Banks, airlines, auction websites, online game services and even government websites and universities increasingly fall victim to cybercriminals. One of the most popular methods of paralyzing servers and websites is the so-called DoS attack (Denial of Service), that is, the deliberate overloading of a network or of end-user devices with traffic. If a large number of computers have been taken over using special software and used together for the attack, we are dealing with a so-called DDoS attack (Distributed Denial of Service).
DDoS (DoS) attacks may seriously disrupt system operations or paralyze them entirely. The simplest and most popular method of attacking servers is sending large quantities of data on a mass scale, which exhausts the server's resources and paralyzes it. This may be achieved by sending huge numbers of e-mails or by submitting large numbers of applications or inquiries through the service's own functions. Attacks may be combined with financial demands (e.g., to pay a specific amount in bitcoins) or directed against competitors (e.g., an attack on the online store of a competing brand).
Statistics compiled by professional entities that combat cybercrime indicate that the number of DDoS attacks is growing dramatically with each subsequent year. The reason for this is easy access to special software designed for such attacks, so-called DDoS attack generators, as well as offers of "made to order" attacks and the falling prices of software and "services" of this type.
Liability for DDoS attacks
It is worth looking at the issue of liability for DDoS attacks under Polish law. According to the Criminal Code, persons who conduct DDoS attacks as well as persons who develop software used in such attacks may be prosecuted.
Liability for conducting DDoS attacks is regulated by Art. 268a § 1 of the Criminal Code, whereby anyone who, without authorization, destroys, damages, changes or obstructs access to computer data, or significantly disrupts or prevents the automatic processing, collection or transfer of such data, is subject to imprisonment for up to three years. With regard to obstructing access to computer data, the regulation specifically penalizes paralyzing servers or websites by DDoS attacks. The punishment may be even more severe and reach up to 5 years of imprisonment if serious property damage is inflicted as a result of such attacks. However, in order for law enforcement agencies to take the required steps to detect the perpetrators of DDoS attacks, it is necessary to apply for prosecution: the crime under Art. 268a of the Criminal Code is prosecuted on the request of the injured party.
The punishment may be even more severe in the case of attacks on the servers or websites of public administration and other government institutions that disrupt or prevent the processing, collection or transfer of so-called special data processed by such entities (known as "computer sabotage").
However, finding the perpetrators of such DDoS attacks and prosecuting them may prove difficult, because DDoS attacks take place in stages. In order to conduct an attack it is first necessary to develop malicious software (or to purchase it), to place it in a location from which it will "attack" the chosen targets, and then to activate it, which generates the traffic that paralyzes servers or websites. It is also worth noting that in some cases even developing malicious software (tools) is subject to prosecution (Art. 269 of the Criminal Code).
Security audit
It is established wisdom that prevention is better than cure. However, in order to effectively prevent attacks (not only DDoS ones), it is necessary to know one's own security weaknesses. This may be ensured by appropriate system audits, in particular penetration tests. Such tests discover potential gaps in security measures, reveal inaccuracies, and enable an effective assessment of the level of the safeguards employed. They may be applied to infrastructure connected to the internet, including websites and applications as well as the VPN and Wi-Fi networks in use.
In its recommendations concerning the management of the IT and telecom environment in banks, the Financial Supervision Authority recognizes the important role of pentests, emphasizing that such infrastructure ought to undergo periodic review in light of the changes occurring in this environment and in order to reveal security gaps. The Authority indicates that penetration tests ought to be one of the tools applied systematically to assess the effectiveness of control mechanisms in high-significance IT and telecom infrastructure.
Proper security audits involving pentests (one-off as well as periodic ones) ought to be provided for in an appropriately structured agreement protecting both the contracting party and the testers. Since conducting penetration tests involves access to confidential information and personal data, and may lead to changes in software source code, it is necessary to precisely regulate the specific liability of the parties in this respect. Above all, however, the agreement ought to define the scope of the ordered penetration tests (areas and frequency), the obligation to draw up a report on the tests performed, and confidentiality undertakings (covering the test results).
DDoS attacks and GDPR
Regular testing of an entity's own security measures will become particularly significant from the effective date of the General Data Protection Regulation (GDPR), which imposes an express obligation on data controllers and processors to implement appropriate safeguards, specifically including a process for regularly "testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing" (Art. 32 sec. 1 point d).
If we take into account the severe penalties imposed by the GDPR for breaches of the security of personal data processing, demand for entities providing services of this type can clearly be expected to grow.
One of the instruments intended to ensure a proper degree of security is the obligation imposed by the GDPR to report breaches of personal data security and to document them. In the opinion of the Art. 29 Working Group, a personal data breach also includes a breach of availability in the case of accidental or unauthorized loss of access to personal data. This is usually the case in DDoS network attacks, which cause personal data to become permanently or temporarily unavailable. In each such case the affected entity must consider its obligation to report the breach to the appropriate supervisory body, or to notify the persons to whom the data refer, if the conditions defined in the GDPR are met.
Summary
A report by one of the consulting firms indicates that 33% of DDoS attacks resulted in financial losses and 31% in disclosure of confidential information, while 16% had an impact on the loss of client confidence. As such, protection against DDoS attacks ought to be considered an important challenge by every entity. It is to be remembered that the costs of conducting DDoS attacks are falling while the costs inflicted on their victims are increasing. Effective protection of a company's infrastructure as well as periodic security audits are no doubt a good investment.