Just days after NatWest Bank suffered a debilitating DDoS attack, a new survey has revealed that most businesses are still unprepared for this kind of threat. Some companies are unprepared for DDoS attacks Just days after NatWest Bank suffered a debilitating DDoS attack, a new survey has revealed that most businesses are still unprepared for this kind of threat. More than half the respondents to a survey by Corero lack adequate distributed denial-of-service (DDoS) defence technology. The study also reveals a lack of DDoS defence planning on multiple levels: nearly half of businesses have no formal DDoS response plan, 54 percent have outdated or non-existent network maps, and around one in three lack any clear idea of their normal network traffic volume. Furthermore, the survey slates businesses for under-investing in their security infrastructures, with around 40 percent of respondents still relying on firewalls, while nearly 60 percent do not test their DDoS defences regularly with network and application-layer tests. However, experts warn that DDos attacks are escalating and say that they can cause not only business disruption but also loss of IP, significant brand damage and a loss of customer confidence. Mike Loginov, CEO and CISO at independent security consultancy Ascot Barclay Group, told SCMagazineUK.com that figures from his firm and others show sharply rising numbers of successful DDoS attacks, adding: “These attacks are not necessarily undertaken by the perpetrator with financial gain in mind. However, they still leave the targeted business suffering costly damage repairs, loss of business and an undermining of the organisation’s capability to defend itself. Many attacks go unreported for fear of brand damage.” Andrew Miller, CFO and COO at Corero, which carried out the latest survey, agreed the threat is growing but stressed that companies are still not doing enough to protect themselves. “These denial-of-service-attacks (DDoS) are increasing and becoming more complex, but we’re still not seeing companies increasing their vigilance, investment and planning,” he told SCMagazineUK.com. “Across the board companies really need a combination of infrastructure investment, but more importantly putting in place plans to be able to detect what’s traversing companies’ networks.” Loginov agreed: “Generally speaking, IT departments, as the report suggests, are just not geared up to defend organisations against what cyber security professionals these days consider rudimentary attacks.” Miller said companies need “hybrid DDoS and cloud protection” but added that currently only “a small percentage” of companies have these defences in place. “What we’re seeing the more proactive customers doing is deploying a combination of both on-premises technology to provide 24/7 protection from denial of service attacks, as well as cloud protection services to deal with the high-volume ‘fill the pipe’ network-layer DDoS attacks – a combination of solutions rather than a single solution.” These warnings come just days after NatWest Bank was hit by a DDoS attack that left customers unable to access their accounts online. The 6 December attack disrupted NatWest’s website for about an hour and briefly hit the websites of the other banks in the RBS Group – RBS and Ulster Bank. The attack was focused on disruption rather than accessing account details. But Miller said organisations need to “understand it’s not just inconvenience, we’re talking about some loss of IPR. In the case of RBS, it’s obviously a significant issue from a brand and customer satisfaction perspective”. Miller added: “Denial of service attacks are often used as a smokescreen, a way of initially gaining entry into IT systems through a brute force-type attack, then following on from that the more sophisticated attacks which are aimed either at stealing customer information or intellectual property. We’re seeing banks in the US we’re talking to subject to these types of attacks on a daily basis.” In a statement to journalists, Jag Bains, CTO of DOSarrest Internet Security , said: “The transparency shown by RBS in admitting that they failed to invest properly in their IT systems is a common refrain amongst many enterprises, large and small. While each organisation may have multiple reasons for failing to invest, they all share the same notion that they won’t be a target until they get attacked. “With DDoS tools becoming more advanced and pervasive, all IT operations should work under the premise that they will be attacked and plan accordingly. Every stack and layer within their purview should be reviewed and they should identify cost-effective cloud solutions for their DDoS which provides much better performance and mitigation than expensive hardware.” The DDoS attacks on RBS came in the same week as an unrelated major IT failure, which hit the Group’s online and mobile banking, ATMs and debit card payments. As SCMagazineUK.com reported, RBS, NatWest and Ulster Bank customers were unable to use their cards to draw cash or pay for goods or services. RBS CEO Ross McEwan branded the outage as “unacceptable” and blamed decades of failure to invest adequately in new technology. Source: http://www.scmagazineuk.com/companies-still-ignore-ddos-attacks/article/324844/
View article:
Companies still ignore DDoS attacks
Much has been discussed about the damage that the Advanced Persistent Threat (APT) attacks cause to corporates and governments alike. It is estimate that at least 50% of Fortune 500 companies have been compromised by APT, and the potential financial damage to these organizations is almost impossible to quantify, but probably in the trillions of US dollars. Compared to this a crude Denial of Service (DoS) attack or its more advance siblings, the Distributed Denial of Service (DDoS) attacks and Distributed Reflector (DRDoS) attacks, their outcome seems pretty benign- your site is being bombarded by thousands of request for information, until the server gives up and no-one can actually use the site. Once the attack stops, access is possible again and no damage to your IT infrastructure has occurred, no data or money was stolen and hopefully your angry customer will believe it was just a “site malfunction”. But as attack methods have become more sophisticated AND more accessible (for example, now one can simply rent hundreds of BOT computer as a service, to carry the attack for him, using a simple interface, with no need to know how to actually hack), the industry had to act, and developed means to mitigate these attacks. Several methods of DDoS mitigation exist and multiple companies offer these as a service. Now a very dangerous equation begins to unfold, one where the attacker can use simple, cheap tools (a fairly typical rate for DDoS botnet rental hovers around the $200 for 10,000 bot agents per day), and the defender must invest much larger resources, both internal (maintaining a Security Operations Center or SOC) and external (service providers), creating an inherent asymmetry. This asymmetry means that organizations wishing to mitigate this threat will keep investing (or throwing, since there is no actual gain here, only minimizing the impact) money over time, until they are in serious economic pain. And this is exactly what Islamic terrorist have been trying to do in the recent global jihad campaign- making western countries bleed money in order to try and prevent sparse attacks carried by rudimentary means. As Osama bin Laden said: “It is very important to concentrate on hitting the American economy with every available tool … the economy is the base of its military power. The United States is a great economy but at the same time it is fragile.” The risk is that using offensive cyber means one can achieve this goal much faster (and one does not have to blow himself to pieces in the process, or hurt innocent people). Therefore, prevention and not only mitigation is necessary. Organizations must be far more proactive than they are now. Sure, investments in IT security and best practices are always a good idea, but also applying preventive intelligence to greatly reduce the impact of attacks. This, couples with harsher legislation and enforcement against both the suppliers and the perpetrators of the attacks will hopefully, in the end, balance this asymmetric equation. For protection against your eCommerce site click here . Source: http://defense-update.com/20131107_denial-service-ddos-cyber-attacks-using-logic-terror-threats.html