The Importance of Performance Monitoring In Preventing Attacks
In today’s era of cloud applications it can be tempting to provide users with an API to enable additional functionality on your website. Unfortunately, as discussed in a previous article, such functionality can pose a significant threat to your company when it is done improperly. Aside from the permissions aspects, another way attackers can use an API to gain unauthorized access to your server is by overloading your servers in order to extract sensitive information.
The Evolution of DoS Attacks
Denial of Service (DoS) attacks alone typically do nothing more than bring systems to a halt. Today, however, attackers have found ways to combine DDoS attacks with other tactics to gain access to networks without being detected. This is done through many methods; the most notable are discussed below:
- Overwhelming Security Systems
As a server becomes overloaded during a DoS attack, the security systems on that server can become overwhelmed, causing them to respond improperly to threats, to hang, and/or to flood the logs with garbage data so that administrators cannot make sense of the traffic hitting the server. In many cases, security systems will fall back to secondary systems; however, such systems often aren’t kept in sync with the latest security information, which can give attackers additional opportunities for access.
- Exposure of Flaws
In some cases, a DoS attack can be used to expose procedural or other security holes within your network. For example, during a DoS attack your system administrators might have to roll out updates on the fly without testing them for compatibility. As these updates are being rolled out, an attacker can use the upgrade window as a way to gain further access to the server; for example, during the update process, error messages might be visible to non-employees.
- Execution of Unauthorized Code
By overwhelming a server, an attacker can force a reboot of the system, leading to the execution of malicious cron jobs and other assets previously loaded onto the system. In a worst-case scenario, an attacker could execute a script designed to overrun the drive partition on boot. In other cases, an attacker could load backdoors (spying software) onto the system to gain access later on.
The Importance of Performance Monitoring
While the attack scenarios mentioned above might seem intimidating, one of the ways to protect yourself from these threats is to implement a performance monitoring suite on your server to spot potentially unwanted activity on your network. By monitoring systems for abnormal process usage, you can spot trouble before it gets out of hand. It is also one of the best ways to mitigate the threat of an attacker using a public API to gain elevated access to your systems.
By tracking the network activity level per user, system administrators can pinpoint the source of the issue at hand and take appropriate action.
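Per-client activity tracking of the kind described above, as an added example that is not part of the original article: the script parses constructed access-log lines (the addresses, timestamps, window length and thresholds are all assumed sample values), computes each client's peak request count inside a sliding window, and flags any client whose peak is far above the median of everyone else, which is the signal an administrator would use to pinpoint the source of a flood.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample lines in Apache/nginx combined-log style; no real hosts or traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/items HTTP/1.1" 200 512
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v1/items HTTP/1.1" 200 498
203.0.113.99 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v1/export HTTP/1.1" 200 9021
203.0.113.99 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v1/export HTTP/1.1" 200 9021
203.0.113.99 - - [10/Oct/2023:13:55:39 +0000] "GET /api/v1/export HTTP/1.1" 200 9021
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /api/v1/items/7 HTTP/1.1" 200 301
203.0.113.99 - - [10/Oct/2023:13:55:40 +0000] "GET /api/v1/export HTTP/1.1" 200 9021
203.0.113.99 - - [10/Oct/2023:13:55:41 +0000] "GET /api/v1/export HTTP/1.1" 200 9021
203.0.113.99 - - [10/Oct/2023:13:55:42 +0000] "GET /api/v1/export HTTP/1.1" 200 9021
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(lines):
    """Yield (client, timestamp); malformed lines are skipped so garbage cannot crash the monitor."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def peak_rate(lines, window_seconds=5):
    """Highest number of requests each client made inside any sliding window (assumed 5 s)."""
    times = {}
    for client, ts in parse(lines):
        times.setdefault(client, []).append(ts)
    peaks = {}
    for client, ts_list in times.items():
        ts_list.sort()
        best, start = 0, 0
        for end, t in enumerate(ts_list):           # two-pointer sliding window
            while t - ts_list[start] >= timedelta(seconds=window_seconds):
                start += 1
            best = max(best, end - start + 1)
        peaks[client] = best
    return peaks

def flag_outliers(peaks, factor=3, floor=5):
    """Clients whose peak is at least `floor` and more than `factor` x the median peak of all others."""
    flagged = []
    for client, peak in peaks.items():
        others = [p for c, p in peaks.items() if c != client] or [peak]
        if peak >= floor and peak > factor * median(others):
            flagged.append(client)
    return flagged
```

Running `flag_outliers(peak_rate(SAMPLE_LOG.splitlines()))` on the constructed sample returns only the flooding client, 203.0.113.99; the `floor` keeps a quiet site from flagging a normal user merely because everyone else is idle.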
Even if you have existing safeguards in place to handle known attacks, performance monitoring can be a vital component of a strategy to protect against zero-day threats and attacks performed by parties specifically targeting your networks, neither of which is covered by many off-the-shelf security tools.