Some companies are unprepared for DDoS attacks
Some companies are unprepared for DDoS attacks

Just days after NatWest Bank suffered a debilitating DDoS attack, a new survey has revealed that most businesses are still unprepared for this kind of threat.

More than half the respondents to a survey by Corero lack adequate distributed denial-of-service (DDoS) defence technology. The study also reveals a lack of DDoS defence planning on multiple levels: nearly half of businesses have no formal DDoS response plan, 54 percent have outdated or non-existent network maps, and around one in three lack any clear idea of their normal network traffic volume.

Furthermore, the survey slates businesses for under-investing in their security infrastructures, with around 40 percent of respondents still relying on firewalls, while nearly 60 percent do not test their DDoS defences regularly with network and application-layer tests.

However, experts warn that DDos attacks are escalating and say that they can cause not only business disruption but also loss of IP, significant brand damage and a loss of customer confidence.

Mike Loginov, CEO and CISO at independent security consultancy Ascot Barclay Group, told SCMagazineUK.com that figures from his firm and others show sharply rising numbers of successful DDoS attacks, adding: “These attacks are not necessarily undertaken by the perpetrator with financial gain in mind. However, they still leave the targeted business suffering costly damage repairs, loss of business and an undermining of the organisation's capability to defend itself. Many attacks go unreported for fear of brand damage.”

Andrew Miller, CFO and COO at Corero, which carried out the latest survey, agreed the threat is growing but stressed that companies are still not doing enough to protect themselves.

“These denial-of-service-attacks (DDoS) are increasing and becoming more complex, but we're still not seeing companies increasing their vigilance, investment and planning,” he told SCMagazineUK.com.

“Across the board companies really need a combination of infrastructure investment, but more importantly putting in place plans to be able to detect what's traversing companies' networks.”

Loginov agreed: “Generally speaking, IT departments, as the report suggests, are just not geared up to defend organisations against what cyber security professionals these days consider rudimentary attacks."

Miller said companies need “hybrid DDoS and cloud protection” but added that currently only “a small percentage” of companies have these defences in place.

“What we're seeing the more proactive customers doing is deploying a combination of both on-premises technology to provide 24/7 protection from denial of service attacks, as well as cloud protection services to deal with the high-volume ‘fill the pipe' network-layer DDoS attacks – a combination of solutions rather than a single solution.”

These warnings come just days after NatWest Bank was hit by a DDoS attack that left customers unable to access their accounts online. The 6 December attack disrupted NatWest's website for about an hour and briefly hit the websites of the other banks in the RBS Group – RBS and Ulster Bank.

The attack was focused on disruption rather than accessing account details. But Miller said organisations need to “understand it's not just inconvenience, we're talking about some loss of IPR. In the case of RBS, it's obviously a significant issue from a brand and customer satisfaction perspective”.

Miller added: “Denial of service attacks are often used as a smokescreen, a way of initially gaining entry into IT systems through a brute force-type attack, then following on from that the more sophisticated attacks which are aimed either at stealing customer information or intellectual property. We're seeing banks in the US we're talking to subject to these types of attacks on a daily basis.”

In a statement to journalists, Jag Bains, CTO of DOSarrest Internet Security, said: "The transparency shown by RBS in admitting that they failed to invest properly in their IT systems is a common refrain amongst many enterprises, large and small. While each organisation may have multiple reasons for failing to invest, they all share the same notion that they won't be a target until they get attacked.

“With DDoS tools becoming more advanced and pervasive, all IT operations should work under the premise that they will be attacked and plan accordingly. Every stack and layer within their purview should be reviewed and they should identify cost-effective cloud solutions for their DDoS which provides much better performance and mitigation than expensive hardware.”

The DDoS attacks on RBS came in the same week as an unrelated major IT failure, which hit the Group's online and mobile banking, ATMs and debit card payments. As SCMagazineUK.com reported, RBS, NatWest and Ulster Bank customers were unable to use their cards to draw cash or pay for goods or services. RBS CEO Ross McEwan branded the outage as "unacceptable" and blamed decades of failure to invest adequately in new technology.