How to Prepare for the Biggest Change in IT Security in 10 Years: The Availability Threat

by Carl Herberger

Availability, the big "A", is often the overlooked corner of the CIA triad. One contributing factor is the common belief among security professionals that if data is not available, it is secure. Corporate executives have a different opinion, because downtime carries a hefty price tag. Today's corporate risk assessment certainly covers availability, but it does so in terms of redundancy, not security. Penetration tests, which are themselves an output of that risk assessment, also fail to test availability: pen testing and vulnerability scanning contracts specifically exclude any test that might degrade service, so these weaknesses often stay unknown until it is too late. Availability is instead handed off to network engineering to design and build resilient networks. Common mitigations in this arena include redundant power, internet links, routers, firewalls, web farms and storage, and even geographic diversity through hot, warm and cold data centers. You get the picture: a great deal of money is invested in building network infrastructure to meet corporate availability requirements.

While these investments in infrastructure are meaningful, they are not impervious to attack. In fact, attacks are often complicated, and even exacerbated, by the inherently resilient design of the network. To see why, consider a few common myths:

Myth 1: DDoS attacks consume lots of bandwidth and are noisy. We will add bandwidth if we come under DDoS attack, or we already have enough bandwidth to absorb any attack.

A recent study by Radware's ERT, along with reports from competing vendors, describes a significant shift in the threat landscape: away from noisy volumetric floods (TCP SYN or UDP floods) and toward application-layer floods (HTTP GET and DNS query floods) and low-and-slow attacks. A volumetric attack can consume any amount of bandwidth you can afford to buy. Admittedly, additional bandwidth may delay the outcome, and if the headroom is significant (100 Gbps or more) it might even deter an attacker. But a targeted attack is one in which the attacker is after your business specifically, not your competitor or the guy down the street. He will shift gears to find the weakness in your defense, and more than likely he will find it at the application layer, where a handful of requests per second against an expensive endpoint, or a few hundred connections held open with nearly no traffic on them, exhaust server resources without ever registering as a bandwidth problem.
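The practical consequence of this shift is that a bandwidth graph will not show you an application-layer or low-and-slow attack; you have to look at request rates and connection behaviour per source. The following detector is an added example written for this page, not code from the author or from Radware. It runs over a constructed, simplified web-server access log (timestamp, client IP, request line, status, bytes served, request duration in milliseconds; the format and all addresses are assumptions) and flags two patterns the paragraph describes: an HTTP GET flood, found as a burst of requests from one source inside a sliding window, and a slowloris-style low-and-slow client, found as many long-held, near-empty requests that the server eventually timed out. It also totals bytes per source, to make the point that the flood in the sample moves only a few hundred kilobytes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Simplified line format:
#   <iso-timestamp> <client-ip> "<method> <path>" <status> <bytes> <duration-ms>
# Three simulated clients: a legitimate browser, an HTTP GET flooder hammering an
# expensive search endpoint, and a slowloris-style client whose requests hang open
# with almost no data until the server times them out with a 408.
def build_sample_log():
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(6):                       # legitimate: 6 requests over a minute
        ts = (base + timedelta(seconds=i * 10)).isoformat()
        lines.append(f'{ts} 198.51.100.20 "GET /page/{i}" 200 4096 120')
    for i in range(80):                      # GET flood: 80 requests in ~4 seconds
        ts = (base + timedelta(milliseconds=i * 50)).isoformat()
        lines.append(f'{ts} 203.0.113.7 "GET /search?q=x{i}" 200 4096 350')
    for i in range(30):                      # low-and-slow: 30 connections, each held 60 s
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f'{ts} 192.0.2.9 "GET /" 408 0 60000')
    return lines

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<dur>\d+)$')

def parse_log(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "method": m["method"], "path": m["path"], "status": int(m["status"]),
            "bytes": int(m["bytes"]), "dur_ms": int(m["dur"]),
        })
    return events

def detect_get_flood(events, window_s=10, threshold=50):
    """For each source IP, the peak number of GET requests inside any sliding
    window of window_s seconds. Returns {ip: peak} for sources at or above threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "GET":
            by_ip[e["ip"]].append(e["ts"])
    window, flagged = timedelta(seconds=window_s), {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):       # two-pointer sliding window
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def detect_low_and_slow(events, min_dur_ms=30000, max_bytes=1024, min_requests=10):
    """Count, per source IP, requests held open at least min_dur_ms while moving
    at most max_bytes: the connection is occupied but nearly nothing crosses it.
    Returns {ip: count} for sources with at least min_requests such requests."""
    counts = defaultdict(int)
    for e in events:
        if e["dur_ms"] >= min_dur_ms and e["bytes"] <= max_bytes:
            counts[e["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_requests}

def bytes_per_ip(events):
    """Total bytes served per source IP; the volumetric view that misses both attacks."""
    totals = defaultdict(int)
    for e in events:
        totals[e["ip"]] += e["bytes"]
    return dict(totals)

if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("GET flood sources:", detect_get_flood(evs))
    print("low-and-slow sources:", detect_low_and_slow(evs))
    print("bytes per source:", bytes_per_ip(evs))
```

The thresholds are deliberately parameters rather than constants: a request-rate threshold that is right for a static landing page is wrong for a search API, and a duration threshold must sit above the server's own slow-client timeout or every legitimate large upload becomes an alert. In a real deployment the window counting would be done in streaming fashion per source rather than over a whole log, but the signal is the same.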
