The chief security officer of a medium-sized IT company (400-500 employees) recently released a bulletin in which he stated that DDoS attacks are not a security risk but an operational one. Also, I was told that in a previous meeting he denied that DDoS or related attacks are his responsibility.

From my understanding security comprises three major themes:

Confidentiality, Integrity, Availability

In my opinion, DDoS attacks are clearly a security risk, as they directly target the availability of a service, and thus are also clearly within the responsibilities of a chief security officer. So who is right?

Title: Are DDOS attacks a security or operational risk?
Asked by fgysin
  • I once read that a DoS may cause a server reboot, which may reset some settings to their defaults, which then may cause a security risk. Also, the error messages (503 or so) may reveal information about the server. Don't know if these are problems in practice, though. – Cephalopod Jun 16 '15 at 08:10

5 Answers

I think that is a false dichotomy, and your CSO is being plain silly.

Though I am fond of the silliness, the security department should be driving risk mitigation. Squabbling over areas of "responsibility" is obviously not productive, though it might fit into the general corporate culture.

While there are various ways of qualifying the realm of security and their responsibility - the CIA triad is one, but there are others - a mature, responsible CSO would at the least be pushing for a solution.

I have heard some say that the distinction between "security risk" and "operational risk" is whether there is a potential threat actor, or merely accidental or misuse.
While this does make a lot of sense, I think a more pragmatic approach would be to simply accept that there is substantial overlap between the two - and that just means there are more resources to work on the problem, not that everybody gets to abdicate responsibility.

That said, in this specific case, the process I would recommend is having the CSO (or technical people in his department) drive the mitigation procedure, define a framework for levels of risk, etc., and then hand it off to operations to implement a fitting solution. Perhaps the security folk can recommend a solution, or maybe they should just define metrics that the solution should meet, depending on how technical / hands-on the team is.

In this way, the company can handle the fact that while the risk is a security risk, the solution is an operational one.

AviD

While I generally disagree with the CSO, I can see a reason why he drew this line.

The question can come down to the delineation of who needs to lead mitigation and remediation efforts. DDoS does, of course, impact availability but is typically handled by the Operations team. If a DDoS event happens, your CSO might feel that there is nothing that he can do and wants another party to take charge. In other words, don't call the CSO at 2am when DDoS is happening, but call him at 2am when there is a breach.

Consider the scope of the CIA triad. Should every CSO be ultimately in charge of facility fire and safety systems in the server room? Fires are also an availability risk. But, in some organizations, that responsibility should fall to a facilities manager and not the CSO (although the CSO should have a hand in this area, too). In a similar situation to the above, if the fire alarm goes off at 2am, call the facilities manager, not the CSO. Your CSO might be drawing this kind of line to equate fires and DDoS as the same kind of risk to the organization.

That said, it is also possible that a DDoS event can be a distraction or leverage for a wider security attack, so I believe that the CSO does still need to be involved at some level.

So strictly speaking, you are correct in your assessment, and I generally agree with you, but it might come down to a different understanding of role definitions and available resources.

schroeder
  • Interesting counter-point! Though it seems at the bottom line we arrive at the same conclusion... :-) – AviD Jun 15 '15 at 20:17
  • Btw, re fire, safety, and HVAC - I do believe the CISSP CBK disagrees with you, and in fact has a whole chapter discussing how that is precisely in the purview of the CSO ;-) – AviD Jun 15 '15 at 20:18
  • @AviD being a CISSP, I am well aware. But I'm saying that not every organization needs to tap the CSO for this in an incident. As I said, the CSO should have a hand in it, and in the absence of another more qualified expert, the buck stops at the CSO. But I do not believe that the CISSP CBK's intent is to say that the CSO needs to be the one called at 2am in every organization. – schroeder Jun 15 '15 at 20:29
  • @AviD My answer is not meant to be in opposition to yours at all, simply a different perspective on the same conclusion. – schroeder Jun 15 '15 at 20:33
  • I know, I appreciated the different perspective. And I agree about the HVAC too - to some extent, the same model applies here with DDoS. Designing the solution, or defining requirements, is separate from operational responsibility. – AviD Jun 15 '15 at 20:50
DDoS attacks fall into both operational and security categories because of the triad mentioned above. However, security personnel tend to be more knowledgeable about attacks, so, like AviD said, there should be communication between the security and IT teams to solve the problem rather than losing hours covering research that could be settled by a 10-minute phone call.

Karmic

From a technical, 1s-and-0s standpoint he is correct, but the "accepted scope" of security threats includes availability. However, all companies are free to assign responsibilities as they see fit, so your CSO may simply be stating that it's not his responsibility to mitigate that particular risk.

Pigasus

I would consider it to be both an operational (or business) risk as well as a security risk.

Biz:

Businesses run on reputation, and the reputation can go for a toss as a result of a DDoS attack if the C-level executives fail in the damage control area. The situation is especially grave when you are running a B2B service.

Security:

Crackers can use DDoS attacks as part of an attention-diversion strategy to attack or find other vulnerable areas.

  • Correct, DDoS can also be used to form a breach in a security perimeter. For example, DDoS attacks are used to take down firewalls, which are positioned on the edge and likely to be ill equipped to handle large traffic volumes. – Igal Zeifman Jul 21 '15 at 18:22
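The point made in schroeder's answer and again in the last answer and its comment, that a flood can be cover for a breach or can knock a perimeter control into a fail-open state, is the practical reason the security team cannot simply hand a DDoS to operations. The following added example (written for this page, not code from any poster) shows the kind of correlation a detection team would run: it finds the minutes where request volume exceeds a threshold, then pulls every security-relevant event (privileged logins, firewall state changes) that happened inside those minutes and routes them to security while the traffic windows go to operations. The log formats, the 100-requests-per-minute threshold and all log lines are constructed assumptions for the demonstration.

```python
"""Correlate a volumetric DDoS window with security-relevant events.

Added example for this thread; log formats, threshold and sample data are
made up for the demonstration and are not from the original page.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed web access log: "timestamp src status method path".
# Normal traffic is a few requests per minute; 10:02 and 10:03 are flooded.
BASELINE = [
    "2015-06-15T09:59:12 192.0.2.10 200 GET /",
    "2015-06-15T10:00:05 192.0.2.11 200 GET /login",
    "2015-06-15T10:01:40 192.0.2.12 200 GET /",
    "2015-06-15T10:04:20 192.0.2.10 200 GET /",
    "2015-06-15T10:05:01 192.0.2.13 200 GET /",
]
# 300 requests in each of minutes 10:02 and 10:03 from many source addresses.
FLOOD = [
    f"2015-06-15T10:{2 + i // 300:02d}:{(i % 300) // 5:02d} "
    f"198.51.100.{i % 250 + 1} 503 GET /"
    for i in range(600)
]
WEB_LOG = BASELINE + FLOOD

# Constructed security log: "timestamp source key=value ...".
SECURITY_LOG = [
    "2015-06-15T09:58:10 auth result=success user=alice src=192.0.2.10",
    "2015-06-15T10:02:41 firewall state=bypass reason=conntrack_table_full",
    "2015-06-15T10:03:05 auth result=success user=admin src=203.0.113.77",
    "2015-06-15T10:03:30 auth result=failure user=admin src=203.0.113.77",
    "2015-06-15T10:10:00 auth result=success user=bob src=192.0.2.11",
]

DDOS_THRESHOLD = 100  # requests per minute; assumed figure, tune per service


def parse_ts(field):
    return datetime.strptime(field, "%Y-%m-%dT%H:%M:%S")


def ddos_windows(web_log, threshold=DDOS_THRESHOLD):
    """Return merged [start, end) intervals whose per-minute request count
    exceeds the threshold. Adjacent hot minutes become one window."""
    per_minute = Counter()
    for line in web_log:
        ts = parse_ts(line.split()[0])
        per_minute[ts.replace(second=0)] += 1
    hot = sorted(m for m, n in per_minute.items() if n > threshold)
    windows = []
    for minute in hot:
        end = minute + timedelta(minutes=1)
        if windows and windows[-1][1] == minute:   # contiguous with previous
            windows[-1] = (windows[-1][0], end)
        else:
            windows.append((minute, end))
    return windows


def parse_security_log(sec_log):
    """Parse 'timestamp source k=v k=v' lines into (ts, source, fields)."""
    events = []
    for line in sec_log:
        ts, source, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append((parse_ts(ts), source, fields))
    return events


def events_during(windows, events):
    """Keep only events whose timestamp falls inside a DDoS window."""
    return [e for e in events if any(start <= e[0] < end for start, end in windows)]


def triage(web_log, sec_log):
    """Split the incident: operations owns the traffic windows, security owns
    anything suspicious that happened while the flood was on."""
    windows = ddos_windows(web_log)
    overlapping = events_during(windows, parse_security_log(sec_log))
    security_items = []
    for ts, source, fields in overlapping:
        if source == "firewall" and fields.get("state") == "bypass":
            security_items.append((ts, "perimeter control failed open during flood"))
        elif source == "auth" and fields.get("user") == "admin":
            security_items.append(
                (ts, f"admin auth {fields['result']} from {fields['src']} during flood"))
    return {"operations": windows, "security": security_items}


if __name__ == "__main__":
    result = triage(WEB_LOG, SECURITY_LOG)
    for start, end in result["operations"]:
        print(f"operations: mitigate flood {start:%H:%M}-{end:%H:%M}")
    for ts, note in result["security"]:
        print(f"security: {ts:%H:%M:%S} {note}")
```

Run as a script it reports one flood window (10:02 to 10:04) for operations and three items for security: the firewall dropping to bypass under connection-table pressure, and an admin login success and failure from an address never seen in the baseline traffic, all inside the flood. Alice's and Bob's logins outside the window are not escalated. The split mirrors AviD's suggestion above: the same incident produces an operational work item and a security work item, and neither team gets to treat the flood as somebody else's problem.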