The Field Report
There are 18,000 banking institutions in the U.S., and somebody has to blog about their breaches, concerns and security successes.
Government Information Security Blogs
Comments (3)
Read All Posts (16)
Can Cloud Defend Against DDoS Attacks?
July 20, 2009 - Eric M. Fiterman
The distributed denial of service (DDoS) attacks - allegedly instigated by North Korea or its backers - that disrupted service for many federal agencies this month were successful because most of these agencies still publish web content on small, easily-saturated network links. Take a look at the two federal offices that were able to sustain the attack for the duration without loss of service - the websites for the White House and the Defense Department. It's no mystery that the White House site sits on servers hosted by Akamai, a distributed content delivery network that provides geo-centric services for content delivery. This means that a person accessing whitehouse.gov from San Francisco will talk to different servers than someone in Washington. The Akamai content network effectively load balances traffic, and this design was likely a key reason the White House wasn't affected by the attacks.
 |
There are plenty of technical options available to help agencies move to platforms that are resilient against blunt-force style attacks. ... Cloud computing platforms may be one approach to  |
The capability that helped the White House fend off these attacks is closely related to another networking concept -- Anycast networking. Anycast is a concept that allows the same content to be served from different physical and geographic locations. This is at the heart of the denial of service problem. When an attacker directs an army of rogue computers at a target website, the hosts are in different locations, but their collective traffic is aggregated to overwhelm the target. However, if each bot in this group talks to a different server depending on its physical location, then you can reduce the overall effectiveness of the mob. This is an effective divide-and-conquer strategy that can help address the problem of DDoS attacks.
Similarly, cloud computing services, such as Google's App Engine and Amazon's Elastic Compute Cloud, or EC2, provide flexible hosting resources that can grow to accommodate a surge in demand. Imagine if the agencies that were affected by the attacks had been sitting in the cloud when the malicious traffic started rolling in. The ability to disrupt agency websites becomes a function of how much capacity Google and Amazon have to support the requests. These providers likely have plenty of bandwidth to sustain the attack and provide service with little to no service disruption.
There are plenty of technical options available to help agencies move to platforms that are resilient against blunt-force style attacks like DDoS. DDoS has been around for a while, and will continue to be used against federal IT systems until they are no longer effective. Cloud computing platforms may be one approach to consider.
Eric M. Fiterman is a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses.
Other blogs from Fiterman:
 |
 |
 |
 |
|
 |
Scalability and bandwidth are both factors to consider in designing reliable cybersecurity infrastructure. However, a more robust security architecture embedded with artificial intelligence, that could recognize an attack and be able to relegate each attack to a blackhole stands to resolve DDos at large.
Mike Redford Phd, JD, LLM/JSD Candidate
Mike Redford Phd, JD, LLM/JSD Candidate
Posted by drmikeredford on February 3, 2010 @ 1:07 PM
Hi, Tarak:
Thanks for your comment. I think your winter analogy is a great illustration.
Scalability is very relevant in our discussion about security. As I write this, I still have flashbacks of the CIA triad (Confidentiality, Integrity and Availability) from the CISSP exam.
When a vulnerability or an exploit generates a Denial of Service condition, you will be affecting system availability -- denying legitimate users access to conduct business. Considering our dependency on IT resources, taking away someone's ability to process payments, make phone calls, communicate with external parties, or conduct business is a serious security problem. That's why DoS is an element of Contingency and Continuity of Operations (COOP) planning. If improved capacity or better load balancing can help mitigate a DoS condition, then scalability helps us meet our security requirements.
Take a moment and plug this query into Google and you'll see how availability is an important element of our security discussion:
http://www.google.com/search?q=site%3Anvd.nist.gov+denial+of+service
Thanks again for the comment,
-Eric
Thanks for your comment. I think your winter analogy is a great illustration.
Scalability is very relevant in our discussion about security. As I write this, I still have flashbacks of the CIA triad (Confidentiality, Integrity and Availability) from the CISSP exam.
When a vulnerability or an exploit generates a Denial of Service condition, you will be affecting system availability -- denying legitimate users access to conduct business. Considering our dependency on IT resources, taking away someone's ability to process payments, make phone calls, communicate with external parties, or conduct business is a serious security problem. That's why DoS is an element of Contingency and Continuity of Operations (COOP) planning. If improved capacity or better load balancing can help mitigate a DoS condition, then scalability helps us meet our security requirements.
