IT security professionals have to worry about defending against ever-evolving cyber threats and, increasingly, the C-suite has to worry about following cybersecurity laws. The year 2018 will be marked by increasing regulations, and discussions about regulations, that are intended to protect cyberspace. In the US, the next wave of National Institute of Standards and Technology (NIST) guidelines could impact how Federal agencies safeguard the information contained in their systems and ensure that these systems operate securely and reliably. In addition, there is increasing talk among politicians and federal agencies about whether and how to require IoT device manufacturers to build more secure IoT devices, which would make it harder for hackers to harness those devices into botnets that are then used to launch distributed denial of service (DDoS) attacks.
The idea behind the proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is that if IoT manufacturers build in better security, then end-users won’t have as much responsibility to install updates and change default passwords. But if this bill ever gets passed by Congress, by the time that happens billions of new, unsecured IoT devices worldwide will already have been produced, and hackers will have harnessed millions of them into zombie botnet armies. The US government can influence or regulate only US manufacturers. It’s not a bad idea to mandate better-built IoT devices, because it will help reduce the number of vulnerable IoT devices. However, it won’t eliminate the problem of IoT botnets.
By far the most pressing regulation is already set in motion, and it will go into effect near the end of May 2018: Europe’s General Data Protection Regulation (GDPR). Organizations around the world that have European data in their systems are no doubt scrambling to make sure that they comply with this far-reaching set of regulations. For more on this topic see “Personal Data Security a Priority with New EU Regulations.”
Alongside the GDPR, many IT pros must be worrying about the implications of the European Union Network and Information Systems (NIS) Directive, which will also go into effect in May of this year. It could mean monetary fines for critical infrastructure organizations that experience service outages due to a cyberattack. And yes, you, dear reader, probably already know that volumetric DDoS attacks can lead to service outages.
In their efforts to prevent a data breach or a service outage, one of the proverbial boxes that IT security teams should be sure to check off is “DDoS protection.” Why? Simply because cyber criminals frequently use low-threshold, sub-saturating DDoS attacks as a way to take down a firewall and map a network’s vulnerabilities or install malware. In short, a DDoS attack is often the first step in the process of a security breach.
Compliance with regulations is important to stay out of legal trouble, but resilience is important to protect your data. The thing to remember is that cyber hackers don’t care if you are compliant according to the letter of the law; they will keep inventing new ways to hack into your systems. You can dot all your i’s and cross all the t’s when it comes to compliance, but if you fail to actually mitigate the risk of a security breach, you may have to face not only legal but also financial and operational headaches.