Slam the door on the bad guys

Organized crime is alive, well and scouring cyberspace for easy pickings. That message is repeated time and again to companies that conduct business over the internet, but the messengers aren't sure everyone is listening.

While there is a whole range of online possibilities for the less-than-honest to choose from, distributed denial-of-service (DDoS) attacks, where e-commerce sites are flooded with useless information to the point where they become overloaded and have to shut down, have become the weapon of choice for many extortionists.

"It's a great crime if you are a bad guy," says Alan Paller, director of research at the SANS Institute. "On Saturday you take a company down for 15 or 20 minutes, then you send them an email saying 'Did you like that? We can do that all week – unless you pay up'."

Perhaps not surprisingly, businesses are uncomfortable discussing their experiences with DDoS attacks, but reports of some experiences have entered the public domain. Credit card processing company suffered a DDoS attack lasting several days last September.

While the company provided little more than a minimum of information on the attack, and did not say if it was an extortion attempt, it did admit it had turned to the FBI for help. It has also increased spending on what it called "industry-leading solutions designed to negate the impact of [DDoS] attacks."

"These installations are successfully thwarting a current and sustained attack with no DDoS-related degradation to our service whatsoever," says in a statement on its website.

The fact that was out of business for at least five days naturally annoyed its customers, some of whom had no sympathy for firm's plight.

Several of those customers expressed surprise and disappointment that a company the size of, which has around 90,000 mainly small-business customers, was not better prepared.

Its reputation was tarnished by the episode and, according to technology risk consultant Susan Orr, "the loss of confidence and trust is extremely damaging."

Orr has just completed a white paper, DDoS Threatens Financial Institutions – Get Prepared, for ReymannGroup, a consultancy set up by Paul Reymann, co-author of the Gramm-Leach-Bliley Act. She touts reputational damage as a good reason why businesses in general, and financial institutions in particular, should prepare more seriously for DDoS attacks.

"Basically, I don't know if an institution can recover from that [reputational damage]," she says. "Certainly, it will take a lot of money to repair a system, but how much is it going to cost you to repair your reputation?"

There is still a reluctance on the part of the consumer to embrace e-commerce. Nearly seven in ten respondents to RSA's annual survey on consumer confidence said they do not feel that firms they deal with online do enough to protect personal information.

The survey also reveals that, because of consumer concerns, a quarter of those interviewed had reduced their online purchasing in the past year, and just over a fifth refused outright to conduct business with their financial institutions online.

The ReymannGroup white paper offers practical advice for banks and other finance firms to help them fend off DDoS attacks.

For instance, it focuses on the establishment of an effective business continuity plan (BCP), which should not only ensure availability of services at all times and minimize risk, but should also address the risk of a DDoS attack.

Gone are the days when a BCP was little more than a disaster recovery plan. Nowadays it expands that function to include a process to identify foreseeable risks and threats, as well as to detect and mitigate logical disruptions, such as DDoS attacks.

The BCP should reflect the current risks facing the business and its ability to respond to emerging technological and cyberspace security threats. In addition, the BCP and infrastructure security should be tested periodically to ensure they remain effective over time, and employees should be trained on all procedures and controls.

Companies should develop, test and implement procedures for handling DDoS attacks, and put in place an organized incident response plan.

Any business aware of the potential for such attacks should proactively coordinate with its ISP to develop and implement detection and mitigation strategies. These would include the ability, in the case of an attack, to redirect traffic from internet-facing systems, and for rapid notification and channel redirection of customers and employees.

Talking to U.S. financial institutions, Orr was surprised at their unpreparedness. So she developed a BCP self-assessment checklist to help them conduct a high-level review of their readiness.

The checklist includes questions asking whether the organization has a BCP that covers prevention, detection, mitigation, and recovery of critical IT, as well as whether there are real-time attack detection strategies in place. Also addressed is whether there is a process for monitoring risks and threats, and whether there are mitigating controls for identified threats.
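The checklist's "real-time attack detection strategies" item is posed only as a question. As an added illustration that is not from the article or from the ReymannGroup white paper, the Python below applies two sliding-window thresholds to web-server access-log lines: one per source address, and one across all sources, because a distributed flood can stay under any per-source limit while still overwhelming the service. The log lines, the addresses (taken from the RFC 5737 documentation ranges) and the thresholds are all constructed for the example; production detection normally runs on flow data at the ISP or network edge rather than on application logs.

```python
"""Sliding-window flood detector over Common Log Format access lines.

Added example, not code from the article or the white paper. Sample traffic,
addresses and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


class FloodDetector:
    """Counts requests per source and in total over a trailing time window.

    An entry stays in the window while its age is <= window_seconds, so a
    10-second window spans eleven whole-second ticks. Each threshold fires
    once (first crossing) so a sustained flood does not spam alerts.
    """

    def __init__(self, window_seconds=10, per_source_limit=50, total_limit=300):
        self.window = timedelta(seconds=window_seconds)
        self.per_source_limit = per_source_limit
        self.total_limit = total_limit
        self.per_source = defaultdict(deque)
        self.total = deque()
        self.flagged_sources = set()
        self.total_flagged = False
        self.alerts = []  # (kind, source_ip_or_None, timestamp)

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, ip, ts):
        """Feed one request; lines must arrive in timestamp order."""
        dq = self.per_source[ip]
        dq.append(ts)
        self._trim(dq, ts)
        self.total.append(ts)
        self._trim(self.total, ts)
        if len(self.total) > self.total_limit and not self.total_flagged:
            self.total_flagged = True
            self.alerts.append(("aggregate", None, ts))
        if len(dq) > self.per_source_limit and ip not in self.flagged_sources:
            self.flagged_sources.add(ip)
            self.alerts.append(("source", ip, ts))


def run_detection(lines, **kwargs):
    """Run the detector over log lines and return the list of alerts raised."""
    det = FloodDetector(**kwargs)
    for line in lines:
        parsed = parse_line(line)
        if parsed:  # unparseable lines are skipped, not treated as traffic
            det.observe(*parsed)
    return det.alerts


def make_sample_log():
    """Constructed 30-second trace: background users, a 40-host flood that
    stays under the per-source limit, and one noisy host that does not."""
    base = datetime(2004, 9, 10, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path="/"):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for sec in range(30):
        t = base + timedelta(seconds=sec)
        for i in range(5):  # five ordinary users, one request each per second
            lines.append(fmt(f"198.51.100.{i + 1}", t, "/login"))
        if 10 <= sec < 25:  # distributed flood: 40 hosts, one request per second each
            for i in range(40):
                lines.append(fmt(f"203.0.113.{i + 1}", t))
        if 15 <= sec < 20:  # one aggressive host: 20 requests per second
            for _ in range(20):
                lines.append(fmt("192.0.2.9", t))
    return lines


if __name__ == "__main__":
    for kind, ip, ts in run_detection(make_sample_log()):
        print(f"{ts.isoformat()} {kind:9s} {ip or '<all sources>'}")
```

With the constructed trace the aggregate threshold fires first (at second 15, when the 40-host flood plus the noisy host push the window past 300 requests), and the per-source threshold fires for 192.0.2.9 alone two seconds later; none of the 40 flood hosts ever trips the per-source limit, which is the point of keeping both counters.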

Orr stresses that a business's ISP provides a vital first line of defense against DDoS attacks. She says ISPs such as MCI, AT&T, and Sprint have launched managed DDoS mitigation services to nip such attacks in the bud.

Paller at SANS agrees. He says a primary concern should be to choose an ISP wisely, by picking a provider that can respond quickly to DDoS attacks.

Second, a business should agree on procedures with its ISP for dealing with attacks, should they occur.

But finding a good ISP is not easy, says Paller. Those with savvy security staff as well as the technology to beat off attacks are few. "It is sophisticated work to stop these attacks and, say, route them into a black hole. It's not just flipping a switch."

Many companies that see their futures tied to e-commerce are not just relying on ISPs to fight the good fight.

At Continental Airlines, for example, e-commerce is ever more important. Online sales now account for nearly a third of ticket sales, up from less than ten percent just a couple of years ago.

Andrew Dana, the airline's senior IT manager, says the hope is that all tickets will soon be sold through its web portal. "It is absolutely critical that the service is up and running for customers to book their travel," he said.

Continental now offers online check-in, a huge boon considering the number of airport hassles now facing passengers.

To ensure that the portal isn't knocked out by a DDoS attack, the company has installed Radware's intrusion prevention technology to protect all online efforts, including its B2B supplier relationships.

Dana acknowledges that hackers do attack the airline on a regular basis, but he says they are more mischievous than malicious. But he is pessimistic that any safeguards a company might take can fully deal with the problem.

"Threat developments happen a lot quicker and more frequently than technology. Technology is always reactive," says Dana. "You can be proactive, you can prepare for it, but I don't think we are ever going to stop the determined criminal."
