Page 27 - EngineerIt April 2021

CYBER SECURITY



If adoption of a new method will take years, what should businesses do in the meantime? Outlast the attackers by denying them their most precious resource: time. Attackers conducting credential stuffing are usually financially motivated and don’t have infinite capital. If an organisation can significantly increase the time it takes them to monetise their attacks, most cybercriminals will abandon the pursuit in favour of weaker targets.

Introducing more time into the credential stuffing kill chain

A good first step is to make credential spills more difficult to decode. It might seem obvious, but every company needs to upgrade its password security methods. If passwords are being hashed with MD5, organisations need to upgrade to something more secure like bcrypt. This would ensure that when an attacker manages to breach their database, it will take a reasonable amount of time for attackers to crack the compromised credentials before they can even launch an attack.

Organisations should also explore how they can force attackers to develop unique attacks for each target. Suppose a sophisticated attacker has gotten his hands on 100,000 decrypted credentials that he is fairly confident no one else has access to, at least for the moment. The attacker knows that 100,000 fresh credentials should lead to, on average, around 1,000 account takeovers on a large website. Now, for such a sophisticated attacker, taking over 1,000 retail accounts might not be worth the several weeks of time it would take to develop, test, launch and monetise the attack. However, it would be worth his time to attack multiple targets simultaneously, breaking into tens of thousands of accounts at once. The key would be to find companies that could be attacked using the same software — in other words, targets with similar infrastructure.

As a result, this attacker targets not just one company, but several simultaneously — in this case, a retailer, bank, social media company or ride-hailing mobile app. He has developed an attack that targets the Android version of mobile apps that have been built on the same framework. The attack is very sophisticated, not reusing any resource more than twice and evading any rate-limiting measure the targeted company has implemented. Yet, while the attacker was too sophisticated to reuse something like an IP address when attacking a single target, he didn’t think he would be caught recycling resources across different targets.

We know this is how attackers think because this exact situation occurred in 2018 to four of Shape’s customers. Because they all operated on a shared defence platform, an attack on one of them was, in effect, an attack on all of them. Because the attacker recycled resources and behavioural patterns across all four companies within a very short time period, Shape was able to very quickly gather enough data to identify the attack. Thus, bundling the attacks actually worked to the attacker’s disadvantage, but only because intelligence was shared across different targets.

Don’t give up!

It is impossible to detect 100 percent of attacks instantaneously, 100 percent of the time. What is possible is to make attacks so costly that attackers give up quickly or don’t even try again. Cybercrime is a business — attacks are organised based on a predictable rate of return. If there is one thing that holds true across the worlds of cybercriminals and businesspeople, it is that time is money.
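The password-storage upgrade the article calls for (moving legacy MD5 records to a slow, salted hash so a spilled database costs the attacker time before it is usable) is shown below as an added example; it is not code from the article or from Shape. It assumes a plain dict as the credential store and uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for bcrypt, which needs a third-party package; the record format, the iteration count and the sample users are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow hash. Constructed for this demo; tune upward for production hardware.
ITERATIONS = 100_000
PREFIX = "pbkdf2_sha256$"

def md5_hash(password: str) -> str:
    """Legacy unsalted MD5, the 'before' state on the page: one cheap hash per guess."""
    return hashlib.md5(password.encode()).hexdigest()

def slow_hash(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iters$salt$dk' so verify() can parse it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}{iterations}${salt.hex()}${dk.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a password against either record format with a constant-time comparison."""
    if stored.startswith(PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(md5_hash(password), stored)

def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Authenticate; on success, silently rehash a legacy MD5 record with the slow scheme."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith(PREFIX):
        store[user] = slow_hash(password)
    return True

def slowdown_factor(password: str = "correct horse", samples: int = 5) -> float:
    """How many times longer one slow-hash guess takes than one MD5 guess on this machine."""
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        md5_hash(password)
    md5_per = (time.perf_counter() - t0) / (samples * 1000)
    t0 = time.perf_counter()
    for _ in range(samples):
        slow_hash(password)
    slow_per = (time.perf_counter() - t0) / samples
    return slow_per / md5_per
```

Because the upgrade happens on the user’s next successful login, the migration needs no plaintext passwords on the server side, and `slowdown_factor()` gives a rough local measure of how much more expensive each guess against the spilled records has become.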


       APPOINTMENTS



Nutanix EMEA appoints senior director multi-cloud business development

Nutanix, a leader in cloud computing in private, hybrid and multi-cloud environments, has appointed James Karuttykaran as senior director, Multi-Cloud Business Development, EMEA. In his new role, he will be responsible for developing strategic partnerships with leading players in the public cloud.

He joined Nutanix at the creation of the French office in March 2014 as a pre-sales engineer. He quickly rose through the ranks to become Nutanix’s senior director of systems engineering for Southern Europe and French-speaking Africa, responsibilities he held prior to this new promotion.

With an initial training in electronics and industrial computing at the University of Cergy Pontoise, Karuttykaran continued his training with a work-study programme in computer science at the CFA Léonard de Vinci at Veritas Software, a company he later joined in 2003 as a technical support engineer.

AppCentrix appoints executive for business development – public sector

Musa Mahlaba has been appointed business development executive – public sector at AppCentrix. His responsibility will encompass the AppCentrix public sector go-to-market strategy, supporting customers and partners in the government space across the AppCentrix core offerings, including the company’s flagship service, Smart ICT. Smart ICT provides business performance management and monitoring and is closely aligned to government compliance requirements and the drive for digitisation and 4IR.

Johan Made appointed chief commercial officer at IFS

IFS has appointed Johan Made as chief commercial officer. In the newly created role, Made will be responsible for driving IFS’s growth strategy through inorganic investments and development initiatives, including mergers and acquisitions. The appointment is a further signal of IFS’s ambition to extend its leadership as the technology platform of choice for companies wanting to create and deliver amazing moments of service for their customers. Michael Ouissi, IFS’s chief customer officer, will continue to focus on driving growth organically.


