate hierarchy, or groups of organizations that want to share threat intelligence. The only requirement for an organization to belong to a circle is that it has a valid organizational profile.
Through integrations with security monitoring tools, AI-based Threat Intelligence notes indicators of compromise on your network (or in an operating system) and checks threat feeds to find intel on new vulnerabilities, software errors, hack groups and so on to enrich your security incident records with more relevant information.
This gives security specialists the insight for detecting and analyzing deep-lying threats better. To help recognize if any security incidents, indicators of compromise or observables relate to a targeted attack campaign, Threat Intelligence allows consolidating these entities to be handled as joint security cases.
Additionally, ServiceNow imports suspicious activities in your infrastructure from your security tools like QRadar, Splunk, Rapid7, etc. The Security Incident Response module automatically converts these activities into security incidents, uses your CMDB to prioritize them and later assigns them to security responders. Using an intuitive workspace, security teams bring incidents from analysis and investigation to containment and remediation. To increase your security team’s productivity, ServiceNow breaks down each security incident into separate tasks while supporting the usual task completion paraphernalia like automation workflows, notifications, SLAs, escalation rules, etc.
Vulnerability Response compares information from vulnerability scanning tools with the information in your Configuration Management Database (CMDB), putting the scan data into the context of your business and IT services.
Then, it filters the pool of detected vulnerabilities and prioritizes them according to factors like business impact and technical severity. This module enables your security agents to quickly remediate business-critical vulnerabilities while collaborating with the IT team to request and enact needed changes in the IT infrastructure.
The world of work is constantly changing; now more than ever, businesses should seek a security partner to protect their assets, and ServiceNow technology can help leaders realize their goals faster by automating incident and threat reporting in the cloud.
Take Cask’s Business Continuity Maturity Survey to see how mature your organization’s BCP is!
Cloud Solution Architect at Cask
Timothy designs, develops, and oversees the implementation of ServiceNow solutions and content. He brings with him 15+ years of experience in software engineering technologies and building enterprise solutions.