![](https://i0.wp.com/techtrendske.co.ke/wp-content/uploads/2018/06/gdpr.png?fit=807%2C428&ssl=1)
Over recent years, distributed denial of service (DDoS) attacks have become one of the biggest cyber-security headaches for CIOs and CSOs. Each year, these attacks grow in numbers, becoming bigger and more damaging.
Previously, the primary DDoS fears were the business disruption and reputational damage that they caused. DDoS attackers harness the power of thousands (sometimes even millions) of devices, each "hijacked" with malicious software, to flood the servers of their targets and bring down their online systems.
But now, the introduction of new legislation is raising the stakes even further, propelling the issue of DDoS attacks to the top of boardroom agendas. The European Union's General Data Protection Regulation (GDPR) came into force on 25 May, likely to be followed soon by the enforcement of South Africa's equivalent to this legislation, the Protection of Personal Information (PoPI) Act.
Both sets of legislation aim to protect consumers' personal information, imposing rigorous laws on how organizations gather and use personal data, increasing levels of transparency, giving individuals greater control over how their data is used, and ensuring mandatory disclosure of any breaches.
Specific reference to DDoS
Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, which specializes in advanced DDoS protection solutions, explains that the new PoPI Act draws heavily on the intent and construct of Europeās GDPR.
"As our local legislation evolves and formalizes, it's instructive for local firms to look at GDPR as the benchmark to achieve international compliance standards. Most legal opinion suggests that if an organization is in full compliance with GDPR, then it will automatically ensure compliance with PoPI."
Under the new GDPR legislation, organizations that operate in Europe or do any business with European citizens must take stringent measures to protect the availability of their network and secure the data that it carries, among many other compliance considerations.
While most of the GDPR headlines tend to highlight the crippling fines that companies could face (up to 20 million euros or four percent of annual turnover) if they are found in violation, Hamman says one of the less-understood provisions relates to network availability.
In fact, article 32 of the regulations specifically refers to "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" and the "ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident."
In recital 49, the regulations go on to specifically refer to denial of service attacks, which Hamman believes shows the importance of organizations protecting themselves from this type of attack, as part of an orchestrated end-to-end security strategy.
"Though DDoS attacks have been on the rise, their explicit reference in GDPR illustrates how important they have become to security professionals and regulators alike," says Hamman. "The network is the lifeblood of the modern organization, and any threats are treated extremely seriously by lawmakers."
Here to stay
Staying in line with new legislation while combating increasingly sophisticated DDoS attacks is a tough ask for security pros, he adds. "Modern DDoS attacks have evolved a long way from their origins, now often interlacing volumetric, TCP state exhaustion and application layer attack vectors.
"This type of complex attack renders standard defences, like firewalls, WAFs, load balancers, and IPS/IDSs, almost completely useless against DDoS onslaughts.
"Companies must place a concerted focus specifically on DDoS, with layered, intelligently automated protection strategies that harness the latest technologies to provide instant warning of any new attacks."
He highlights four key pillars to Arbor's DDoS defence approach:
- Arbor Cloud and 24/7 Security Operations Centre… detects and mitigates volumetric attacks upstream before hitting the organization.
- Arbor APS… which stops so-called "low and slow" application layer attacks dead in their tracks.
- Arbor Cloud Signaling™… which intelligently routes traffic to secure clouds (preventing on-premise infrastructure protection from being overwhelmed).
- Arbor ATLAS Intelligence Feed… which sends continual alerts to security teams to inform them of developing threats and trends.
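Hamman's three vector families (volumetric, TCP state exhaustion and application-layer "low and slow") are the categories a defender's monitoring has to tell apart before any mitigation, on-premise or cloud-signaled, can be chosen. The following is an added illustration, not code from the article or from Arbor Networks: a small Python classifier that scores connection records against each family. The record format, the thresholds and the sample traffic are all constructed for this example; real deployments tune thresholds per target and per baseline.

```python
"""
Added example (not from the article or Arbor Networks): a toy per-target
classifier for the three DDoS vector families the article names.
Record format, thresholds and sample records are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One observed connection within the analysis window (constructed format)."""
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    state: str        # "SYN" (half-open), "EST" (established) or "UDP"
    bytes_in: int     # bytes received at the target on this connection
    duration_s: float # how long the connection has been open


# Illustrative thresholds (assumed values, not vendor figures)
VOLUMETRIC_BPS = 50_000_000   # aggregate inbound bytes/sec toward one target
HALF_OPEN_PER_DST = 1000      # SYNs without completed handshake toward one target
SLOW_MIN_DURATION = 60.0      # seconds a connection stays open
SLOW_MAX_BPS = 100            # bytes/sec while open (trickling traffic)
SLOW_MIN_SOURCES = 50         # distinct sources showing the trickle pattern


def classify(conns, window_s):
    """Map each destination to a sorted list of suspected vector names.

    volumetric:           aggregate inbound rate exceeds VOLUMETRIC_BPS
    tcp-state-exhaustion: too many half-open TCP connections (SYN flood shape)
    low-and-slow:         many sources holding long, near-idle connections
    """
    bytes_per_dst = defaultdict(int)
    half_open_per_dst = defaultdict(int)
    slow_srcs_per_dst = defaultdict(set)

    for c in conns:
        bytes_per_dst[c.dst] += c.bytes_in
        if c.proto == "tcp" and c.state == "SYN":
            half_open_per_dst[c.dst] += 1
        if (c.state == "EST" and c.duration_s >= SLOW_MIN_DURATION
                and c.bytes_in / c.duration_s <= SLOW_MAX_BPS):
            slow_srcs_per_dst[c.dst].add(c.src)

    findings = defaultdict(set)
    for dst, total in bytes_per_dst.items():
        if total / window_s >= VOLUMETRIC_BPS:
            findings[dst].add("volumetric")
    for dst, n in half_open_per_dst.items():
        if n >= HALF_OPEN_PER_DST:
            findings[dst].add("tcp-state-exhaustion")
    for dst, srcs in slow_srcs_per_dst.items():
        if len(srcs) >= SLOW_MIN_SOURCES:
            findings[dst].add("low-and-slow")
    return {dst: sorted(v) for dst, v in findings.items()}


def sample_records():
    """Constructed 10-second window: three vectors interlaced against one target."""
    dst = "203.0.113.10"
    conns = []
    # 1) UDP flood: 600 sources, 1 MB each in the window -> 60 MB/s aggregate
    for i in range(600):
        conns.append(Conn(f"198.51.100.{i % 254 + 1}", dst, "udp", "UDP", 1_000_000, 1.0))
    # 2) SYN flood: 1200 half-open TCP connections from spoofed-looking sources
    for i in range(1200):
        conns.append(Conn(f"192.0.2.{i % 254 + 1}", dst, "tcp", "SYN", 60, 0.0))
    # 3) low-and-slow: 80 sources hold connections 120 s while trickling 40 B/s
    for i in range(80):
        conns.append(Conn(f"203.0.113.{100 + i}", dst, "tcp", "EST", 4800, 120.0))
    # Benign traffic toward a second host, which should produce no finding
    conns.append(Conn("198.51.100.5", "203.0.113.20", "tcp", "EST", 20_000, 2.0))
    return conns


if __name__ == "__main__":
    for target, vectors in classify(sample_records(), window_s=10.0).items():
        print(target, vectors)
```

Run as a script it reports all three families against 203.0.113.10 and nothing for the benign host. The point of keeping the three scores separate is the one Hamman makes about layering: a volumetric verdict argues for upstream scrubbing, while a low-and-slow verdict is invisible to bandwidth counters and has to be handled by per-connection inspection close to the application.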
"The reality is that DDoS attacks are here to stay, and there is no 'silver bullet' that can eradicate the industry of this scourge, once and for all. Anyone with an internet connection, some cash to burn, and a grudge to bear, can theoretically launch an attack against your organization.
"In fact, considering the new regulation's emphasis on network protection, hackers may well intensify their DDoS efforts, in an effort to cause even more chaos and damage to their victims, which are now liable for hefty regulatory fines," Hamman warns.