Over the past 13 years, the Internet has been plagued by attacks known as distributed denial of service (DDoS) attacks. When these attacks first began, the perpetrators were largely presumed to be criminals aiming at highly visible targets of opportunity. The first widely noted cases were the 2000 attacks against Buy.com, E*TRADE and Datek, among others. In those cases the FBI succeeded in locating and prosecuting the attackers. Despite the early impact on Wall Street, the information security profession did not see DDoS attacks as a threat to the financial sector.
For the next seven years, most professionals continued to ignore DDoS attacks, which they believed were a problem only for the fringe economy. For instance, in 2003 the majority of widely publicized attacks targeted online gambling websites, companies that were predominantly operated offshore, where network infrastructure is less developed. However, it is becoming apparent that after more than a decade of DDoS attack evolution, the information security profession is still not equipped to deal with the problem, a sobering reality that many banks now face. To complicate matters further, the highly regulated banking environment prevents banks from having unfettered access to emergency DDoS mitigation services, or at least reinforces fears about outsourcing security to more capable third-party vendors that have the experience to monitor, mitigate and track these attacks.
Banking IT pros: Time to get smarter about DDoS
For the most part, information security professionals employed by banks are not well versed in DDoS mitigation. Their expertise lies in areas more common to the banking environment, such as data integrity, encryption, auditing and compliance. In short, with DDoS attacks as their weapon of choice, enemies of capitalism have found the banking industry's Achilles heel.
There is speculation that these attacks are terrorist or even state-sponsored, but it is unlikely that the majority are actually being launched by such groups. For a small sum of money, anyone in the world can hire attackers to launch debilitating attacks on any company or government, however large. Ordering an attack costs only a few hundred dollars, while defending against one can cost millions, not counting the cost of business interruption. A DDoS attack is unlikely to cause a bank to lose substantial business, but it will certainly raise costs for any bank that has to ramp up availability security and deal with anxious customers who cannot reach their online accounts. Those costs are passed on to customers and taxpayers as the federal government bears the expense of criminal investigations, cyber defense and, in a worst case, insurance payments. DDoS is a threat to the bottom line rather than to the data itself.
Granting the assumption that regulatory concerns will prevent banks from substantially outsourcing their availability security, it becomes necessary to develop these capabilities in-house. First, banks must ensure that their upstream carriers are prepared to absorb large bandwidth floods and have robust infrastructure in place. The large, brand-name carriers are not always the most capable of doing this; it is often smaller, "tier-two" providers that maintain the more robust, resilient networks. Network engineers must audit their carriers and gain a deep understanding of the upstream network architecture to ensure that the equipment and fiber capacity meet the bank's specific needs.
Begin to ask questions:
• Is the bank serviced by the carrier's primary point of presence (PoP) for the given city?
• Would it be more logical to purchase fiber to a larger exchange?
• Does the carrier operate a competent network operations center (NOC) capable of rapidly responding to a DDoS attack emergency?
Next, banks must think about their network infrastructure in terms of availability security and assess whether the routers and switches that serve clients are resilient against DDoS attacks. To do so effectively, banks must hire network engineers with substantial DDoS mitigation experience who can harden systems and network devices against weaknesses that would compound the severity of an attack; many of the most popular routers are also among the most vulnerable. Ultimately, banks must hire availability security experts to perform an independent assessment and to implement carrier-grade DDoS mitigation systems capable of detecting, diverting and mitigating large attacks.
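As an added example, not from the article or its author, here is a small Python sketch of the detect-and-divert step that such a mitigation system automates. It aggregates constructed NetFlow-style records per second for one protected address, raises an alert when packet or bit rates exceed an absolute limit or a multiple of the trailing per-second baseline, and builds the /32 blackhole announcement (RFC 7999 BLACKHOLE community 65535:666) that would be handed to the upstream carrier. The addresses, thresholds and flow counts are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: int        # second in which the flow was exported (constructed offset, not real time)
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    packets: int
    octets: int


# Constructed sample export (assumption): seconds 0-2 are normal online-banking traffic to
# the web VIP 203.0.113.10; seconds 3-4 are a spoofed UDP flood from twenty source addresses.
SAMPLE_FLOWS = (
    [Flow(t, f"198.51.100.{i}", "203.0.113.10", "tcp", 40, 30_000)
     for t in range(3) for i in range(1, 6)]
    + [Flow(t, f"192.0.2.{i}", "203.0.113.10", "udp", 60_000, 72_000_000)
       for t in (3, 4) for i in range(1, 21)]
)


def per_second(flows, dst):
    """Aggregate packets/s and bits/s toward one destination, keyed by second."""
    pps = defaultdict(int)
    bps = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            pps[f.ts] += f.packets
            bps[f.ts] += f.octets * 8
    return {t: (pps[t], bps[t]) for t in sorted(pps)}


def detect(flows, dst, pps_limit=500_000, bps_limit=5_000_000_000, ratio=10.0, window=3):
    """Flag seconds whose rate exceeds an absolute limit or `ratio` times the trailing median.

    Only clean seconds feed the baseline, so a sustained flood cannot raise the baseline
    and mask itself. Returns a list of (ts, pps, bps, reasons). Limits are assumptions.
    """
    alerts = []
    history = []  # (pps, bps) of preceding seconds that did not alert
    for t, (pps, bps) in per_second(flows, dst).items():
        reasons = []
        if pps > pps_limit:
            reasons.append("pps_limit")
        if bps > bps_limit:
            reasons.append("bps_limit")
        if len(history) >= window:
            base_pps = median(h[0] for h in history[-window:])
            base_bps = median(h[1] for h in history[-window:])
            if base_pps and pps > ratio * base_pps:
                reasons.append("pps_ratio")
            if base_bps and bps > ratio * base_bps:
                reasons.append("bps_ratio")
        if reasons:
            alerts.append((t, pps, bps, reasons))
        else:
            history.append((pps, bps))
    return alerts


def rtbh_route(dst, next_hop="192.0.2.1", community="65535:666"):
    """Build the /32 remotely triggered blackhole announcement for the upstream.

    65535:666 is the well-known BLACKHOLE community from RFC 7999; the next hop is an
    assumed discard address that the carrier routes to Null0.
    """
    return {"prefix": f"{dst}/32", "next_hop": next_hop, "communities": [community]}


if __name__ == "__main__":
    for ts, pps, bps, reasons in detect(SAMPLE_FLOWS, "203.0.113.10"):
        print(f"t={ts}: {pps} pps, {bps / 1e9:.2f} Gbps -> {', '.join(reasons)}")
        print("  divert:", rtbh_route("203.0.113.10"))
```

Blackholing completes the denial of service for that one address, so it is the last resort for when the flood threatens the rest of the network or the carrier link itself. A scrubbing diversion uses the same trigger but announces the more-specific prefix toward the scrubbing path instead of a discard next hop, which is exactly the arrangement that has to be agreed with the carrier before an attack, not during one.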
The banking industry can recover from these incidents, so long as it acts quickly to ramp up information security capabilities.
About the author: Jeffrey A. Lyon, CISSP, is the president of Black Lotus Communications and a pioneer in the mitigation of distributed denial of service (DDoS) attacks.