DDoS Attacks: A Checklist

The current attack on the DNS provider Dyn has once again shown that companies must expect ever greater threats. According to media reports, the latest attack was based on around 300,000 unsecured IoT (Internet of Things) devices as a botnet, via which a DDoS attack with a data volume of 1.2 terabits per second was generated.

This was the largest attack of its kind to date. Numerous websites were paralysed in the current attack on Dyn, for example Twitter, Spotify, Netflix and Amazon. Swiss customers were also affected when they were blocked from searching and resolving web addresses. How can customers now ensure that they have a defence strategy against DDoS attacks - or have a clear plan in place in the event that they fall victim to an attack?

The threats increase

There is no doubt that security threats are becoming ever more extensive and sophisticated. Unfortunately, it is becoming increasingly likely that Swiss companies will be the target of an attack. Security specialist F5 has summarized the five most important trends that companies should keep an eye on in the coming months so that they are sufficiently prepared.

1.) Locate any IoT hardware

IoT devices are currently on the rise - but security measures are not keeping pace. Vulnerabilities in smart networked devices make them easy prey for cybercriminals. They are hijacking more and more devices such as surveillance cameras, home routers and baby monitors and using them for their own purposes. With just a few clicks, they can generate massive DDoS attacks.

There needs to be a growing awareness in the enterprise of the vulnerabilities of any IoT devices, which offer many benefits but also provide another attack vector for cybercriminals.

2.) Basic Data Protection Regulation GDPR

Although the GDPR will not take effect until May 2018, it is likely to take most companies several years to implement, so they should address this issue now. With the threat of penalties, such as a fine of four percent of annual global revenue, they need to adapt their IT infrastructure quickly.

Parts of the GDPR, such as the right to be forgotten and data portability, can cause problems. After all, many companies don't even know exactly what customer data they store and where. The biggest challenge is determining how much data they are responsible for. But data breaches or claims by their customers can cause painful losses to company profits and damage customer relationships.

3.) Optimal cloud usage

Companies are increasingly migrating their infrastructure to the cloud. However, many security concerns remain unresolved. Do companies know how to work securely in the cloud and who holds the key to their data? Current technologies enable a secure transition to the cloud.

For example, cloud access security broker (CASB) solutions apply strict security policies across multiple cloud services. This gives IT teams control over who can access cloud services and ensures that corporate data is encrypted securely enough.

4.) App security

There is a wide range of mobile apps available today that allow users to access corporate data from a variety of devices in different locations. Any vulnerability in this network, such as a malware-infected mobile phone, can give cybercriminals access to the company. If they succeed in obtaining an employee's login data, they gain access to all data accessible to the employee.

Therefore, to better protect themselves, companies need to optimize security at the app level as well as place more emphasis on educating employees and not rely solely on the good old firewall approach.

5.) Identity and access control

Today, employees can access a variety of online portals - from financial services to expense reporting - with a single sign-on account. If an employee leaves the company, they can still access critical data using their credentials, unless their user accounts have been deactivated in time.

Therefore, it is imperative to use federated services technology that supports a single sign-on approach. Here, authentication takes place at the employer and employees are redirected to the cloud service when accessing the applications. This way, companies are in control of their employees' credentials and are better protected against fraud.

Further information is available at www.f5.com