DDOS attacks are the responsibility of business

By Mariette du Plessis, Events Programme Director
Johannesburg, 27 Jan 2006

Distributed denial of service (DDOS) attacks, the weapon of choice for hackers, political "hacktivists", cyber-extortionists and international cyber-terrorists, are threatening Internet availability and the viability of online business.

Yet Internet service providers (ISPs), it seems, have no accountability or de facto responsibility to their business customers to protect them from denial of service and other network-based attacks.

ITWeb Security Summit 2006

Gary Middleton will participate as a panellist in the ITWeb Security Summit 2006, to be held at the Forum in Bryanston, on 8 and 9 March 2006. The keynote speaker at this event will be Kevin Mitnick, a former hacker who now consults to companies regarding the threats they face.

More information about the conference and delegate bookings are available online at www.itweb.co.za/securitysummit or by contacting Denise Breytenbach at (011) 807-3294 or denise@itweb.co.za.

The board of the organisation delivering the service has overall accountability, with its IT organisation responsible for the company's overall security strategy and programme, according to Gary Middleton, manager of DiData's security practice.

"It's about managing and mitigating the business risk," says Middleton. "If a Web site is attacked, the company providing the online service will suffer the loss. ISPs are definitely not accountable and it is not an ISP's responsibility to mitigate this risk on behalf of its customers."

He adds, though, that while accountability will always rest with business, responsibility can be deferred to an ISP through strong SLAs. The person who is accountable to the board, such as the CIO/CSO, will then be expected to manage these SLAs.

DDOS attacks, however, are among the most difficult to protect against. These are designed to elude detection by today's most popular tools, since they look like legitimate network traffic. Responding appropriately and effectively also poses a tremendous challenge for all Internet-dependent organisations.

Instead of gaining access to steal information, which is often more easily achieved using simple trickery (such as phishing) rather than technical network penetration techniques, denial of service attacks paralyse networks by flooding them with bogus traffic.

Given the cunning nature of DDOS attacks and the fact that many IT managers still lack the knowledge to effectively deal with these threats, one could assume that ISPs would provide at least a "certain level of security" against them - whether their customers ask for it or not.

"Not really," counters Middleton. "An ISP's business is to provide connectivity to the Internet. Anything else is considered additional services that customers should request and pay for."

Exactly how companies can ensure these "weapons of mass disruption", as Cisco refers to them, do not compromise business, is not a straightforward matter either.

"Successful security policies do not end with simply installing firewalls, anti-virus, intrusion detection and incident response systems," says Middleton. "Reactive measures, such as log file analysis and access control are layered on top of these systems and need to be properly configured. This task usually requires expert assistance, even though graphical user interfaces for such tools are improving."

Still, these tools only defend against certain disruptive attacks. While important components of an overall security strategy, network devices and traditional perimeter security technology, such as firewalls and intrusion detection systems, do not provide comprehensive DDOS protection by themselves.

For the best defence against the DDOS onslaught, for both ISPs and their business customers, Middleton recommends a purpose-built architecture. "One that includes the ability to specifically detect and defeat increasingly sophisticated, complex and deceptive attacks."

This, he adds, is where security management plays a role. "There's no clear strategic view to what is happening overall. Thus managing statistics on incidents and uptime, costs of security programmes, policy performance and adjustment - all of these are critical to managing a company's overall security posture," he concludes.