Take a moment and plug this query into Google and you'll see how availability is an important element of our security discussion:
http://www.google.com/search?q=site%3Anvd.nist.gov+denial+of+service
Thanks again for the comment,
-Eric
Posted by efiterman on October 8, 2009 @ 5:25 PM
Claiming that "cloud computing services, such as Google's App Engine and Amazon's Elastic Compute Cloud, or EC2, have plenty of bandwidth to sustain a DDoS attack" is akin to arguing that "you can tolerate the cold winter better by becoming fatter."
Is the fact that we have more scalability even relevant in a discussion about security?
Is the fact that we have more scalability even relevant in a discussion about security?
Posted by tarakmodi on October 8, 2009 @ 2:06 PM
Latest Tweets & Mentions
Posts By Category
- ACH
- Agencies
- Anti-Money Laundering
- Application Security
- ARRA/HITECH
- Audits Investigations Reports
- Authentication
- Bank Secrecy Act
- Banking Today
- Biometrics
- Budgeting & Funding
- Business Continuity & Disaster Recovery
- CIO Council
- Cloud Computing
- Collaboration & Interagency
- Committees and Testimonies
- Compliance
- Confidence In Banking
- Congress
- Cybersecurity
- Data Loss
- Debit, Credit, Prepaid Cards
- Defense Department
- Electronic Health Records
- Emerging Technology
- Encryption
- Endpoint Security
- Federal Trade Commission
- FISCAM
- FISMA
- Fraud
- GAO
- Governance & Standards
- Governance, Risk & Compliance
- Government Accountability Office
- Gramm-Leach-Bliley Act
- GRC
- Health Information Exchanges
- HIPAA
- Homeland Security Department
- HR
- ID & Access Management
- ID Access & Management
- Identity Theft
- Identity Theft Red Flags Rule
- Incident Response
- Information Security Compliance
- Information Sharing
- Insider
- Insider Threat
- Inspectors General
- Intelligence
- Law Enforcement
- Laws, Regulations & Directives
- Leadership & Management
- Legislation
- Medical Identity Theft
- Messaging
- Mobile & Wireless
- Mobile Banking
- National Security Agency
- Network & Perimeter
- Network/Perimeter
- NIST
- Office of Management & Budget
- Office of Management and Budget
- Pandemic Preparation
- Payments
- PCI DSS
- Phishing
- Physical Security
- Privacy
- Remote Capture
- Risk Assessment
- Risk Management
- Sarbanes-Oxley Act
- Security Leadership
- SIM & SEM
- SIM/SEM
- Skimming
- Social Media
- Staff & Recruitment
- Storage
- Technology
- Training & Education
- Unified Threat Management
- US-CERT
- Vendor Management
- Virtualization
- Web Security
- White House
Authors & Blogs
The Agency Insider
From the FDIC to the NCUA, banking institutions take guidance from myriad government agencies and regulations. Here's where we make sense of it all.
Secure Marketspace
A look into how the security and privacy concerns of consumers and citizens impact institutions and government agencies.
Information Technology Risk Management
Not all risks are created equal. Understand, manage and transfer risks, as necessary. Ignore none.
-
The Public Eye
Keeping tabs on federal government efforts to protect citizens' privacy
-
Industry Insights
Insights and opinions from the thought-leaders who represent the industry’s services and solutions providers.
Career Insights
Insights from advisors, consultants and practitioners who know what it takes to be a successful security professional
The Security Scrutinizer
Keeping an eye on efforts to protect the privacy and security of personal healthcare information
The Fraud Blog
Tracking fraud incidents and trends wherever -- and however -- they occur.
Recent Comments
"I tend to agree with John Gilligan. I recently worked for a DoD agency subject to DoD IG, GAO and all the other..."
Read Post | Jump to Comments"I really do not know what they are talking about. My question is exactly and specifically how do we get the knowledge..."
Read Post | Jump to Comments"I strongly disagree that all certifications provides a "false sense of security/" Infosec Pros/Ethical..."
Read Post | Jump to Comments
