Comment: preparing for DDoS in the legal sector
by Paul Vlissidis, technical director at NCC Group*
Distributed denial of service (DDoS) attacks are a growing concern for legal firms. Regularly orchestrated by a single person, these attacks infect computers around the world and use these compromised devices to attack a website. In the short term your site will be knocked offline, but it can also cause serious damage to back end systems.
One of the most destructive DDoS attacks in memory had a law firm as its victim. In 2010 ACS:Law* was knocked offline by hacker group 4chan. When the site eventually came back online an error caused an archive of internal emails and financial information to be available on the home page. The archive spread across the web like wildfire, causing the company serious damage.
When distributed denial of service (DDoS) attacks first started appearing in the late 1990s, the response from businesses was broadly similar to that of most new cyber threats. A shrug of the shoulders and an “it won’t happen to me” attitude.
Then, as they became more prevalent, companies began to take notice. Yet until relatively recently, products that could successfully defend against a DDoS attack weren’t available to many businesses. Businesses that did get hit had no option but to grin and bear it.
Vendors now offer a wide range of mitigation solutions that offer protection to companies that find themselves under siege. While their effectiveness can’t be guaranteed, they allow firms to be proactive and put together defence strategies, instead of simply waiting to be targeted.
The frequency of DDoS attacks is growing at a frightening rate, with one report claiming a 200 per cent annual increase.
A week rarely goes by without the media running a story about a high-profile victim of a successful DDoS attack. And as an online presence for legal firms has increased in importance, the threat has become more acute.
This increase in attacks and greater public awareness has moved DDoS onto all organisations’ risk dashboards.
But simply putting mitigation measures in place and hoping for the best isn’t enough.
It’s been suggested that defending against a DDoS attack can cost as much as £2.5 million. Although this may be an overestimation, businesses do need to be certain that their mitigation investment will pay dividends.
In other areas of cyber security, the cost effectiveness of this type of investment can be assessed. For instance a penetration test can measure how effective a network’s defences are and pinpoint vulnerabilities. But with a DDoS attack, how do you know that your investment is worthwhile, until it’s too late?
And there’s practical preparation to think about too. Do IT employees and service providers know what a DDoS attack will look like? Do they know the signs to look out for, and do they know their role during an attack scenario?
In the workplace, we all know what to do if there was ever a fire because of fire drills; we run over the steps we’d need to take so that, should the real thing happen, we are prepared.
And that is exactly the mindset that law firms should have when it comes to DDoS attacks, and why we’ve created a DDoS fire drill service.
Building on our DDoS Assured simulation service – which emulates a real attack through our own botnet in a secure, controlled manner – we can hit businesses with a controlled, low level DDoS attack and allow them to test their response processes.
While we control the attack, businesses can examine staff and supplier reaction and ensure realistic procedures are in place to manage not only the attack itself, but also discourse with the supply chain without having to wait until a real attack occurs.
For instance, working out whose responsibility it is to phone the necessary third parties and clients might seem like an inconsequential issue, but if employees don’t know their roles or have never had a chance to practise then it shouldn’t be assumed.
What about the mitigation solutions that aren’t fully automated? Whose role is it to man them, and do they know how? With the DDoS fire drill, everyone can learn exactly what part they’re expected to play.
When the fire alarm goes off, employees know exactly where to go - it should be the same once the tell-tale DDoS signs appear.
Being prepared and ready is paramount when it comes to any emergency, and cyber security is no different. It’s crucial that legal organisations aren’t caught out once a DDoS attack starts. But prepare and practise accordingly and it is possible to minimise the damage.
* NCC Group is a global information assurance firm, working with 15000 clients worldwide and over 90% of the FTSE 100. It delivers security testing, audit and compliance services, software escrow and verification, and website performance and software testing. www.nccgroup.com
* Here’s a link to the ACS:Law DDoS story www.techweekeurope.co.uk/news/file-sharing-law-firm-exposes-personal-data-10071