Buckley Insights: Trends show DDoS attacks continue to increase
On November 19, Neustar released a report showing a 241 percent increase in Distributed Denial of Service (DDoS) attacks in the third quarter of 2019 compared with the third quarter of 2018. Notably, the report also highlights several new and emerging DDoS methods, including:
- Reflection/amplification attacks, in which the attacker spoofs the victim's IP address as the source of small requests to third-party servers, so that those servers return much larger responses to the victim;
- Exploitation of Apple Remote Management technology as a reflection vector;
- Exploitation of Web Services Dynamic Discovery (WS-Discovery, or WS-DD), a UDP-based protocol increasingly used by IoT devices, including security devices and cameras.
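The reflection/amplification pattern above has a simple victim-side signature: the target never sees the spoofed requests, only unsolicited, oversized replies arriving from many distinct servers whose source port is a well-known reflector service (NTP, DNS, SSDP, Apple ARMS on 3283, WS-Discovery on 3702, and so on). The following is an added example, not code from the article or from Neustar, of triaging flow records for that pattern. The flow-record format, the reflector port table, the thresholds, and the sample records are all constructed assumptions for illustration; a real deployment would read NetFlow/IPFIX from a collector and tune the thresholds to its own baseline.

```python
"""Victim-side triage of UDP reflection/amplification traffic from flow records.

Added example for this article; not Neustar's code or the article's own.
Assumptions: the reflector port table and thresholds are illustrative, and
the flow records are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass

# Service ports commonly abused as reflectors, keyed by the *source* port of
# the reply packets the victim sees. Assumption: illustrative subset only.
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    1900: "SSDP",
    3283: "Apple ARMS",
    3702: "WS-Discovery",
    11211: "memcached",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated records: src_ip:port dst_ip:port proto packets bytes.

    Blank lines and '#' comments are ignored. This is a constructed format,
    not NetFlow/IPFIX; swap in your collector's parser.
    """
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, packets, nbytes = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                          proto.upper(), int(packets), int(nbytes)))
    return flows


def find_amplification_victims(flows, min_reflectors=3, min_bytes_per_packet=400):
    """Return {dst_ip: summary} for destinations receiving amplified replies.

    The victim never sees the spoofed requests, only unsolicited replies from
    many reflectors, so the signal is: many distinct source IPs, all sending
    from a known reflector service port, with a large average packet size.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                   "packets": 0, "nbytes": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        agg = per_dst[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["services"].add(REFLECTOR_PORTS[f.src_port])
        agg["packets"] += f.packets
        agg["nbytes"] += f.nbytes

    alerts = {}
    for dst_ip, agg in per_dst.items():
        bpp = agg["nbytes"] / agg["packets"]
        if len(agg["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            alerts[dst_ip] = {
                "reflectors": len(agg["reflectors"]),
                "services": sorted(agg["services"]),
                "bytes_per_packet": round(bpp, 1),
                "total_bytes": agg["nbytes"],
            }
    return alerts


# Constructed sample: 203.0.113.10 is hit by ARMS, WS-Discovery and NTP replies
# from four reflectors; 203.0.113.20 only receives an ordinary DNS answer.
SAMPLE_FLOWS = """
# src                dst                 proto packets bytes
10.9.9.1:3283        203.0.113.10:4444   UDP   200     90000    # ARMS replies
10.9.9.2:3283        203.0.113.10:4444   UDP   150     67500
10.9.9.3:3702        203.0.113.10:4444   UDP   300     330000   # WS-Discovery replies
10.9.9.4:123         203.0.113.10:4444   UDP   100     48200    # NTP replies
198.51.100.5:53      203.0.113.20:53011  UDP   4       300      # normal DNS answer
203.0.113.20:51022   198.51.100.9:443    TCP   40      6000     # unrelated HTTPS
"""

ALERTS = find_amplification_victims(parse_flows(SAMPLE_FLOWS))

if __name__ == "__main__":
    for dst_ip, summary in ALERTS.items():
        print(f"{dst_ip}: {summary}")
```

The same grouping, run on the reflector's side (outbound replies on a service port fanning out to many destinations the server never heard from), is how an operator discovers that their own NTP, ARMS or WS-Discovery endpoint is being used against someone else; the durable fix for both views is to block spoofed source addresses at the network edge (BCP 38 ingress filtering) and to keep such UDP services off the public internet.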
Although the financial sector is not necessarily the prime target of DDoS attacks by non-state actors, it remains particularly exposed as critical infrastructure in the context of state-supported or state-sponsored cyberattacks, which are generally carried out by advanced persistent threat (APT) groups using more sophisticated attack methods.
Why is this important? The NYDFS Cybersecurity Regulations (Regulations) and the FTC's proposed Safeguards Rule (Rules), previously covered by InfoBytes here, have imposed (or may impose in the future) technical cybersecurity standards for covered entities, in addition to blanket statements about “reasonable security measures,” such as multi-factor authentication, encryption, and annual penetration testing, among other things. Although the Rules and the Regulations are not the first regulations to impose technical standards (for example, Massachusetts’ standards for the protection of personal information under 201 Mass. Code Regs. 17.01 et seq.), they are the first to embed the CIA Triad as a core cybersecurity principle in the definitions of “Cybersecurity Event” and “Security Event,” respectively. The CIA Triad represents the core objectives of cybersecurity: confidentiality, integrity, and availability. A DDoS attack compromises none of the first two and all of the third.
Implications for Financial Institutions. Geopolitical developments often give rise to an increase in cyberattacks designed to disrupt, degrade, deny, or destroy information systems without stealing a single byte of information. Institutions that have built their information security program solely around “security” and “confidentiality” principles should consider reviewing and updating their risk assessments, plans, and procedures and, where applicable, expanding them to cover availability threats, particularly in incident response and disaster recovery plans and operations, as may be required under the proposed Rules.
Under the NYDFS Regulations, a qualifying cybersecurity event must be reported within 72 hours of the determination that it occurred; the Regulations capture events that must be reported to another government or regulatory body, or that have a reasonable likelihood of materially harming a material part of the entity's normal operations. A significant DDoS attack could therefore be a reportable event, with potential regulatory follow-up, even if no PII was lost.