In the weeks leading up to the 2014 World Cup, several news headlines were circulating about hacking organization Anonymous launching distributed denial of service (DDoS) attacks against websites related to the sporting event. DDoS attacks are carried out by flooding a host server with so many requests that legitimate users cannot access the site, essentially knocking it offline.
But Matthew Prince, chief executive officer and cofounder of DDoS mitigation service CloudFlare, says that while the headlines surrounding DDoS attacks and the World Cup may sound frightening and generate interest, in reality, there’s no way of knowing whether those sites are actually under attack. What may appear to be a DDoS attack may really be a system issue, he notes. “They both create very large, stressful loads on your infrastructure, and your infrastructure has to stay online.”
Prince explains that the DDoS attacks that typically come out of individuals using Anonymous-like tools are relatively small, compared to the large-scale attacks that are being seen from other hacking groups. “While Anonymous gets a lot of coverage because it’s this faceless, nameless, scary entity–by its very nature, that means that anyone can say that they’re part of it, and that they’re going to launch an attack,” he says. “It makes a great headline, but there’s really scary stuff that’s going on right now that has nothing to do with the World Cup.”
One of the alarming trends Prince points out is an increase in extortion-based DDoS attacks. In those cases, businesses receive what are effectively ransom letters from the hackers, stating that they must pay a certain amount of money or be knocked offline with a DDoS attack. “We’ve seen extortion-based attacks for four years, but the breadth of the sites that they go after is changing pretty dramatically,” he notes. In the past these attacks went after fringe sites like gambling and escort services that were unlikely to draw much public sympathy. However, “recently there’s been a massive increase in the number of extortion-based attacks…that are targeting much more mainstream businesses.”
Igal Zeifman of Incapsula, another cybersecurity firm providing DDoS mitigation services, notes that the increasing Internet of things–a growing number of devices with Web connectivity–makes it easier than ever to launch an attack. “These hackers now have access to machines that can generate much more traffic and basically cause much more damage, endangering even large corporations.” He says sophisticated hackers causing the worst damage are people who make their living by launching attacks. “This is what they’re doing 24/7, so we also see more advanced tactics coming from them, specifically.”
Still, Zeifman points out that anyone can launch a DDoS attack if they are willing to pay the right price. “You can buy Bitcoin or open a PayPal account, open up an account in one of these DDoS-for-hire services, and here you go, you can attack someone.”
There are two ways of measuring the size of DDoS attacks. One is by the amount of bandwidth coming in, which organizations that provide DDoS mitigation such as CloudFlare can measure. The unit of measurement is gigabits per second (GPS), which measures the number of “pings,” or requests, hitting a server.
“We now see the largest attacks that come into our network getting up to 400 gigabits per second, and that’s a really large attack,” Prince says. Those attacks are referred to as layer three attacks, and they send more traffic to the network’s port than it can physically handle.
Botnets, machines remotely controlled by a host server, are used to send the requests. (The “layers” mentioned in the attack vectors are defined by the Open Systems Interconnection model, a cyber-industry standard for communication.)
The other way to measure the size of a DDoS attack is by the number of requests sent to the server. Each request must be answered by the host server–it's like having to answer the door at your house every time someone knocks. “So each of those requests could be really small, but you have to deal with them, and the largest request floods that we’ll see will get up into the hundreds of millions of packets per second that are hitting the edge of our network,” Prince states.
While those attacks may not appropriate much bandwidth, they can be more challenging to deal with. Campaigns sending large amounts of packets to the network are referred to as layer four attacks.
The final classification of attack, layer seven, forces the application to hold open the connection, effectively consuming the server’s resources. To get to that level, a hacker must be able to conceal the bot’s identity and pass as a legitimate user.
Protecting one’s network requires having more bandwidth to absorb the DDoS attacks. If a company has an in-house appliance that only absorbs 10 GPS, an 11 GPS attack will knock it offline. DDoS mitigation services provide that “extra” bandwidth for companies by pooling resources from all over the globe to create a huge network of protection that sits in the cloud. “If you have protections in place ahead of time, dealing with those attacks is fairly easy,” notes Prince. “If you try to set those protections up while you’re under attack, then it can be extremely difficult to mitigate the attack, and much more of a challenge.”
Zeifman adds that reputational damage can be irreversible for sites that come under DDoS attacks. “No [online] service is irreplaceable right now. There’s an alternative for everybody, and you need to be the better alternative. You need to be the more resilient one—you need to be the site that stays online.”
HACKERS IN HIGH DEMAND
From 1955 until 1972, two Cold War nations battled against one another in the Space Race. Both the United States and the Soviet Union strived to outdo one another in spaceflight capabilities, the fire being fueled largely by Russia’s launch of Sputnik, the first satellite to go into orbit, in 1957. This feat spurred fears for the United States that it did not have enough scientists, engineers, or mathematicians to beat the Soviets.
