A Perfect Cyber Storm: September 11th, Black Friday and Other Enticing Dates for Cyber Attacks
After reading this article and piecing through the motivations of the hactivist group illustrated in the story, I couldn’t help but think how the world of an information security professional is changing.
If you are like me, you understand that business is not only a collection of functions (e.g. IT, finance, sales, etc.) and processes (e.g. payroll, invoicing, shipping, developing, etc.) but also a sensitive machine, which is uniquely constructed to deliver value to its customers within a certain rhythm.
This rhythm is mysterious, but predictable and goes by many names depending on the industry, such as “seasonality” in retail, or “game time” in sports and bars, “prime time” in showbiz, and even “school time” for universities. In fact, in most businesses, revenue is ‘chunky’ – that is, most revenue is derived in very specific moments throughout the year. In fact, many companies rely on a just a few days every year for their fortunes:
- Chocolate companies, like Godiva, revolve their whole business around four holidays including Mother’s Day, Valentine’s Day, Thanksgiving and Christmas
- Fast food pizza companies, such as Domino’s and Papa John’s, rely heavily on sporting events throughout the year for their revenue, with the Super Bowl representing a lion’s share of revenue generated for the whole year
- Retailers, in general, derive most of their yearly revenue from the period between Black Friday and Christmas, which is known as the Christmas Selling Season. However within that season, Black Friday, Cyber Monday and Black Saturday represent a high percentage of the sales for the holiday season
- Charities sometimes have single fundraisers that define their whole year in terms of donations
So, now I know that dates and timing matters to businesses – when’s the optimum time to attack?
If a goal of DDoS attacks is to disrupt, disorient, shut down or otherwise silence an intended victim, why would it not make most sense to focus efforts where an attack would cause the most harm? Wouldn’t it be more effective to achieve the goals stated above during timeframes in which the business is at a peak capacity and requires peak performance, and slight disruptions are meaningfully reverberated throughout the environment?
In fact, this is no longer conjecture; this is occurring on a wide scale and needs to be considered in a risk security profile of a business. The following are examples of recent attacks that occurred (or are threatened) during significant dates:
- Columbian “Independence Day” cyber attacks
- Recent election day cyber attacks in both Russia and Panama, among others
- Threats against U.S. and Israeli interests on Sept. 11th
In addition, there are strong indications that cyber DDoS attackers are aware of the importance of a business cycle and are taking advantage of it with some notable examples, including:
- Attack on the U.S. banking sector occurred during operational business hours and NOT during the weekend or during the middle of the night – U.S. time zones
- Cyber attacks on politicians increasingly come during elections and on Election Day
- Cyber attacks on Stock Exchanges routinely only occur during the trading day
- Gaming sites are attacked when jackpots are the highest and potential disruption payouts are the most handsome
So, if dates and anniversaries represent new risks – what can we do about it?
This is clearly an area where prescriptive direction is fuzzy, however there are some generalities that can come into play.
There are many steps an organization can take in preparing for a credible threat of an attack, including the following:
- As a Radware client, we suggest that all of our customers make certain that they are running the most up-to-date code and properly configured devices
- Consider optimizing business-partner relationships to ensure high fidelity in attack detection and mitigation
- Make current all key personnel contact lists and whereabouts (including local Radware resources)
- Have contingency plans in place
In the end, we know that just like a major storm, the companies who prepare the most will be able to fare the best!