A security curmudgeon’s take on defending against DDoS attacks

At the recent SC Congress event, Dave Lewis provided helpful advice on IT security with a touch of humour woven in


Dave Lewis can be so hilarious and sarcastic that it’s easy to forget he’s warning you about something as serious as cyber threats.

If you’re one of Lewis’s 19,000 Twitter followers, you’re already familiar with his profile picture (the one with the giant “Bull—-” sign) and the extremely self-deprecating self-description on his account (i.e., “breaker of things, bassist, dad, goon”). He jokingly lists “Security Curmudgeon” as his job title on LinkedIn.

Lewis’s real job title, of course, is global security advocate at Akamai Technologies. He is also, among other things, a resident of Toronto.

So his recent presentation at SC Congress Toronto on the latest DDoS data took place before a hometown crowd. Featuring his blend of entertaining wit and informative insight, the session did not disappoint us. Here are some highlights.

Beware of “bored kids”: “This is a very large swath of the population. This is a possible army of people you can employ to run (cyber) attacks,” said Lewis, citing evidence that Anonymous has recruited troubled, tech-savvy teens to execute some of its online onslaughts.

If your concept of teen angst still dates back to Dawson and Pacey, here’s your reality check. As Lewis pointed out, the 2014 hack of the Canada Revenue Agency website wasn’t masterminded by some overseas operative in a trench coat, but (allegedly) by a 19-year-old spelling bee champ who got perfect marks and lived at home with his mom and dad.

Cleanup in aisle nine?: “Retail is getting hammered,” Lewis said. “I was at a retail conference recently and for the most part, they were more worried about having adaptive design for their mobile sites than they were about securing their websites.”

Ouch. To be fair, he then gave the retail sector props for recent steps to educate its members on cyber threats. Case in point: last year the National Retail Federation in the U.S. formed a new CIO council focused on IT security.

Still, Lewis said the financial services sector does a better job at network security than retail – and research seems to bear that out. A 2014 report by PricewaterhouseCoopers suggested retailers spend only $400 per employee on cybersecurity compared with an average of $2,500 for banking and finance. Just last month a Ponemon study found retailers take about 197 days to detect advanced cyber threats vs. just 98 days for financial sector folks.

Chaos is cheap: While the average attack could cost a victimized business $40,000 per hour in damages, it costs as little as $69 per month to subscribe to a cloud-based DDoS attack platform. That works out to $2.30 a day.

“So for less than a cup of coffee a day you can cause someone no end of grief,” Lewis said.

Chaos is easy: For those attackers who don’t want the commitment of subscribing to a monthly DDoS platform, there are plenty of easy, one-time options out there. Lewis described tools like Havji, which requires nothing but inputting a string of code using a simple template. Now it takes just minutes, not hours, to spark DDoS mayhem.

“The barrier to entry is so low that my mother could jump in and launch an attack,” said Lewis. “Which is a little troubling. My mom’s not really an angry person.”

Funny stuff, but with a serious message.

“Patch, patch, patch your systems,” Lewis advised. “If you don’t, you’re asking to get attacked. You don’t need that. Nobody needs that.”
