
The ISO 27001 & ISO 22301 Blog

Can ISO 27001 help your organization in a DDoS attack?

In a connected world where hundreds of transactions are made every minute, every second your systems are down or inaccessible may have a significant impact on your organization's business. And, while prevention of infrastructure failures is an immediate and obvious concern for decision makers, a more subtle and insidious threat may be lurking: Distributed Denial of Service attacks (commonly known as DDoS attacks), which can wreak havoc even on the most robust infrastructures.

In this article you will see how a DDoS attack works, what its impacts on business are, and how to defend against DDoS using practices and controls from ISO 27001, the leading ISO standard for information security management, in order to minimize its effects and keep the business running in a cost-effective way.

What is a DDoS attack?


Basically, a DDoS attack is a coordinated action that targets a system's resources to prevent them from serving requests from legitimate users.

Think about a group of attendants at a snack bar. The number of attendants was chosen based on the expected demand, right? Now think about these scenarios:

  1. A crowd five times larger than the expected demand, none of whom are interested in buying anything, arrives at the same time.
  2. Each fake customer takes three times longer than normal to read the menu (or asks a long list of questions about each option) and then simply gives up without ordering anything.
  3. Unable to buy, or tired of waiting, legitimate customers also give up and leave the snack bar.

This is basically how DDoS attacks work: either they overwhelm the system's resource capacity (e.g., network bandwidth, hard disk / database space, etc.) or they tie resources up in useless activity (e.g., application / database connections, etc.), preventing other users from using them.

The most critical aspect of a DDoS attack is that the resources needed to mount one are easily available and far exceed anything an organization can muster alone: unprotected or misconfigured Internet-connected computers, found by the tens of thousands.

Business impacts of DDoS attacks

Once under a DDoS attack, an organization can suffer losses related to:

Extortion: the organization is pressured to pay to have the attack stopped.

Sabotage: attacks timed to specific occasions can undermine a marketing or sales strategy.

Brand damage: loss of confidence due to the perception of customers or shareholders that the organization's systems are not secure.

Business interruption: attacked organizations are prevented from earning revenue from sales or advertising.

Legal noncompliance: fines and legal proceedings due to breach of contract or violation of service level agreements.

Besides those impacts, information gathered from a successful DDoS attack can be used later for new attacks on the organization.

How can ISO 27001 protect your organization?

As a quick overview, ISO 27001 is the ISO standard that describes how to manage information security in an organization through the application of management practices and security controls that protect the confidentiality, integrity, and availability of information. Because availability is the critical property to preserve during a DDoS attack, ISO 27001 can help organizations in the following ways:

ISO 27001 control: A.12.1.3 – Capacity management and A.12.4.1 – Event logging
Rationale: By planning and monitoring the use of resources, organizations can identify attacks at earlier stages and include buffers to minimize initial impacts until proper measures can be taken.
Additional references:
  • Implementing capacity management according to ISO 27001:2013 control A.12.1.3
  • Logging and monitoring according to ISO 27001 A.12.4

ISO 27001 control: System acquisition, development and maintenance (sections A.14.1 and A.14.2) and Technical vulnerability management (section A.12.6)
Rationale: Properly developed and configured systems minimize the chances that vulnerabilities can be exploited to enable DDoS attacks, and periodic reviews ensure that newly discovered vulnerabilities are handled quickly.
Additional references:
  • How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC)
  • How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1

ISO 27001 control: Network security management (section A.13.1)
Rationale: The use of firewalls, intrusion detection / prevention systems and network segregation can help minimize the initial impacts of DDoS attacks and allow time for staff to take proper measures.
Additional references:
  • How to use firewalls in ISO 27001 and ISO 27002 implementation
  • Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls
  • Requirements to implement network segregation according to ISO 27001 control A.13.1.3

ISO 27001 control: A.15.1.3 – Information and communication technology supply chain
Rationale: Including clauses in supplier agreements that cover the handling of events like DDoS attacks can give organizations additional help in dealing with them.
Additional references:
  • Which security clauses to use for supplier agreements?

ISO 27001 control: Information security incident management (section A.16)
Rationale: By defining clear responsibilities and procedures for handling incidents, organizations can react quickly before operations are disrupted.
Additional references:
  • How to handle incidents according to ISO 27001 A.16

ISO 27001 control: Information security aspects of business continuity management (section A.17)
Rationale: In the worst case, when a DDoS attack does disrupt business operations, having plans for how to resume minimal service levels means organizations are prepared to minimize downtime and keep handling customers' requests.
Additional references:
  • How to write business continuity plans?
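The capacity management and event logging controls (A.12.1.3 and A.12.4.1) work by comparing observed resource usage against a planned baseline. The following illustration is added here and is not part of the article or of ISO 27001: a small monitor that reads constructed web-server log lines and flags the two snack-bar scenarios described earlier, a flood of requests far above expected demand and requests that each hold the server far longer than normal. The baseline figures, log format and IP addresses are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Planned capacity baseline (hypothetical values for this illustration).
EXPECTED_RPM = 120              # requests per minute the service was sized for
NORMAL_SERVICE_SECONDS = 0.5    # typical time a request occupies the server
FLOOD_FACTOR = 5                # scenario 1: five times the expected demand
SLOW_FACTOR = 3                 # scenario 2: three times longer than normal

def parse_line(line):
    """Parse a constructed log line: '<ISO timestamp> <client> <status> <seconds>'."""
    ts, client, status, duration = line.split()
    return datetime.fromisoformat(ts), client, int(status), float(duration)

def analyze(lines):
    """Group requests into one-minute windows and flag capacity anomalies."""
    windows = defaultdict(list)
    for line in lines:
        ts, client, _status, duration = parse_line(line)
        windows[ts.strftime("%Y-%m-%dT%H:%M")].append((client, duration))
    findings = {}
    for window, reqs in sorted(windows.items()):
        rpm = len(reqs)
        distinct = len({client for client, _ in reqs})
        mean_dur = sum(d for _, d in reqs) / rpm
        flags = []
        if rpm >= FLOOD_FACTOR * EXPECTED_RPM:
            flags.append(f"flood: {rpm} req/min from {distinct} clients "
                         f"(baseline {EXPECTED_RPM})")
        if mean_dur >= SLOW_FACTOR * NORMAL_SERVICE_SECONDS:
            flags.append(f"slow-drain: mean service {mean_dur:.2f}s "
                         f"(normal {NORMAL_SERVICE_SECONDS}s)")
        findings[window] = flags
    return findings

def make_sample_lines():
    """Constructed log: a normal minute, a flood minute and a slow-drain minute."""
    lines = []
    for i in range(100):   # 10:00 - normal traffic, under the 120 req/min baseline
        lines.append(f"2018-01-10T10:00:{i % 60:02d} 198.51.100.{i % 20 + 1} 200 0.40")
    for i in range(700):   # 10:01 - flood from many unrelated hosts (scenario 1)
        lines.append(f"2018-01-10T10:01:{i % 60:02d} 203.0.113.{i % 250 + 1} 200 0.45")
    for i in range(90):    # 10:02 - few requests, each held three times longer (scenario 2)
        lines.append(f"2018-01-10T10:02:{i % 60:02d} 192.0.2.{i % 30 + 1} 200 1.60")
    return lines

if __name__ == "__main__":
    for window, flags in analyze(make_sample_lines()).items():
        print(window, flags or ["within planned capacity"])
```

The slow-drain minute carries fewer requests than the baseline, which is why a monitor that only counts requests per minute would miss it; tracking service time per request is what exposes scenario 2.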

Mitigate DDoS attacks through systematic practices

As you have seen, although most elements of a DDoS attack are outside an organization's control, by adopting ISO 27001 practices an organization can implement several security measures to quickly identify and respond to such attacks. This makes the organization a harder target to hit and deters attempts to impair its business operations.

To learn more about how ISO 27001 can help protect your business against various threats, attend this free online training ISO 27001 Foundations Online Course.

Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera