Inside Asian Gaming

March 2015, page 29

that it could extend far into the actual corporate network, so that internal network operations slow down or halt, payment transactions can no longer be processed, and the network architecture itself could be damaged resulting in further downtime and cost. There’s also the possibility that DDoS will be used to overwhelm the casino’s IT security team so that the hackers can break into the network to steal data without being detected.

In years past, DDoS attacks were primarily the weapon of choice for “hacktivist” groups, whose goal was to embarrass or harass companies for perceived social wrongdoings. However, over the last two years, DDoS attacks have become more sophisticated, “criminalized” and damaging—they’ve also become much easier for almost any criminal to use, regardless of their technical skills. These attacks are now increasingly being used in cyber extortion schemes and as a way to conceal data breaches and financial fraud.

In recent years, DDoS attacks have evolved in four important ways:

• Commercialization of DDoS — Denial-of-service attacks have been around since the early days of the Internet, but in the past they used to require some level of sophistication for a criminal to utilize them. In a DDoS attack, criminals harvest the power of thousands (or tens of thousands) of already infected computers, known as a “botnet,” to issue bogus data requests to the targeted network. Whereas criminals used to have to go out and infect those computers themselves, or be involved with sophisticated organized crime outlets that would be willing to share them, today, almost anyone can go online to one of the many black market sites available on the dark web and rent a botnet for a nominal fee. This makes it possible for more criminals, even those without much technical skill, to launch highly-sophisticated and powerful DDoS attacks.
• More DDoS power — Along with the increased availability of DDoS tools, the tools themselves have gotten better. New hacker techniques have made DDoS exponentially more powerful than it used to be. A few years ago, a DDoS attack that scaled to one gigabit per second (Gbps) would have been considered an unusually powerful attack. However, today one-Gbps attacks are common, and they’re even scaling as high as 50 Gbps. This increased power makes it extremely hard for companies to defend against these attacks using older methods, and requires more simulated testing in advance.

• Increased criminalization — Once a tool used primarily for pranks and petty mischief, in the last few years DDoS has become increasingly criminalized. It’s now regularly used as part of cyber extortion schemes, in which a criminal shuts down a company’s website or network and demands a ransom payment—usually in the tens or hundreds of thousands of dollars—in order to stop. A recent study by Incapsula found that cyber extortion now occurs as much as 46% of the time in a DDoS attack. DDoS is also now frequently used as a smokescreen for other attacks, like stealing customer data (33%) or implanting viruses and malware (50%), according to the same study.

• Higher cost for victims — According to the same Incapsula report, DDoS attacks now cost victims US$40,000 per hour (estimated average across all US industries), with an average duration of six to 24 hours. That makes the average cost of a DDoS incident $500,000.

DEFENSIVE ADJUSTMENTS

For years, companies have downplayed the risks from DDoS attacks, viewing this attack as more of a nuisance than a real threat, while focusing their resources instead on physical security threats and financial fraud cyber attacks. But the growing criminal market for these attacks changes this dynamic and requires casinos to take a more aggressive and proactive stance against them.
Unless a casino adequately prepares itself for the worst types of DDoS attacks, it could very well find itself a victim of criminal cyber groups.

Cyber Security

So, what is a DDoS attack? In this type of attack, a hacker floods the company’s computer network or website with bogus data requests in order to overwhelm it to the point where it can no longer function and is unable to serve legitimate users.
