Cyber attacks, SaaS, SOA and your business

Over the last month or so Estonia (a small Baltic nation) has been under attack: not a traditional military attack but a cyber attack. The NY Times provides a good rundown (via Kim Cameron) of what has been going on.

When Estonian authorities began removing a bronze statue of a World War II-era Soviet soldier from a park in this bustling Baltic seaport last month, they expected violent street protests by Estonians of Russian descent.

They also knew from experience that if there are fights on the street, there are going to be fights on the Internet, said Hillar Aarelaid, the director of Estonia’s Computer Emergency Response Team. After all, for people here the Internet is almost as vital as running water; it is used routinely to vote, file their taxes, and, with their cellphones, to shop or pay for parking.

Hillar thought he was prepared:-

When the first digital intruders slipped into Estonian cyberspace at 10 p.m. on April 26, Mr. Aarelaid figured he was ready. He had erected firewalls around government Web sites, set up extra computer servers and put his staff on call for a busy week.

But.

By April 29, Tallinn’s streets were calm again after two nights of riots caused by the statue’s removal, but Estonia’s electronic Maginot Line was crumbling. In one of the first strikes, a flood of junk messages was thrown at the e-mail server of the Parliament, shutting it down. In another, hackers broke into the Web site of the Reform Party, posting a fake letter of apology from the prime minister, Andrus Ansip, for ordering the removal of the highly symbolic statue.

Essentially Estonia was under a full-scale Distributed Denial of Service (DDoS) attack, something that is very hard to defend against and even harder to stop.

By the end of the first week, the Estonians, with the help of authorities in other countries, had become reasonably adept at filtering out malicious data. Still, Mr. Aarelaid knew the worst was yet to come. May 9 was Victory Day, the Russian holiday that marks the Soviet Union’s defeat of Nazi Germany and honors fallen Red Army soldiers. The Internet was rife with plans to mark the occasion by taking down Estonia’s network.

Mr. Aarelaid huddled with security chiefs at the banks, urging them to keep their services running. He was also under orders to protect an important government briefing site. Other sites, like that of the Estonian president, were sacrificed as low priorities.

During the attack one bank has reported losses of around US$1 million, not a huge amount but enough to get the attention of any CEO and Board of Directors. To give you an idea of the scale of the attacks, the NY Times reported:-

All told, Arbor Networks measured dozens of attacks. The 10 largest assaults blasted streams of 90 megabits of data a second at Estonia’s networks, lasting up to 10 hours each. That is a data load equivalent to downloading the entire Windows XP operating system every six seconds for 10 hours.

This brings me to SaaS and SOA, or Software as a Service and Service-Oriented Architecture, the next big things in enterprise software. The team in Estonia’s CERT were good, very good, but even they were unable to completely protect themselves from such an attack.

Some questions to ponder:-

  • What about the company that provides your SaaS payroll, recruitment, CRM or SCM: how would they stand up?
  • As a CIO or IT Manager selecting a vendor to provide services to your organisation, are you even thinking of this?
  • As the CTO of a vendor, do you have the ability in-house or contacts externally to defend yourself?
  • Do the lawyers understand what is going on?
  • What would be the impact to your company if you lost your payroll, recruitment, CRM or SCM systems?