
NimbusDDOS - Assurance & Testing Certification Program for Financial Services

We Support the C-Level & Board Oversight to Maintain Governance of their FFIEC Guided Information Security Program

FFIEC Information Technology Examination Handbook, September 2016, page 56
IV.A.3 Independence of Tests and Audits


"Institutions frequently use independent organizations to test aspects of their information security programs. Independent tests have the potential to reduce bias, increase capabilities, and increase knowledge about threats and technologies. Independence gives credibility to the test results. To be considered independent, testing personnel should not be responsible for the design, installation, maintenance, and operation of the tested system, or the policies and procedures that guide its operation. The reports generated from the tests should be prepared by individuals who similarly are independent."


"82% of all our Initial Engagements expose numerous risks to our clients' network environments"
- Andrew Shoemaker (Founder/CEO)


DDoS Pyramid - Financial Services

// Executive Summary

NimbusDDOS is an independent, vendor-neutral DDoS assessment and testing company that does not install, recommend, or resell DDoS mitigation systems. NimbusDDOS is a consultancy focused on the data-driven metrics that Assurance and Information Security Governance require in order to mitigate DDoS-related "unavailability or degradation" of information and services, delivered through the regular use of its proprietary assessment and testing capabilities.

The NimbusDDOS Assurance & Testing Certification Program for Financial Services (NATCP) was developed to guide and assist the C-level Information Security Officer in maintaining a culture of security through DDoS preparedness as they design and operate an iterative, enterprise-wide network environment, and to periodically support the Board's oversight. The program is designed to enhance business continuity by offering the Financial Services sector ongoing support for its FFIEC-guided Information Security Program. The NATCP consists of two integral components, 1. Initial Engagement and 2. Information Security Governance, which together lead to a certification level of DDoS preparedness.


// Premier DDoS Attack Simulation Platform

At the core of our testing capabilities is the industry-leading NimbusDDOS Attack Simulation Platform, developed by Founder Andrew Shoemaker and his engineering team. The platform uses cloud-based resources to mimic the varied behavior of real-world botnets such as the ever-morphing Mirai IoT botnet. These are as close to real "in the wild" attacks as you can get without hiring one of "the bad guys" to attack you. With our flexible cloud architecture we can scale an attack to whatever size a customer needs. To date, our largest attack was measured in the hundreds of Gbps, and there is no fixed upper bound on the attack volume the platform can launch. We can replicate nearly any attack found in the wild and supply any number of attacking nodes, monitoring, or other features to accompany your testing needs. The platform also offers a "Kill Switch" for fail-safe protection and a "Pause Testing" capability, giving the customer a real-time, in-house mitigation option during a live test for many targeted risks.


// Methodology

Central to our methodology is a preference for data over theory: until a change made to improve an environment has been tested, it is a theoretical change, not a validated one.

We believe in multi-layer testing that stresses the entire OSI stack.

A trusted, vendor-neutral third party is required to evaluate and test an existing network environment. As in penetration testing, it is of the utmost importance that the third party put itself in the position of an attacker: carry out attacker-style reconnaissance, explore and discover risk areas, and build an attack plan. Those theoretical findings are then tested to validate the risks.

Finally, we believe all assessments should support your Information Security Governance Plan.



NimbusDDOS Assurance & Testing Program

Initial Engagement

// Environment Scan and Risk Assessment & Report

"True DDoS attack preparedness is knowing your weaknesses, not blindly implementing a vendor solution."
- Andrew Shoemaker (Founder/CEO)

Our DDoS risk assessment takes a proactive, strategic approach in which a NimbusDDOS expert mimics an attacker's reconnaissance and reviews an organization's infrastructure to identify areas of weakness. This process allows an organization to address DDoS risks on its own terms rather than having them driven and dictated by the attacker.


// Third-Party Vendor Assessment & Report

"Companies routinely expose themselves to risk through their vendors. This is especially true of SaaS vendors where critical business processes may fail when the vendor is attacked."
- Andrew Shoemaker (Founder/CEO)

We assess and test the third-party service providers (ISP, TSP, MSP, SaaS, etc.) that supplement an institution's technical and managerial capabilities, and we create a separate, DDoS-related Summary Report for management and board oversight. The depth of this report is commensurate with the sensitivity and criticality of the information and processes the third-party service provider supports.


// Risk Specific Baseline Testing & Report

"Metrics we collect during a simulated DDoS attack allow our customers to make data driven decisions on the best way to protect their organization."
- Andrew Shoemaker (Founder/CEO)

Our proprietary NimbusDDOS Attack Simulation Platform gives organizations the ability to proactively test against DDoS attacks using the same techniques real attackers use. Unlike a real attack, our tests are performed in a controlled manner and structured to reflect the customer's objectives, with the platform's "Kill Switch" and "Pause Testing" controls available throughout as a real-time, in-house mitigation option during a live test.


// Board Oversight Committee Summary & Report

"DDoS is no longer a challenge just for technology stakeholders, it's a business risk in which all stakeholders must be versed. Risk mitigation is about decision makers having the information they need, whether it be technological or business."
- Andrew Shoemaker (Founder/CEO)

We provide a Board Oversight Committee Summary Report to the C-level Information Security Officer for use in reporting to the board or a designated board committee. It is delivered with the Initial Engagement and then periodically with the Information Security Governance engagements. The report describes the overall status of the program and material matters related to the NimbusDDOS Assurance & Testing Program, including the following:

  • Risk assessment process, including threat identification and assessment.
  • Third-party service provider impact.
  • Enterprise-wide summary of testing results and impact assessment.
  • Recommendations for updates to the DDoS Information Security Program.


NimbusDDOS Assurance & Testing Program

Information Security Governance

// Iterative Environment Assessment & Testing

"The modern agile software development lifecycle can lead to increased risk as environments continually change. The security landscape must also evolve to be more agile through an iterative approach."
- Andrew Shoemaker (Founder/CEO)

DDoS attacks occur frequently in the Financial Services sector, and when they occur they divert and drain IT resources. The purpose of a DDoS attack is to cause network unavailability or degradation, which can result in catastrophic financial harm. IT teams are usually busy with a host of responsibilities supporting system design and operations, and an attack that diverts their attention can be used as cover to plant malware or ransomware. The NimbusDDOS Assurance & Testing Program was created to complement the iterative nature of an enterprise-wide, complex and dynamic environment and to reduce the IT team's need to redirect attention to DDoS-related attacks.


// Preparedness & Attack Response Training

"To stay ahead of attackers our engineers are continually learning, and it's this knowledge that creates effective DDoS preparedness."
- Andrew Shoemaker (Founder/CEO)

  • Principles of DDoS Preparedness Guide
  • Red Team/Blue Team Attack Simulation Drills
  • Scheduled & Surprise Attack Drills
  • Cover Fire Cooperative Attack Drills


// Maturity Certification & Scheduling Frequency

Tier  Risk Level   Assessment Frequency              Testing Frequency
1     Least        Annual + Environment Changes      Bi-Annual + Environment Changes
2     Minimal      Bi-Annual + Environment Changes   Bi-Annual + Environment Changes
3     Moderate     Quarterly + Environment Changes   Quarterly + Environment Changes
4     Significant  Quarterly + Environment Changes   Monthly + Environment Changes
5     Most         Monthly + Environment Changes     Monthly + Environment Changes

Assessment and testing frequency increase with tier, so "Bi-Annual" here means twice a year, not every two years. At every tier, a material environment change triggers an additional assessment or test outside the scheduled cadence.