DDoS Ammunition: Are you protected?

Saar here, resident engineer at Myriad Supply. Today I’ll be discussing DDoS ammunition.

The FFIEC gives “recommendations” to banking institutions. These are non-binding, and there is no law per se that says you must have DDoS protection. However, if someone suffers financial damages because of a DDoS attack on a bank, that person can hire an attorney who can argue that the bank failed to exercise due diligence in spite of government recommendations, and a reasonable judge may well find the bank at fault and order it to pay. Add a class action, and you’re looking at a pretty hefty sum. In this article, for example, http://www.scmagazine.com/banks-file-class-action-against-target-and-trustwave-over-massive-breach/article/339760/, banks are suing Target for failing to have decent security, which cost them millions replacing stolen payment cards.

The FFIEC has recommended that banks adopt active DDoS protection measures because of the large number of attacks. (If you’d like a copy of the 2014 annual DDoS attacks and impact report, email sales@myriadsupply.com so you can see the data on attacks and the market.)

According to that report, 50% of the companies surveyed currently do not have a DDoS solution and rely on the wrong tools.

DDoS protection is expensive. However, not being protected is more expensive. The study states that the majority of the impact lands on customer support: you can’t access your Bank of America account, so you call support, and support personnel cost money, on top of the damage to brand and customer confidence. And if you can’t access your Target account, you’ll just open a new tab and shop on Amazon. The cost of a DDoS attack can be estimated as a monetary figure:

For example, M5 ShoreTel Sky is a cloud company. Their clients must have the cloud available in order to use their phones. If you DDoS ShoreTel for two days, I estimate 10% of their clients will switch to another cloud provider. ShoreTel Sky’s hosted business has revenue of $12,000,000, so 2.1 million dollars would go down the drain! That money would have bought them a lot of DDoS protection.

And for a summary of the FFIEC recommendation (you’re welcome):

The FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), has issued the attached statement to notify institutions of the risks associated with the continued distributed denial of service (DDoS) attacks on public-facing Web sites and the steps institutions are expected to take to address the risks posed by such attacks.

Statement of Applicability to Institutions with Less than $1 Billion in Total Assets: This Financial Institution Letter (FIL) applies to all FDIC-supervised institutions.

Highlights:

  • DDoS attacks are continuing against financial institutions’ public-facing Web sites.
  • Financial institutions that experience DDoS attacks may face a variety of risks, including operational and reputation risks.
  • DDoS attacks may be a diversionary tactic by criminals attempting to commit fraud.
  • Financial institutions are expected to address DDoS readiness as part of their ongoing business continuity and disaster recovery plans and to take certain specific steps, as appropriate, to detect and mitigate such attacks.
  • The attached statement includes references to guidance and publications to assist institutions in mitigating the risks from DDoS attacks.

Suggested Distribution:

  • FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:

  • Chief Executive Officer
  • Chief Information Security Officer

Attachment:

“How can Myriad help my company prevent a DDoS attack?” you ask? Well, it’s your lucky day, because I can answer that for you! Email sales@myriadsupply.com to talk to our team about:

That’s all for today! Until next time!

Saar Harel is a resident engineer at Myriad Supply and has been in the networking field for over 20 years. You can check out his Google+ and ask him questions!