Why conduct a DDoS Test?
Historically, security specialists have rarely placed DDoS testing high on the IT agenda, relying mainly on vulnerability assessment and penetration testing as a means of security validation. However, things are changing. DDoS attacks are no longer simply a risk to the availability of an IT system or service. DDoS attacks are being used in concert with attempts to penetrate networks and/or steal data, and this is changing the way that businesses have to calculate the risk of loss from DDoS attacks, as well as the way that counter-measures need to be deployed.
The need for DDoS testing depends heavily on how much your business relies on e-commerce and online sites and applications. If your organisation must maintain a 24/7 online presence, this type of security assessment is essential. The severity of the risk will, of course, depend on how much that business relies on its online systems for revenue, a matter discussed in our white paper on “Assessing the business risk posed by Distributed Denial of Service attacks.” If the risk is sufficiently large, then budget is usually set aside for mitigation. But until recently many companies saw DDoS as a nuisance, and not a threat to data.
A DDoS attack may target DNS servers, application servers, routers, firewalls and internet bandwidth. Typically, DDoS testing engineers use a distributed set of traffic generators that simulate a botnet, directing coordinated attack traffic at the target to try to bring the service down, within a controlled and legally authorised environment.
Reducing the risk of security incidents & DDoS attacks
Reducing the risk to the business of security threats of all types, including DDoS attacks, is one of the responsibilities of the company’s board. For business, which is increasingly underpinned by IT systems and processes, IT security is employed to reduce the risk, and thus the cost of a security incident of some nature. Deciding on the appropriate investment in security is a calculation of the expected loss (likelihood of damaging event multiplied by impact of damaging event) and then deciding what proportion of that expected loss to invest in systems and processes to eliminate, or at least reduce, the likelihood of a damaging event. The ideal situation is that any spend on security should reduce the likelihood and/or impact of a security incident such that the following is true:
Spend on security + Expected loss from security incident with security in place < Expected loss from security incident with no security in place

Where Expected loss (£) = Chance of loss (%) * Impact of loss (£)
Testing IT security is based on the premise that security systems, processes and people have a non-zero risk of not being effective when they come under attack (i.e. they are fallible). The likelihood of security system failure tends to increase over time as things change inside and outside the business environment. The scale of the loss is not only that of the breach itself, but also the investment in the security system, which is wasted money unless the protection is effective. Considered separately from an ordinary IT security product or service, the likelihood of loss is lower (one assumes that security solutions, as a whole, are at least somewhat effective), but the value of a loss is higher because it includes the investment in the security system that failed.
Spend on IT security testing = f (Likelihood of security system failure * (Impact of loss + Cost of security system))
Testing is a critical part of ‘security as a process’. If a company invests in some kind of defence measure e.g. DDoS protection and then does not test it, it could be spending money on a capability which does “nothing” and thus does not fulfil the requirements of the business case. This is as true for DDoS mitigation as it is for systems that prevent penetration and data theft.
A simpler way to look at the business case for DDoS testing is to consider regular testing of the security system as part of the security system itself. Testing is usually a fraction of the investment in the security system it is deployed alongside, and experience suggests that it greatly improves the effectiveness of the security solution, out of all proportion to the cost of the test programme. So, given this approach, you can simplify the business case for security testing by treating regular testing as an essential and fundamental component of the security system itself and simply including it in the overarching business case.
Spend on IT “Security as a process” = f (Likelihood of loss * Impact of loss)
So – the business case for IT security and DDoS testing is the same as the business case for IT security more generally; IF you consider security as a process, as opposed to a static system. All spend on IT security is based on the premise that there is a risk of financial and reputational loss and that a proportion of the expected loss can be spent reducing the likelihood of loss – and that this is more efficient than doing nothing and accepting the loss when it happens.
Security as a process
Security is not a static product or service one can buy. All successful businesses change over time, and their IT changes with it. Simultaneously the tools and techniques attackers and criminals use to try and exploit businesses change as well. If a company’s attack surface and the criminal’s methods of attack are in constant motion – a company’s security posture and the systems and processes it employs to enforce that posture have to be in constant motion as well.
Security testing generates important data that can be used as feedback to improve security systems and processes. DDoS testing is crucial to the efficacy of DDoS mitigation systems employed in the defence of a company’s data assets.
A lot of companies engage penetration testers to look for holes in servers and network systems. Sometimes this is a matter of compliance with regulations, sometimes it is a response to feeling the pain of a breach, and sometimes it is simply good business practice. Although the business case for DDoS testing is similar to that of penetration testing, the test mechanism itself is completely different from penetration testing or vulnerability assessment, requires different tools and capabilities, and is often overlooked. With the emergence of attacks which combine DDoS with penetration and data theft, it can no longer be considered a separate business decision.
There is plenty of literature to support understanding of how to implement security as a process in a business, but that is beyond the scope of this blog. Suffice it to say that testing security systems is a critical part of being secure and being seen to be secure.
Could DDoS testing be important to your business?
Some types of countermeasures benefit more than others from routine testing, and DDoS mitigation systems are a case in point. Some DDoS mitigation techniques rely on detecting deviation of traffic from its normal levels and characteristics, and so need good baseline information to be effective. Some DDoS attacks mimic normal user behaviour, to a point, to try to evade detection and slip past defences. Testing helps to tune mitigation detection, minimising false positives and optimising response times to an attack.
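To make the tuning loop above concrete, here is an added Python example (not code from activereach or from any DDoS mitigation product) that models a baseline-deviation detector: it learns mean and standard deviation of requests per second from a quiet window, replays two constructed test traces through it, and then lowers the sensitivity multiplier k until a clean validation window stays within a false-positive budget. All traffic samples, the candidate k values and the 10% false-positive budget are constructed assumptions for illustration; a real mitigation system uses many more features than a single request rate, but the shape of the exercise, baseline, test, tune, retest, is the same.

```python
"""Baseline-deviation DDoS detection, exercised with constructed test traffic.

Models the tuning loop a DDoS test supports: learn a baseline from clean
traffic, replay attack traffic through the detector, and adjust the
sensitivity so that test traffic is caught without flooding operators
with false positives on normal days. All traffic samples are constructed.
"""
import statistics
from typing import Optional

# Constructed baseline: requests per second over a quiet 20-second window.
BASELINE_RPS = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96,
                105, 101, 99, 98, 103, 100, 102, 97, 101, 104]

# Constructed clean validation window used to measure false positives.
CLEAN_RPS = [99, 102, 106, 100, 98, 104, 101, 107, 103, 100]

# Constructed test traces. The volumetric one is an obvious flood; the
# low-and-slow one mimics normal rates and stays just under the default
# threshold, the kind of evasion the text describes.
VOLUMETRIC_RPS = [100, 102, 500, 2000, 4000, 4000, 3500, 101]
LOW_AND_SLOW_RPS = [103, 106, 107, 108, 108, 107, 106, 108]


def learn_baseline(rps):
    """Return (mean, stddev) of per-second request counts for clean traffic."""
    return statistics.mean(rps), statistics.pstdev(rps)


def threshold(mean, std, k):
    """Alert threshold: k standard deviations above the learned mean."""
    return mean + k * std


def detect(rps, mean, std, k):
    """Indices of samples exceeding the threshold."""
    limit = threshold(mean, std, k)
    return [i for i, v in enumerate(rps) if v > limit]


def false_positive_rate(clean_rps, mean, std, k):
    """Fraction of clean samples that would alert at sensitivity k."""
    return len(detect(clean_rps, mean, std, k)) / len(clean_rps)


def time_to_detect(rps, mean, std, k) -> Optional[int]:
    """Seconds from start of trace until first alert, or None if it evades."""
    hits = detect(rps, mean, std, k)
    return hits[0] if hits else None


def tune_k(clean_rps, mean, std, candidates, max_fp_rate):
    """Smallest k whose false-positive rate on clean traffic is within budget."""
    for k in sorted(candidates):
        if false_positive_rate(clean_rps, mean, std, k) <= max_fp_rate:
            return k
    return max(candidates)  # nothing fits the budget: fall back to least sensitive


def run_test_cycle(default_k=3.0, max_fp_rate=0.10):
    """One baseline -> test -> tune -> retest cycle; returns a summary dict."""
    mean, std = learn_baseline(BASELINE_RPS)
    before = {
        "volumetric": time_to_detect(VOLUMETRIC_RPS, mean, std, default_k),
        "low_and_slow": time_to_detect(LOW_AND_SLOW_RPS, mean, std, default_k),
    }
    # Assumed candidate sensitivities and false-positive budget (constructed).
    tuned_k = tune_k(CLEAN_RPS, mean, std, [1.0, 1.5, 2.0, 2.5, 3.0], max_fp_rate)
    after = {
        "volumetric": time_to_detect(VOLUMETRIC_RPS, mean, std, tuned_k),
        "low_and_slow": time_to_detect(LOW_AND_SLOW_RPS, mean, std, tuned_k),
    }
    return {
        "mean": mean, "std": std, "default_k": default_k, "tuned_k": tuned_k,
        "before": before, "after": after,
        "fp_rate_after": false_positive_rate(CLEAN_RPS, mean, std, tuned_k),
    }


if __name__ == "__main__":
    for key, value in run_test_cycle().items():
        print(f"{key}: {value}")
```

With the default k of 3 the flood is caught in its third second while the low-and-slow trace never alerts; only replaying test traffic exposes that gap. Tuning against the clean window settles on k = 2.5, which catches the low-and-slow trace in its third second at a 10% false-positive rate on quiet traffic. The trade-off between detection time and false positives is exactly what a test programme lets you measure rather than guess.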
Staff also need to be familiar with detection and response, and testing can help streamline response plans, reducing the distraction effect of DDoS attacks and keeping resources available to prevent data theft. activereach has encountered several businesses that are under such regular DDoS attack that they feel they can suspend their DDoS testing. But for most companies, the frequency of DDoS attacks is low enough that, without testing, confidence in staff and system preparedness will be commensurately low.
Top 10 reasons to conduct a DDoS Attack Test
There are a number of features of DDoS attacks and DDoS mitigation systems that make DDoS testing particularly important. We have put together a checklist of Top Ten reasons that businesses should consider when assessing the business case for DDoS testing. Please see our next blog article in this series to find out more.