The Risks of Using SaaS from a DDoS Perspective
By David Hobbs – System Engineer at Radware
David Hobbs focuses on security every day, with 16 years of experience battling the latest attempts by hackers to shut down corporate systems. We asked him to explain how using SaaS services can be affected by a DDoS attack.
A lot of companies today are looking at ways to reduce costs for maintaining infrastructure and software. Because of this, Software as a Service (SaaS) has become a norm in modern business. The benefits of making this move are often worth the risks to companies, and until now there hasn’t been much issue with using hosted software solutions. But because hackers constantly adapt and change their methods, SaaS has become the next frontier of attacking companies.
One of the tools we see hackers using more and more is Distributed Denial of Service (DDoS). You might be aware of groups like Anonymous, Anti-Sec, LulzSec or Gnosis, or have heard about the number of high-profile attacks on businesses in the last few years. These groups often use DDoS, which is the new frontier of attacking businesses. A DDoS may come from one user in control of as few as a couple of computers, or from large botnets composed of hundreds of thousands of computers all over the world. And this phenomenon isn’t going away any time soon. The capability of attacking from hundreds of thousands of computers at once makes finding the original attacker a challenging task for investigators and IT staff alike.
Imagine what happens if, after 5 failed login attempts, your account gets locked out. Has this ever happened to you? Or, if you’re like me, have you ever had to call the help desk to get your password unlocked because you forgot it while on vacation, or maybe you just forgot that recent password change you did before leaving on a trip and locked yourself out? Well, hackers can take advantage of this.
Server Cracking is the term for using a program to guess passwords. Pretend your e-mail address is firstname.lastname@example.org, you use an online SaaS platform like Salesforce.com or Oracle’s CRM On Demand, and your password policy says to lock accounts after 5 invalid attempts. What would happen if a competitor or malicious person were to use LinkedIn to build a database of your employees? With one e-mail address he could probably guess your e-mail schema, right? So he could then create a Server Cracking routine whose sole effect would be to lock your whole company out of its online service. That wouldn’t be much fun to deal with: your business can’t use the tools any longer, leading to lost revenue while you have to rely on your SaaS provider to unlock everything for you.
Now, what would happen if you did something like tie single sign-on into that SaaS solution? I know lots of companies tie their Active Directory or LDAP directory service to single sign-on solutions. What if you even went so far as to do something really insane like tie your load balancer into your single sign-on infrastructure and your SaaS services? One well-placed DDoS attack could shut down everything both outside and INSIDE of your network and take your whole company down from the outside in. Imagine what kind of a mess that would be, and what you might have to do even to unlock your administrator accounts from the console just to begin resetting the rest of the admin accounts and figure out what’s going on. Meanwhile, as all of this is going on, your company is DOWN, DOWN, DOWN. Would the savings still be worth it then, against the cost of having all of your systems down?
One thing that might serve as a wake-up call about using single sign-on solutions and Software as a Service is to make SURE they have reputable Server Cracking Protection mechanisms and DDoS attack prevention. Because Radware’s DefensePro is used world-wide to fight DDoS and Server Cracking, you might suggest to your SaaS provider that if they don’t have somebody like us defending them, it might be a sign that you should run far away from them until they get a handle on DDoS protection. What’s your business worth to you, and what would a DDoS against your SaaS infrastructure cost you?
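The lockout scenario described above (one source walking a predictable e-mail schema to trip the 5-attempt lockout on every account) and the kind of Server Cracking Protection the closing paragraph asks for, as an added example that is not part of the original article or any Radware product. The auth events are constructed inline; the three functions contrast the naive per-account lockout, a detection rule for the flood pattern, and a per-source budget that stops a single source from locking anyone out.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOCKOUT_THRESHOLD = 5   # the page's policy: lock the account after 5 invalid attempts

def build_sample_log():
    """Constructed auth events (not from any real system): one source walks a predictable
    mailbox schema and fails 5 times per account; a legitimate user elsewhere mistypes twice."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    events = [(t0 + timedelta(seconds=i * 5 + j), "203.0.113.7", f"user{i:02d}@example.org", "FAIL")
              for i in range(12) for j in range(LOCKOUT_THRESHOLD)]
    events += [(t0 + timedelta(seconds=70), "198.51.100.4", "user03@example.org", "FAIL"),
               (t0 + timedelta(seconds=80), "198.51.100.4", "user03@example.org", "FAIL"),
               (t0 + timedelta(seconds=90), "198.51.100.4", "user03@example.org", "OK")]
    return sorted(events)

def naive_locked_accounts(events):
    """Per-account lockout as the page describes: any source can push an account over."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}

def flood_sources(events, window=timedelta(minutes=5), min_users=10):
    """Detection: sources whose failures span >= min_users distinct accounts in one window."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts

def source_aware_locked_accounts(events, source_budget=LOCKOUT_THRESHOLD - 1):
    """Mitigation: cap what one source may contribute, so no single source can lock an account alone."""
    fails, per_src = defaultdict(int), defaultdict(int)
    for _, src, user, result in events:
        if result != "FAIL":
            continue
        if per_src[src] >= source_budget:
            continue          # throttle or challenge the source, not the account
        per_src[src] += 1
        fails[user] += 1
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}
```

The per-source budget only defeats a single source; a botnet spreading the same failures across hundreds of thousands of addresses is exactly why the article also asks for upstream DDoS filtering in front of the login endpoint.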