Latest Posts

Latest Comments


Why DDOS demands protection money


Posted by |

Imagine you are a nightclub owner. You receive a letter that treads an uneasy line between politeness and intimidation that highlights issues with your security. There’s an unspoken threat that those chinks could be exploited…unless you choose to pay to ward off any such threat. Ignore the letter and the next thing you know you have a flash mob descending on you one evening uninvited, crashing through your doors, and seriously disrupting your business and your livelihood. Pay up and you avert the threat…this time. Trouble is, they may well be back for more because that is how extortion works, first playing on human psychology and then punishing you whichever way you jump. It’s been a feature of the criminal landscape for over eight centuries, and we really shouldn’t be surprised that it’s now flexing its muscles even more powerfully with a new digital dimension.

There’s been plenty of publicity recently around ransomware such as CTB-Locker, where files are encrypted and the owner offered a valid decryption key only once they’ve paid the ransom using Bitcoins. But organisations should also remain aware of more aggressive extortion rackets. We know of one company recently that was targeted by a group of computer criminals calling themselves ‘DD4BC’, who threaten targets with massive Distributed Denial of Service (DDoS) attacks unless they pay up significant sums using Bitcoins. Worryingly, this firm wasn’t a high profile political target or global brand, just a regular business, which incidentally supports the underlying trend of security attacks becoming far more indiscriminate – so don't ever think it couldn't be you, because it could.

So like our nightclub owner the organisation was faced with the dilemma – pay up or see if DD4BC would make good with their threat. Either way, you are looking at unpleasant consequences, consequences that merely serve to highlight the necessity of avoiding them – and the only way to do that is, of course, to pay another sort of ‘protection money’ altogether. So while our nightclub owner may choose to recruit a whole squad of SAS-trained doormen to keep the flash mob at bay whilst letting genuine clubbers through, businesses will need to invest in one of the sophisticated DDOS defence mechanisms that have evolved to safeguard corporate websites, online services and networks.

But at the same time they will need to accept it’s not a one-time cost, and that security budgets may well have to rise year on year as more and more intelligent solutions are developed to mitigate ever more sophisticated attack strategies. The temptation, for some, might be to take the risk that they won’t be targeted; they might rationalise even further and argue that the cost of the attack is more affordable than the price of protection. But extortion feeds off that weakness, and the only effective counter-measure is to be strong and resolute in the face of threats – or else you will find yourself a victim over and over, until your revenues, your brand, your customer relationships are so compromised that your business will no longer be targeted, because it no longer exists.

The nightclub owner accepts his increased salary bill as a cost of doing business. Companies in the digital age need to do the same in relation to their security spend.



Post a comment

Comment submitted! Comments needs approval before being displayed.