Distributed denial-of-service attacks, or DDoS, are a standard tool of choice for publicity gathering attacks, but we rarely see institutions coming out and commenting on them - why DDoS are they being used, what were the results, or anything related to it that could be worse than what DDoS was going for.
Customer advocacy and information sharing is insufficient, argues Jason Polancich, a US Intelligence Community veteran and founder of the independent analysis and media company Hacksurfer. "Their tendency is to not say anything. Yet, at the same time, customers are left disenfranchised and without an answer when they ask hard questions… As a whole I believe the Financial Service industry is not open and owning its message to customers and supply chain members. They don't really come out enough to educate them, arm them, make them aware."
According to HackSurfer's data, across the entire financial sector on average 22% of attacks detected since April 2013 were DDoS attacks versus other practices like viruses, malware, etc. "That's significant when you think of all the cybercrime practices out there."
People have simply become desensitized to banks and online service getting DDoS. A few years back, Pavel Vrublevsky, the owner of Russian payments firm ChronoPay, hired some Russian hackers to launch DDoS attacks on his rivals, preventing payment processing for the Russian State Airline, costing them millions over a couple days. He was arrested back in August and became the poster child for how DDoS attacks are damaging for Financial Services. "They're not taking it seriously," says Polancich. "They just say 'oh it's DDoS.' It overwhelms the banks but it's rarely just that. It's misdirection, a red herring, or used for some sort of destabilization weapon. The worst is yet to come... We're not probably too far away from it hitting home for major exchanges."
It almost sounds like a far fetched conspiracy, but given the example from Russia, and the current state of affairs, we may want to admit we just don't understand the scope of the issue. The reality it this is stuff that's happening on some scale every day, and not being properly discussed.
Gulf of Understanding
"There's a giant gulf of understanding between the lower level technology engineers and the people who execute budgets that CEOs and CIOs are putting together," he argues. "In most cases you end up with the ability for the C-suite to misdirect budgets inappropriately matched to the threat they face." Engineers will view DDoS as non-technical issues, and the C-suite gets advice from engineers who do not have the purview of higher level objectives met by low lever protection. "At the end of the day, darts are thrown at dartboard, some hit and some don't because there isn't a close relationship between tech teams and the C-suite."
It all comes down to the age old IT versus the rest of the world communication issues. Engineers can sit and talk with other engineers about design patterns, but there's no equivalent language for the C-suite with tech teams. As a result firms can end up with a weird, lopsided budget and execution plan, especially in Financial Services where engineers are scaring the C-suite to death with things they may not need to be scared of, argues Polancich. Throughout it all, neither side has the global awareness of what's going on and what's a threat because they're fighting a lot of other fires every day.
"Things are way too technical and most CEOs admit that they don't think defenses are good enough for their company and don't understand what the threats are." If you just ask a typical internet user, they will understand to depth that there are viruses but are not sure what they are exactly. The C-suite isn't much better educated. They know what they've been told, but don't have a 'golf-course talk' to ask who did what to who, what happened, and why.
There has to be a better way to work more symbiotically, to get the people at high business levels to understand what a cybercrime event is and what's really happening. Hacksurfer is one such service providing a simplistic information model teams can use as aids in conversation. "We're trying to establish a common language at a high level that everyone can adopt to enable easier, better communication about a topic dominated by esoteric and hard-to-understand language," says Polancich.