Solving such a shortage would start with a young person in the United States being inspired to enter one of the above fields; say an individual who was in seventh grade when the race started. By the time that person obtained a master’s degree, the year would be 1969, when the Space Race was slowing down. By 1972, “the era of endless growth came to a shuddering end; many layoffs ensued. Had this individual stayed the course over an entire career, there would have been ups…and downs, and it all may have ended well, but not nearly as well as it looked when the educational commitments were made.”
That’s the example used in a report, released in June by the RAND Corporation, titled Hackers Wanted: An Examination of the Cybersecurity Labor Market, to illustrate a real possibility for the high demand that exists now in the United States for cybersecurity professionals. However, while it outlines the Space Race comparison, the study calls such an outcome “unlikely,” mainly because there is a growing reliance on networks, enormous government interest in the field, and ever-evolving, advanced threats in cyberspace. “As long as the threat exists, there would seem to be sufficient demand for cybersecurity services,” the study states.
The RAND report looks at the job market for cyber professionals with a particular focus on those who are “employed to defend the United States,” including federal government and private-sector jobs, then examines the responses currently underway to solve that shortage. It makes several recommendations for potentially addressing the problem.
The study begins by examining a number of comprehensive reports on the “cybersecurity manpower needs,” conducted by companies including Booz Allen Hamilton, the Center for Strategic and International Studies, and the Department of Homeland Security’s Homeland Security Advisory Council. One message the report makes clear early on is that a rigorous definition of a cybersecurity professional does not exist, due to the various cyber issues that need addressing, and the different ways in which agencies and enterprises classify job functions. But, as the report states, “Their underlying message is the same: A shortage exists, it is worst for the federal government, and it potentially undermines the nation’s cybersecurity.”
Martin Libicki, senior management scientist at the RAND Corporation and a coauthor of the study, says that the United States did not get into the shortage overnight, and that it will not be solved in as much time, either. “The creation of additional supply, which is to say the creation of people who are adept at cybersecurity, takes a long time,” he tells Security Management.
He compares the lack of cybersecurity professionals to shortages in the oil market—if the price of oil doubles today, it will take a while before the increase in demand is met. “You have to find the reserves, drill the wells, extract it, refine it.”
The challenges faced by enterprises when hiring cybersecurity professionals are varied. Larger companies, especially in the private sector, are able to pool existing resources and train employees through in-house programs. “The larger organizations—both private and public—have found ways of coping with tightening labor markets, in large part through internal promotion and education, a route that is less attractive to smaller organizations that (rightly) fear that those they expensively educate will take their training to other employers,” the report states. Often, large organizations can also offer more competitive salaries to attract the most talented, experienced workers.
While some government organizations have difficulty competing with private-sector companies, large military defense entities such as the U.S. Air Force or intelligence agencies like the National Security Agency (NSA) have a lower turnover rate for cybersecurity professionals. RAND researchers conducted interviews with the Air Force and learned that the organization is “satisfied that they can get their basic cybersecurity needs met, but this may be true, in our observation, because they do not rely on attracting upper-tier professionals to do so.” While the NSA is more likely to outsource its IT security jobs, RAND found in interviews with the agency that it loses no more cybersecurity professionals “to voluntary quits than to retirements.”
There are a number of policy changes the report explores to solve the shortage. One of those is the oft-touted concept of altering U.S. immigration policy to make it easier for foreign nationals with cyber skills to enter the country. “Despite the general merit of such ideas, it is easy to exaggerate how much this would help,” the report states. “A large share of cybersecurity work can be carried out overseas…and requirements for U.S. citizenship limit the help that increasing the number of such individuals would provide to meeting national security needs.”
Importantly, RAND points out that more secure system and software programmers are needed to create more hardened networks from the start, which could possibly decrease the demand for cybersecurity professionals. The study says that education policy plays a large role in addressing the shortage. Libicki says getting students interested and involved in cybersecurity earlier in life, especially during the middle and high school years, could help address the shortage over time. He points out that universities have recently stepped up to the plate in providing more cybersecurity-focused education. The report states that schools are getting more specific in their cybersecurity offerings. “Universities have also done a credible job finding individual niches to explore: among those we interviewed one specializes in industrial control systems, another in applications at scale, a third in cybersecurity management, and a fourth in cybersecurity public policy,” it reads.
One company getting involved with students and cybersecurity is ESET, which hosts an annual Cyber Boot Camp for high schoolers at its North American headquarters in San Diego. The students spend a week learning “ethical hacking” skills in a network that replicates a corporate environment. Students must sign an agreement stating they will only use the skills learned at the camp for good. “When we bring students into what you could call a hacking school, we take very seriously the need to direct them appropriately,” says Stephen Cobb, senior security researcher at ESET.
Cobb says that the RAND report does tackle many of the challenges in cybersecurity staffing, but fails to address one critical component fully enough: cybercrime. “I would have liked to see more analysis of the relative merits of dedicating resources to cybercrime reduction rather than staffing for cybercrime response, particularly as cybercrime is the primary driver of demand in the private sector,” he says.