Can ISO 27001 help your organization in a DDoS attack?

In a connected world where hundreds of transactions are made every minute, every second your systems are down or inaccessible may have a significant impact on your organization’s business. And, while preventing infrastructure failures is an immediate and obvious concern for decision makers, a more subtle and insidious threat may be lurking: Distributed Denial of Service attacks (commonly known as DDoS attacks), which can wreak havoc even on the most robust infrastructures.

In this article you will see how a DDoS attack works, what its impacts on the business are, and how to defend against DDoS using practices and controls from ISO 27001, the leading ISO standard for information security management, in order to minimize its effects and keep the business running in a cost-effective way.

What is a DDoS attack?

Basically, a DDoS attack is a coordinated action that targets a system’s resources to prevent them from serving requests from legitimate users.

Think about a group of attendants at a snack bar. The number of attendants was decided based on the expected demand, right? Now think about these scenarios:

  1. A crowd five times larger than the expected demand, none of them interested in buying anything, arrives at the same time.
  2. Each fake customer takes three times longer than normal to read the menu (or asks a long list of questions about each option) and then simply gives up without ordering anything.
  3. Unable to buy, or tired of waiting, legitimate customers also give up and leave the snack bar.

This is basically how DDoS attacks work: either they overwhelm the system’s resource capacity (e.g., network bandwidth, hard disk / database space, etc.) or they tie up resources in useless activity (e.g., application / database connections, etc.), preventing other users from using them.

The most critical aspect of a DDoS attack is that the resources needed to mount it are readily available and far exceed anything an organization can put up alone: unprotected or misconfigured interconnected computers, found by the tens of thousands on the Internet.


Business impacts of DDoS attacks

Once under a DDoS attack, an organization can suffer losses related to:

Extortion: the organization has to pay for the attack to be stopped.

Sabotage: attacks timed to specific occasions can destroy a marketing or sales strategy.

Brand damage: loss of confidence due to the perception by customers or shareholders that the organization’s systems are not secure.

Business interruption: attacked organizations are prevented from earning revenue from sales or advertising.

Legal noncompliance: fines and legal proceedings due to breach of contracts or violations of service level agreements.

Besides those impacts, information gathered during a successful DDoS attack can be used later for new attacks on the organization.

How can ISO 27001 protect your organization?

As a quick overview, ISO 27001 is the ISO standard that describes how to manage information security in an organization, through the application of management practices and security controls to protect the confidentiality, integrity, and availability of information. Because availability is the critical property to be preserved during a DDoS attack, ISO 27001 can help organizations in the following ways:

| ISO 27001 control | Rationale | Additional references |
|---|---|---|
| A.12.1.3 – Capacity management and A.12.4.1 – Event logging | By planning and monitoring the use of resources, organizations can identify attacks at earlier stages and include buffers to minimize initial impacts until proper measures can be taken. | Implementing capacity management according to ISO 27001:2013 control A.12.1.3; Logging and monitoring according to ISO 27001 A.12.4 |
| System acquisition, development and maintenance (sections A.14.1 and A.14.2) and Technical vulnerability management (section A.12.6) | Properly developed and configured systems minimize the chances that vulnerabilities can be exploited to allow DDoS attacks, and periodic surveys ensure that newly discovered vulnerabilities are handled quickly. | How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC); How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 |
| Network security management (section A.13.1) | The use of firewalls, intrusion detection / prevention systems and network segregation can help minimize the initial impacts of DDoS attacks and allow time for the staff to take proper measures. | How to use firewalls in ISO 27001 and ISO 27002 implementation; Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls; Requirements to implement network segregation according to ISO 27001 control A.13.1.3 |
| A.15.1.3 – Information and communication technology supply chain | Including clauses in agreements with suppliers related to handling events like DDoS attacks can give organizations additional help to handle them. | Which security clauses to use for supplier agreements? |
| Information security incident management (section A.16) | By defining clear responsibilities and procedures for how to handle incidents, organizations can react quickly before operations are disrupted. | How to handle incidents according to ISO 27001 A.16 |
| Information security aspects of business continuity management (section A.17) | In the ultimate case, when DDoS attacks disrupt business operations, having plans for how to resume minimal service levels prepares organizations to minimize downtime and handle customers’ requests. | How to write business continuity plans? |
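The capacity management and event logging row above describes spotting an attack early by comparing actual resource use against the planned capacity. The following Python script is an added example, not code from the original article or from Advisera: it parses constructed web server access log lines (Common Log Format), groups requests into one-minute windows, compares each window's request count against an assumed planned capacity, and flags windows that approach or exceed it, also noting whether the load is concentrated on a single source (a crowd of one very noisy "customer" versus many). The log lines, the capacity figure of 5 requests per minute, the IP addresses and the thresholds are all constructed for the example.

```python
"""Capacity-baseline early warning for DDoS-like load, run over constructed log lines.

Added illustration for ISO 27001 A.12.1.3 (capacity management) and A.12.4.1
(event logging). Everything below (log lines, capacity, thresholds) is an
assumption made for the example; it is not real traffic from any organization.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client - - [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation address ranges). One deliberately
# malformed line is included to show that unparsable input is skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "GET /menu HTTP/1.1" 200 512
203.0.113.11 - - [10/Oct/2023:13:55:41 +0000] "POST /order HTTP/1.1" 200 734
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /menu HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /menu HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /menu HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "GET /menu HTTP/1.1" 200 512
203.0.113.12 - - [10/Oct/2023:13:56:20 +0000] "GET /menu HTTP/1.1" 503 0
203.0.113.13 - - [10/Oct/2023:13:56:45 +0000] "POST /order HTTP/1.1" 200 734
this line is garbage and must be skipped
203.0.113.14 - - [10/Oct/2023:13:57:10 +0000] "GET /menu HTTP/1.1" 200 512
203.0.113.15 - - [10/Oct/2023:13:57:20 +0000] "GET /menu HTTP/1.1" 200 512
203.0.113.16 - - [10/Oct/2023:13:57:30 +0000] "POST /order HTTP/1.1" 200 734
203.0.113.17 - - [10/Oct/2023:13:57:40 +0000] "GET /menu HTTP/1.1" 200 512
"""

# Assumed planned capacity, as a capacity-management plan would record it.
PLANNED_CAPACITY_PER_MIN = 5


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def analyze(lines, planned_capacity_per_min, warn_ratio=0.8, source_share=0.5):
    """Bucket requests per minute and flag windows near or over planned capacity.

    warn_ratio:   fraction of capacity at which a WARNING is raised.
    source_share: fraction of a window's requests from one IP that marks the
                  load as concentrated (a single source dominating the window).
    """
    per_window = defaultdict(Counter)  # minute -> Counter of requests per IP
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole run
        minute = rec["ts"].replace(second=0, microsecond=0)
        per_window[minute][rec["ip"]] += 1

    alerts = []
    for minute in sorted(per_window):
        counts = per_window[minute]
        total = sum(counts.values())
        load = total / planned_capacity_per_min
        if load >= 1.0:
            level = "CRITICAL"
        elif load >= warn_ratio:
            level = "WARNING"
        else:
            continue  # within planned capacity: nothing to report
        top_ip, top_n = counts.most_common(1)[0]
        alerts.append({
            "window": minute.strftime("%Y-%m-%d %H:%M"),
            "total": total,
            "load": round(load, 2),
            "level": level,
            "concentrated": top_n / total >= source_share,
            "top_source": top_ip,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines(), PLANNED_CAPACITY_PER_MIN):
        print(alert)
```

With the constructed input, the 13:56 window is reported as CRITICAL and concentrated on one source, while the 13:57 window reaches the warning threshold with requests spread across four different clients. In practice the capacity figure and thresholds come from the capacity plan, and the alerts would feed the incident management procedure (A.16) rather than a print statement.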

Mitigate DDoS attacks through systematic practices

As shown above, although most of the elements of a DDoS attack are outside an organization’s control, by adopting ISO 27001 practices an organization can implement several security measures to quickly identify and respond to such attacks. This makes the organization a harder target to hit and deters attempts to impair its business operations.

To learn more about how to protect your business against various threats, attend this free online Security Awareness Training.

Author: Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.