2013 will go down in IT security history as the year when a large number of high-profile organisations were very publicly hacked. In parallel with this, the integrity of tens of millions of debit and credit card holders' accounts around the world was put at risk because of these breaches.
It was with this in mind that we caught up with Professor John Walker, a Visiting Professor with the Nottingham-Trent University Faculty of Engineering as well as an IT security veteran consultant whose experience dates back to the early 1990s, for his appraisal of the year just gone, and where he sees the main attack vectors coming from in 2014.
Walker said that one of the key issues he has seen CSOs and CISOs express their concern about is the problem of DDoS attacks - which he predicts will only get worse in 2014, owing to the lack of defensive systems that most organisations have in place to guard against this type of attack.
The problem with denial of service attacks, he said, is not so much that people are not able to visit the company's web site or conduct business - bad though this issue is in revenue terms - but that brand reputation is damaged in the longer run.
"I have heard of instances where a company has been subjected to a DDoS attack and then been approached by the criminals with a request for money in return for details of how they accomplished their attack - and how to remediate against it," he said, adding that the sums of money involved - £20,000 or so - are often paid up in return for this type of information.
Paying an information ransom, he explained, not only sets a bad precedent in the industry, but - just like the Somali pirates who kidnap the crews of seafaring vessels - the success of an attack means that the criminals behind it will likely go on to commit a similar fraud in the near future.
But even then, Walker said that there remains a strong risk that the cybercriminals will not pass all the information relating to their attack on to the company concerned, and will be back later on for more.
Because of this, Walker, who is also CTO of IT security consultancy Integral Security Xssurance, predicts that DDoS attacks are going to get a lot worse as 2014 progresses, as companies have proven themselves to be soft targets in this respect.
The solution to the DDoS problem, he told SCMagazineUK.com, is a lot more than simply installing the required remediation technology, or subscribing to a cloud-based service. He added that this is because the nature of the problem usually goes beyond the IT department of an organisation, with managers from multiple aspects of a business, such as Human Resources and the legal department often getting involved.
"And since they see the issue solely from their perspective, they cannot hope to develop an effective strategy to deal with this security problem," he said, for the simple reason they cannot get their head around the complete nature of the issue.
Walker added that, ideally, the government needs to get involved. After all, it should be clear to any onlooker that DDoS has become a weapon, used by the military in the recent Iraq war. As just one example, Walker himself has heard anecdotal tales of DDoS attacks being used to take down a radar system operated by the enemy.
And then, of course, he noted, we have Stuxnet, which has been a game changer in security terms, since it shows what taking an offensive cyber security approach against a given target can do.
"My own view is that we've only begun to scratch the surface with Stuxnet - and there will be other government sponsored malware of this type popping up in the future," he said, adding that because Stuxnet was so obviously government-sponsored, organisations may have to rethink their security strategy from the ground upwards if they are to begin to hope to counter the issue.