Free2Secure (http://free2secure.com) – Online Security for Solopreneurs, Independent Business Owners, Artists, and Authors
Feed generated Wed, 29 Jul 2015 21:08:32 +0000

How your ISP enables hacks against your business
http://free2secure.com/clean-traffic/ – Mon, 29 Jun 2015 08:00:47 +0000

How your ISP enables attacks against your online business and what you can do about it – image via Flickr

Telcos and ISPs don’t really care (much) about denial of service attacks against you.

Their motivation is simple: Sell you as much bandwidth as possible. The more you buy, the more they get paid.

Not good bits and bytes. Just raw bandwidth.

The more you buy, the more they (your telco or ISP) get paid.

If your data pipes are filled with junk, your bandwidth provider will happily sell you more.

Your bandwidth provider does care about denial of service attacks against you in two cases:

  1. If the attack is so bad that they themselves are experiencing a denial of service attack.
  2. If the attack affects some of their other customers enough so that those customers complain.

At which point they are either going to try to sell you a higher level of service (case 2) or suggest that you find a new ISP or telco really fast (case 1).

What should an ISP or telco provide?

Should ISPs and telcos be expected to totally stop denial of service attacks?

Absolutely not.

Unless you are paying a pretty penny for a very high reliability service.

On the other hand, ISPs and telcos should provide a basic level of reliability and a “clean connection” to the rest of the Internet:

  • Specify which ports and services will be routed to your server
  • Specify which ports and services will not be routed to your server
  • Specify which IP addresses will be routed to your server
  • Specify which IP addresses will not be routed to your server
  • Specify which IP addresses can be routed to specific ports and services
  • Specify which IP addresses will not be routed to specific ports and services
  • Throttle / limit ports, services, and IP addresses
  • Be able to securely make changes to these connection settings at a reasonable pace
  • Ideally, ports, services, and IP addresses would be closed unless explicitly requested by you.

There are a lot of denial of service attacks that take advantage of misconfigured services on the Internet, as well as of services that you do not require. ICMP echo (ping), for example, is a service that you may not need on your server, so ping-flood traffic shouldn’t get to your server at all. Another bad distributed denial of service attack abuses the DNS protocol and uses forged source IP addresses to saturate the target. Again, if your server does not offer this service, you shouldn’t see the traffic.

Another area that you can limit is your global visibility. You may have no interest in people visiting from certain countries. If you don’t speak the language, can’t or won’t accept their currency, why bother communicating with them? Yes, you may miss some opportunities, but you may also avoid a lot of problems.

This would also help with regular data breach attacks. After all, if you do not routinely have the remote terminal protocol telnet enabled, attempted connections with this service should flat out be prohibited. If you need the service running for a special purpose (such as server maintenance), the service could be only enabled for the requested period of time for your specific IP address.
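To make the “clean connection” concrete, here is an added example (not code from Free2Secure or any ISP’s tooling) that models such a policy as a default-deny filter: explicit allows by port, protocol and source range, a blocked address range, a per-source rate limit, and a time-boxed maintenance exception for telnet from one admin address. Every address, port and number below is a constructed assumption, and the traffic is a constructed sample covering the cases the post discusses.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    t: float               # seconds into a constructed timeline
    src: str               # source IP address
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # destination port (None for icmp)


@dataclass
class Allow:
    """One 'please route this to my server' entry; everything else stays closed."""
    proto: str
    dport: Optional[int]
    src: str = "0.0.0.0/0"            # which addresses may reach the service
    not_before: float = 0.0           # optional maintenance window (seconds)
    not_after: float = float("inf")

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.dport == self.dport
                and ip_address(p.src) in ip_network(self.src)
                and self.not_before <= p.t <= self.not_after)


class CleanConnectionPolicy:
    def __init__(self, allows, denies=(), rate_limit_per_sec=50):
        self.allows = list(allows)
        self.denies = [ip_network(d) for d in denies]   # ranges never routed
        self.rate = rate_limit_per_sec
        self._buckets = defaultdict(int)                 # (src, second) -> packets

    def decide(self, p: Packet) -> str:
        """Return 'drop', 'allow' or 'throttle' for one packet."""
        if any(ip_address(p.src) in d for d in self.denies):
            return "drop"
        if not any(a.matches(p) for a in self.allows):
            return "drop"                # closed unless explicitly requested
        key = (p.src, int(p.t))
        self._buckets[key] += 1
        return "allow" if self._buckets[key] <= self.rate else "throttle"


def build_policy():
    """The settings a small web shop might request from its ISP (constructed)."""
    return CleanConnectionPolicy(
        allows=[
            Allow("tcp", 443),                       # HTTPS from anywhere
            Allow("tcp", 80),                        # HTTP from anywhere
            # telnet only from the admin's address, only for a requested hour
            Allow("tcp", 23, src="198.51.100.7/32", not_before=3600, not_after=7200),
        ],
        denies=["203.0.113.0/24"],                   # a range the owner chose not to serve
        rate_limit_per_sec=50,
    )


def demo_traffic():
    """Constructed packets covering the cases discussed in the post."""
    pkts = [
        Packet(10, "192.0.2.10", "tcp", 443),        # ordinary visitor
        Packet(11, "192.0.2.11", "tcp", 80),
        Packet(12, "192.0.2.12", "icmp", None),      # ping: service not offered
        Packet(13, "192.0.2.13", "udp", 53),         # DNS reflection traffic: not offered
        Packet(14, "192.0.2.14", "tcp", 23),         # telnet from a stranger
        Packet(3700, "198.51.100.7", "tcp", 23),     # telnet from admin, inside window
        Packet(9000, "198.51.100.7", "tcp", 23),     # telnet from admin, window closed
        Packet(15, "203.0.113.5", "tcp", 443),       # blocked range, even for HTTPS
    ]
    # one source sending 200 HTTPS requests inside the same second
    pkts += [Packet(20 + i / 1000, "192.0.2.99", "tcp", 443) for i in range(200)]
    return pkts


def summarize(policy, packets):
    """Count decisions; with build_policy() and demo_traffic(): 53 allow, 5 drop, 150 throttle."""
    counts = defaultdict(int)
    for p in packets:
        counts[policy.decide(p)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(build_policy(), demo_traffic()))
```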

How do we get there?

It would be great to see industry best practices move in this direction. The same administrative tools that you use to configure your online hosting account or server at an ISP or network connections provisioned by a telco could be expanded to support these features.

Customers do care, but our longstanding habits of how we buy Internet services are getting in the way of how we should expect our online services to work.

We should have an expectation of a basic level of security.

One could see a “good housekeeping” kind of certification by independent groups to spur industry action. People who rate ISPs and telcos should include these factors in their reviews.

Legal and legislative action is also possible, if a bit imprecise. A class action suit by web hosting account holders could result in industry change. Courts are slowly recognizing the damage done by online attacks and outages.

On an individual basis, you can carefully review your contracts with your bandwidth service providers and get a better understanding of their capabilities. You should be able to push some of these security services onto them, particularly in areas that you flat out don’t require and never expect to (perhaps blocking UDP if you are never going to stream audio or video from or to your site).

The cost of adding some of these services to your online site may pale in comparison to the impact of a denial of service attack or data breach or purchasing an enhanced “security solution” from a third party or higher-end ISP or telco.

Next Steps

Can you transfer any of your security needs onto your ISP, telco, or other service provider effectively today?

Are there any easy “belt and suspenders” ways you can strengthen your security?

Have you reviewed your contracts with your ISP, telco, or other service providers to identify any business risks, security risks, or opportunities?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post How your ISP enables hacks against your business appeared first on Free2Secure.

ROBS – Protecting your business from Denial of Service with Resilience
http://free2secure.com/robs/ – Wed, 24 Jun 2015 08:57:22 +0000

Denial of Service Planning – Making your business resilient online – image via Flickr

You’ve heard about denial of service attacks and distributed denial of service attacks. You may have been hit by one. You’ve decided to do something about it.

You want to protect your business, but you don’t want to break the bank.

Maybe you should do something, maybe you should just ride it out.

Does it matter?

You need a plan.

You need a Resilient Online Business Strategy (ROBS).

Dead Air

In television and radio, there is nothing worse than dead air – silence and no picture is deadly.

If there is dead air, a listener or viewer won’t wait long.

And they may never come back.

That is the essential fear of any business, but it isn’t that simple for many companies. If your online site is simply a business card for your offline work, you may hardly notice an outage if it is less than a day. Heck, you may find out your site is down when someone calls you and tells you you’re out.

If you are a celebrity gossip site, being down for even a minute will cost you page views, advertising revenue, sponsorships, and affiliate click-throughs.

… and everything and anything in between.

It all gets down to time.

Outage or Attack, does it matter?

Some people get really concerned about who caused your site to go down. Or why. Or how.

Does it matter?

Of course, the two most likely causes of outages at your site are you and your ISP.

Not a denial of service attack.

But it doesn’t matter. It doesn’t matter if it was a simple denial of service attack or a distributed denial of service attack. It doesn’t matter if it is a criminal hacker or a disgruntled spouse or employee or simply a bad hard drive.

What matters is that your online business isn’t online.

Or at least part of it is out.

To minimize the impact of the outage, you’ve got to understand the impact to you and your visitors.

Start with a Resilient Online Business Strategy

It is tempting to dive into the details of denial of service attacks and the motivations of the attackers.

This is a technical and tactical view. It is interesting, it may even be important, but you will win big by having a good strategy to handle denial of service attacks in general. You need to make your online business resilient.

If you have a strong strategic plan for making your business resilient in the face of denial of service attacks, you are less vulnerable to the tit-for-tat battle between hackers and security analysts.

A good strategy means you shouldn’t have to constantly keep up with every single new attack and attack variant, but can keep running comfortably regardless.

A common thread throughout this series on denial of service attacks and countermeasures is that your online business isn’t just a web site or server. I’ve used the term “denial of site” to try to get at the idea, but even that doesn’t capture the scope of all but the simplest online businesses.

This can work in your favor when you are under attack.

Because, even if you are under attack, what matters is what your customers experience.

First, I’ll discuss denial of service from your customers’ perspective, then I’ll go through the steps to develop your resilient online business plan.

Denial of Service and your customer’s experience

While we often talk about the technical and financial costs of mitigating a denial of service attack, at the end of the day, it is the business impact that matters most. And this business impact is what should drive your planning:

  • What customers won’t you acquire?
  • What customers will you lose?
  • What paying transactions won’t occur?

I use the word “customer”, but each stage of an online business really maps to a distinct customer relationship:

Visitors – individuals who come to your web site via organic search, ads, or referral links of some sort, but have no relationship with you. These are your most fragile relationships, the ones you are most likely to lose forever if your site is down when they come to visit.

Users – individuals who value your site, but have no formal relationship with you (they’ve not set up an account or given you an email or other information). Because they are familiar with you and value what you offer, they may divert to your other services or sites when one is down if they are sufficiently motivated.

Prospects – individuals who have registered at your site and have given you an email address at a minimum.

Purchasers – individuals who have made a purchase from you, but have not yet established a strong relationship with your business. (This is an important distinction highlighted by Bryony Thomas in her excellent book Watertight Marketing.) Their relationship with your business is particularly fragile given the lack of proven support by your business.

Customers – individuals who have an established, paying relationship with your business.

Each of these categories of customers is going to respond differently to a denial of service attack, and you have different opportunities with each to continue to serve them while your site is out.

Do you have a Plan “B”? What is your Denial of Service Response Plan?

What is your “Plan B”? – two trains intentionally colliding in 1896, image via Wikimedia

Whatever you do to make your business resilient against denial of service and other outages, you need a denial of service response plan (further details in an upcoming post).

Most technical measures to fight denial of service rely on getting your site available to your customers quickly. Depending on the attack scenario, this may not be possible, fast, or affordable.

It may also not be necessary.

If you look at the customer categories above, the only one that is truly dependent on your site being “there” are the visitors. If your online business primarily caters to visitors, you know where your problem is.

Passive Diversion

However, once you have even the most minimal customer relationship, a basic site user, you have alternatives.

If you’ve applied the split site strategy or even have a Facebook page or YouTube channel (see my discussion on superscaling your business and the levels of denial of service defense), your users will likely redirect themselves to other parts of your business. Human interest and curiosity can help you without any further action on your part.

To implement this part of your plan, you should pepper your core site with references to your other sites and affiliated services that you use.

(It’s nice when your overall business strategy helps with security)

Active Diversion

Traditional denial of service defense strategies actively protect your site to keep it operating acceptably (great if it works). You can also take other active measures to direct your existing prospects, purchasers, and customers to your alternate, available service options. A simple email can steer any customers who have an active relationship with you where you need them to go while the denial of service attack is happening. You can also reach out to your users via social media which may have some positive collateral effects on your business as Oscar Wilde noted “There is only one thing in the world worse than being talked about, and that is not being talked about.”… though I suspect he probably didn’t always agree with his own quote.

These communications can even create a positive news story around your business.

Enhanced Protection and Recovery

If you’ve developed a thorough Resilient Online Business Strategy, you may decide that you are not going to spend many resources for enhanced, ongoing protection against denial of service attacks.

It may be just too much money.

With your plan, however, you may choose to “turn on” enhanced protection before an attack, during an attack, or permanently once you’ve been hit.

Is time on your side?

Outages can be short, intermittent, or extended. There have been denial of service attacks that have lasted just a couple of hours and others that have persisted for more than a month.

Short term attacks are really no different than the outages we are all, unfortunately, familiar with. For your users, this is just part of the Internet and so the consequences for you may be minimal (except, potentially, losing some visitors).

The longer the attack persists, the greater the consequences for you.

The trick, of course, is that  you don’t know how long the attack or outage will persist while it is ongoing.

Your strategic responses will likely escalate the longer the outage persists.

The questions you have to answer for your business related to time are:

  • Urgency – how urgent is the service that you provide to your customers in each part of your business? If you are providing stock trading for customers or serving ads to visitors, your business interactions are much more urgent than those of an information resource site like free2secure.com.
  • Uniqueness – are customers going to go elsewhere or wait for your site to come back?
  • Scope – what portion of your business is a specific outage going to affect? Which portion of your customers?

At their core, denial of service attacks all revolve around time. How long your business is down determines the significance of the outage.

Assessing your online business sites and services

“Fasten your seat belts. It’s going to be a bumpy night” – Bette Davis (1974 Jim Beam advertisement, image via Wikimedia)

Almost every business that is online today is much more than a web site. There is email (incoming and outgoing), multiple social media sites, audio and video hosted at multiple locations, cloud services, not to mention payment processors, customer relationship management systems, eCommerce storefronts, Internet infrastructure like DNS, and your administrative connection to your web host, and more.

The Internet has become so integral to both customer facing services and back office operations over time that we don’t even remember what all the pieces are or how they are wired together and dependent on each other.

Today is the day to step back and lay it all out.

“Fasten your seatbelts. It’s going to be a bumpy night.” – Bette Davis

Draw a picture. Make a list. For each site and service that you own, operate, use, connect with, answer the following questions:

  • How many customers in each category do you have at this site or service?
  • How many customers in each category are solely associated with this site or service?
  • How much money do you make per week on this site or service (per customer category)?
  • How much money does this site/service cost per week?
  • How many new customers move up each step of your sales funnel / value chain per week?
  • Is this a free or paid service?
  • Is there meaningful customer support?
  • Is there an alternative site or service available?
  • Is there an alternative site or service that you have an existing relationship with?
  • For each relevant customer category, how long before an outage at this site will affect your business with this site?
  • What other sites or services that you use depend on this site or service?
  • Do you have a meaningful service agreement for this site or service? What is in it?
  • Where is this product or service? (server, data center, via API, etc.)

From this, you should have a complete picture (functional, textual, financial, and visual) of how your business operates on a day-to-day basis – both front-end and back office.

Now, start knocking holes in it. Knock out sites. Knock out servers. Knock out services. Knock out connections.

There’s a hole in my business

Some outages will have no immediate impact but will matter more over time. Some will start hurting you immediately. Some will ripple through your business in surprising ways. Some won’t matter at all. Some may be crippling.

Look at attacks of different durations – an hour, a day, a week, a month. Whatever time horizons are meaningful to capture the different impacts on your customer and business. For example, being out for 2 hours is likely to have twice the impact of an hour, while a day or a week may be qualitatively different for your business.

There are two business costs to assess at each time horizon:

  • Direct losses
  • Indirect business costs

IMPORTANT NOTE: Don’t look at the costs related to IT or security services to recover from the attack. This is a business assessment of the impact of the denial of service attack itself, until it ends for whatever reason.

I personally don’t recommend rolling up everything into a single dollar figure. I find this hides too many assumptions and aspects of the attack that may be valued differently by you and/or your company’s leadership team.

For example, lost new visitors is an important metric in its own right for many web sites, and is better reported as such than rolled into a single financial loss figure built on the projected lifetime revenue from those visitors (via a present value analysis of conversion rates and revenues or whatever scheme you come up with).

Indirect costs include damage to your reputation. You may lose sales in the short term, but you may also suffer from increased customer attrition, reduced customer acquisition rates, etc.

SHOW YOUR ASSUMPTIONS! Lay out these models clearly for yourself and management. I’ve found that laying out the detailed model of security scenarios can lead to surprisingly significant real business impacts in a way that is both clear and supportable to decision makers (see Buying Security, Selling Security – Why we all suck).
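The inventory-and-knock-holes exercise above lends itself to a small model. This is an added example, not the post’s own method or tooling: it records each site or service with who it serves, what it earns, how long its customers will tolerate an outage and what it depends on, then propagates a single failure through the dependencies and reports direct loss and customers at risk per time horizon, keeping indirect costs as a separate list rather than a rolled-up number. The pro-rated-revenue rule, the sample business and all figures are constructed assumptions.

```python
from dataclasses import dataclass, field

HOURS = {"hour": 1, "day": 24, "week": 168, "month": 720}   # outage horizons


@dataclass
class Service:
    name: str
    depends_on: list          # services this one cannot run without
    customers: dict           # customer category -> count reached only here
    revenue_per_week: float   # direct revenue flowing through this service
    tolerance_hours: float    # outage length before these customers are at risk
    indirect: list = field(default_factory=list)   # qualitative costs, kept separate


class Inventory:
    def __init__(self, services):
        self.services = {s.name: s for s in services}

    def knocked_out(self, failed):
        """Everything that (transitively) depends on a failed service is out too."""
        out = set(failed)
        changed = True
        while changed:
            changed = False
            for s in self.services.values():
                if s.name not in out and any(d in out for d in s.depends_on):
                    out.add(s.name)
                    changed = True
        return out

    def assess(self, failed, horizon):
        """Direct loss and customers at risk for one outage over one time horizon."""
        hours = HOURS[horizon]
        out = self.knocked_out(failed)
        direct, at_risk, indirect = 0.0, {}, []
        for name in sorted(out):
            s = self.services[name]
            direct += s.revenue_per_week * hours / 168      # pro-rated weekly revenue (assumption)
            if hours >= s.tolerance_hours:                  # past the patience threshold
                for cat, n in s.customers.items():
                    at_risk[cat] = at_risk.get(cat, 0) + n
            indirect.extend(s.indirect)
        return {"services_out": sorted(out), "direct_loss": round(direct, 2),
                "customers_at_risk": at_risk, "indirect": indirect}


def sample_inventory(split_hosting=False):
    """A small business (constructed).  By default the shop and the blog share one
    virtual server, the case the post describes; split_hosting puts the blog elsewhere."""
    blog_host = "host_b" if split_hosting else "vps"
    return Inventory([
        Service("vps", [], {}, 0, 0),
        Service("host_b", [], {}, 0, 0),
        Service("dns", [], {}, 0, 0),
        Service("payments", [], {}, 0, 0, ["card provider's own outage, not ours to fix"]),
        Service("shop", ["vps", "dns", "payments"], {"visitors": 500, "purchasers": 40},
                700.0, 1, ["abandoned carts", "refund requests"]),
        Service("blog", [blog_host, "dns"], {"visitors": 2000, "users": 300},
                140.0, 24, ["lost ad impressions"]),
        Service("facebook", [], {"users": 150}, 0, 72),   # outside our control anyway
    ])


if __name__ == "__main__":
    for horizon in ("hour", "day"):
        print(horizon, sample_inventory().assess({"vps"}, horizon))
    print("split", sample_inventory(split_hosting=True).assess({"vps"}, "day"))
```

Knocking out the shared virtual server takes both business lines down; with the blog hosted separately the same failure only reaches the shop, which is the comparison the triage section asks for.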

With the business consequences of the different outages and attacks that can hurt your business, you’re finally ready to look at solutions.

Finally, some security technology (maybe)

Single points of failure that can cause the most significant business impact in the face of a short outage are the obvious top priority for countermeasures. A modest online membership community site was hit by a denial of service attack which took out its virtual server. Unfortunately, the company was hosting multiple sites on this single server, so the outage did not just knock out one part of the business, but several business lines.

On the other hand, the loss of your Facebook site for a couple of days may have little or no impact at all. (And, of course, you have no control over the health of your Facebook page).

Triage should be based on impact of the single outage, how quickly it matters, how costly it is to fix, and if it is fixable.

Some options may be cheaper than your current strategy. Rather than having a single virtual server hosting multiple web sites, it may be more sensible to have multiple independent basic web site accounts at different ISPs.

Active diversion strategies may make more sense than technical countermeasures – or not. This is where your business and technical teams need to come together to determine the best way to protect your business.

A living strategy for your evolving business

Your business is constantly evolving. Your marketing strategy will change. Your product lines will change. Hopefully, you’ll become a lot more successful and everything will change.

With these changes, your Resilient Online Business Strategy will change. Laws and regulations will change. Customer expectations are going to be radically different when you are 3 dude-ettes in a garage versus when you’ve grown into a multi-million dollar firm.

Next Steps

Do you have a plan in place today to deal with denial of service attacks? Do you understand where and how your online business can be affected by an outage?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post ROBS – Protecting your business from Denial of Service with Resilience appeared first on Free2Secure.

No Data Breaches, No Excuses – You can end data breaches today
http://free2secure.com/no-data-breaches/ – Mon, 15 Jun 2015 18:42:48 +0000

No Data Breaches, No Excuses – image via Flickr

3 critical US government data breaches in less than a month. Two that basically compromised the personal information on every US government employee (including my wife, thanks OPM!) and one at the IRS.

Shameful.

The government joins the private sector in gross data protection incompetence. Target, Home Depot, numerous health insurers. The list goes on and on and on and on.

And these are the ones we know about.

The bottom line is that organizations (government and private) just don’t care about your data.

The worst part of this, is that the problem is avoidable and fixable.

Today.

Without a bunch of new high-tech toys.

The Big Data Breach Problem

Data breaches are nasty.

  • The essential problem with data breaches is that the value of your information to governments and companies that have it is nowhere near what the information is worth to you.
  • The breaching organization’s only loss is a PR cost and a token fine (maybe, eventually); you live with an ongoing identity theft risk.
  • When your data is “stolen”, the only loss an organization suffers is to its reputation. It still has a copy of your data and has not lost ANY business utility.
  • The organization has no internal way to detect the theft as they don’t suffer any direct loss.
  • You suffer the loss, at some point perhaps, but you have no way of associating that loss with the offending organization.

No BS Data Breach Public Policy Changes

The only way to really change this situation is to change public policy.

I’m not talking some BS new security standard.

I’m talking real liability for loss of personal data:

  • Escrowed fines of $100 per compromised record immediately at the time the data breach is detected.
  • Tripled fines if it is found that the breach was not reported promptly.
  • Automatic, irrevocable fines if the breach was found to have persisted undetected for more than 30 days.
  • Minimum final fines of $10 per record for any personal information compromised.
  • Move liability for payment system breaches onto the payment providers away from the merchants.
  • The ability of organizations to transfer liability to an approved third party identity custodian.
  • No transfer of liability outside of the US (or your jurisdiction of choice).
  • Funds to be used for identity theft recovery, research, tracking, and enforcement.
  • The right to be removed from virtually any commercial or government database on request unless required for legal, ongoing business, law enforcement, or other reasons.
  • The requirement to annually notify all individuals that companies are maintaining records on them and the general nature and extent of those records (except law enforcement records).
  • All records related to an individual shall be removed from a company database within 1 year of their last transaction with the company or organization unless required by legal or contractual requirements.
  • All companies and organizations shall provide an annual report of their databases that contain personal information, their protective status, and any breaches or suspected breaches. This report shall be personally signed off by the chief executive of the organization.

And changes to how all of our identity systems operate:

  • Restructure ALL personal identity systems to be able to recover from a compromise within 30 days (including social security numbers).
  • Restructure ALL personal identity systems to regularly expire identity information (3 years maximum, perhaps 1 year maximum if electronic delivery is available).
  • Restructure ALL electronic payment systems to be pairwise systems so that compromises cannot be exploited by third parties.
  • Unified identity security monitoring and compromise reporting and recovery to make it easy and cheap for individuals to protect and recover from an identity breach.

This is just a start.

Alas, real policy changes are going to take time.

There are things you can do today to protect personal data.

The personal data you protect may be your own.

Let’s start with a time out!

Given the state of data breaches today, it would be really nice if everyone who has personal, sensitive databases accessible online just pulled the plug until they figured out whether the data really needs to be online at all.

Set up an email address and a phone line until you get your act together.

Snip, snip. We’re happy to wait.

Protecting Personal Data Today

You can protect personal information today.

  • Take data offline.
  • Delete data that you don’t need.
  • Stop collecting data just because you can.

If the data isn’t online, it can’t be hacked. We’ll get back to problems with employee theft and misuse in another article (see Insider Attacks – Your 7 essential countermeasures for a start).

Organizations collect and store massive amounts of personal information. It is easy and essentially free and they think it might be useful someday.

If you don’t have a compelling, current business requirement to collect or store data, don’t.

At some point, you are going to find yourself sitting with a big legal liability hanging around your neck. Just don’t keep it.

Today’s data breach friendly system architecture

IT guys are lazy. And cheap. If you can throw every application and piece of functionality on a single computer, they’ll do it (see The Hacker Helpers- Obama, Sony, Snowden, and You).

They’re just like the rest of us.

This is the source of many data breach problems. Lots of data, all in one place. Lots of applications, all in one place.

Changes to anything can create changes in everything else. It is a sea of unexpected consequences. You update your online community software which opens a port allowing connections to your database that also happens to hold your customer information.

If you have a single database, a weakness in any application that uses that database can compromise the whole database.

Today, data designs are really simple. There is one big huge database with everything in it (just in case you need it). It is all online behind some “protected application interface”.

… and you get the problems we have.

Let’s look at a typical business site, though this is applicable to the OPM government records database as well.

Most of the data, most of the time is just sitting there in the big database.

There are three main types of legitimate interactions:

  • A user wants to see what’s in their record (open orders or vacation balance information)
  • A user wants to change information (billing address change or tax withholding update)
  • A backend system needs updates in response to user actions (a payment processor needs payment info or payroll needs an update).

Today, everybody basically talks to and queries the one database (your mileage may vary). A failure anywhere causes a breach everywhere.

One stop shopping (for hackers).

A better online data architecture – Archive-Active-Archive

Suppose, instead, that the database is largely offline (or better, that there are multiple offline databases). A user makes a request at the web site, and the site contacts the database to request the user’s information.

So far, just like today.

Except.

The archive database has two interfaces. One only allows it to send an encrypted copy of the user’s information to an “Active User” database at the website. The web site cannot access this data or do anything with it yet.

In parallel, the archive database formats an email to be sent via a mail application to the user at their known address. This email includes a URL to access the encrypted data and the key.

When the user opens the email and clicks on the URL with the key, the server can then decrypt the data allowing the user to view or change it.

If they don’t click on the URL, the encrypted data will eventually be removed from the web server. (Hopefully, fairly quickly).

If they do click on the URL, the encrypted data will still be deleted from the web server at the end of the user session.

Thus, the vulnerable web server only holds a small amount of data at any given time, radically reducing the scale of any compromise. The trade-off is that the key travels through the user’s mailbox, so whoever can read that mailbox can read the record, and a key placed in a URL tends to end up in web server logs and browser history; the link must therefore be single-use and short-lived.

Where automated connections are required (the payment processor or payroll cases above), the same pattern applies: the backend application receives an encrypted copy through an intermediate “Active User” or “Active Transaction” database and the key through a separate channel (email or a second application), rather than holding a standing connection to the archive.
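The flow above, as an added example (my code, not anything from the original post): an archive that stages an encrypted copy with a short expiry, mails the key in a link, decrypts only when the link is followed, and deletes the copy at session end or on expiry. The HMAC-SHA256 encrypt-then-MAC construction stands in for a real AEAD such as AES-GCM so the script runs on the standard library alone; the 15-minute TTL, the example.invalid host, the user records and the addresses are all constructed.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlparse

STAGING_TTL_SECONDS = 15 * 60  # assumption: unclaimed copies vanish after 15 minutes


def _keystream(key, nonce, length):
    """Counter-mode PRF output, used as a one-time pad for `length` bytes."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for a real AEAD: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered copy")  # verify before decrypting
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class ActiveUserDatabase:
    """The small store beside the web server: ciphertext plus an expiry, never a key."""
    def __init__(self):
        self._staged = {}  # token -> (blob, expires_at)

    def stage(self, token, blob, expires_at):
        self._staged[token] = (blob, expires_at)

    def purge_expired(self, now):
        """Remove copies the user never claimed; returns how many were dropped."""
        dead = [t for t, (_, exp) in self._staged.items() if exp <= now]
        for t in dead:
            del self._staged[t]
        return len(dead)

    def open_record(self, token, key, now):
        """Decrypt for one session; the key arrives with the user's click, not from storage."""
        if token not in self._staged:
            raise KeyError("no staged copy: expired, already used, or never requested")
        blob, expires_at = self._staged[token]
        if expires_at <= now:
            del self._staged[token]
            raise KeyError("link expired")
        return json.loads(unseal(key, blob))

    def end_session(self, token):
        """The copy is deleted when the session ends, viewed or not."""
        self._staged.pop(token, None)

    def count(self):
        return len(self._staged)


class ArchiveDatabase:
    """The mostly offline archive. Its only outbound interface pushes one encrypted
    record to the active database and mails the key separately."""
    def __init__(self, records, emails, active_db, outbox):
        self._records, self._emails = records, emails
        self._active, self._outbox = active_db, outbox  # outbox: a list standing in for the mailer

    def request_record(self, user_id, now):
        key = secrets.token_bytes(32)      # fresh key per request
        token = secrets.token_urlsafe(16)  # unguessable handle for the staged copy
        self._active.stage(token, seal(key, json.dumps(self._records[user_id]).encode()),
                           now + STAGING_TTL_SECONDS)
        # assumption: example.invalid stands in for the real web site
        self._outbox.append((self._emails[user_id],
                             f"https://example.invalid/record?t={token}&k={key.hex()}"))


def link_parts(url):
    """What the web server extracts when the user clicks the mailed URL."""
    q = parse_qs(urlparse(url).query)
    return q["t"][0], bytes.fromhex(q["k"][0])


def run_scenario(now=1_700_000_000):
    """Constructed records and two users: one clicks the link, one never does."""
    active, outbox = ActiveUserDatabase(), []
    archive = ArchiveDatabase(
        {"u1": {"orders": [1042], "vacation_days": 12}, "u2": {"orders": [], "vacation_days": 3}},
        {"u1": "u1@example.invalid", "u2": "u2@example.invalid"}, active, outbox)
    archive.request_record("u1", now)
    archive.request_record("u2", now)
    token, key = link_parts(outbox[0][1])             # u1 opens the mail and clicks
    record = active.open_record(token, key, now + 60)
    active.end_session(token)                         # copy gone at session end
    try:                                              # a guessed key for u2's copy fails
        active.open_record(link_parts(outbox[1][1])[0], b"\0" * 32, now + 60)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    purged = active.purge_expired(now + STAGING_TTL_SECONDS)   # u2 never clicked
    return {"record": record, "wrong_key_rejected": wrong_key_rejected,
            "purged": purged, "left_on_web_server": active.count()}
```

Run `run_scenario()` to walk through both users. The point to notice is what a dump of the active database yields at each step: ciphertext with no key, then nothing at all once the session ends or the timer runs out.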

Not perfect, not magic, but a much more robust system than we have today. And it can be done at modest cost with no new technology.

Next Steps

The good news is that many of these problems can be dealt with cost-effectively, if they are taken seriously.

The bad news is that almost no one bothers to actually invest in protecting themselves or other people’s information that they hold.

For more on any security issue or problem that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced an attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post No Data Breaches, No Excuses – You can end data breaches today appeared first on Free2Secure.

The “Script Kiddie” Myth, Advanced Persistent Threats and the real danger to your business online http://free2secure.com/script-kiddie-myth/ Fri, 12 Jun 2015 16:07:57 +0000

The post The “Script Kiddie” Myth, Advanced Persistent Threats and the real danger to your business online appeared first on Free2Secure.


The Script Kiddie Myth – Image via Flickr

Do you know how to build a car? How about fabricate a gun?

No?

You can probably drive a car and, if you can’t right now, I suspect you could shoot a gun with modest competence soon enough. Certainly well enough to intimidate or rob someone (you’ve certainly seen guns used in movies).

Script kiddie is a derogatory term that has polluted the discussion of computer security for more than a decade now. It refers to individuals who use pre-packaged attack tools to hit their targets.

You know, like guns.

Conversely, “Advanced Persistent Threat” is a term associated with “serious” hackers who have access to a “command and control system” that can run and coordinate a hack.

You know, like a car. Or your word processor. Or your cell phone.

It is perverse that “computer security experts” continue to talk about “script kiddies” as if it were necessary to know how to implement an advanced hack against a computer yourself.

Similarly, it is insane to talk about “advanced persistent threats” as if they were tools only of governments and advanced hackers.

Hacking in a box

We have long since left the world where hackers figure out how to break into systems in real-time. No longer are they hunched over a keyboard in the dark pitting their expertise against “The System”.

We are in a more dangerous world today. The same tools many of us use to automate and coordinate our lives online and off can be turned into command and control systems for running an attack against a company, government, or individual.

The security tools that we can buy (or download for free) can be used to find others’ online weaknesses as well as help us protect ourselves.

There are still hackers who work out detailed exploits of different operating systems, devices, and applications, but they turn around and sell or package up their attack tools.

You know, like software, guns, and cars.

Adding to the fun, we have security researchers who seek fame, glory, and cash by researching systems and finding their weaknesses and publicizing them.

I’m a hacker, you’re a hacker

Hacking is becoming a commodity. Anyone with “issues” and a bit of cash (or bitcoins) can set themselves up and do some real harm:

  • You can rent a botnet for as low as US$38 per hour for a denial of service attack (via South China Morning Post).
  • You can outsource hacking tool development, a recent posting requested a hack for Microsoft Windows and Office… for between $250 and $700 (via Fast Company).
  • A suspicious wife was willing to pay $500 to get dirt on her spouse and a disgruntled renter was ready to fork over $2000 to break into his landlord’s web site, the same price as it would take to break into a competitor’s database… the glory of cheap Internet job listings at Hacker’s List (via Sophos). Listing fee, $3, if you’re interested.
  • Cheap hacking tools can go for as low as $30 to $50 with training support available at a bargain of $5 monthly (via Fast Company and a US indictment).
  • And, of course, you can purchase legitimate computer security tools that have the same functionality with prices ranging from free for open source tools to $3000 or more.

New Game – You, Me, Crooks, and the Ministry of State Security

Today, there is no meaningful difference between an angry spouse, an identity thief, and a national intelligence service. We all have access to powerful tools to access anyone’s online information, take down their computers, and damage their reputations and business.

The only real difference is that the government probably is paying more for the capability.

It is time to change how we all think about security. There is a habit in the computer security field of separating “threats” and “vulnerabilities”. Threat assessment includes an attempt to determine the willingness and capability of an adversary to exploit a vulnerability or weakness in your systems and operations.

Basically, security staff and management use “threat assessments” to avoid dealing with vulnerabilities that they don’t want to spend money and time on.

Today, if you have a vulnerability, it can probably be exploited for a lot less than you think by a lot more people than you can imagine.

It may be personal, it may be an employee, it may be a crook, it may be your government (or someone else’s).

But, you aren’t assessing a threat or managing a risk by avoiding dealing with the problem.

You’re just praying that nothing happens.

Next Steps

The good news is that many of these problems can be dealt with cost-effectively, if they are taken seriously.

The bad news is that almost no one bothers to actually invest in protecting themselves or other people’s information that they hold.

For more on any security issue or problem that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced an attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service Tactics – Floating Relays http://free2secure.com/floating-relays/ Tue, 09 Jun 2015 14:12:15 +0000

The post Denial of Service Tactics – Floating Relays appeared first on Free2Secure.


Denial of Service Tactics – Floating Relays – Image via Pixabay

The essence of a denial of service attack is stopping legitimate traffic to your online business. The hackers do this by saturating your network, your server, your web server, your app server, or your database. Whatever it takes to knock you out.

But, what if you can keep the hacker away from you?

Many denial of service attacks rely on finding your server and hitting it with everything they’ve got (or bought or bot).

What if you are never there for them to see?

The FBI and Me

A long, long, long time ago before 9/11 or even Y2K, in a previous job, I was asked to help the FBI’s Computer Crime Squad to come up with a system to do online investigations. (They seem to have solved this problem, sort of)

At the time, though, their computer investigations were very hands-on. So, I proposed an entire online investigation system so that they could carry out their investigations remotely (as I said, they seem to have this in hand, or at least other people do).

There was a catch to running investigations online. I was worried that hackers or criminals or others would be able to determine the location of our online service and launch denial of service or other attacks against it.

Floating Relays

The technique that I proposed was to simply have multiple relay servers that were the system’s public face to the Internet. These would be the IP addresses that our investigation software would use to send information back to the central servers. The servers could have multiple, disposable IP addresses so that if one was identified, it could be easily replaced… as easily as you change a phone number.

Hey, if an idea might work for the FBI, how about you?

The idea is essentially the opposite of load balancing. Instead of spreading out traffic between multiple servers behind one address, you have a number of relay addresses in front of a single server. The more addresses you spread traffic out over, the harder it is for your main server to get knocked out.

These are not additional IP addresses on your main server, but actual relay servers between your actual server and the public Internet. The tactic only works if the origin address itself never leaks: stale DNS records, outbound mail headers, or a service that still answers directly on the origin will give an attacker a way around the relays.

If a hacker learns one of the IP addresses and saturates it with traffic, you take it offline and tell everyone else a different address.

If certain countries or source IP addresses are suspect, you allocate them to a “suspect site” IP address.

If you know certain IP addresses are good, you allocate them to a “good guy” IP address.

The relays point back to your actual server.

Or to a different server.

Or to nowhere.

And, of course, you can cycle IP addresses on the relay servers regularly so that even if a hacker gets access to a “good guy” IP address, that information is not useful for long.

The relay server might not even be in the same location or serviced by the same ISP as your primary server.
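Here is the relay bookkeeping as an added example (my code, not the system proposed to the FBI): a pool of spare public addresses, a per-class assignment so that suspect and known-good sources get different relay addresses, a sinkhole backend for the suspect class, retirement of a saturated address, and a scheduled rotation of every address. The addresses (documentation ranges), prefixes, backends and load threshold are invented, and the actual forwarding on each relay host (a TCP or HTTP proxy) is not modelled.

```python
import ipaddress


class RelayPool:
    """Which public address each class of client is told to use, where each relay
    forwards, and how addresses are retired and replaced."""

    SINKHOLE = None  # backend value meaning "forward to nowhere"

    def __init__(self, spare_addresses, backends):
        self._spare = list(spare_addresses)  # public addresses not yet advertised
        self._backends = dict(backends)      # class -> backend address (None = sinkhole)
        self._active = {}                    # class -> relay address currently advertised
        self._rules = []                     # (network, class); longest prefix wins
        self.retired = []
        self.generation = 0

    def add_rule(self, cidr, klass):
        self._rules.append((ipaddress.ip_network(cidr), klass))

    def classify(self, client_ip):
        """Longest-prefix match over the rules; unknown sources are 'default'."""
        ip, best = ipaddress.ip_address(client_ip), None
        for net, klass in self._rules:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, klass)
        return best[1] if best else "default"

    def relay_for(self, client_ip):
        """The relay address DNS (or the application) hands to this client right now."""
        klass = self.classify(client_ip)
        if klass not in self._active:
            self._active[klass] = self._take_spare()
        return self._active[klass]

    def backend_for(self, relay_address):
        """Where a relay forwards: the origin, another server, or nowhere."""
        return self._backends.get(self._class_of(relay_address), self._backends["default"])

    def retire(self, relay_address):
        """Take a saturated or leaked address offline and advertise a fresh one."""
        klass = self._class_of(relay_address)
        self.retired.append(relay_address)
        self._active[klass] = self._take_spare()
        return self._active[klass]

    def report_load(self, relay_address, requests_per_second, limit):
        """Hook for monitoring: rotate the address as soon as it is being flooded."""
        return self.retire(relay_address) if requests_per_second > limit else relay_address

    def rotate_all(self):
        """Scheduled rotation, so a leaked 'good guy' address stops being useful."""
        for addr in list(self._active.values()):
            self.retire(addr)
        self.generation += 1

    def spare_count(self):
        return len(self._spare)

    def _class_of(self, relay_address):
        for klass, addr in self._active.items():
            if addr == relay_address:
                return klass
        raise KeyError(f"{relay_address} is not an active relay address")

    def _take_spare(self):
        if not self._spare:
            raise RuntimeError("out of spare relay addresses; extend the pool before rotating")
        return self._spare.pop(0)


def demo():
    """Constructed pool: TEST-NET-3 relay addresses in front of a private origin."""
    pool = RelayPool(
        spare_addresses=[f"203.0.113.{i}" for i in range(10, 20)],
        backends={"default": "10.0.0.5", "good": "10.0.0.5",   # the real origin
                  "partner": "10.0.0.6",                       # a different server
                  "suspect": RelayPool.SINKHOLE})              # nowhere
    pool.add_rule("198.51.100.0/24", "suspect")    # a range that keeps sending junk
    pool.add_rule("198.51.100.128/25", "good")     # except a known customer inside it
    pool.add_rule("192.0.2.0/24", "partner")
    clients = (("good", "198.51.100.200"), ("suspect", "198.51.100.7"),
               ("partner", "192.0.2.9"), ("default", "198.18.0.9"))
    first = {k: pool.relay_for(ip) for k, ip in clients}
    replaced = pool.report_load(first["good"], requests_per_second=50_000, limit=2_000)
    pool.rotate_all()
    after = {k: pool.relay_for(ip) for k, ip in clients}
    return {"first": first, "replaced": replaced, "after": after,
            "suspect_backend": pool.backend_for(after["suspect"]),
            "good_backend": pool.backend_for(after["good"]),
            "retired": list(pool.retired), "generation": pool.generation, "spare": pool.spare_count()}
```

`demo()` shows the two moves described above: one relay address is dropped as soon as monitoring reports it saturated, and a full rotation later leaves no address that was ever handed out still in service. Note how quickly a ten-address pool drains; the spare pool, and the DNS TTLs that govern how fast clients learn a new address, are what set the pace at which you can rotate.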

A hybrid tactic for high resilience

Where does the Floating Relay tactic fit in your overall high resilience site plan?

  • Single Site – the typical option for many sites. There may be one or more servers involved (such as the classic 3-tier web architecture: web server – app server – database server).
  • Multiple IP Addresses / Single Site – Multiple IP addresses that point to a single site (server or server stack) are the easiest option to implement. If you can’t have multiple computers, have multiple addresses. You are still vulnerable to weaknesses in the site architecture of your ISP or data center, so if there is enough traffic to knock out your local network segment, you are still in trouble.
  • Floating Relay Servers / Single Site – This option is more complicated as you have to add IP relay software, but the relay servers are very simple and so should be relatively low-cost. This option has some advantages for portions of your online business that truly need a single site to provide your service or if the expense to replicate your core single site is very high.
  • Multiple sites – This option is more robust, but your online service does need to work in an actually distributed manner. Database integrity can be a challenge in these architectures.
  • Floating Relay Servers / Multiple Sites – More robust still.
  • Peer Systems – Very robust, but often there are control, directory, shared data, or coordination elements that can be vulnerable to denial of service attacks. They can be tricky to design and operate and are rarely practical for a small online business.

All of these higher resilience solutions are based on a robust DNS service. The other dimension of improved business resilience is based on using external services as described elsewhere.

(Oh, and the end of my FBI story: they did nothing with the system that I designed for them… or at least they didn’t hire us to build it.)

Next Steps

Which resilient online architecture are you using today? What is your target architecture?

Can you simply replicate your site?

Do you have a DNS server or service provider that will support this type of site architecture?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service attacks hit 37 percent of UK businesses in 2014 http://free2secure.com/dos-uk-37percent/ Wed, 03 Jun 2015 19:12:58 +0000

The post Denial of Service attacks hit 37 percent of UK businesses in 2014 appeared first on Free2Secure.


Denial of Service hit 37 percent of UK businesses in 2014 – Image via Pixabay

Over one third of all companies in the UK, large and small, were hit by at least one denial of service attack in 2014, according to a PwC survey reported by ZDNet.

Pretty grim.

The overall rate of security breaches is very high with most organizations reporting between 4 (smallish organizations) and 14 (large organizations) incidents per year.

The survey looks like it was really oriented towards tracking data breaches of customer data. There does not seem to be much reporting on the loss of business and reputation from an outage associated with a denial of service attack.

Terrible Security ROI

What is really depressing is that the losses from security incidents match or exceed overall security budgets seemingly showing a disconnect between security planning and performance (check out the Impacts numbers vs. the Investment numbers).

If your security breach costs are close to your total security budget, why is there no growth in your security budget?

Are you investing well in security?

The numbers imply that businesses just don’t know how to measure security return on investment.

I do wonder about the cost models. Companies can measure their IT costs pretty well, but how are they modeling lost business? Check out my cost model for the Target data breach. While the legal settlement costs were around $19 million, my estimated one-year costs, with very conservative numbers, were $68.4 million in profit, not sales.

How do you sell or buy security?

How do you choose what security to buy? Based on features, fear, or business benefits?

What works and what doesn’t for getting your security paid for?

Next Steps

Security needs to move beyond fear to a business basis, the Bulletproof Security Bootcamp is my approach to helping you make better business security decisions so you can make more money.

To keep up, sign up for the latest free security answers to your security questions.

If you’ve experienced a Denial of Service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The 5 things you should do immediately if your web site is being hit by a denial of service attack http://free2secure.com/dos-now/ Tue, 02 Jun 2015 08:06:40 +0000

The post The 5 things you should do immediately if your web site is being hit by a denial of service attack appeared first on Free2Secure.


5 things you should do immediately in case of Denial of Service attack – Image via Pixabay

Your site is down. You are being hit with a denial of service attack (or you think you are).

What should you do?

The one thing you shouldn’t do is spend a ton of time verifying that you are being hit by a denial of service attack. Even if you have a denial of service strategy, you need to know what to do when you are under attack.

If your site is out, it is out.

Time to take action.

Stop or throttle site expenses

1. Control Web Site Costs

If your site is under attack, you may be hitting CPU quotas or page view quotas very quickly. No doubt your ISP will happily upgrade your service so that you can pay for more page views and a bigger server. If you are on a cloud service, you are paying for every request and every unit of compute, malicious or not, so set your daily budget and stick with it.

Stop or throttle real-time service expenses

2. Stop your ads

There is no point in sending people to your site if your site is out. Suspend any ad campaigns you are running. Save your money, you may need it for other things soon enough.

3. Turn off or throttle your CDN

If you are using a content delivery network (CDN) to improve the performance of your site, turn it off. If you are using a free service, you are likely to hit your paying threshold quickly and you may never be able to return to the free service. If you are paying already, why in the world would you pay for malicious traffic?

Don’t turn a denial of service attack into a Denial of Cash attack too!

If you have any other services that you pay for in real-time that incur real-time costs, shut them off as well.

Protect your key real-time revenue and relationships

4. Contact your key customers

If you have major, known customers who do business with you via your site, contact them promptly. If you can, give them an alternate way to reach you (these kinds of customers may merit an alternate site on a separate server to make this type of attack less likely… if you had a Denial of Service plan in place). Maybe you can take care of their needs by phone or email. Whatever it is, make sure these customers can be helped or at least informed.

5. Contact sponsors and other real-time business partners

If you have people who are depending on your site to do their business, you need to let them know what is going on immediately. You don’t want them to find out your site is out on their own or from someone else. As the incident progresses, these partners should be kept informed before anyone else. In fact, depending on your business, it may be more important to keep them happy than your customers.

Back to the Attack

This is only the very beginning of what can be a long, expensive, painful process. Do not let anyone tell you otherwise. Unless you’ve planned for a denial of service attack and built, bought, or rented an infrastructure that can absorb it, you are going to be in for a rough ride. It could be a couple of hours, it could be a couple of days, rarely is it more than a month, but it is going to go on….

and don’t forget that there may not be an attack going on at all.

Onward

Denial of Service Response Plan

There are six phases in your denial of service attack response.

Immediate Actions – As described above, what you need to do to handle a serious site outage no matter the cause.

Assessment – Determine if you are actually getting hit with a denial of service attack, and review the actual impact on your business. After all, you may only be losing a fraction of your online business and presence. Determine what you can recover, how you can recover, and what you may have really lost.

Response – Implement your response to the attack. In addition to your technical response, you may be reallocating business to your other online channels, communicating with your customers, PR if you have to deal with PR, bringing up a second site or moving your site, anything and everything to keep working while the attack continues.

Monitor & Adjust – As you respond, you may find that your attacker is sufficiently motivated to expand or redirect his attack. Some of your tactics may not work. Your customers may get really angry. You may show up in the news. Your ISP may cancel your contract.

Rethink – Eventually the attack will end. You may want to rethink your anti-denial of service strategy. You may want to create a denial-of-service strategy. You may want to fire your ISP.  You may want to fire your IT lead (probably not a good idea, you probably gave him a “lean” budget).

New Normal – You’ve been attacked and gotten through it. Back to business. Hopefully, a bit wiser. You’ve got some bridges to rebuild with your customers and partners. Maybe you can turn the incident into a business opportunity.
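The Assessment phase is the one step here that a script can help with. As an added example (my code, not from the original post), the function below reads web server access log lines in the common combined format and reports the request rate against your normal baseline, how concentrated the traffic is among the top sources, and the share of server errors. It is run on three constructed scenarios: a flood from three addresses, a flood spread across hundreds of addresses, and an outage with perfectly normal traffic, which is the “there may not be an attack going on at all” case. The thresholds (three times baseline, half the traffic from the top five sources) and the log lines are assumptions to tune against your own logs.

```python
import re
from collections import Counter
from datetime import datetime

# nginx/Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')


def parse(lines):
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip anything that is not a well-formed request line
            rows.append((m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["status"])))
    return rows


def assess(lines, baseline_rps, top_n=5):
    """Is this a flood, and from how many places? Thresholds are assumptions to tune."""
    rows = parse(lines)
    if not rows:
        return {"requests": 0, "verdict": "no requests logged: the problem is upstream of the web "
                                          "server (network, DNS, or the host itself)"}
    times = [t for _, t, _ in rows]
    window = (max(times) - min(times)).total_seconds() + 1
    rps = len(rows) / window
    by_ip = Counter(ip for ip, _, _ in rows)
    top_share = sum(c for _, c in by_ip.most_common(top_n)) / len(rows)
    error_share = sum(1 for _, _, s in rows if s >= 500) / len(rows)
    if rps < 3 * baseline_rps:
        verdict = "volume is normal: not a flood, look at the server, database, or provider"
    elif top_share >= 0.5:
        verdict = "concentrated flood: a few sources carry most of the load, block them at the edge"
    else:
        verdict = "distributed flood: per-address blocking will not help, rate-limit or absorb upstream"
    return {"requests": len(rows), "window_seconds": window, "rps": round(rps, 2),
            "distinct_sources": len(by_ip), "top_sources": by_ip.most_common(3),
            "top_share": round(top_share, 3), "error_share": round(error_share, 3), "verdict": verdict}


def make_lines(ip, n, status=200, start_second=0, step=1):
    """Constructed log lines from one address, spread over a 60-second window."""
    return [f'{ip} - - [02/Jun/2015:08:06:{(start_second + i * step) % 60:02d} +0000] '
            f'"GET / HTTP/1.1" {status} 512 "-" "curl/7.38"' for i in range(n)]


def scenarios(baseline_rps=0.5):
    """Three constructed situations a site owner might see in the first minute."""
    legit = [l for i in range(20) for l in make_lines(f"192.0.2.{i + 1}", 1, start_second=i * 3)]
    flood = [l for ip in ("198.51.100.9", "198.51.100.10", "198.51.100.11")
             for l in make_lines(ip, 200, status=503)]
    spread = [l for i in range(400)
              for l in make_lines(f"100.64.{i // 256}.{i % 256}", 2, status=503, start_second=i)]
    outage = [l for i in range(30) for l in make_lines(f"192.0.2.{i + 1}", 1, status=502, start_second=i * 2)]
    return {"concentrated": assess(flood + legit, baseline_rps),
            "distributed": assess(spread, baseline_rps),
            "not_an_attack": assess(outage, baseline_rps)}
```

Feed `assess()` the last minute of your real access log (`tail -n 5000 access.log`, say) with the request rate you normally see at that hour. The third scenario is the one people skip: all errors, but no more requests than usual, which means your own stack fell over and no amount of blocking will bring it back.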

Next Steps

What else would you need to do to immediately respond to a denial of service attack on your site? Do you have a denial of service response plan? Do you have an overall plan to ensure your business can operate effectively in case a denial of service attack happens?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service – Attack Vectors – Who’s attacking you? http://free2secure.com/attack-vectors/ Tue, 26 May 2015 07:50:49 +0000

The post Denial of Service – Attack Vectors – Who’s attacking you? appeared first on Free2Secure.


Denial of Service – Who’s attacking you? – Image via Pixabay

Hackers, the Cloud, the Internet… we are all amazingly vague when we talk about the Internet.

It is a dangerous delusion.

We feel helpless when we shouldn’t and miss opportunities to protect ourselves and improve the services we offer to our legitimate users.

Hackers are specific individuals with specific motivations. The Cloud and the Internet are specific computers and other devices in specific countries connected together in a specific way.

Denial of service attacks and other hacks don’t live in isolation. If you are boxing and you get hit by a right hook or a jab, it matters whether it is Muhammad Ali or George Foreman or you or me.

Similarly, these attacks come from somewhere. The source matters because it affects the impact of the attack as well as the countermeasures you can take.

Malaria, Quinine, Mosquitoes – Finding the Attack Vector

Malaria has been a plague on humanity throughout history. It depopulated rural areas, may have contributed to the decline of Greek civilization, and has had a huge impact in Africa, South America, and other regions near the Equator. The first meaningful treatment was cinchona bark, which the indigenous peoples of Peru used and Europeans adopted in the early 17th century; its active ingredient, quinine, was not isolated until 1820. The treatment worked without any understanding of the illness. You still got sick, but you got better.

The malaria parasite was identified in 1880, but the real key to taking on the disease was Ronald Ross’s discovery in 1897 that mosquitoes are the vector by which the parasite is spread. (In 1905, 21,000 of the 26,000 Panama Canal workers were hospitalized with malaria; by 1912, the cases had shrunk to 5,600 hospitalizations out of 50,000 workers.)

The history of the fight against malaria is really about understanding how the disease is spread, not really about the mechanics of the infection.

Once you know the attack vector, you can start to eliminate the disease.

Denial of Service Attack Vectors – Direct and Indirect

In the case of denial of service, hackers are the malaria parasite. Unfortunately for us, there are a number of kinds of mosquitoes.

These vectors are the real bugs we’ve got to clean up.

Direct Attack Vectors

Direct attack vectors are computers either willingly or unwillingly under the control of the hacker. We can divide them into the following groupings:

Hacker computer – attacking directly from the hacker’s computer. This is unlikely for all but the most complicated attacks as it exposes the hacker’s identity and location. Slightly more likely, the hacker will only use his own computer to run reconnaissance against the target site, service, or network. Most likely, the hacker computer may be found by forensic analysis of the other computers or services involved in the attack.

Hacker community – sometimes, it is a village of hackers working together. These individuals are often united by a political or social cause against the target (no matter how flimsy). They may not be sophisticated, but they are enthusiastic and can be very numerous. The problem with fighting them is that they can be located in a number of jurisdictions making identification, isolation, and prosecution more difficult.

Outsourced, low-cost attackers – the dark side of globalization is that it is possible to hire people online at very low cost from developing countries to do all sorts of work online. Outsourced workers have been used for CAPTCHA cracking; there is no reason not to use them for a denial of service attack. They may not be aware that they are part of an attack, though more complicated attacks will likely require active collusion by these attackers.

Zombie computers (Botnets) – there are many computers that are not secured and they are prime targets for hackers. These computers can be bought or leased from existing criminal hackers, or software tools are available so that the aspiring hacker can create his own botnet (see Denial of Service – Rent or Buy a Botnet?).

Outsourced cloud criminal computers – A hacker doesn’t actually need to infect a computer; he can use the same scaling tools that the rest of us use. Welcome to the cloud-based crook. It is unlikely that this criminal is going to be paying for his cloud-based attack with real money; instead, he will use stolen credit cards, other payment cards, or compromised cloud user accounts to run his attack.

Indirect Attack Vectors

WARNING: if the direct vectors for denial of service attacks frustrate you, the indirect attack vectors are likely to really make you angry.

The first two forms of indirect denial of service attack vectors are the core of most denial of service attacks as well as other hacks.

Protocol Abuse – All communications on the Internet are based on protocols and software. For example, the basic web protocol, HTTP, is used by browsers and web servers. Some Internet protocols and many proprietary protocols are not designed well at all. And, even worse, they are designed as if the Internet were a benign environment of good people and computers. For example, the Smurf attack sends ICMP echo requests to a network’s broadcast address with the forged source address of the attack target; every host on that network answers, and all of the replies land on the target.

Software Abuse – There are almost always flaws in software. Many hacker attacks against computer software are based on exploiting those flaws. So far, so bad. Many of these flaws come from programmers not considering software failures, much less imagining that hackers will target their code. The final major problem with software is that it is often shipped in an insecure state because that is the easiest to install and run. Really, software should “ship secure” as a default. Software abuse can lead to hackers being able to take over the target computer, cause it to do “bad” things, or simply crash it.

The next category of indirect attack takes advantage of “features” of different protocols and software:

Reflection, Amplification and Redirection – Because denial of service attacks work by chewing up the processing power of your server and the capacity of your network connection, protocol and software abuse can work by inducing spurious communications or redirecting network traffic to a target computer.
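The Smurf attack mentioned above, as an added example (my code, not from the original post) that simulates the protocol abuse and both of its standard fixes: an attacker forges the victim’s address as the source of echo requests to another network’s broadcast address, and every host on that network replies to the victim. The two knobs are the reflecting network’s router refusing to forward directed broadcasts (RFC 2644 made that the default) and BCP 38 ingress filtering at the attacker’s own provider, which drops outbound packets whose source address is not in that provider’s prefix. The addresses are documentation ranges and the host counts are constructed.

```python
import ipaddress
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst kind")  # kind: "echo-request" or "echo-reply"


class Network:
    """A subnet whose hosts answer ICMP echo requests, with two knobs for the fixes:
    directed_broadcast (does the router forward packets sent to the broadcast address;
    RFC 2644 made 'no' the default) and ingress_filtering (BCP 38: drop outbound
    packets whose source address is not inside this network's own prefix)."""

    def __init__(self, cidr, n_hosts, directed_broadcast=True, ingress_filtering=False):
        self.net = ipaddress.ip_network(cidr)
        self.hosts = [str(h) for h in list(self.net.hosts())[:n_hosts]]
        self.directed_broadcast = directed_broadcast
        self.ingress_filtering = ingress_filtering

    def egress(self, pkt):
        """Packets leaving through this network's router."""
        if self.ingress_filtering and ipaddress.ip_address(pkt.src) not in self.net:
            return []  # spoofed source: dropped at the provider's edge
        return [pkt]

    def deliver(self, pkt):
        """A packet arriving at this network's router; returns what the hosts send back."""
        if pkt.kind != "echo-request":
            return []
        if pkt.dst == str(self.net.broadcast_address):
            if not self.directed_broadcast:
                return []  # router refuses to fan out a directed broadcast
            targets = self.hosts  # every host answers
        elif pkt.dst in self.hosts:
            targets = [pkt.dst]
        else:
            return []
        return [Packet(src=h, dst=pkt.src, kind="echo-reply") for h in targets]


def smurf(attacker_net, reflector_net, victim_ip, n_requests):
    """The attacker forges victim_ip as source and pings reflector_net's broadcast address."""
    received = Counter()
    broadcast = str(reflector_net.net.broadcast_address)
    for _ in range(n_requests):
        forged = Packet(src=victim_ip, dst=broadcast, kind="echo-request")
        for pkt in attacker_net.egress(forged):
            for reply in reflector_net.deliver(pkt):
                received[reply.dst] += 1  # replies go wherever the forged source said
    return {"sent": n_requests, "victim_received": received[victim_ip],
            "amplification": received[victim_ip] / n_requests if n_requests else 0.0}


def compare(n_hosts=100, n_requests=10):
    """Same attack against an unfixed reflector, a fixed reflector, and a fixed attacker ISP."""
    victim = "203.0.113.10"  # constructed: the target site, on a third network
    cases = {
        "unfixed": (Network("192.0.2.0/24", 3), Network("198.51.100.0/24", n_hosts)),
        "reflector_drops_directed_broadcast":
            (Network("192.0.2.0/24", 3), Network("198.51.100.0/24", n_hosts, directed_broadcast=False)),
        "attacker_isp_filters_spoofed_sources":
            (Network("192.0.2.0/24", 3, ingress_filtering=True), Network("198.51.100.0/24", n_hosts)),
    }
    return {name: smurf(a, r, victim, n_requests) for name, (a, r) in cases.items()}
```

`compare()` makes the economics plain: ten forged packets become a thousand replies at the victim, an amplification of one hundred, and neither fix has to be deployed by the victim. That is what makes reflection vectors so frustrating from the target’s side: the remedy sits with the reflecting network or the attacker’s provider, and the only thing you control is how well you filter the junk once it reaches you.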

Do you have a low cost router? Have you ever used open source software? If you have an Internet connected device in your home, it may have a whole bunch of software installed and running.

That web site for your fancy refrigerator may mean  you are part of the problem.

Internet Device Abuse – When people build Internet appliances, they often use standard software distributions that include a tremendous suite of programs that will let you do pretty much anything you’d like. Unfortunately, too often developers leave this software in the appliance and it may even be running by default. Since this software is not part of the functionality that the appliance officially uses, it is never detected or tested until it is used as part of an attack. This problem is only going to get worse as we move to the Internet of Things. We are likely going to see an explosion of connected devices that are much more powerful (and potentially dangerous) than we expect.

Finally, the same services that we use to take advantage of the massive scale of the Internet can be turned against us.

Scaling Service Abuse – Content Delivery Networks, spiders and crawlers, and other web services allow web sites to scale very efficiently. Unfortunately, some of these services can be induced to create massive amounts of traffic, just like the Internet devices described above, but potentially on a larger scale and in a highly efficient manner.

Location, Location, Location

Denial of service attacks are highly correlated with certain parts of the world, often developing countries that have rapidly expanded Internet access. If you don’t have legitimate or paying customers in these locations, you may be able to radically reduce the impact of denial of service attacks simply by not responding to traffic from these locations. Bear in mind that botnets include infected machines in every country, including the ones you sell to, so geographic filtering cuts the volume of an attack rather than ending it. This threat vector will evolve both with your business and as the Internet itself evolves (the Internet of Things could easily become a major denial of service attack vector).

Attack Vectors and Efficient Countermeasures

By understanding your attack vectors as well as your legitimate users you can efficiently clean your incoming traffic. In fighting denial of service, efficiency is the key. The more easily and rapidly you can separate attackers from legitimate users, the more easily you can weather an attack.

Next Steps

Where are you at with your Denial of Service attack security? Can you efficiently characterize your legitimate users? Potential attackers?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

8 CISS Levels of Denial of Service Attack Security
http://free2secure.com/ciss/ – Wed, 20 May 2015 15:54:42 +0000

Denial of Service – 8 Levels of Protection – Image via Pixabay

Denial of service attacks and distributed denial of service attacks are probably the biggest challenge for protecting your business online. Not because they are very common, but because they are so hard to respond to.

It is pretty easy to break out the commercial offerings for denial of service countermeasures (see Denial of Service – Available Products and Services), but this doesn’t really map back to what these products and services are doing to protect your business.

So, to help you see where you are at, I’ve proposed the following CISS framework. It is inspired by the RAID levels for high reliability disk drives.

CISS – Coordinated Independent Sites System

These levels are intended to give you a sense of where you are at, and where you can get to, in making your online business resilient in the face of a denial of service or distributed denial of service attack.

CISS Level 0 – No DOS Security

You’ve got to start somewhere. No plan, nothing. Just a “bare-naked” web site.

CISS Level 1 – Contingency Plan

You have a plan in place for how to respond to an attack. It may be that you are going to upgrade your site or move it, it may be that you have a robust backup… at least you have something.

CISS Level 1.1 – Contingent Site

Your site’s implementation can make it more vulnerable to denial of service attacks. Content Management Systems (CMS) like Drupal and WordPress are inherently more vulnerable than static web sites (see Denial of Service – Is WordPress the problem?).

CISS Level 2 – Proxy Security

You have a third party (usually) server in front of your site. This proxy intercepts incoming connections and attempts to block denial of service attacks.

CISS Level 3 – Network Protection

You have an appliance in front of your site that processes all of your network traffic to block incoming attacks. This may be provisioned by your Internet Service Provider (ISP) as a service.

CISS Level 3.1 – Multiple Servers

A traditional load-balancing appliance in front of multiple servers can also help by improving the scalability of your site.

CISS Level 3.2 – Upstream Network Protection

Instead of having the network protection within your site or data center, you can shift it to the far end of your network connection(s) to keep your traffic clean(er).

CISS Level 4 – Distributed Services

Using third party services for part of your business offering. Ideally, these services are highly scalable and do a good job of protecting themselves from denial of service (and other) attacks.

.X Level – Multiple Locations

Servers in different locations are inherently more robust against denial of service attacks. Each location can, in addition, have its own, location-specific denial of service capabilities.

CISS Level 4.1 – Scalable Service

Content Delivery Networks and cloud-based or grid services are built to scale on-demand. That is the good news. You are paying for the scaling, so you may face a “denial of cash” attack.

CISS Level 4.2 – Securely Scalable Service

CDNs, clouds, and grids could conceivably integrate denial of service features to keep you from paying full freight for an incoming denial of service attack. Check your service level agreements (SLAs). Some services are inherently securely scalable, such as email services as you have positive control over who you send mail to. The payment processing service provided by Paypal is securely scalable as you essentially “pay-as-you-go” for the service.

CISS Level 4.3 – Superscalable Service

Massive online services like Facebook, YouTube, Google+, and LinkedIn provide an infrastructure that your business can ride on. Even apps are superscalable, as the app store typically is responsible for distributing your content. You do need to be aware of the “unscrewing problem” with these services, but denial of service essentially ceases to be an issue.

CISS Level 5.x – Split Site

Denial of service is, in some sense, obsolete. Virtually every business seems to have a presence on Facebook, Google, and one or more of the other online services, as well as using email to connect with their existing customers. Formally splitting your site by category or function can help make your business resilient even if individual sites can be taken down. This can work against you if you host all of your sites on a single server with a single IP address.

CISS Level 6.x Multi-Site

Formally spreading out your business over multiple locations with identical capabilities means that an attacker is going to need to attack all your sites to take out your online business. This can be tricky as coordination of user state and sessions across sites can be difficult.

CISS Level 7.x – Multi-Site DNS

You’ve got multiple locations; it would be nice if DNS naturally spread your users around. If you are running through apps, you can do this yourself, but otherwise you’re going to have to wait for the public DNS to help you here (see Denial of Service Tactics – Getting Through to Your Site).

Next Steps

Where are you at with your Denial of Service attack security? Does this framework help you see where you are at and what you can do?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service Tactics – Getting Through to Your Site
http://free2secure.com/muli-site-dns/ – Wed, 20 May 2015 15:53:42 +0000

Getting through to your site during a denial of service attack – Image via Flickr

Denial of service attacks hit you by using the open nature of the Internet – if someone knows where you are, they can choke your site with too much data. Many of the solutions I’ve described are ways you can give your users another way to get to you or reduce the impact of malicious traffic on your site.

It would be kind of nice if the Internet itself would help.

Our Insecure Directory System

The Domain Name System (DNS) is the directory of the Internet. It has been around a long time and is pretty simple. It is basically a directory of directories matching domain names to IP addresses (just like a phone book which matches people’s names to phone numbers).

Today, there are two ways that you interact with the DNS:

  • DNS provisioned by your Internet Service Provider (ISP).
  • Separate, third party DNS service.

Most of us don’t think too much about DNS, just like we don’t think about the phone directory (unless we buy an ad).

But, it does matter. There is a category of web site attacks called “DNS poisoning” or “DNS spoofing” where your site’s DNS entry is altered to point to a different site. This is part of how web site filtering can work for organizations. It is also part of “The Great Firewall of China” – undesirable domains are simply redirected to a preferred destination.

We’re not going to solve the security problems of DNS, but it could help with Denial of Service attacks.

The Fantasy – Multi-site DNS

There is really no reason that the DNS system itself could not help with denial of service attacks. Instead of returning a single site in response to a domain name lookup, it could return a list of sites. This list could be structured in several ways to express the preferences of the domain:

  • Sequentially – where a browser or application client would start with the first entry in the list and try the sites sequentially until a successful connection is made.
  • Geographically – where the browser would compare the locations of the sites with its own location to determine the nearest site.
  • Random – where the browser picks one of the sites at random and, if it fails, switches to another.

The DNS standard could be updated to add this capability. But, this would require a standards change… who knows how long it could take.

The Potential Reality – Multi-site DNS provider

A third party DNS provider could provide much of this capability today.

Such a provider would not use off-the-shelf DNS software, but rather would run its own version of the multi-site DNS system described above. The main difference between the two is that the DNS provider would have all of the “smarts” for handling the different site selection options. So, when a user contacted the DNS provider for the location of a domain, it would return the appropriate single IP address to the user.

Technically, you can run your own DNS service. It only makes sense for the largest online services and it can, itself, be a target of attack (including denial of service attacks).
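To make the provider-side “smarts” concrete, here is an added Python example (not the author's code, and not any real DNS software) of the three selection policies listed above: first healthy site in the owner's preference order, nearest site to the client, or a random healthy site, with a health signal that pulls an address out of rotation. Standard DNS can already carry several A records for one name; what the post is asking for, and what this models, is the policy that decides which single address a given client gets back. The domain, addresses and coordinates are constructed.

```python
"""Provider-side multi-site DNS selection (added example; not the author's
code or real DNS software). Domain, addresses and coordinates are constructed."""
import math
import random
from dataclasses import dataclass


@dataclass
class Site:
    ip: str
    lat: float
    lon: float
    healthy: bool = True


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), used by the geographic policy."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class MultiSiteResolver:
    """Holds the site list per domain and answers each query with one address."""

    def __init__(self, records):
        self.records = records          # domain -> [Site] in the owner's preference order

    def resolve(self, domain, policy="sequential", client_location=None, rng=None):
        live = [s for s in self.records.get(domain, []) if s.healthy]
        if not live:
            return None                 # nothing left to hand out
        if policy == "sequential":      # first live site in preference order
            return live[0].ip
        if policy == "geographic":      # nearest live site to the client's location
            if client_location is None:
                raise ValueError("geographic policy needs client_location")
            lat, lon = client_location
            return min(live, key=lambda s: distance_km(lat, lon, s.lat, s.lon)).ip
        if policy == "random":          # spread clients evenly across live sites
            return (rng or random).choice(live).ip
        raise ValueError(f"unknown policy {policy!r}")

    def mark_down(self, domain, ip):
        """Health signal from monitoring: pull an address out of rotation."""
        for s in self.records.get(domain, []):
            if s.ip == ip:
                s.healthy = False


# Constructed: one domain served from three locations (RFC 5737 addresses).
RECORDS = {
    "example.com": [
        Site("192.0.2.10", 47.6, -122.3),    # Seattle-ish
        Site("198.51.100.20", 52.5, 13.4),   # Berlin-ish
        Site("203.0.113.30", 35.7, 139.7),   # Tokyo-ish
    ]
}


def demo():
    resolver = MultiSiteResolver(RECORDS)
    first = resolver.resolve("example.com")                                  # preference order
    nearest = resolver.resolve("example.com", "geographic",
                               client_location=(48.9, 2.4))                  # a client in Paris
    resolver.mark_down("example.com", "192.0.2.10")                          # Seattle under attack
    after_failover = resolver.resolve("example.com")
    return first, nearest, after_failover
```

The failover in `demo()` is the part a denial of service defender cares about: once monitoring marks a site down, no new client is sent there, and the remaining sites absorb the legitimate users without any change on the client side.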

Next Steps

Do you use a third party DNS provider? Do you run your own DNS?

Would you be interested in a service like this?

Share your answers with me and other online business owners.

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service Tactics – The App Option
http://free2secure.com/app-option/ – Mon, 18 May 2015 08:02:57 +0000

Fighting Denial of Service with Apps – Image via Pixabay

Apps are everywhere. They started on your phone and have now spread back onto your computer. It is a big change from pushing more and more of your content onto your web site.

And they are a great way to fight denial of service attacks.

They can be used in conjunction with pretty much every other tactic that I’ve mentioned for web sites and client applications (as they are just a specific type of client application).

Superscaling visibility

App stores are essentially another communication channel for your business. When users search for apps on a subject, you are there. An app store is essentially another search engine to find you.

Superscaling Content Distribution

Since the app store or end user pays to download your app, you can pre-load your content, product, and services into the app itself.  You have to be careful, however. Some apps are essentially proprietary web browsers that still pull most of their data from your site. The less live content that the app needs, the less traffic that hits your servers.

You can also add push notification, distribution, and other rich distribution and transaction features… none of which has to be hosted at your own web site, and all of which can be dynamically re-hosted anywhere, so there is no single denial of service target (see Denial of Service Tactics – Split Your Site).

Reducing Site Traffic

The more visitors use your app, the less traffic your site has to handle, if you do things right. Essentially, your site becomes a front door for new visitors… ideally, steering visitors to download your app!

App Limitations

Apps don’t create any security problems, but they do have some general limitations that are worth noting:

Incomplete – a lot of apps have reduced functionality compared to the actual web site. I have this problem myself with my email app and my banking app. If the app is incomplete, your users may prefer your web site, essentially eliminating the benefit that the app provides.

From a business perspective, it probably makes sense to provide full functionality in both your web site and your app. If anything, it is probably better that the web site, not the app, is less capable to steer users towards the app. (Though there may be a customer service cost for this approach for users who, for whatever reason can’t or won’t install your app.)

Two Products – there is a cost to having both an app and a web site. You need to develop for both and test for both, or the two products are going to get out of sync with each other. There is no magic bullet for this, just a cost of development. A number of apps are built as HTML5 pages; essentially, a version of your web site is embedded in the app. If you can use the same HTML code for both your web site and your app, you should be able to minimize your development and support costs.

Next Steps

Do you have an app? Are you planning on adding one? What platforms are you building your app for and how does that compare with the platforms your existing customers use?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Insider Attacks – Your 7 essential countermeasures
http://free2secure.com/insider-attacks/ – Fri, 15 May 2015 21:16:43 +0000

Insider Attacks, your 7 essential countermeasures – Image via Flickr

Insider attacks. Employee theft. Data leaks. It all comes down to real losses to your business courtesy of your employees. In 2008, a University of Florida study estimated that these losses were 1.52 percent of sales in US retail, while similar studies in Europe estimated losses of 1.27 percent, with 1.2 percent in Asia (Wikipedia).

These attacks can be divided into active theft or data disclosure by employees, and accidental losses enabled by your staff (or business partners, vendors, or consultants).

The Cost of Insider Attacks – Theft

How to prevent it is the 15 billion dollar question.

And, if your business is online, or, even more challenging, selling digital goods or services, how will you even know what is lost?

Formally, these losses are usually found via inventory reconciliation – that tedious process where sales, purchases, and inventory are matched up and discrepancies identified.

Too often, digital goods and services are not really tracked separately from the payment process, making meaningful audit analysis difficult, if not impossible. And, to make things more challenging, because digital goods sales are so profitable, no one really bothers to set up good tracking systems.

Smart Tactic – Catching problems and errors is much easier if you have independent systems. Separating payment processing from product distribution, preferably on separate systems administered by separate teams is going to make it much easier to find problems and harder for any single attacker to subvert. You still need an independent audit function to look for problems, but independent systems make this much easier than looking for logical inconsistencies within a single system.

Data Disclosure & Accidental Losses

Insiders can disclose proprietary company, business partner, or customer information. The direct costs can be hard to calculate; usually, the damage comes from losing current customers and future business (see Buying Security, Selling Security – Why we all suck).

The cost can be a lot bigger than you think.

It really doesn’t matter whether they do it intentionally or accidentally, the damage is the damage.

Ask any parent of a teenager who has a car accident.

Four countermeasures you can implement today

Before you do anything else, there are four key ways to minimize insider threats, and you can implement them all today without ever talking to your security team:

  1. Hire great people.
  2. Pay them well.
  3. Treat them well.
  4. Give them meaningful work.

Good, happy, satisfied workers are going to make fewer mistakes and be less likely to do bad things.

It’s not rocket science.

Idiots, Criminals, or Children

Software security systems tend to be designed to treat everyone as idiots, criminals, or children. If you’ve worked in an organization that filters its Internet access, you’ve seen it automatically block sites that your IT organization has determined are inappropriate.

There are a number of problems with this:

  • The filters are not very sophisticated.
  • Your IT department doesn’t know your job and doesn’t care.
  • The method to bypass the filter is typically arduous.

So, what happens?

People circumvent the system. They find a way around it either by using their own Internet access, finding a proxy to get past the filter, or simply outfoxing the tool.

Imagine treating your employees like trustworthy adults (try).

Instead of blocking access to any site, you could simply provide a three part warning:

Practice Safe Computing!

  1. When you visit a site, they will know where you are coming from, please don’t do anything that will reflect badly on the company.
  2. This is a suspect site; please provide a reason for visiting it, or let us know if it has been labeled inappropriately.
  3. Beware, there are sites which may install malware on your computer just by clicking on links, please be cautious where you visit online.

Also, provide each employee with a weekly report listing the different sites they are supposed to have visited and the time spent on those sites, so they can spot unauthorized access to their machine. And, of course, management reports with the same information.

Same tool, different treatment, probably better results. Certainly, happier employees who can get their jobs done.

Three long term strategies

Applications are too often designed badly. Three principles of good software design will also help with protecting you from insider problems:

  1. Make it easy and quick to do things right.
  2. Make it hard and obvious to do things wrong.
  3. Keep it clean – Don’t give access to gratuitous information or capabilities.

If you require your customer support staff to write database queries to get their jobs done, you probably have a problem. Standard situations should be a simple click or button push. While they may sometimes need to get “underneath the hood” of your business applications, that should be the exception, and should be logged (and perhaps require confirmation by a manager or countersigned by a peer). Tracking such exceptions should be useful feedback for your software maintenance team to simplify them if they are routine.

Your staff should know that they are trusted, but accountable. No account sharing, clear, transparent tracking, and other indicators should be present so that they know any funny stuff is going to get flagged fast.
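The three principles, plus the “trusted, but accountable” rule, can be built directly into the support tooling. The following is an added Python example (not the author's code): routine lookups are single parameterised calls, the connection support uses is read-only, and the rare raw query is still possible but must be countersigned by a second named person and lands in an audit trail. The table, rows and operator names are constructed.

```python
"""Support console built on the three design principles (added example; not the
author's code). In-memory SQLite with constructed rows and operator names."""
import sqlite3
from datetime import datetime, timezone


class ApprovalRequired(Exception):
    pass


class SupportConsole:
    def __init__(self, conn, operator):
        self.conn = conn
        self.operator = operator          # an individual login: no shared accounts
        self.audit = []                   # in production: an append-only log elsewhere
        self.conn.execute("PRAGMA query_only = 1")   # support never writes through here

    def _log(self, action, detail, approver=None):
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "operator": self.operator, "action": action,
                           "detail": detail, "approver": approver})

    # Principle 1: the routine case is one parameterised call; nobody types SQL.
    def lookup_order(self, order_id):
        row = self.conn.execute("SELECT id, customer, status FROM orders WHERE id = ?",
                                (order_id,)).fetchone()
        self._log("lookup_order", {"order_id": order_id})
        return row

    # Principle 3: expose only what support needs (card_last4 is never selected).
    def customer_summary(self, customer):
        rows = self.conn.execute("SELECT id, status FROM orders WHERE customer = ? ORDER BY id",
                                 (customer,)).fetchall()
        self._log("customer_summary", {"customer": customer})
        return rows

    # Principle 2: going under the hood is possible, but hard, obvious and logged.
    def raw_query(self, sql, approver=None):
        if not sql.lstrip().upper().startswith("SELECT"):
            raise ValueError("raw_query is read-only")      # early failure; the pragma enforces it
        if not approver or approver == self.operator:       # a second person must countersign
            self._log("raw_query_denied", {"sql": sql})
            raise ApprovalRequired("raw queries need a countersigning approver")
        self._log("raw_query", {"sql": sql}, approver=approver)
        return self.conn.execute(sql).fetchall()


def build_demo_db():
    """Constructed data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, "
                 "status TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)",
                     [(1, "alice", "shipped", "4242"), (2, "alice", "pending", "4242"),
                      (3, "bob", "refunded", "0005")])
    conn.commit()
    return conn


def demo():
    console = SupportConsole(build_demo_db(), operator="support.jane")
    order = console.lookup_order(2)
    summary = console.customer_summary("alice")
    try:
        console.raw_query("SELECT COUNT(*) FROM orders WHERE status = 'refunded'")
        denied = False
    except ApprovalRequired:
        denied = True
    count = console.raw_query("SELECT COUNT(*) FROM orders WHERE status = 'refunded'",
                              approver="support.lead.raj")[0][0]
    return order, summary, denied, count, [entry["action"] for entry in console.audit]
```

The denied attempt is logged as well as the approved one, which is exactly the feedback the maintenance team needs: a raw query that keeps showing up in the audit trail is a routine case that deserves its own button.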

Unfortunately, customer support for applications is often an afterthought, even though it is a substantial part of the ongoing cost of the product or service. Little time is spent on building the tools out to help your front line support staff do their jobs properly and too often the people who are the main face of your company to your customers are paid and treated badly.

It should be no surprise that problems arise inside.

Next Steps

How well do you treat your staff? Do you treat them like children or crooks?

What have you done to make your applications easier to use properly?

Do you have independent systems that can actually be audited? Do you audit them?

For more on insider security issues and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service Tactics – Short Link Security
http://free2secure.com/short-link-security/ – Thu, 14 May 2015 09:40:16 +0000

Using Short Links for Security – Image via Flickr

Short links have become quite the rage in marketing: you take long URLs and turn them into very short links that can be tailored to your individual user or tied to your newsletter or marketing campaign.

Not only that, short links can help your denial of service security.

But, we’re going to have to get a little technical.

A Quick and Dirty Guide to Short Links

Short links replace the direct URLs at web sites that we are used to with shorter URLs that point either to a third party site, like Bitly, or to your own web site (I’ve used Pretty Links within WordPress).

Once at that site, the short link processor redirects the visitor to the link that you’ve specified directly at your site. It is based on the same technology that ad servers use to track user actions.

These short URLs can be processed for marketing purposes (gathering statistics on click-through rates, using the URL to identify who did the clicking, etc.).

Basically, it gives you the power that cookies have given to track users within the link to your site.

For our denial of service protection, we just need to add one more wrinkle.

Dynamic Link Virtualization – sending your users anywhere

To review, basic short link technology has 2 pieces:

  • Static Short Link Generator
  • Link Processor and Redirector

The Static Short Link Generator actually creates the short links for your site. In most short link products, this is done in a static tool for insertion into a web site or for batch processing to be included in an email. You input the target URL into the link generator; it builds the ShortLink for you to use and registers the pair (ShortLink, target URL) with the link processor.

When a user clicks on a shortened link, the Link Processor looks up the ShortLink, finds the associated target URL, and sends that to the user as part of an HTTP “redirect message” that sends them on to their desired destination. You sometimes see this when the Internet is running a bit slow: you’ll have a pause and a message down at the bottom of your browser saying “redirecting…” or some such.

To fight denial of service, we’re going to upgrade both components:

  • Dynamic Short Link Generator
  • Dynamic Link Processor and Redirector

And add a server/site specific tool:

  • Site URL Guardian

Dynamic Link Processor

Let’s start with the Dynamic Link Processor. Instead of sending the visitor to a target URL, the Dynamic Link Processor can do two things:

  • Load balance between servers and domains.
  • Identify users.

The Dynamic Link Processor knows the location of your actual servers (of which you can have as many as you like, at as many ISPs as you like); it then builds a new target URL for the site that it redirects the visitor to. This new target URL includes the URL location, but it can also include encrypted authentication information (see the forthcoming article on positive IDs as well as the presentation Piracy Protection and Online Identity Security with Digital Duplicate Detection for an explanation of the underlying technology).

The site specific URL would look something like:

http://specificsite.com/userauthenticationinfo/relativeURL

It is, of course, also possible to have multiple Dynamic Link Processors run by the web site itself or provided by a third party service.

Site URL Guardian

The Site URL Guardian sits “in front” of the web server at each site server. It processes the incoming target URL and pulls out the identification information. If the user has not been authenticated, she is served a static page (which may be the home page) to start the authentication process. Tools like bot detection or a simple “click to enter site” message can be used – forcing all users to come through the Dynamic Link Processor.

If the user is authenticated, she is passed on to the target URL page, which is either retrieved from cache or generated by the web site.

It can even send users to different URLs based on A-B testing or other adaptive personalization features of the site.

Dynamic Short Link Generator

In addition to building short links that can be included in emails, web ads, and other external services, the site itself will have a Dynamic Short Link Generator that will build user specific links to be included on each page on the fly. There are some marketing tools that are moving in this direction as jurisdictions like the EU are restricting the use of cookies. Instead of a server specific URL, however, this tool will generate a new short link for the Dynamic Link Processor:

page link = http://shortsite.com/updatedauthenticationinfo/targetURL

This forces every page click to be processed through the Dynamic Link Processor (your new denial of service target, but it can be highly optimized and itself load balanced).

If you have multiple physical sites, each could have its own Dynamic Link Processor combined with a Site URL Guardian to spread out the load across all of your servers without using a third party site. Basically, only the initial connection would always go to your “shortsite.com” link. Subsequent connections could be bounced across all of your sites.
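Putting the three pieces together, here is an added Python example (mine, not the author's code or the technical paper he mentions) of the design just described: the Dynamic Link Processor spreads visitors round-robin over the sites it knows to be up and appends per-user authentication info to the redirect, the Site URL Guardian checks that info before serving anything dynamic, and the Dynamic Short Link Generator mints the next hop back through the processor. The authentication info is modelled as an HMAC-signed, expiring token rather than the encrypted blob the post mentions, since the guardian only needs to verify it, not read anything secret out of it; host names, shared secret and user id are constructed.

```python
"""Dynamic Link Processor, Site URL Guardian and Dynamic Short Link Generator
(added example, not the post's code). Authentication info is an HMAC-signed,
expiring token; hosts, secret and user id are constructed."""
import base64
import binascii
import hashlib
import hmac
import itertools

SECRET = b"constructed-shared-secret"   # shared by the processor and every guardian
TOKEN_TTL = 300                          # seconds a token stays valid (constructed)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(user_id, expires_at, key=SECRET):
    """user_id|expiry|hex(hmac) as URL-safe base64, so it never contains '/'."""
    payload = f"{user_id}|{expires_at}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    return _b64(payload + b"|" + tag.hex().encode())

def verify_token(token, now, key=SECRET):
    """Return the user id if the token is genuine and unexpired, else None."""
    try:
        payload, tag_hex = _unb64(token).rsplit(b"|", 1)
        user_id, expires = payload.split(b"|")
        tag, expires_at, user = bytes.fromhex(tag_hex.decode()), int(expires), user_id.decode()
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None                                    # malformed: treat as no token
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected) or expires_at < now:
        return None                                    # forged or expired
    return user

def split_path(path):
    """'/<token>/relative/url' -> (token, '/relative/url')."""
    parts = path.split("/", 2)
    return (parts[1] if len(parts) > 1 else ""), ("/" + parts[2] if len(parts) > 2 else "/")

class DynamicLinkProcessor:
    """The short link host: picks a live site and redirects there with a fresh token."""
    def __init__(self, sites, ttl=TOKEN_TTL):
        self.sites, self.down, self.ttl = list(sites), set(), ttl
        self._rr = itertools.cycle(range(len(self.sites)))

    def _pick_site(self):
        for _ in range(len(self.sites)):               # round-robin over sites not marked down
            site = self.sites[next(self._rr)]
            if site not in self.down:
                return site
        return None                                    # every site is down

    def redirect(self, user_id, relative_url, now):
        """Location header for a visitor who has passed the entry check."""
        site = self._pick_site()
        if site is None:
            return None
        return f"http://{site}/{make_token(user_id, now + self.ttl)}{relative_url}"

    def follow(self, path, now):
        """A click on a page link (/<token>/target): re-verify, then redirect."""
        token, relative_url = split_path(path)
        user_id = verify_token(token, now)
        return None if user_id is None else self.redirect(user_id, relative_url, now)

class SiteURLGuardian:
    """In front of one site's web server: only valid tokens reach dynamic pages."""
    def __init__(self, host, landing="/static/welcome.html"):
        self.host, self.landing = host, landing

    def handle(self, path, now):
        token, relative_url = split_path(path)
        user_id = verify_token(token, now)
        if user_id is None:
            return ("static", self.landing, None)      # cheap page; start authentication
        return ("serve", relative_url, user_id)

class DynamicShortLinkGenerator:
    """Builds the links embedded in each served page, back through the processor."""
    def __init__(self, short_host, ttl=TOKEN_TTL):
        self.short_host, self.ttl = short_host, ttl

    def page_link(self, user_id, relative_url, now):
        return f"http://{self.short_host}/{make_token(user_id, now + self.ttl)}{relative_url}"

SITES = ["site-a.example", "site-b.example"]           # constructed

def _host_of(url):
    return url[len("http://"):].split("/", 1)[0]

def demo():
    now = 1_000_000
    proc, gen = DynamicLinkProcessor(SITES), DynamicShortLinkGenerator("short.example")
    guards = {h: SiteURLGuardian(h) for h in SITES}
    loc1 = proc.redirect("user42", "/products", now)           # 1. entry check passed
    host1 = _host_of(loc1)
    verdict = guards[host1].handle(loc1[len("http://" + host1):], now)
    link = gen.page_link(verdict[2], "/cart", now)             # 2. link on the served page
    host2 = _host_of(proc.follow(link[len("http://short.example"):], now))
    forged = guards[host2].handle("/not-a-real-token/cart", now)   # 3. forged token bounced
    proc.down.add("site-a.example")                            # 4. site-a under attack
    host3 = _host_of(proc.redirect("user42", "/", now))
    return verdict[0], verdict[1], host1, host2, forged[0], host3
```

Two properties matter for denial of service here. A guardian can reject junk with one HMAC check and a static page, before any application code runs, and because the secret is shared rather than per-site, a visitor bounced from a site that has just gone down is still valid at every other site, so the processor can move traffic without anyone logging in again.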

… contact me at steve@free2secure.com if you have further questions, I’ll send you a more detailed technical paper.

Even better, you can use the analytic information for marketing, as the existing third party link shortening services already do, as well as for security.

Maybe, you can get someone besides your security team to pay for a security feature 😉

Go with what you’ve got

All of the technical bits I’ve described above do require work. You can start getting the benefits of short links today by simply using the existing tools. The available third party services, like Bitly or its competitors, can give you a lot of benefit right now as you split your site – another superscaling option for improving site performance at low cost or free.

Next Steps

Are you using any link shortening tools today? If you have multiple sites, you may be able to help spread the load in case of a denial of service attack.

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Understanding Available Denial of Service Products and Services
http://free2secure.com/denia-ofl-service-products/ – Tue, 12 May 2015 18:04:19 +0000

Understanding Denial of Service Products and Services – Image via Pixabay

What can you buy to help you deal with a denial of service attack? What do these products and services do to help you?

If you’ve been following this Fighting Denial of Service Attacks series so far, or even if you haven’t, there are 2 keys to dealing with denial of service attacks:

  1. Denial of Service attacks are cheap and (mostly) brute force.
  2. Denial of Service defense has to be strategic and specific to your online business.

This is a problem for most vendors. It is like trying to use a computer to stop someone from throwing rocks through your windows.

There seem to be three types of solutions on the market.

  • DDOS Appliances
  • Proxies & Content Distribution Networks (CDNs)
  • ISP Services

DDOS Appliances

DDOS appliances are special purpose devices that sit in front of your servers or router and try to keep bad traffic away from your business by filtering it out. They use known information about malware, filter out funky traffic that can mess up your server, and otherwise try to keep things clean. Some even work at the application level to adaptively knock out attackers as they are detected by your server.

For many of you, this solution is irrelevant. If you don’t have a rack of servers in a data center (or your own data center), you aren’t going to be renting or buying one of these guys.

If you are, the remaining question is whether your entire data center or communication link can be swamped at your remote connection (your ISP or telecommunications company data link). Multiple connections, alternate routing paths, and locating your DDOS (distributed denial of service) solution on the far end of your data pipes to keep them clean are your main options.

I do think that even big guys who are considering these options may get more bang for their buck by having multiple low cost servers in many locations so that there is no single target to overwhelm.

… but, at this scale, your mileage may vary a lot.

Proxies & Content Distribution Networks

If you don’t have a real server rack, act like you do. Basically, a proxy hides the address and content of your real server behind a high performance machine and network. There are two questions about these systems:

  1. Are they true proxies?
  2. Are you really behind them?

Ideally, a proxy server will sit between you and all of your external network traffic. Nothing can get past them or go around them. Just like a DDOS appliance (in fact, they may be a DDOS appliance).

In reality, some proxy servers may do some sort of preliminary handshake to attempt to detect whether an incoming connection is malicious and then redirect the user to you if they are valid. Basically, your server is always publicly on the Internet, it is just that your domain name is being redirected to the proxy at first.

Basically, like a phone answering service.

Except instead of forwarding the call, they give the user your direct line once the call is approved.

This is great, if the proxy is right, terrible if it is wrong.

All You Need is a Smart Hacker – Recon Account

When someone is attacking you, they aren’t using all of their resources to execute the denial of service attack. If they are even slightly serious, they may have a legitimate account with your service and act very innocuously on that account to collect information about your business and site.

If you are using a proxy service or DDOS appliance that is not truly part of all network connections and is not “smart” at the level of your business application, the hacker and/or his accomplices and/or botnet can convince the DDOS appliance or proxy service that they are legitimate users and still knock you out.

The worst case is if the DDOS proxy or appliance is only inline when users are being validated as legitimate and then passes them along to the public IP address (which is not otherwise advertised) of your server. Then, the hacker and his crew and botnet can start hitting your semi-anonymous server directly.

Like everything else, at best, you get what you pay for.

Content Distribution Networks – Denial of Dollars

Content Distribution Networks (CDNs) offload your static content (typically) to their servers. This is an advanced form of caching that takes advantage of CDNs having multiple servers spread around the Internet so that the performance of your site is based on your connection to your nearest CDN server instead of your actual server.

It is pretty cool. And fast. And lightens the load on your server.

At a price.

CDNs get paid to publish your data fast to anyone who asks. They can take the load off of your servers so that they won’t be affected by a denial of service attack. But, you pay for every megabyte downloaded.

CDNs typically assume that anyone pulling from their cache for your site is legitimate. Their job is to get data out fast.

As a result, your site may be “up”, but your wallet is being emptied instead.

Many online businesses may prefer to go offline.

Make sure you have throttles and alerts for your CDN so that abnormal traffic spikes get handled in a way that doesn’t hurt you financially.
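As an added example (not code from the post or from any CDN vendor), the check below sums bytes served per hour from constructed CDN log lines, flags hours over an egress budget, and turns the worst hour into an ok/alert/throttle decision. The log format `<unix_time> <path> <bytes_sent>`, the file names and the price per gigabyte are all constructed, so only `parse_line()` would change for a real CDN's log export.

```python
"""Egress budget check for CDN traffic (added example; not the post's own code).

The log format is CONSTRUCTED as '<unix_time> <path> <bytes_sent>'; real CDN
logs differ, so only parse_line() would need to change.
"""
from collections import defaultdict


def parse_line(line):
    """Split one constructed log line into (timestamp, path, bytes)."""
    ts, path, nbytes = line.split()
    return int(ts), path, int(nbytes)


def egress_per_window(lines, window_seconds=3600):
    """Sum bytes served in each fixed window; returns {window_start: bytes}."""
    totals = defaultdict(int)
    for line in lines:
        ts, _path, nbytes = parse_line(line)
        totals[ts - ts % window_seconds] += nbytes
    return dict(totals)


def windows_over_budget(lines, budget_bytes, window_seconds=3600):
    """Windows whose egress exceeds the budget, as sorted (start, bytes) pairs.
    Each one is an alert: either the site is suddenly popular or someone is
    pulling your content on your dime."""
    totals = egress_per_window(lines, window_seconds)
    return sorted((start, b) for start, b in totals.items() if b > budget_bytes)


def estimated_cost(lines, usd_per_gb):
    """Rough bill for the sampled traffic, to make 'denial of dollars' concrete."""
    total = sum(parse_line(line)[2] for line in lines)
    return round(total / 1e9 * usd_per_gb, 2)


def throttle_action(lines, budget_bytes, hard_limit_bytes, window_seconds=3600):
    """Policy: 'ok' under budget, 'alert' over budget, 'throttle' over the hard
    limit (for example, stop serving large assets through the CDN until a
    human has looked at the spike)."""
    worst = max(egress_per_window(lines, window_seconds).values(), default=0)
    if worst > hard_limit_bytes:
        return "throttle"
    if worst > budget_bytes:
        return "alert"
    return "ok"


# Constructed log: a quiet hour followed by an hour in which a 50 MB video is
# fetched five times over. Paths and sizes are made up for the example.
SAMPLE_LOG = [
    "100 /index.html 200000",
    "1200 /about.html 150000",
    "3000 /img/logo.png 250000",
    "3700 /video/intro.mp4 50000000",
    "3800 /video/intro.mp4 50000000",
    "3900 /video/intro.mp4 50000000",
    "4000 /video/intro.mp4 50000000",
    "4100 /video/intro.mp4 50000000",
]

if __name__ == "__main__":
    print(windows_over_budget(SAMPLE_LOG, budget_bytes=100_000_000))
    print(throttle_action(SAMPLE_LOG, 100_000_000, 200_000_000))
    print(estimated_cost(SAMPLE_LOG, usd_per_gb=0.10))
```

The budget should be set from your own normal traffic, not from the CDN's plan limits: the point is to notice the spike while it is still a small bill, and the hard limit is where you would rather have the assets go dark than keep paying.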

ISP Services

Internet Service Providers are uniquely positioned to help you manage a denial of service attack. Some may offer a subscription service that is basically insurance that will automatically add network level controls (typically) to help mitigate the effects of an attack on your site or a higher rate service that is activated on demand when you are actually facing an attack.

This service is usually only available from higher end ISPs whose infrastructure is also likely to be more robust, so you are getting a layer of protection on top of a higher base level of performance… and you are paying for the privilege. You are also likely going to be getting a much higher level of customer and technical support and notably faster access for you and your users, as these ISPs are located closer to the “core” of the Internet than other, bargain, data centers.

But, it does cost. Often a lot more than for a typical, bargain hosting account or server.

And it likely won’t stop a determined denial of service attack.

It is hard to protect yourself from an incoming rock.

Next Steps

Are you using any off-the-shelf tools to protect yourself from a denial of service attack?

Have you used one of these products or services if/when you were attacked? How well did it work?

I’ve talked with several companies who have switched to top tier ISPs in the wake of denial of service attacks. They’re happier with the better level of service and performance, but they were OK in their old “bargain ISP” days. Can you afford moving up to a tier one ISP? Are you waiting for a denial of service attack to switch?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service Tactics – Split Your Site
http://free2secure.com/split-site/
Mon, 11 May 2015 16:30:21 +0000

Split Your Site to Fight Denial of Service attacks – Image via Flickr

The essence of a denial of service attack is to overwhelm your site and cripple your online business. If you have one site, the attacker “just” has to knock your site out.

What is the simplest way to fight this?

Don’t have just one site.

This tactic is in the “your mileage may vary” category and definitely needs to be tailored to your specific business.

Multiply Your Hacker’s Work

Hackers are lazy. Like you. Like me. They don’t want to do a lot of work or think much. If you have a single site, they have 1 server to hit on 1 IP address with 1 web server running 1 application service with 1 database.

A chain of dependencies where any broken link can bring the whole service down.

2 sites, and everything doubles. 3 sites, it triples, etc.

He needs to double his resources, perhaps more.

Plus, he needs to figure out what is going to hurt you.

Divide and Don’t be Conquered

As I’ve discussed elsewhere, you are likely already using external services like Facebook, YouTube, and LinkedIn. But, in many cases, these services won’t allow you to serve your customers as you need to.

There are different ways to divide up your online business, the two main ways are functionally and by user type.

A functional division is quite straightforward: e-commerce store, membership site, customer support, training, etc.

Dividing by user type is a bit less obvious: new sales, transactional customers, ongoing relationship customers, business partners, APIs (application programming interfaces) and technical services. Each of these user types may include multiple elements (payment processing & purchasing, information, customer contacts), but they are structured based on your users’ usage.

A clear example of this is for businesses that have a membership component. In this case it is very clear that you would want to convey a very different experience for potential customers who you are trying to sign up vs. those who already have.

Why not have 2 web sites?

Why not more?

Real Division, Real Protection

Splitting your sites only works… if you actually split them.

It is very, very easy to host multiple web sites through a single ISP on a single server in separate accounts. Easy for you, cost-effective for you.

But not very safe for you.

Splitting Your Users

In my earlier discussion about how denial of service attacks work, I showed you how your legitimate customers are part of the problem and that their frustration during an attack just makes things worse by adding more and more traffic to your site.

This downward spiral is directly eased by splitting the site. In the easiest case, if your traffic is split in half between 2 sites, the effects of your own frustrated users are cut in half directly reducing the amount of “free help” the attacker is getting from your users. Again, to be simple, if half of the attack is your own customers, the hacker now has to double his efforts just to take down one site… and he hasn’t even started on the second one.

ISP Roulette

Different ISPs may have different capabilities to respond to denial of service attacks. You probably aren’t going to find out who does it well until you are in the middle of one. So, having multiple ISPs involved just makes your ability to respond that much easier.

2 Cheap Birds vs. One Stone

As I’ve started looking at how regular online businesses deal with denial of service attacks, one solution comes up frequently: moving up to a top-tier ISP.

It makes sense. A lot of us use bargain ISPs for our businesses because, well, we’re cheap and so are they. A reasonable service at a modest price.

Top-tier ISPs cost a lot more. You can easily spend 10 times what you are paying for a basic site (you know you’re in trouble when they don’t give you prices, but ask you to “call for a quote”).

Instead, you could split your site between two (independent) bargain ISPs.

Just make sure that they are independent.

Different Impacts, Different Strategies

Once your site is divided, you can also respond to attacks separately. You can use the magic word:

Triage

Different parts of your business are vulnerable to outages in different ways. Losing new prospects may be less important than serving your existing customers. Perhaps your sci-fi video vault is more critical than your fantasy art gallery.

You can even take different strategic options for different customers. Send emails to existing customers to let them know they can purchase via email instead of by your site.

The more income streams your business has, the less an attack on any one of them will hurt you… as long as they aren’t one big fat target.

Next Steps

What are your online income streams and customer acquisition funnels?

What is the logical way to divide up your online presence so that an attack won’t take out everything?

What have you done to protect yourself from a single site outage or denial of service attack?

Have you gone to a top-tier ISP or do you use a bargain online service?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service Tactics – Strategy or Shotgun – Service Door
http://free2secure.com/service-door/
Fri, 08 May 2015 09:29:20 +0000

Denial of Service – You need a service door – Image via Pixabay

We’d all like to have a magic bullet to solve our problems, business, security, weight, hair loss, you name it.

Lacking a magic bullet, we’d at least like some sort of coherent strategy. Slickly allowing us to make cost-benefit trade-offs, rational decisions, and optimal expenditures.

Unfortunately, Security is like Marketing – half of it doesn’t work and you don’t know which half.

Which really isn’t true for either.

For both security and marketing, the whole is greater than the sum of the parts.

Denial of Service Tactics Shotgun

With all that set up, what follows is a series of relatively short technical and business tactics that can help minimize the damage from a denial of service attack and smartly superscale your business.

  • Some may work for you.
  • Some may not be applicable to your business.
  • Some may confuse you (ask me about those!).

Here comes the ammo. Let’s lock and load.

Service Door

One of the worst parts of a denial of service attack is that you feel helpless. In many cases, you are paralyzed.

Even if you knew what to do, you can’t access your site to fix it.

Trapped. Crippled. Handcuffed.

Stuck.

The “service door” is a back way into your site. Simple as that. It may be something as basic as a second IP address (that you don’t publicize). Even better would be a separate network card and interface that is protected so that you can only access it as administrator. Sometimes, the server administration tool provided by your ISP gives you an actual second path into your account. Sometimes not, it is hard to tell.

Most denial of service attacks are choking only part of your computer. Modern computers all have a ridiculous amount of power and spend most of their time sitting around doing nothing.

The types of attacks that can knock out a standard web site, even on a dedicated server, are usually attacking the web server, application server, or database parts of the site, not the lower level network or raw processor power (see Denial of Service – Is WordPress the problem?). Thus, if you can get onto the server, you can start figuring out where your problem is. And doing something about it.

Most ISPs offer the option to “rent” a second IP address for your server. It is a good option. If you have good IT support, you can move all of your administrative functions to this connection. You can even be real slick and protect it with an encrypted virtual private network (VPN) tunnel. Some ISPs will also set up their servers so that they have a separate administrative network that is accessed via a security proxy (basically a special security server to access the administrative network).

Good stuff, usually at a bargain price.

Also, a sign of a higher end ISP or more advanced cloud service.

Does your web site have a service door?

Have you configured it to separate your site administration from your public users?

Have you locked it down?

Does your ISP have a secure administrative network?

Next Steps

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service – Is WordPress the problem?
http://free2secure.com/wordpress-problem/
Thu, 07 May 2015 13:43:14 +0000

Is WordPress a Security Threat? – Image via Flickr

I’ve used WordPress for years and I quite like how it works….

and you know trouble is coming when someone starts with compliments.

The power of a Content Management System (CMS)

The WordPress blog platform is one of the most common and powerful content management systems (CMS) used by online businesses. There are a large number of others, some very popular, some not so much.

What they all share is that they are built on a 3-tier architecture based on a web server, some scripting language application platform such as PHP, Python, or Perl, and a database (most often MySQL).

These systems are very powerful and flexible. They break up a web site into modular pieces that can be switched and rearranged.

And there are tons and tons of third party plugins, tools, and themes that work together (mostly). You can run anything from a blog to an ecommerce store to an online community… or all three and more.

I’m not going to complain about any of this…others have and will.

I have other issues.

Authoring vs. Using

In any web site, there are two obvious roles:

  • Authoring – creating, posting, and editing content and capabilities of the site
  • Using – reading, buying, and otherwise participating in the provided service.

In WordPress, there is only one site. This creates all sorts of potential problems. If I make a change to the site that doesn’t work (and, if you’ve run a site, this happens with distressing regularity), the only way to test the site is on the live site. For a business, this can be costly as some changes are hard to undo and, realistically, you shouldn’t want to publish a new feature to the site without testing it first.

An IT team can handle this with a separate development site, but there is no real develop, test, deploy model for WordPress or its peer tools that I am familiar with.

No service door

If you’ve looked at a WordPress site, you will often find a little login area in the sidebar even if users can’t log into the site. Site owners basically enter and access the administration parts of the site through the same path you do as a user.

It is a bad idea.

It makes finding the way to attack the site trivial as essentially all WordPress sites are structured identically and so the login screen or location of potentially weak portions of the site are well-known.

If there is a problem with the site, there is no dedicated administrative interface that can rebuild or restore the system.

Under a denial of service attack, administrators also are coming in through the same network connection as the hackers and are therefore subject to being locked out and unable to fix the site or back it up or do pretty much anything… just like everyone else.

Ideally, administrators would access the site through a separate IP address or service connection that a hacker would have trouble interfering with (or attacking).

Gratuitous databases

The old adage “If you have a hammer, everything looks like a nail” is certainly true for WordPress and a lot of other CMS applications.

Except the WordPress hammer is its database.

In a standard WordPress installation, the PHP scripting tools and database are used virtually constantly.

Each web page may require multiple calls to the database just to render its layout.

In some sense, there really isn’t a WordPress web site at all, every page is a mindless stream of questions to the database:

“What does the page header look like?”

“Gee, Thanks, now I’ll render it”

“Is there a left sidebar?”

“Gee, Thanks, now I’ll render it”

“So, what goes in the top of the left sidebar?”

“Gee, Thanks, now I’ll render it”

“So, what goes next in the left sidebar?”

“Gee, Thanks, now I’ll render it”

it goes on and on and on.

For every part of every page.

For every visitor to each page.

Most of the time, you would never notice.

A web site that serves 1 million pages per month is rendering almost a page a second.

It just doesn’t stress out the web server.

Most of the time.

While storing this information in a backend database structure makes a lot of sense, it is madness to run a site like this.

Trivial caching tools can reduce this madness by a factor of 2 or 3; more powerful caching applications (which basically store pages once rendered until the cache fills up) can improve performance by a factor of 10.

Most pages, most of the time are static. Don’t even run script code unless you have to.

Total madness.

Even more so as the generic relational databases that most sites use are really not optimized for this style of operation. Almost every web site, almost all of the time, is reading from the database and almost never writing to it.
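An added example (not WordPress code, nor any plugin's) of the caching the paragraphs above describe: a fake database counts queries, the uncached renderer asks it for every page part on every visit, and a full-page cache keeps the rendered page until the cache fills up, dropping a page only when its content is edited. The page parts, the slug and the rows are constructed for the example; the query counts are what the comparison is about.

```python
"""Full-page cache in front of a CMS-style database (added example; not WordPress
code). FakeDB is a CONSTRUCTED stand-in that only counts queries."""
from collections import OrderedDict

# Constructed list of the parts a page asks the database for, one query each.
PAGE_PARTS = ["header", "left_sidebar_top", "left_sidebar_next", "content", "footer"]


class FakeDB:
    """Counts every query so the two rendering strategies can be compared."""

    def __init__(self, rows):
        self.rows = dict(rows)
        self.queries = 0

    def get(self, key):
        self.queries += 1
        return self.rows[key]

    def put(self, key, value):
        self.queries += 1
        self.rows[key] = value


def render_uncached(db, slug):
    """The 'mindless stream of questions' style: one query per page part, every visit."""
    return "\n".join(db.get(f"{slug}:{part}") for part in PAGE_PARTS)


class PageCache:
    """Keep rendered pages until the cache fills up (least recently used goes
    first), and throw a page away when its content is edited so readers never
    see a stale post."""

    def __init__(self, db, max_entries=100):
        self.db = db
        self.max_entries = max_entries
        self.pages = OrderedDict()
        self.hits = 0
        self.misses = 0

    def render(self, slug):
        if slug in self.pages:
            self.hits += 1
            self.pages.move_to_end(slug)      # mark as recently used
            return self.pages[slug]
        self.misses += 1
        html = render_uncached(self.db, slug)  # the only time the DB is asked
        self.pages[slug] = html
        if len(self.pages) > self.max_entries:
            self.pages.popitem(last=False)     # evict least recently used
        return html

    def update_part(self, slug, part, value):
        """The rare write path: store the edit, then invalidate the cached page."""
        self.db.put(f"{slug}:{part}", value)
        self.pages.pop(slug, None)


def sample_rows():
    """Constructed rows for one post, one row per page part."""
    return {f"hello-world:{part}": f"<{part}>" for part in PAGE_PARTS}


def queries_for_visitors(n_visitors, cached):
    """Database queries needed to serve n_visitors the same unchanged page."""
    db = FakeDB(sample_rows())
    if cached:
        cache = PageCache(db)
        for _ in range(n_visitors):
            cache.render("hello-world")
    else:
        for _ in range(n_visitors):
            render_uncached(db, "hello-world")
    return db.queries


if __name__ == "__main__":
    print("uncached:", queries_for_visitors(1000, cached=False), "queries")
    print("cached:  ", queries_for_visitors(1000, cached=True), "queries")
```

With five parts per page, a thousand visitors cost five thousand queries uncached and five with the cache; the invalidation in `update_part` is what keeps that saving honest, since a cache that never forgets serves the old post after an edit.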

Lessons learned?

As I said at the top, I quite like WordPress and, at the time I am writing this, I am using it for my site.

But, if I were using a conventional web site authoring tool, like CoffeeCup or Dreamweaver, I would be addressing many of these issues. I’d serve static pages where possible, and I would have a separate authoring and test environment.

I could move the site very quickly due to a denial of service attack or any other problem that I had with my ISP.

… it does make you wonder.

Next Steps

In order to plan for, or deal with, a denial of service attack, you need to fully understand the consequences.

Choices made for “convenience” may wind up being inconvenient and costly.

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service Tactics – Deep Defense for Your Online Services
http://free2secure.com/deep-defense/
Wed, 06 May 2015 16:28:48 +0000

Defense in depth for Denial of Service – via Wikipedia

The hackers are hammering your site. You are getting hit with thousands of bogus connections. Your legitimate customers can’t get through, new prospects can’t connect. You can’t even get to your own site.

Your online business is dead in the water.

What do you do?

Network Filters – The First Line of Defense

The first line of defense is a simple network filter.

In many cases, hackers are coming in from other countries and, in many cases, almost all of your customers are coming from your own country.

Good news.

Just filter out the bad guys.

Or, more sensibly, “filter in” the good guys.

Block all network traffic from other countries or from countries where your customers aren’t.

This is pretty easy, in practice. Internet addresses (IP addresses) are mostly allocated to countries so it is pretty easy to block suspicious traffic before it even gets to your server / web site.

Routers are fast, so they can efficiently look at source IP addresses and block them.

However, bad guys sometimes masquerade their source IP address. This is surprisingly easy. Imagine how easy it would be to send out a real envelope with the return address of the White House, or Angelina Jolie, or your mother-in-law.

Trivial.

You actually get junk mail that takes advantage of this all the time: pretentious looking envelopes marked Urgent, etc.

Internet service providers COULD actually do a much better job than they do of authenticating source IP addresses, but, as they are not held accountable for generating bogus traffic, they don’t.

Things are different for global online businesses

When a large company like Microsoft or Sony gets hit by a denial of service attack, they can’t quite do this as easily as they get worldwide traffic. See How DDoS Attacks Work, And Why They’re So Hard To Stop for more.

I am somewhat dubious… or suspect corners are being cut.

Unless the denial of service attack is really overwhelming all of your data centers or servers, you should be able to partition traffic by geographic region so that the scope of the attack is limited.

If your business is truly global (really, not pretend “I’m on the Internet” global), you may have a more serious problem.

Server Filters – Your Gatekeeper

Your own server has network software that grabs all of your Internet traffic and hands it off to the different applications you have that work with the network: file transfer, email, telnet, and, of course, your web server.

This software can also be configured to block and pass certain IP addresses.

The advantage of this is that network software is fast and efficient at handling addresses as that is pretty much all that it does.

… and it can keep malicious traffic away from your web site better than your web server.

Though your web server can provide this function as well.
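To make the “filter in” idea concrete for both the router-level filter described above and the server-level filter just discussed, here is an added example (not code from the post) of a country allowlist evaluated against constructed connection-log lines. The prefix table, country codes and log lines are all constructed; a real deployment would take the table from a GeoIP database or the regional registries’ delegation files and install the resulting decisions as router ACLs or host firewall rules. The post’s caveat applies: a spoofed source address passes a filter like this, so it helps most against traffic that must complete a TCP handshake, where the attacker has to use an address that actually routes back; ingress filtering at ISPs (BCP 38) is the standard the post is alluding to for stopping spoofed sources at their origin.

```python
"""Country allowlist for inbound traffic (added example; not the post's own code).

The prefix table below is CONSTRUCTED from documentation address ranges; a real
deployment would use a GeoIP database or the regional registries' delegation
files, and would apply the decisions in the router ACL or host firewall.
"""
import ipaddress
from collections import Counter

# Constructed country -> prefix table; these are not real allocations.
PREFIX_TABLE = {
    "US": ["203.0.113.0/24", "198.51.100.0/25"],
    "CA": ["198.51.100.128/25"],
    "XX": ["192.0.2.0/24"],   # a country where the business has no customers
}


def build_index(table):
    """Flatten the table into (network, country) pairs, most specific first,
    so the first match is the longest-prefix match."""
    index = [(ipaddress.ip_network(prefix), cc)
             for cc, prefixes in table.items() for prefix in prefixes]
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def country_of(ip, index):
    """Return the country code for ip, or None when it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in index:
        if addr in net:
            return cc
    return None


class CountryAllowlist:
    """'Filter in' the countries your customers come from; deny everything else.

    The list fails closed: an address with no known country is denied."""

    def __init__(self, allowed_countries, table=PREFIX_TABLE):
        self.allowed = set(allowed_countries)
        self.index = build_index(table)
        self.stats = Counter()

    def permit(self, src_ip):
        cc = country_of(src_ip, self.index)
        decision = cc in self.allowed
        self.stats["allow" if decision else "deny"] += 1
        return decision


def filter_log(lines, allowlist):
    """Apply the allowlist to constructed '<timestamp> <src_ip>' log lines and
    return the source addresses that would have been let through, in order."""
    kept = []
    for line in lines:
        _ts, src_ip = line.split()
        if allowlist.permit(src_ip):
            kept.append(src_ip)
    return kept


# Constructed sample of connection attempts (not real traffic).
SAMPLE_LOG = [
    "2015-05-06T16:28:48Z 203.0.113.7",
    "2015-05-06T16:28:49Z 192.0.2.10",
    "2015-05-06T16:28:49Z 198.51.100.200",
    "2015-05-06T16:28:50Z 198.51.100.5",
    "2015-05-06T16:28:50Z 10.0.0.8",
]

if __name__ == "__main__":
    acl = CountryAllowlist({"US", "CA"})
    print(filter_log(SAMPLE_LOG, acl))
    print(dict(acl.stats))
```

The allowlist, rather than a blocklist of “bad” countries, is the point of the post’s “filter in” phrasing: anything unknown, including an address outside the table, is dropped, so the list can only err on the side of turning a legitimate visitor away, which you will hear about, not on the side of letting a flood through.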

Minimal Essential Site

Most web sites are quite rich and complicated, and web servers are there to support these fancy features – all the cool stuff that makes the Internet interesting, such as databases and scripting languages like PHP and Python and more.

They do have a cost and can be targeted to slow your server down.

If filtering isn’t enough, a minimal essential site may be your best option.

The Hydra Defense – when in doubt, spread it out

The essence of a denial of service attack is to overwhelm your online business so that you can’t operate. This is easy if you are in one location on one server.

So, don’t be.

Spread yourself around.

A number of my articles on superscaling describe using massive online services for parts of your business.

The other way to scale is to spread out your own business service so that there is not one site to hit, but many.

This creates something of a problem for new customers as they can’t find you if your main site is down, but you can freely (and sometimes very flexibly and even invisibly) re-steer your existing users to other sites and servers.

This can be done with URLs (see the forthcoming chapter).

It can also be done for applications.

The Fast Server Directory

Many online applications send you to a single online site to login. It is easy to design systems this way and reflects the way some traditional security tools for network access control work, such as Kerberos.

Easy to implement.

But, easy to block.

Instead of first logging in, it may make more sense for your application to hit one of a series of servers whose sole function is to provide a list of login servers.

These very small, very simple servers simply return URLs or IP addresses for available login servers.

So, they can be super cheap.

They may not even exist all of the time.

So, they can be even cheaper :).

From a design perspective, this spreads out the number of places that a hacker needs to attack to take your service out.

Depending on how your client applications work, you may even be able to push the directory information out via email or other service that is very hard to block.
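An added example (not the post’s or any product’s code) of the directory-then-login flow, with one detail the paragraphs above leave implicit: if the server list can travel over email or any other channel that is hard to block, the client has to be able to tell a genuine list from a forged one, so the directory document here carries an authentication tag that the client checks before it trusts any server name in it. HMAC is used to stay within Python’s standard library; a shipped client would embed only a public key and verify a public-key signature instead, since an HMAC key inside the client can be extracted. The key, the host names and which servers happen to be up are all constructed.

```python
"""Directory-then-login client with an authenticated server list (added example;
not the post's own code). The directory document is signed so a forged or
tampered list cannot steer clients to an attacker's "login server". HMAC keeps
this inside the standard library; a real client would verify a public-key
signature. Key and host names are CONSTRUCTED."""
import hashlib
import hmac
import json
import random

DIRECTORY_KEY = b"constructed-directory-key"  # constructed; not a real secret


def sign_directory(login_servers, key=DIRECTORY_KEY):
    """Produce the tiny document a directory server hands out."""
    payload = json.dumps(list(login_servers), sort_keys=True).encode()
    return {"servers": list(login_servers),
            "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_directory(doc, key=DIRECTORY_KEY):
    """True only if the server list is exactly what the directory signed."""
    payload = json.dumps(doc.get("servers", []), sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc.get("mac", ""))


class FakeNetwork:
    """Constructed stand-in for the real network: which hosts answer and what."""

    def __init__(self, directory_docs, login_servers_up):
        self.directory_docs = directory_docs       # url -> doc, or None if down
        self.login_servers_up = set(login_servers_up)

    def fetch_directory(self, url):
        doc = self.directory_docs.get(url)
        if doc is None:
            raise ConnectionError(url)
        return doc

    def login_reachable(self, server):
        return server in self.login_servers_up


def find_login_server(net, directory_urls, key=DIRECTORY_KEY, seed=None):
    """Try directory servers in random order; from the first authentic list,
    try login servers in random order; return the first that answers, else None."""
    rng = random.Random(seed)
    order = list(directory_urls)
    rng.shuffle(order)
    for url in order:
        try:
            doc = net.fetch_directory(url)
        except ConnectionError:
            continue                       # that directory is down: try another
        if not verify_directory(doc, key):
            continue                       # forged or tampered list: ignore it
        candidates = list(doc["servers"])
        rng.shuffle(candidates)            # spread clients across login servers
        for server in candidates:
            if net.login_reachable(server):
                return server
    return None


def build_sample_network():
    """Three directory servers (one down, one forged, one good) and three login
    servers of which only one is up; every name here is constructed."""
    good = sign_directory(["login-a.example", "login-b.example", "login-c.example"])
    forged = {"servers": ["login.attacker.example"], "mac": "00" * 32}
    docs = {"dir-1.example": None, "dir-2.example": forged, "dir-3.example": good}
    return FakeNetwork(docs, {"login-c.example"})


if __name__ == "__main__":
    net = build_sample_network()
    print(find_login_server(net, list(net.directory_docs), seed=42))
```

Because the client verifies the list rather than trusting the channel it arrived on, the same document can be served by the cheap directory hosts, mailed out, or pasted into a status page, and a down or hostile directory simply costs the client one more attempt.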

Next Steps

Can you ask your ISP to block certain countries?

Can you configure your own server to help protect your site?

If you have a custom online application, have you planned for denial of service attacks?

What other tactics have you used? Have they worked?

Please share them with your fellow online business owners.

Let’s compete on our products, not our security.

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Site vs. Denial of Service – Superscaling vs. Unscrewing
http://free2secure.com/denial-site/
Wed, 06 May 2015 08:55:35 +0000

Denial of Site vs. Denial of Service – Image via Pixabay

When you are getting hit by a denial of service attack, what does it mean?

Once upon a time, if your business was online, you had a web site and that was it. You likely even ran your own email server.

Today, we are in a much richer and more complicated world. In addition to your web site, you may have a presence on one or more social networks like Facebook or LinkedIn, you post images to Instagram and Pinterest, video on YouTube, a podcast on iTunes, your store on Shopify or Paypal, and tweet away on Twitter.

Your actual web site may be augmented by a content distribution network (CDN) and you may use a third party mail service like AWeber, Mail Chimp, or Constant Contact.

… and even your blog gets pushed out via RSS to remote hosts and readers.

It is amazing that any of us get anything done beyond managing all of these services!

Just what are you losing?

It is too easy to panic when your site gets hit with an outage or a denial of service attack.

Take a look at all of the components of your online business. There are probably more pieces than you think.

Next, determine which are part of your actual site and which are part of a much larger service.

You may be worried how dependent your business is on some of these services (see my forthcoming article on Unscrewing).

On the other hand, these massive online services should also be radically less vulnerable to denial of service attacks.

If they are implemented well.

Sometimes, you may be surprised.

It is worth looking at to be sure you are getting the scalability and reliability you desire vs. the challenge of exiting the service.

Denial of Service vs. Unscrewing Strategy

A well designed large scale online service should be able to provide you with substantial resistance to denial of service attacks. You can strategically structure your use of these services to minimize your vulnerability to denial of service attacks.

Even using an email list as your primary communication tool with your customers will radically reduce the threat to your business from denial of service (provided your email is on a separate server).

Denial of your site is not the same as denial of service to your business.

There is a cost – Getting out of these services.

Alison Bailes Bhattacharyya was an enterprise-class user of an online storage service for backup, paying $100 per month for 120 GB of data in 20,000 files… and it all disappeared.

The company said “We have escalated this to engineering.”

Eventually, the data was recovered.

Fortunately, Alison had a full backup and is moving to a different service provider.

Are you as well prepared?

Next Steps

In order to plan for, or deal with, a denial of service attack, you need to fully understand the consequences.

If you use an outside service for scalability and reliability do they really provide them?

Can you “unscrew” if you get screwed by your service provider?

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

Denial of Service – What does it cost you? http://free2secure.com/denial-of-service-costs/ Mon, 04 May 2015 09:59:21 +0000

The post Denial of Service -What does it cost you? appeared first on Free2Secure.

[Image: The Moneychangers – What does a Denial of Service Attack cost you? via Wikipedia]

What is the real cost of a denial of service attack to your online business? What should you do if you are getting hit by one?

Perhaps, nothing.

Perhaps, a lot.

As I write this article, Free2Secure.com gets a fairly small amount of traffic each day. Almost as many people see my articles when I post them at LinkedIn and, hopefully, join the Free2Secure discussion group there.

I might lose a few new contacts, but nothing more.

Bottom Line: If I got hit with a denial of service attack today, I’d be angry, but the correct answer would probably be to do nothing.

Hopefully, this will change!

Before I get to anything else, if you are being attacked, the very, very first thing you should do is:

Turn off your ads!

If your site is down for any reason, there is absolutely no reason to be running any sort of online ad campaign. All it will do is send new, cold prospects to a web site that they can’t reach.

So, shut the darn ads off.

Or, if you’ve got an alternate way to offer your service, re-steer these cold prospects to that site and count yourself lucky (or wise).

You can’t do much about organic search steering cold prospects to your crippled site.

What does your online business really look like?

To understand the damage that a denial of service attack can do, you need to dive into your online business – what part of your business online is “real time” and will be lost if your site or a service is not available versus what business will be a bit patient and come back when you are back online?

See Denial of Site vs. Denial of Service – Superscaling vs. Unscrewing for more details.

Online businesses that rely on page views are the most vulnerable:

No pages seen equals no revenue earned.

Many ad-based businesses and some affiliate-based businesses are very vulnerable to real-time outages. They rely on page views and impulse actions to make their money. Retailers who sell commodity products available from a number of sites are similarly at risk… if your site is down, your potential customers will go somewhere else.

This does raise an interesting question for these kinds of sites. Many of them have email lists and RSS subscribers, but the sites only send out a fraction of their material via these channels. They are always striving to pull their users back to the web site. Sometimes they do this to avoid their content being hijacked.

… on the other hand, if you are worried about denial of service attacks, you may want to load both your content AND your ad or affiliate information.

It is an interesting trade-off.

Conversely, a membership site or subscription service may just ride out a denial of service attack against its site. As long as the attack doesn’t go on too long, there is no real damage to your business*.

* You may extend subscriptions or memberships as a gesture of good will.

Losses from Your List

If you read ANY book or article about online business you’ll constantly hear about “building your list”. It is a tired tune, but it is true.

Building your email list is the art of turning cold site visitors into potential customers.

It is also the foundation for your customer list.

It should be guarded, nurtured, and grown.

And backed up… right?

If your site is down, you are going to have trouble adding to your list.

It is the first component for figuring out the cost of denial of service:

(# of names added to your list per day) × (expected revenue per name on your list per year) = lost revenue per year, per day of outage.

This may be a little, it may be a lot. Unfortunately, it is just the beginning.

Real-time Losses

If your business is based on page views, you are going to face revenue losses every hour you are down. Here are several revenue sources that are most affected by real-time outages:

  • Ads
  • Sponsorships
  • Affiliates
  • Product sales (mass market retail)

Each of these revenue areas can be modeled based on how your business handles them and you can make an estimate of your losses when your site is down. Businesses in this category are prime candidates for high availability and high reliability service.

He who lives by the eyeball (and click), dies by the eyeball (and click).

Transaction Service Hazards

Some businesses are intermediaries. eBay, Paypal, payment processors, and, in some cases, Amazon, all provide transaction services for other parties and make their money by facilitating transactions.

Several years ago, several offshore sports wagering sites were threatened with denial of service attacks timed to coincide with the Super Bowl. As you can imagine, this form of electronic blackmail was considered a very serious threat, as a huge fraction of a year’s wagers happen during the weeks leading up to the big game.

Denial of service attacks aren’t always a fancy form of revenge or vandalism.

If you are running this type of service, you are probably acutely aware of the requirement for your service to be always available, and you will have planned for traffic spikes, denial of service threats, and outages. You’ll also have service level agreements (SLAs) and contract terms that formally handle these situations.

If you haven’t and you have a problem, you’ll hear about it from some very unhappy customers.

However, even if you’ve covered yourself with lawyers and contracts, you are going to have real problems if your service is not robust in the face of a denial of service attack or other outage.

Proprietary Products and Services – A margin of safety

The big money, and margins, are usually to be found with proprietary products and services. If you are the only provider of something, your customer is going to have to wait until you can provide it.

But, you still don’t want to make these customers too unhappy.

In this case, you may lose some new product sales, but, if the product is something that your customer really wants or needs, they are going to wait (at least a while).

Memberships and subscriptions can likely tolerate reasonably short outages without any real losses. Longer outages may require compensation.
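The list formula and the loss categories above (page-view revenue that is lost outright, proprietary sales that mostly wait, memberships that owe goodwill only after a long outage) can be combined into a simple outage cost model. This is an added example, not from the original post; the revenue figures, patience shares and grace periods are constructed placeholders to be replaced with your own numbers.

```python
from dataclasses import dataclass

HOURS_PER_DAY = 24.0


@dataclass
class RevenueStream:
    """One revenue source and how it reacts to an outage.
    patience: share of customers who wait and come back afterwards (0.0 for
    page-view businesses, near 1.0 for proprietary products or memberships).
    grace_hours: outage a membership tolerates before goodwill is owed.
    goodwill_per_hour: compensation cost per hour beyond the grace period."""
    name: str
    daily_revenue: float
    patience: float
    grace_hours: float = 0.0
    goodwill_per_hour: float = 0.0


def list_loss(names_per_day, revenue_per_name_per_year, outage_hours):
    """The post's list formula (names/day * annual revenue per name = annual
    revenue lost per day of outage), scaled to the outage length in hours."""
    return names_per_day * revenue_per_name_per_year * outage_hours / HOURS_PER_DAY


def stream_loss(stream, outage_hours):
    """Real-time revenue that does not come back, plus any goodwill owed."""
    billable = max(0.0, outage_hours - stream.grace_hours)
    direct = stream.daily_revenue * billable / HOURS_PER_DAY * (1.0 - stream.patience)
    return direct + stream.goodwill_per_hour * billable


def outage_cost(streams, names_per_day, revenue_per_name_per_year,
                outage_hours, fixed_costs=0.0):
    """Per-stream losses plus list loss and a flat support/operations cost."""
    per_stream = {s.name: stream_loss(s, outage_hours) for s in streams}
    total = sum(per_stream.values()) + fixed_costs
    total += list_loss(names_per_day, revenue_per_name_per_year, outage_hours)
    return per_stream, total


def sample_streams():
    """Constructed placeholder figures for the business types the post contrasts."""
    return [
        RevenueStream("ads", 400.0, 0.0),
        RevenueStream("affiliate", 200.0, 0.1),
        RevenueStream("proprietary product", 1000.0, 0.8),
        RevenueStream("membership", 500.0, 1.0, grace_hours=12.0, goodwill_per_hour=10.0),
    ]


if __name__ == "__main__":
    for hours in (6, 36):
        print(hours, "hour outage:", outage_cost(sample_streams(), 20, 5.0, hours))
```

Running the model for a 6-hour and a 36-hour outage shows the membership stream costing nothing until the grace period is exceeded, while the ad stream loses every hour in full.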

Reputation Matters

No one likes to be hacked. Or, more specifically, no one likes the publicity associated with being hacked. It is bad for your reputation. It is bad for business.

Most people are somewhat savvy about hacking, but you may face damage to your reputation from the attack. In some cases, it may be from Internet users and customers who don’t know you are being attacked, but simply find your service broken or unresponsive.

Customer Support Costs

You are going to face increased customer support costs and need to spend extra time and money on informing your customers and potential customers what is happening.

You can effectively preempt some of these costs with a smart communication strategy, but expect to provide hand-holding. And the longer the attack continues, the more these costs will grow.

Operational Costs and Recovery

If you can’t ride the attack out, you are going to have increased operational costs. You may need to change your ISP (either because you are not happy with how they handle the situation or they may drop you as a high-risk customer).

You may need to add additional security services to your site or increase your base site to more easily ride out the attack.

If you have maintained good backups, this will be much easier. Much, much easier.

Much, much, much easier.

Other Losses?

What other losses can you think of from a denial of service attack? The costs I’ve covered are the costs that you will face for the duration of the incident. Changes to your ISP and business operations may continue indefinitely.

Next Steps

In order to plan for, or deal with, a denial of service attack, you need to fully understand the consequences.

To keep up with this series on denial of service and other security problems that your online business may face, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

