As we approach the holiday season, there is no shortage of tech articles about distributed denial of service (DDoS) attacks and how they are such a huge Q4 problem that necessitates awareness and, of course, a comprehensive DDoS mitigation strategy. From all of the buzz, one might actually believe that DDoS is not a problem outside of e-commerce or the holiday season. Even the security professionals who know better often find themselves making last-minute contingency plans, despite knowing that proper planning months in advance would have reduced the cost of the mitigation solution and substantially limited any damage during an attack. DDoS mitigation is not substantially different from commercial travel: this is the season when security firms begin ratcheting up their prices and launching holiday season awareness campaigns.


It is important to avoid tunnel vision and remember that everyone from the average consumer to large enterprises can be a victim of DDoS attacks, and the risk remains substantial year-round. The scope of the threat varies between individuals and organizations, between industries, and between seasons. Any organization that generates revenue online, and its customers, can be victims of DDoS attacks. For the organizations, the cost of advance continuity planning cuts into earnings. Those that fail to plan find themselves buying costly emergency DDoS mitigation services and suffering damage to their reputations and to customer confidence. Irrespective of the category in which an organization falls in terms of DDoS attack planning, every single customer becomes a victim, since the expense of information security becomes a pass-through cost. This is the digital equivalent of shoplifters increasing prices at brick-and-mortar establishments.

Major e-commerce brands are year-round targets. It is hard to imagine Wal-Mart or Best Buy not having comprehensive defenses in-house. Certainly, nearly every online retailer has planned for these attacks. One might recall that the first major attacks in 2000 were against e-commerce and included Amazon, Buy.com, and eBay. Unfortunately, it has been consumers and investors who foot the bill for this added security.

The ROI of implementing DDoS mitigation controls

In major companies, decision makers weigh the case for investment in information security by evaluating the expected loss from information security incidents, such as DDoS attacks, and determining the return on investment (ROI) of implementing controls, such as DDoS mitigation. For illustrative purposes, we will use Amazon as an example.

Amazon reported $21 billion in sales for Q4 2012, which breaks down to $9.7 million per hour. At a gross margin of 24.75 percent, the profit per hour was roughly $2.4 million. Assume that without DDoS mitigation in place Amazon would have lost one hour of sales to attacks, and that the cost of DDoS mitigation would have been $1 million, reducing exposure to five minutes of downtime for a loss of $120,000 with controls in place. This gives Amazon the choice of accepting the risk at a cost of $2.4 million or mitigating the risk at a cost of $1.12 million. In this example, Amazon can demonstrate an ROI of 46.67 percent, which will lead to the company deciding to mitigate the risk and purchase the DDoS mitigation system.

Why the smaller retailer is much worse off

Imagine the same scenario for a company with Q4 sales of $200,000, resulting in a gross margin of $49,500. It is cost-prohibitive and impractical for small companies to use in-house DDoS mitigation systems, so the company will look to a service-based solution. An emergency DDoS mitigation service with a 12-month term may have a total contract value of $120,000, placing the small retailer immediately into negative ROI. This means that the company is forced to accept the risk of DDoS attacks. If an attacker learns that the company has no DDoS mitigation whatsoever, the result could be near-permanent downtime, quickly leading to lost sales, loss of consumer confidence, and eventually bankruptcy.
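The accept-versus-mitigate comparison from the two scenarios above, written out as a small risk model. This is an added example, not the article's own spreadsheet or any vendor's pricing tool; the hours of downtime, the $1 million and $120,000 contract prices, the $120,000 residual loss, and the 90-day quarter (which reproduces the article's $9.7 million in sales per hour) are the article's illustrative assumptions, and the "whole quarter lost" downtime for the small retailer is an assumption standing in for the article's "near permanent downtime". The model goes one step beyond the text by also computing the break-even control price, the most a given firm could rationally pay for mitigation.

```python
"""Accept-vs-mitigate comparison for DDoS downtime, following the article's ROI model.

Added example; not the article's own model or a vendor's pricing tool. The downtime
hours, control costs and residual losses are the article's illustrative figures.
"""
from dataclasses import dataclass

# A 90-day quarter: $21B / 2,160 hours gives the article's ~$9.7M in sales per hour.
HOURS_PER_QUARTER = 90 * 24


@dataclass(frozen=True)
class DdosRiskScenario:
    name: str
    quarterly_sales: float          # revenue for the quarter, in dollars
    gross_margin: float             # fraction of sales retained as gross profit
    hours_lost_unmitigated: float   # expected downtime if the risk is simply accepted
    control_cost: float             # price of the mitigation system or service contract
    residual_loss: float            # loss still expected with controls in place, dollars

    def quarterly_gross_profit(self) -> float:
        return self.quarterly_sales * self.gross_margin

    def profit_per_hour(self) -> float:
        return self.quarterly_gross_profit() / HOURS_PER_QUARTER

    def accept_cost(self) -> float:
        """Expected loss with no controls, capped at the quarter's gross profit:
        an outage cannot lose more than the quarter would have earned."""
        return min(self.profit_per_hour() * self.hours_lost_unmitigated,
                   self.quarterly_gross_profit())

    def mitigate_cost(self) -> float:
        """Cost of the controls plus the loss they fail to prevent."""
        return self.control_cost + self.residual_loss

    def net_benefit(self) -> float:
        """Positive means mitigating is cheaper than accepting the risk."""
        return self.accept_cost() - self.mitigate_cost()

    def cost_ratio(self) -> float:
        """Mitigation spend as a share of the loss it avoids (the article's 46.67 percent)."""
        return self.mitigate_cost() / self.accept_cost()

    def break_even_control_cost(self) -> float:
        """Highest control price at which mitigating still breaks even."""
        return self.accept_cost() - self.residual_loss

    def decision(self) -> str:
        return "mitigate" if self.net_benefit() > 0 else "accept"


# Article figures: $21B quarter, 24.75% margin, one hour lost without controls,
# $1M for mitigation leaving five minutes of exposure worth $120,000.
AMAZON_Q4_2012 = DdosRiskScenario(
    name="Amazon Q4 2012", quarterly_sales=21e9, gross_margin=0.2475,
    hours_lost_unmitigated=1.0, control_cost=1e6, residual_loss=120_000)

# Assumption: "near permanent downtime" means the whole quarter is lost once an
# attacker finds there are no defenses. The $120,000 contract is the article's figure.
SMALL_RETAILER = DdosRiskScenario(
    name="Small retailer", quarterly_sales=200_000, gross_margin=0.2475,
    hours_lost_unmitigated=HOURS_PER_QUARTER, control_cost=120_000, residual_loss=0.0)


def report(s: DdosRiskScenario) -> str:
    """One-line summary of the accept/mitigate choice for a scenario."""
    return (f"{s.name}: accept ${s.accept_cost():,.0f} vs mitigate ${s.mitigate_cost():,.0f}"
            f" -> {s.decision()} (break-even control cost ${s.break_even_control_cost():,.0f})")


if __name__ == "__main__":
    for scenario in (AMAZON_Q4_2012, SMALL_RETAILER):
        print(report(scenario))
```

For the large retailer the break-even price is above $2.2 million, so a $1 million system is an easy decision; for the small retailer the break-even price equals its entire quarterly gross profit of $49,500, so no $120,000 contract can ever show a positive return. Scaling the contract price to what the firm's own exposure can justify is the only way the model turns positive for it.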

Essentially, everyone shares some of the pain when it comes to DDoS attacks, but it is the smaller online retailers that are left the most exposed. Small firms generally cannot afford enterprise-grade solutions and often lack in-house information security capabilities. An emergency DDoS mitigation service is a quick solution, but at a substantial cost, easily reaching into the thousands of dollars per month.

Consider your company’s size when shopping for mitigation solutions

A decade ago the Internet was viewed as an emerging technology that could allow anyone to bootstrap a company and sell online. Today, it has developed into a complex, insecure environment that continues to favor well-capitalized corporations.

This problem is best quantified using the aforementioned ROI model. Where major retailers can easily find ROI in costly security solutions, smaller retailers are left facing more difficult decisions as to whether to mitigate or accept the risk of attack. In practice, many small companies choose the latter, as it is the option that offers the greatest upside, but at the risk of exposing the company to devastation if targeted by an attacker.

Fortunately, there are practical solutions available for smaller companies. These require advance planning and an understanding that DDoS protection and information security are fundamental concepts that must be incorporated into a company's business plan year-round.

All companies should work with a security firm or consultant with experience in mitigating DDoS attacks to determine the solutions that make the most sense for the size of the business being protected, thereby achieving the most attractive ROI.

Jeffrey A. Lyon, CISSP, is the founder of Black Lotus Communications, a secure hosting firm specializing in DDoS attack mitigation.