5 Ways To Avoid A New York Times-Style Website Attack
4:00 PM EST Fri. Aug. 30, 2013
The New York Times website was disrupted for several hours on Tuesday after an online attack on the company’s domain name registrar. Twitter was also targeted in the attack. A hacktivist group targeted the newspaper's domain name system provider, MelbourneIT. But the problem stemmed from a security lapse at a domain reseller.
The attackers used phishing, social engineering and stolen account credentials. They likely searched through contacts, connections, vendors and clients for the weakest link in order to gain entry, said Ben April, a senior threat researcher at Trend Micro. Meanwhile, Kevin Houle, director of threat intelligence at Dell SecureWorks' Counter Threat Unit, pointed out that usernames and passwords are still weak links in the security stack. The security experts said some of the following measures could have avoided the attack.
Domain-monitoring services can detect changes to registration information and to the DNS resolution of domain names to IP addresses. Monitoring services won't prevent a DNS attack from being carried out, but they will issue an alert at the earliest stage of an attack, say security experts. Commercial monitoring services can send an alert if configuration changes are detected to major elements of high-profile domain names. Some companies with a mature IT staff and development team rely on a small shell script to keep tabs on website resources, said Trend Micro's April.
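The "small script that keeps tabs on website resources" described above can be as simple as a baseline-and-diff check. The following is an added example written for this article, not a script from Trend Micro or from any monitoring vendor: it compares a reviewed baseline of a domain's A records, NS records and registrar status flags against the currently observed values and emits an alert line for every record type that differs. The domain `example.com`, the addresses, the name server names and the "live" answers are all constructed so the example runs offline; `live_a_lookup` shows how to plug in a real resolver for A records only.

```python
"""Baseline-diff monitor for registrar and DNS data (added example)."""
import socket
from typing import Callable, Dict, List, Tuple

Records = Dict[str, List[str]]

# Constructed baseline: what the domain's records are supposed to look like.
# In practice this is captured once, reviewed by a human, and stored read-only.
BASELINE: Dict[str, Records] = {
    "example.com": {
        "A": ["203.0.113.10"],
        "NS": ["ns1.registrar.example", "ns2.registrar.example"],
        # Registrar (EPP) status flags; the lock flags are part of the baseline
        # so that an attacker quietly removing a lock is caught too.
        "REGISTRAR_STATUS": ["clientTransferProhibited", "clientUpdateProhibited"],
    }
}

# Constructed "live" answers. The A record and one status flag differ from
# the baseline to simulate a registrar-level hijack.
SIMULATED_LIVE: Dict[str, Records] = {
    "example.com": {
        "A": ["198.51.100.66"],
        "NS": ["ns1.registrar.example", "ns2.registrar.example"],
        "REGISTRAR_STATUS": ["clientTransferProhibited"],
    }
}


def diff_records(baseline: Records, observed: Records) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {record_type: (expected, seen)} for every record type whose
    value set changed. Order is ignored; a record type that vanished from the
    observed data is reported with an empty 'seen' list."""
    changes = {}
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, [])
        if sorted(expected) != sorted(seen):
            changes[rtype] = (sorted(expected), sorted(seen))
    return changes


def check_domains(baseline: Dict[str, Records], lookup: Callable[[str], Records]) -> List[str]:
    """Run lookup(domain) for every baselined domain and collect alert lines.
    A failed lookup is itself an alert: a domain that stops resolving is as
    serious as one that resolves somewhere unexpected."""
    alerts = []
    for domain, expected in baseline.items():
        try:
            observed = lookup(domain)
        except (OSError, KeyError) as exc:
            alerts.append(f"ALERT {domain}: lookup failed ({exc!r})")
            continue
        for rtype, (want, got) in diff_records(expected, observed).items():
            alerts.append(f"ALERT {domain} {rtype}: expected {want}, saw {got}")
    return alerts


def live_a_lookup(domain: str) -> Records:
    """Real resolver for A records using only the standard library. NS records
    and registrar status need a DNS library or a WHOIS/RDAP client, so pair
    this lookup with a baseline that lists only 'A' records."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    return {"A": sorted({info[4][0] for info in infos})}


if __name__ == "__main__":
    # Offline demonstration against the constructed live data.
    for line in check_domains(BASELINE, lambda d: SIMULATED_LIVE[d]):
        print(line)
```

Run from cron every few minutes and route the alert lines to whatever pages the on-call engineer; the value of the check is the early warning, since the change itself has already been made at the registrar by the time it is seen.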
Monitoring system logs is also important, according to Dell SecureWorks' Houle. Administrators should ensure systems responsible for authentication are logging transactions, he said. In addition, proactive monitoring can detect a brute-force attack against a system and suspicious login activity, Houle said.
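As an added illustration of the log monitoring Houle describes (this is example code written for this article, not a Dell SecureWorks tool), the detector below parses sshd-style authentication log lines, keeps a sliding one-minute window of failed logins per source address, raises a brute-force alert when five failures land inside that window, and raises a second, higher-priority alert if a login from a flagged address later succeeds. The log lines are constructed; syslog lines carry no year, so the year is assumed.

```python
"""Brute-force and suspicious-login detector over auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in sshd/syslog style; not real log data.
SAMPLE_LOG = """\
Aug 27 14:02:01 auth sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Aug 27 14:02:03 auth sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Aug 27 14:02:04 auth sshd[4121]: Failed password for root from 198.51.100.23 port 51024 ssh2
Aug 27 14:02:06 auth sshd[4121]: Failed password for root from 198.51.100.23 port 51025 ssh2
Aug 27 14:02:09 auth sshd[4121]: Failed password for root from 198.51.100.23 port 51026 ssh2
Aug 27 14:02:12 auth sshd[4121]: Accepted password for root from 198.51.100.23 port 51027 ssh2
Aug 27 14:02:15 auth sshd[4122]: Accepted password for jsmith from 203.0.113.5 port 40011 ssh2
Aug 27 14:30:00 auth sshd[4130]: Failed password for jsmith from 203.0.113.5 port 40012 ssh2
Aug 27 14:31:00 auth sshd[4131]: Accepted publickey for jsmith from 203.0.113.5 port 40013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(line: str, year: int = 2013) -> Optional[Dict]:
    """Turn one sshd line into an event dict, or None for unrelated lines.
    The year is an assumption because syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> List[str]:
    """Sliding-window count of failures per source IP. Emits one brute-force
    alert per IP once `threshold` failures fall inside `window`, and a
    separate alert if a flagged IP then authenticates successfully."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"brute-force: {len(q)} failures from {ip} within {window}")
        elif ev["result"] == "Accepted" and ip in flagged:
            alerts.append(f"success after brute-force: {ev['user']} from {ip}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from `203.0.113.5` followed by a successful key login is exactly the kind of noise a threshold-and-window rule should ignore; the point of the second alert type is that a success from an address that was already hammering the service is the event worth waking someone for.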
Domain-locking services come with an additional fee, but they prevent changes to the domain configuration that could result in a catastrophic disruption of key website resources. Trend Micro's April said it is very likely that Twitter had a form of domain locking in place due to the fact that Twitter.com remained available while Twitter's other utility domains were disrupted by the hacktivist DNS attack on Tuesday.
Attackers like to target the underlying partners of the business that they are attempting to breach, said Dell SecureWorks' Houle. Once a partner is breached, the attacker can create a more effective spearphishing campaign against executives at the company in their sights, Houle said.
It is difficult to uncover the full extent of an organization's security processes, technical controls and culture. Potential partners should be open to answering questions and show proof that their network and processes have been assessed and properly validated by an outside firm. The IT security and the company's legal team should be involved to review service level agreements prior to signing contracts, experts say.
Attackers are increasingly using stolen user credentials to gain access to systems, according to recent data breach studies, and the DNS attack illustrates that finding. Spearphishing, a targeted email crafted with a convincing message, is designed to trick users into freely giving up their credentials.
Awareness training can make end users more suspicious about messages with links and attachments, said Bit9 CSO Nick Levay. Clearly communicate that the IT team is always happy to vet the legitimacy of a message and would rather err on the side of caution than end up with a system compromise, Levay said. Best practices recommend training sessions that are sustained over a period of time. They should focus on specific topics and be relevant to employees.
Sensitive systems and underlying processes that could have a major impact on business continuity if they were breached should be protected by strong authentication measures, say security experts. Consider implementing two-factor or multifactor authentication for employees who have access to those resources.
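To make the two-factor recommendation concrete, here is an added example (written for this article, not code from any vendor quoted in it) of the time-based one-time password scheme of RFC 6238 that most authenticator apps implement: an HMAC-SHA1 over the current 30-second time step, truncated to six digits. The verifier accepts one step of clock drift on either side, compares in constant time, and refuses any time step at or below the last one already used, so a code that was phished out of a user is worthless once the user has logged in with it or the window has passed. The secret `12345678901234567890` is the published RFC test vector, not a real credential.

```python
"""TOTP (RFC 6238) generation and verification (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, decimal modulo."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, drift: int = 1, last_used: int = -1) -> Optional[int]:
    """Return the matching time-step counter, or None if the code is rejected.
    Accepts +/- `drift` steps of clock skew, refuses any counter <= last_used
    (replay protection: the caller stores the returned counter per user), and
    uses a constant-time comparison so timing does not leak digit matches."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit()):
        return None
    if at is None:
        at = int(time.time())
    counter = at // step
    for c in range(counter - drift, counter + drift + 1):
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps share secrets as base32 (the otpauth:// URI form)."""
    return base64.b32decode(encoded.upper().replace(" ", ""))


# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("current code:", totp(RFC_TEST_SECRET))
    print("RFC vector at t=59:", totp(RFC_TEST_SECRET, at=59))
```

The `last_used` argument is the part most home-grown implementations forget: without it a code remains valid for up to 90 seconds with one step of drift, which is plenty of time for someone who just phished it to use it first.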
A best practice advocated by security experts is to force employees to change their system passwords quarterly. A password should be at least eight characters long and contain a mixture of upper-case and lower-case letters, numbers and special characters. Avoid names and dictionary words.