Have you read the 2014 Verizon Data Breach Investigations Report (DBIR) yet—all 60 pages of it?
Actually, if you’re pressed for time, you don’t need to read the whole report cover to cover. This year, Verizon made it easy on security practitioners by segmenting the report into 9 major incident patterns. So, you don’t need to read the sections on the incidents that aren’t likely to happen to your organization. For instance, if your company doesn't operate any point-of-sale (POS) devices, feel free to skip the sections on POS intrusions and card skimmers. Focus your time instead on the types of threats that pose a real risk to your organization. The 2014 Verizon DBIR covers the following incident types:
- POS Intrusions
- Web App Attacks
- Insider Misuse
- Physical Theft/Loss
- Miscellaneous Errors
- Crimeware
- Card Skimmers
- Cyber Espionage
- Denial of Service (DoS) Attacks
Another change that makes this year’s report more valuable is that the authors have included recommended controls that companies should implement to address a specific kind of threat vector. Additionally, they have mapped the SANS Institute’s Critical Security Controls to incident patterns. Now there’s no reason to say “we didn't know what to do to mitigate the threat.”
For the first time, Verizon is including DoS attacks as a threat type in its report. This is unusual because the Verizon DBIR is focused on confirmed data breaches and their underlying causes, as opposed to security threats that cause disruption but no actual data loss. However, the authors say they decided to include analysis of DoS attacks because “these attacks are top of mind for many organizations,” especially after the spate of attacks against financial institutions in 2012 and 2013.
This report includes analysis of 1,187 total DoS incidents—none of which had confirmed data disclosure associated with them. Verizon collected quite a bit of data on the topic of DoS incidents, including from partner organizations that contributed to this year’s DBIR.
This report really doesn’t contain any new information about the DoS attacks of 2012 and 2013 that hasn’t already been extensively reported elsewhere. It does outline the shift in attack sources from botnets of home computers to compromised servers with high-bandwidth pipes, and it confirms that both attack bandwidth and packet rates increased steadily from 2011 through 2013. But we knew that already.
As with the other threat vectors, Verizon has provided a list of recommended controls to lessen or prevent DoS attacks against your organization. I’ll provide a summary here, but you can read the complete set of recommendations on page 45 of the 2014 Verizon DBIR.
- Isolate key assets – Segregate key IP addresses/servers from non-essential IP space, so that a DoS attack aimed at (or mitigation applied to) the non-essential space does not take your primary facilities/servers down with it.
- Get comfortable with your anti-DDoS solution – Whether you contract for a service or have an in-house solution, test it regularly so you are comfortable in its capabilities.
- Have a plan in place – Know what you will do if an attack on your network begins. Make sure that people understand their roles and responsibilities and they are prepared to handle them.
- Ask about capacity – Ask your anti-DDoS provider about its upstream peering capacity to be sure your good traffic won’t get dropped along with the bad traffic.
The Critical Security Controls that Verizon maps to the DoS pattern are:
- Incident Response Control 18.1: Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.
- Incident Response Control 18.2: Assign job titles and duties for handling computer and network incidents to specific individuals.
- Incident Response Control 18.3: Define management personnel who will support the incident handling process by acting in key decision-making roles.
- Network Segmentation Control 19.4: Segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses.
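The two segmentation items above (“isolate key assets” and Control 19.4) are easy to state and easy to drift away from over time. The following script, which is an added example and not code from the DBIR or from Verizon, checks an address inventory against the announced prefixes and reports any prefix that holds both critical and non-essential hosts, since an upstream blackhole or rate limit on that prefix during an attack would hit both. The inventory, host names and prefixes are constructed for illustration.

```python
import ipaddress

# Constructed inventory (an assumption for this example, not data from the DBIR).
# Documentation ranges (RFC 5737) are used so nothing here is a real host.
CRITICAL = {
    "api": "203.0.113.10",
    "payments": "203.0.113.12",
}
NON_ESSENTIAL = {
    "dev-wiki": "203.0.113.200",
    "staging": "198.51.100.5",
    "legacy-ftp": "192.0.2.9",  # deliberately outside every announced prefix
}
ANNOUNCED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]


def coverage(prefixes, critical, non_essential):
    """Map each announced prefix to the critical and non-essential hosts inside it.

    Returns (table, orphans): table is {prefix: {"critical": [...], "non_essential": [...]}}
    and orphans lists hosts that fall in no announced prefix, which are reported rather
    than silently ignored because they would be neither reachable nor covered by any
    mitigation you buy for the announced space.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    table = {str(n): {"critical": [], "non_essential": []} for n in nets}
    orphans = []
    for cls, hosts in (("critical", critical), ("non_essential", non_essential)):
        for name, addr in sorted(hosts.items()):
            ip = ipaddress.ip_address(addr)
            hits = [n for n in nets if ip in n]
            if not hits:
                orphans.append(name)
                continue
            best = max(hits, key=lambda n: n.prefixlen)  # longest-prefix match, as a router would
            table[str(best)][cls].append(name)
    return table, orphans


def mixed_prefixes(table):
    """Prefixes that violate the isolation control: both classes share the same block."""
    return sorted(p for p, c in table.items() if c["critical"] and c["non_essential"])


def smallest_critical_block(critical_addrs, non_essential_addrs):
    """Smallest block covering every critical address and no non-essential one.

    Such a block is a candidate to announce separately or route through the scrubbing
    provider on its own. Returns None when the two classes are interleaved so tightly
    that no such block exists, i.e. the hosts must be renumbered, not just re-announced.
    """
    crit = [ipaddress.ip_address(a) for a in critical_addrs]
    non = [ipaddress.ip_address(a) for a in non_essential_addrs]
    net = ipaddress.ip_network(critical_addrs[0])  # start from a /32 and widen
    while not all(ip in net for ip in crit):
        net = net.supernet()
    if any(ip in net for ip in non):
        return None
    return str(net)


def report(prefixes=ANNOUNCED_PREFIXES, critical=CRITICAL, non_essential=NON_ESSENTIAL):
    """Human-readable findings; returns the list of mixed prefixes for callers."""
    table, orphans = coverage(prefixes, critical, non_essential)
    mixed = mixed_prefixes(table)
    for p in mixed:
        crit = [critical[n] for n in table[p]["critical"]]
        non = [non_essential[n] for n in table[p]["non_essential"]]
        block = smallest_critical_block(crit, non)
        fix = f"announce {block} separately" if block else "renumber; classes are interleaved"
        print(f"MIXED {p}: critical={table[p]['critical']} non_essential={table[p]['non_essential']} -> {fix}")
    for name in orphans:
        print(f"ORPHAN {name}: not inside any announced prefix")
    return mixed


if __name__ == "__main__":
    report()
```

Run it as-is to see the constructed inventory flagged: 203.0.113.0/24 mixes both classes, and the critical hosts fit in 203.0.113.8/29, which could be announced or scrubbed on its own. Swap a non-essential host to 203.0.113.11 and the script tells you that no clean block exists and renumbering is required, which is the case the list items above gloss over.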
According to Verizon, the industries most affected by DoS attacks in the past have been Finance, Retail, Professional, Information and Public. I’d certainly add Gaming to that list as well. Then again, those categories are pretty broad and could include just about any type of business, which is why you need to be prepared and have your anti-DoS plan and defenses in place.