Recent cyber attacks on major credit card companies, allegedly prompted by the Wikileaks controversy, have sparked other organizations to consider their defenses against these types of attacks. Critics claim the credit card companies were not prepared to defend against these attacks – known as distributed denial of service (DDoS) – which resulted in outages to their online sites. The critics further stated that more must be done to defend against DDoS attacks to ensure critical functions do not go offline.
However, in one sense the credit card companies’ defenses may have been both planned and appropriate. According to these companies, the websites that were taken offline were for informational purposes only and did not support any transactions or processing. In using a risk-based defensive strategy, they may have saved or kept key operational sites functional while sacrificing noncritical ones.
These types of DDoS attacks are not new. Organizations have been battling them since they became popular in the late 1990s. While techniques to defend against DDoS attacks have become more sophisticated, they still represent a difficult challenge and major risk.
Any defensive strategy should be risk-based and right-sized to match the risk. In a perfect world, every company could employ every defense possible to protect against every type of attack on every part of its infrastructure. In reality, however, time and resources are not unlimited. Defenses have to be selected and deployed based on a cost-benefit methodology. Why spend millions to defend a site that only provides brochures when you can devote those resources to protecting confidential data or transaction processing? A majority of organizations provide resources to protect critical infrastructure and their customers’ personal data rather than ensuring an informational website does not go down for a few hours. The controls must be appropriate to the risks.
Organizations should use formal risk analysis and cost-benefit analysis to help ensure their control environment is appropriate for their risk profile and appetite. The risk analysis should include several key steps.
First, perform a formal risk analysis to determine the actual business risk to the environment. The risk assessment should consider the value of the assets being protected, likelihood of probable threats and attack vectors, business impact of a successful attack, inherent risk of the condition, existing safeguards, and the residual risk.
Next, based on the results of the risk assessment, determine what areas of the business are operating at unacceptable levels of risk. Identify controls that can reduce the likelihood of the threat source or lessen the impact to acceptable levels. Perform a cost-benefit analysis to determine if the suggested controls provide an appropriate risk reduction benefit.
The next step should be to implement appropriate controls based on this analysis. Test the controls and likely attack scenarios to validate the controls operate properly and provide the desired effect. Employ monitoring, metrics and measures to ensure key controls continue to perform adequately and provide the expected protections. Continually update the risk assessment as new threats emerge, the business makes changes or other factors change that would affect the risk assessment results. The risk assessment should be updated at least annually to ensure it is still appropriate for the organization and the current environment.
Employ independent professionals to help in performing a risk analysis and provide unbiased, insightful analysis and advice. Internal staffs usually have great ideas but may be too invested or familiar with the existing control structure. Existing staff may also not have exposure to the latest threats and control techniques emerging in the industry. Outside help can strengthen your defenses and ensure they are appropriate to the risk profile of the business.
Specific controls to combat DDoS attacks can include:
These are just a few of the techniques that can be used to battle DDoS attacks. A combination of controls incorporated into a “defense in depth” strategy has the best chance of success. Defense in depth provides layers of controls so that if one control fails, others will still be in place to thwart the attack. When employing the defense in depth strategy, it is still important to consider the risk analysis to ensure the controls are appropriate for the risk environment.
About the Author
Scott Laliberte is a managing director with Protiviti (www.protiviti.com), a global business consulting and internal audit firm. Laliberte provides clients with information systems security services and is a Certified Information Systems Security Professional, a Certified Information Security Manager and a Certified Network Professional. He also co-authored a book about penetration testing and information security called HACK I.T., published in February 2002 by Addison-Wesley Publishing. Laliberte’s second book, Defend I.T., is a collection of case studies in information security and was published in the spring of 2004.