In the aftermath of an unprecedented spate of data breach cyber attacks on U.S. companies in 2014, it’s tempting for casinos and other businesses to view credit card theft as the top risk facing their organizations.
But there’s another cyber threat that can also be extremely menacing and costly to casino operations that is often overlooked by cyber security planners—the distributed denial-of-service (DDoS) attack.
Thirty-two percent of all security incidents recorded in the entertainment industry (which includes casinos) were DDoS attacks, according to Verizon’s 2014 Data Breach Investigations Report. That makes DDoS the most common incident type facing the sector, well ahead of the card-stealing point-of-sale intrusions that accounted for just 7 percent of its incidents in 2013. According to the same report, the entertainment sector is the fourth most targeted U.S. industry when it comes to DDoS attacks.
So, what is a DDoS attack? In this type of attack, an attacker floods a company’s network or website with bogus traffic or requests until it can no longer serve legitimate users. For those who think this just means a company’s website goes down temporarily, keep in mind that the effects can extend well into the corporate network: internal operations slow down or halt, payment transactions can no longer be processed, and devices in the path such as firewalls and load balancers can be pushed past their capacity, causing further downtime and cost. There is also the possibility that a DDoS attack will be used to keep the casino’s security team busy so that the attackers can break into the network and steal data while nobody is watching.
In years past, DDoS attacks were primarily the weapon of choice for “hacktivist” groups, whose goal was to embarrass or harass companies for perceived social wrongdoings. However, over the last two years, DDoS attacks have become more sophisticated, “criminalized” and damaging—they’ve also become much easier for almost any criminal to use, regardless of their technical skills. These attacks are now increasingly being used in cyber extortion schemes and as a way to conceal data breaches and financial fraud.
In the last few years, DDoS attacks have evolved in four important ways:
Commercialization of DDoS—Denial-of-service attacks have been around since the early days of the Internet, but they used to require some level of sophistication to carry out. In a DDoS attack, criminals harness thousands (or tens of thousands) of already infected computers, known as a “botnet,” to send bogus requests to the targeted network. In the past, criminals had to infect those computers themselves or work with organized crime groups willing to share them. Today, almost anyone can visit one of the many black-market sites on the dark web and rent a botnet for a nominal fee. This makes it possible for more criminals, even those with little technical skill, to launch powerful DDoS attacks.
More DDoS power—Along with the increased availability of DDoS tools, the tools themselves have gotten better. Techniques such as reflection and amplification have made DDoS attacks far larger than they used to be. A few years ago, an attack that reached one gigabit per second (Gbps) would have been considered unusually powerful. Today, one Gbps attacks are common, and attacks of 50 Gbps and more have been seen. This increased volume makes it very hard for companies to defend themselves with older methods, and makes it more important to test defenses in advance against realistic attack volumes.
Increased criminalization—Once a tool used primarily for pranks and petty mischief, DDoS has become increasingly criminalized over the last few years. It is now regularly used in cyber extortion schemes, in which a criminal knocks a company’s website or network offline and demands a ransom payment, usually in the tens or hundreds of thousands of dollars, to stop. A recent study by Incapsula found that an extortion demand accompanies as many as 46 percent of DDoS attacks. DDoS is also now frequently used as a smokescreen for other attacks, such as stealing customer data (33 percent) or planting viruses and malware (50 percent), according to the same study.
Higher cost for victims—According to the same Incapsula report, a DDoS attack now costs its victim an estimated $40,000 per hour (an average across all U.S. industries), with a typical duration of six to 24 hours, which puts the average cost of a DDoS incident at roughly $500,000.
For years, companies have downplayed the risks from DDoS attacks, viewing this attack as more of a nuisance than a real threat, while focusing their resources instead on physical security threats and financial fraud cyber attacks. But the growing criminal market for these attacks changes this dynamic and requires casinos to take a more aggressive and proactive stance against them. Unless a casino adequately prepares itself for the worst types of DDoS attacks, it could very well find itself a victim of criminal cyber groups.
Here are some key steps casinos should take to protect themselves:
Establish a DDoS policy—It’s imperative for casinos to have a policy in place that prepares the company in advance for a DDoS attack (including both mitigation and recovery), guides its decision-making process during the heat of battle and educates employees as to the risks this type of attack poses. It should answer questions, such as: What will the casino do to inform/reassure customers? How will it maintain normal business operations during an attack?
Know how to spot DDoS—Believe it or not, a common mistake organizations make when hit by DDoS is failing to realize it is even happening. DDoS incidents are often mistaken at first for network or software glitches, and companies lose valuable time hunting for the source of the problem. Time is critical in a DDoS attack, so every casino should establish a baseline of normal network traffic (requests per second, bandwidth, connection counts and the usual spread of source addresses) so that anomalies stand out quickly when they are compared against it.
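The baseline-and-compare check described above, as an added example that is not part of the original article: it learns normal requests per second from a known-good window of web-server log lines, then flags later seconds that exceed the baseline by a wide margin and reports how many distinct sources are involved, so a responder can tell a single noisy client from a distributed flood. The log lines, IP addresses, thresholds and function names are all constructed for this example.

```python
"""Traffic-baseline anomaly check over web-server access log lines.

Added example, not code from the original article. It builds a baseline of
requests per second from a window of normal traffic, then flags later
seconds whose request rate exceeds the baseline by a wide margin and reports
how concentrated the sources are: a distributed flood shows hundreds of
low-volume sources, which per-IP rate limiting alone will not catch.
All log lines below are constructed for the example (Apache combined style).
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASE_TS = 1417305600  # 30 Nov 2014 00:00:00 UTC, arbitrary start for the sample

def parse_line(line):
    """Return {'ip', 'ts', 'request', 'status'} or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT),
            "request": request, "status": int(status)}

def requests_per_second(lines):
    """Bucket hits by epoch second: {second: Counter(ip -> hits)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[int(rec["ts"].timestamp())][rec["ip"]] += 1
    return buckets

def build_baseline(normal_lines):
    """Mean and standard deviation of requests/second over a known-good window."""
    rates = [sum(c.values()) for c in requests_per_second(normal_lines).values()]
    return {"mean": statistics.fmean(rates), "stdev": statistics.pstdev(rates)}

def detect_flood(baseline, lines, k=3.0, min_ratio=5.0):
    """Flag seconds whose rate exceeds mean + k*stdev.

    A quiet baseline has a tiny stdev, so the statistical threshold alone
    would fire on small blips; min_ratio * mean is a floor guarding against
    that. Each alert records the distinct source count and the top source's
    share so the responder can tell one noisy client from a distributed flood.
    """
    threshold = max(baseline["mean"] + k * baseline["stdev"],
                    baseline["mean"] * min_ratio)
    alerts = []
    for second, counter in sorted(requests_per_second(lines).items()):
        rate = sum(counter.values())
        if rate > threshold:
            _top_ip, top_hits = counter.most_common(1)[0]
            alerts.append({"second": second, "rate": rate, "threshold": threshold,
                           "distinct_sources": len(counter),
                           "top_source_share": top_hits / rate})
    return alerts

# --- constructed sample traffic (not real logs) ----------------------------
def make_line(ip, second, path="/"):
    ts = datetime.fromtimestamp(BASE_TS + second, tz=timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

NORMAL_IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
# 60 s of steady traffic: three legitimate clients, one request each per second
NORMAL_LINES = [make_line(ip, s) for s in range(60) for ip in NORMAL_IPS]

# Later window: 2 s normal, 2 s distributed flood (200 sources, 1 req/s each),
# then 1 s of a single aggressive client (50 req/s). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges used as stand-in attacker addresses.
ATTACK_LINES = []
for s in range(60, 65):
    ATTACK_LINES += [make_line(ip, s) for ip in NORMAL_IPS]
    if s in (62, 63):
        ATTACK_LINES += [make_line(f"198.51.100.{i}", s, "/login") for i in range(1, 201)]
    if s == 64:
        ATTACK_LINES += [make_line("203.0.113.7", s, "/search?q=x") for _ in range(50)]

def run_example():
    """Baseline on the quiet window, then scan the later window for floods."""
    baseline = build_baseline(NORMAL_LINES)
    return detect_flood(baseline, ATTACK_LINES)

if __name__ == "__main__":
    for a in run_example():
        kind = "distributed" if a["top_source_share"] < 0.2 else "single-source"
        print(f"t+{a['second'] - BASE_TS}s: {a['rate']} req/s "
              f"(threshold {a['threshold']:.0f}), {a['distinct_sources']} sources, "
              f"top share {a['top_source_share']:.2f} -> {kind}")
```

On real traffic the baseline should be built per hour of day and day of week, since a casino’s web traffic on a Saturday night looks nothing like Tuesday morning; a single global mean will either miss floods during busy periods or page the on-call engineer every weekend. The distinct-source count is the number that matters for the response decision: a single source can be blocked at the edge, while hundreds of low-rate sources mean it is time to call the mitigation provider.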
Know who to call—Every casino should have a list of emergency contacts it can turn to in the event of an attack that is beyond its ability to respond. For example, a third-party DDoS mitigation service will be helpful at rerouting traffic and scrubbing out illegitimate traffic. In addition to having technical assistance just a call away, a casino should also know the proper government, legal and regulatory entities it can turn to for advice and recommendations.
Conduct a simulated DDoS attack—DDoS “black-box” testing is now an essential part of cybersecurity planning because it shows how the network will behave under real attack conditions and whether the defenses in place can quickly mitigate several types of DDoS attack. These tests should be performed in a controlled environment by a qualified DDoS testing service, scheduled during a low-traffic window, and coordinated in advance with the casino’s Internet provider and any mitigation vendor, since the test traffic passes through their networks too.
Prevent secondary attacks—Casinos should avoid the mistakes often made during a DDoS crisis that open the door to a secondary attack. For example: do not ignore alerts from the monitoring system while the flood is under way, and stay alert to any other unusual activity on the network, since the DDoS may be the cover for an intrusion in progress.
It’s important for casinos to take the threat from DDoS attacks seriously. DDoS attacks can be beaten, but to do so, casinos and other organizations will have to get serious and prepare in advance.