What we learned following a DDoS attack

A DDoS attack on the Royal Borough of Windsor and Maidenhead taught IT chief Rocco Labellarte that ticking boxes for compliance is not enough

A while ago (the local authority didn't want to disclose exactly when), Royal Borough of Windsor and Maidenhead suffered an attempt to bring down its systems via a distributed denial of service (DDoS) attack.

The experience of battling against this attack taught its CIO, Rocco Labellarte, his team and the council's leadership some valuable lessons about people and processes, which he relayed to the audience at the recent Computing Enterprise Security and Risk Management Summit.

"The attack began with a phone call," explained Labellarte. "The caller, who claimed to be from Anonymous, made certain demands and threatened to take down our online services if we didn't agree." In less than 30 minutes senior management were on the case, and three hours later the council's systems were being bombarded by hundreds of thousands of hits originating from all over the world.

Fortunately the council had recently upgraded its firewalls. "Technically we were very well protected, but in terms of people and procedures we had lots of questions," Labellarte said. "Who do we contact? Should we tell the police? The Cabinet Office?"

The picture was complicated by the fact that the council runs a hybrid cloud environment. "Most of our business systems, including our website, are hosted in our hybrid cloud. Which suppliers should we contact? Do we warn the cloud providers? We realised we were not fully prepared to answer these questions," Labellarte said. "We had limited resources and a whole series of issues to address."

The attack went on for a number of days. "It's very concerning," Labellarte said. "You have no idea when it's going to stop. We could have just locked down all our ports, but as soon as we opened them it could have started again."

Once the attack had finally subsided, Labellarte and his colleagues sat down to mull over what could have been done better. He shared a three-point framework for instigating a security culture with the audience.

Making management understand risk
"The first thing about a security culture is to make sure that the leadership understands the risks and takes accountability for the decisions taken," he said. The approach that some take is to address the board in a way that allows it to feel that security is already sufficient, and therefore that there is no need to commit to future investment when it becomes necessary.

"If the board asks, 'Are we safe?' and the reply is: 'For now we are but we will need to continue investing as the threats evolve', what is heard is: 'Yes, we are safe'," he explained.

What this experience teaches, Labellarte said, is to frame security in the language of business rather than in terms of perceived threat, using percentages to describe relative risk and using this as a case for investment:

"At the moment we are 80 per cent safe. If we invest in this measure, which will cost x, we will be 85 per cent safe."

This approach allows senior management to take responsibility for investment based on the likelihood of a risk occurring, which can also be good for the CIO's job security.

"The executive team should shoulder that responsibility. Make it about appetite for risk. Make it clear there is no guarantee because nobody can know what they don't know."

Standards and procedures
"Secondly, you need to make sure there are clear standards and procedures in place so that when something does happen you can deal with it rapidly and effectively," Labellarte went on.

"In terms of our security culture we were ticking boxes for compliance but we didn't understand what we needed to do when the threat became real," he said. "We struggled because, although we were covered technically, we didn't know every action to take, or who necessarily to contact. We went through a very fast and intense learning curve, and even after the event we still don't have all the answers, and continue to learn.

"One of the questions is: 'How do you keep a limited number of staff monitoring and reacting to an attack of long duration?' There's a whole series of actions that you need to take during that event, and post that event, that we hadn't thought about."

Making security second nature
"One thing that's absolutely critical is that your staff treat security as second nature," Labellarte said.

"Making such behaviours second nature is hard to achieve within an organisation. For this to occur there has to be a collective sense of belonging and consistent leadership. Two years ago the council moved to an open-plan setup based on cloud services and mobile, flexible working and hot-desking.

"We instigated a clear-desk policy, but within a few months photographs and personal items had started appearing on the desks and paper was beginning to reappear," Labellarte explained, adding that this was not seen immediately as a problem.

"The rationale was that staff wanted to make the environment more comfortable," he said. "But we need to demonstrate that we are serious about security, and a security culture starts with the stance taken by the leadership team."

He continued: "If you allow a culture of 'it doesn't really matter' within an organisation, it's harder to bring it back into line. Yet for the most part creating a security culture is just about common sense: just as you lock your door when you leave your house, so take that approach into your work."