Last month during the national Cybersecurity Awareness Month, the FBI released a public service announcement that reiterated growing concern of cyber criminals targeting Internet of Things (IoT) devices through threat of distributed denial of service (DDoS) attacks on those devices. The alert stated that criminal actors offer DDoS-for-hire services in criminal forums and marketplaces. Known as a DDoS stresser, or booter, such services are being leveraged by malicious cyber actors and present an emerging threat to government cyber assets.
In recent years, DDoS attacks have become the preferred tool of hackers. With many high-profile organizations coming under attack like Sony, BBC, CNN and Twitter, security experts believe DDoS is now the primary cybersecurity threat facing anyone with a public Internet connection. DDoS attacks are also spanning across all levels of government information systems which can result in a direct impact on the delivery of government programs and services to their citizens. Minimizing the risk of these cybersecurity threats across your local government is essential to ensure resilience and service delivery to citizens.
To begin securing devices from DDoS attacks, the FBI recommends IoT device users take basic precautionary steps, like changing default passwords and usernames, regularly updating their devices and operating IoT devices on protected networks. Below are seven key steps government IT departments can take to guard systems against all DDoS attacks.
What Are DDoS Stresser and Booter Services?
DDoS stresser, or booter, services are becoming increasingly commonplace in the market. These services claim that they simulate a DDoS attack against your IT infrastructure to validate how vulnerable your network is to an attack, in exchange for monetary compensation via PayPal or Bitcoin.
The FBI began warning governments and organizations to be cautious of hiring these testing services because while many are legitimate, criminal actors have used them to commoditize DDoS attacks. They leverage the service to dupe organizations, and hold their cyber assets hostage. Through DDoS stressers, cybercriminals have shut down websites and bring operations to a halt for extended periods of time.
The following best practices help local governments build an effective defense from DDoS attacks, and those that result from a DDoS stresser, and keep cyber assets secure:
- Develop strict policy enforcement to ensure security requirements are met on corporate and employee IoT devices and web applications. Devices should never be connected directly to the Internet unless they are behind a firewall.
- Increase your networks bandwidth in order to absorb a large volume of traffic in case of attack.
- Register your website with more than one provider.
- Talk to you ISP provider to ensure they can filter traffic and limit exposure to DDoS attacks.
- Be sure to perform any stress test on a non-production environment.
- Have a general idea of what your typical inbound traffic looks like so you can easily spot when it spikes. A sharp spike in traffic is a strong indication of a DDoS attack.
- If you do hire a DDoS stresser or booter, pay using a credit card or check. Most DDoS attacks are often paid via PayPal or Bitcoin, and it is these type of payment methods that open avenues for an attack.
More information on the above steps can be found in How to Get Strong on Government Cybersecurity.
Communicate About and Report On DDoS Stresser Attacks
DDoS stresser and booter services, and the potential to mimic them for cyber crime, are an unfortunate result of our increasing digital world. However, by having a strategic disaster recovery plan in place, your local government or organization can remain calm in times of crisis.
What will make or break your plan in the event of a DDoS attack is good communication. Because DDoS attacks can last anywhere from six to 24 hours, communication to government employees and citizens ensures that any disruptions — and loss of public revenue — is minimized.
If your municipal government, department or agency has been a victim of a DDoS attack, the FBI requests that you file a complaint with the Internet Crime Complaint Center (IC3). IC3 complaints can be filed at www.ic3.gov. Use of DDoS stresser and booter services to conduct a DDoS attack is punishable under the Computer Fraud and Abuse Act.