High-profile, and often brazen, DDoS attacks against government and private organisations in the Middle East have made regular headlines over the last two years. Civil unrest in the region has given rise to organised cyber crime and an escalation in cyber attacks. The motivations and primary drivers of attack continue to evolve: attackers today are motivated by hacktivism and ideology, using a site takedown as an electronic means of making a statement or taking a stance. With these factors providing motivation, it is difficult, if not impossible, to predict which organisation will be targeted next. Unfortunately, it is no longer what a company does that could make it a victim of attack.
And yet, despite this evident evolution on the part of hackers, those that are under attack are not nearly as prepared for cyber-attacks as they could or should be. The eighth annual Worldwide Infrastructure Security Report by Arbor highlights this very point: just over half (51%) of network operators surveyed don’t regularly perform preparedness drills for cyber-attacks. In a region where the rise in cyber crime has been a constantly growing concern, organisations in the Middle East remain shockingly ill-prepared.
Arbor Networks’ tracking of DDoS activity in the Middle East through 2013 has revealed that the average size of attacks in the region is 2.376Gbps and the average duration of an attack exceeds an hour and ten minutes (Source: Arbor Networks ATLAS data). In today’s hyper-connected world, vital services such as e-banking and government e-services, as well as mission-critical production systems, are all prime targets for attackers.
Organisations need to protect themselves against DDoS if they hope to keep business on track. Paying this problem its due attention will require wrapping DDoS mitigation strategies into overall business continuity and risk management plans. For many CIOs and IT managers, this will require a change in how they traditionally approach these exercises. Yet, the evolution in the region’s threat landscape has become the driving force for more enterprises to formalize IT security, placing it firmly within the context of enterprise risk management and business continuity planning.
Current financial realities require that companies incorporate IT security into their operational and financial planning to control escalating costs. At the same time, they must provide adequate resources to address their financial, regulatory and reputation-driven security priorities and incorporate all pertinent risk factors into their organizational security model. The abstract nature of risk management and business continuity planning can often make these processes daunting to planners and IT security professionals alike. In most cases, business continuity plans include detailed policies and procedures for keeping operations running in the wake of natural disasters such as fire, floods and earthquakes. But rarely do they incorporate contingencies for IT security incidents. This is a major oversight!
Actionable security practices are critical to business continuity planning, yet many business continuity plans do not include this element. Security incidents often have a negative impact on business operations, resulting in significant operational expenditure, lost revenues, customer satisfaction challenges and an erosion in brand reputation. Availability protection is the most important IT security practice to implement. It is also the most quantifiable and actionable. It is relatively easy to calculate the cost of downtime for e-commerce sites, customer support applications, content delivery systems and even brick-and-mortar online reference sites. Much of this information may already be available from high-availability studies, often siloed, carried out as part of existing business continuity planning efforts.
The threat to availability represented by DDoS attacks cannot be overstated. No business continuity plan is complete without taking into account the need to maintain the availability of critical online properties, even in the face of a concerted attack. Companies can successfully detect, classify and mitigate DDoS attacks with appropriate operational best practices and dedicated anti-DDoS solutions. Given the threat landscape in the Middle East today, network operators simply cannot afford to disregard DDoS attacks as part of their business continuity and risk management planning. The risk is too severe.
Author: Mahmoud Samy, Area Head, Middle East, Pakistan and Afghanistan at Arbor Networks