Anticipating, Preventing and Managing DDoS Attacks

A Q&A with Jag Bains of DOSarrest Internet Security
DDoS (distributed denial of service) attacks are a major threat and risk exposure facing any business with an internet-facing server. They can be especially devastating to companies that primarily conduct sales through the internet, resulting in a network crash that can disrupt business and diminish profits and cause irreparable damage to a brand. Research firm the Yankee Group estimates that an average size company ($10 million in annual revenue) can lose $150,000 in a successful DDoS attack. I spoke with Jag Bains, CTO of DOSarrest in Vancouver, Canada, about the very real threat of DDoS and how organizations can mitigate their exposure to these attacks.

What is a DDoS attack in lay person language?
It’s simply an attempt to take an organization’s internet presence offline, exhausting all resources so that the general public can’t access the site or services, usually by overwhelming the site’s network connection or server with traffic. The typical example is an ecommerce website rendered inaccessible so that the company cannot process transactions and loses revenue for a time. They might also be cut off from suppliers or partners. There are a myriad of motivations and situations for these attacks but a couple common ones we see are trying to put a company out of business so that shoppers go to a competitor; or making a political statement by downing a campaign site. Either way, the idea is to have a significant impact on web presence.

Has this threat been growing? What are the trends you are seeing?
The rate and frequency of attacks has indeed been growing quite a bit. For 13 years or so, you could count on seeing attacks mostly aimed at commerce or gaming sites. Lately, we are seeing more political attacks on campaign sites and social media. Sometimes it’s not just an individual targeted but an entire government department. Another trend is that the firepower has changed quite a bit. Most people have heard of drones that recruit thousands of home computers to launch an attack but now hackers can do this with a much smaller subset of more powerful computers. That makes it easier to get into the game and it creates greater havoc. Attackers are also more sophisticated in terms of being able to target specific elements of websites—most recently we have seen an increased frequency of the “application layer” style of attack. They can hide behind what on the surface seems to be a legitimate set of connections. Every site has its own unique vulnerabilities and now the attackers are very deliberate and focused as opposed to the raw flood attacks we saw in the past.

What can happen to a business that doesn’t try to prevent DDoS attacks?
The most obvious consequence is lost revenue, and the longer the site is down the more transactions are lost. But another consequence that people don’t often factor in is the impact on SEO (search engine optimization). If the site is down for an extended period of time, such as three to five days, the interruption will be reflected in its ranking on search engines such as Google and Yahoo. That can be the difference between appearing on page one and page seven in search results, which, in our clicky world, is a major setback.

How can DOSarrest help?
We have designed our service to help any size company, in any region around the world. Our whole focus is a cloud product, so that the end customer doesn’t need to install software or hardware—all they need to do is change the DNS record for the targeted website. When there is an attack, we take it out of the customer’s infrastructure and/or hosting provider and bring it to our networks where we are able to apply technology to mitigate the damage. In the meantime, we keep the customer’s infrastructure hidden from the rest of the world. The majority of customers come to us reactively, when they are under attack—they may be down a few minutes or a few hours or even a day before they make a decision to get some help. However, we are seeing a trend where the marketplace is starting to understand the effects of DDoS and some companies are creating preventative strategies, which can include enlisting a specialist such as DOSarrest. Customers also have the ability to hop on and off of our services but most stay on as a preventative measure as we can deflect the vast majority of attacks and monitor performance in real time, enacting configuration changes if needed. That makes us unique in the industry and it allows us to offer high tech, high touch support around the clock as a defense against DDoS.

In summary…
Any organization concerned about mitigating their first-party cyber risk exposure—or revenue loss due to business interruption—should be aware of the growing prevalence of DDoS attacks and set in place solutions such as DOSarrest to manage this peril.

eRisk Hub Members Only: To learn more about DOSarrest and Jag Bains, view Jag’s presentation on DDoS threats from the 2012 NetDiligence Cyber Risk & Privacy Liability Forum. The video is available in the Learning Center of the eRisk Hub. There is also a Business Interruption cost calculator in the Risk Manager Tools section of the hub.


Protecting Tax Information

A Q&A with Christopher Watson
The IRS Safeguards Program was designed to ensure that federal, state and local agencies properly protect federal tax information, and the requirements cover computer security, among other things. I spoke with Christopher Watson, senior manager of internal audit and risk advisory services at Schneider Downs & Co. in Columbus, OH, to find out more about the Program and what it entails.

What is the IRS Safeguards Program?
It’s a set of requirements created to ensure that local, state and federal governments and any sub-processors or vendors are appropriately securing federal tax information and records. It’s been in effect since the early 2000s, but there have been revisions along the way.

Who must comply with these requirements?
It applies to any government agency dealing with tax information and anyone to whom they might outsource their collections or operations. Who’s involved can also change depending on governments and politics—for instance, in Ohio, we’ve seen some administrations prefer to use more outsourcing than others. Wherever there’s more outsourcing, the IRS will take a harder look, because there’s additional risk. There’s no distinction between local, state, or federal agencies—they are all required to fill out an initial document and then update that every year to demonstrate their compliance.

What controls are covered?
The controls are around the custodianship and security, both physical and logical, of the information. There are a couple hundred specific controls included but the biggest ones are around the protections of records and destruction of information that the agency no longer needs. Another big area is making sure that sensitive or confidential information is not communicated to outside parties, and that it’s stored securely while at rest.

What if I am a vendor or contractor receiving federal tax information from or on behalf of government agencies?
Smaller contractors typically have less sophisticated resources and fewer internal staff, so they often need more assistance and outside expertise in this area. It’s important to take a proactive approach to make sure the information is protected. For one thing, I recommend that contractors don’t use any paper files—if they are accessing information electronically, there’s no reason to print it out and create a paper record.

What are you seeing in terms of penalties for noncompliance?
It’s different from IRS audits, because there are not necessarily financial penalties in these cases, but if the IRS goes through several audits with a contractor or agency and they are not taking the compliance seriously, then the IRS can cut off access to the information, and that will certainly create problems for that entity. The IRS will make themselves available to anyone who wants more information on improving their security. We also offer consulting services here in Ohio, and help agencies do a gap assessment and create tailored remediation plans or policies achat viagra en france.

In summary…
Mr. Watson draws attention to yet another federal government mandate requiring prudent security practices—in this case, securing federal tax information whether it’s digital or on paper. Given that tax time is right around the corner this topic is especially relevant for any business that supports local, state and federal agencies with the processing of IRS governed tax records. Even Al Capone learned not to mess with the IRS!

No more posts.