12:33 PM
Jeffrey Lyon, Black Lotus

DDoS Attacks on Financial Industry: Ignoring Them Won’t Make Them Go Away

After more than a decade of DDoS attack evolution, the information security profession employed by banks is still not equipped to deal with the problem, argues Jeffrey Lyon, president of Black Lotus.

Over the past 13 years, the Internet has been plagued by intrusions known as distributed denial of service (DDoS) attacks. When these attacks first began occurring, the perpetrators were largely presumed to be systems operated by criminals aimed at highly visible targets of opportunity. The first of these types were the 2000 attacks against Buy.com, E*TRADE and Datek, to name a few. In these particular cases, the FBI was successful in locating and prosecuting the attackers. Despite the early impact on Wall Street, the information security profession did not see DDoS attacks as a threat to the financial sector.

For the next seven years, most professionals continued to ignore DDoS attacks, which they believed were only a problem in the fringe economy. For instance, in 2003, the majority of largely publicized attacks were against online gambling websites. These companies were predominately operated offshore, where network infrastructure is less developed. However, it is becoming apparent that after more than a decade of DDoS attack evolution, the information security profession still is not equipped to deal with the DDoS problem, a sobering reality that many banks are now facing. To complicate matters further, the highly regulated banking environment prevents banks from having unfettered access to emergency DDoS mitigation services, or at least substantiates fears of outsourcing security to more capable third-party vendors with the experience to monitor, mitigate and track these attacks.

Banking IT pros: Time to get smarter about DDoS

For the most part, information security professionals employed by banks are not well versed in DDoS mitigation. Instead, their areas of expertise are more common to the banking environment, such as data integrity, encryption, auditing and compliance. In short, with DDoS attacks as their weapon of choice, enemies of capitalism have now found the banking industry’s Achilles heel.

There is speculation that these attacks are terrorist- or even state-sponsored, but it is unlikely that the majority of attacks are actually being launched by these groups. For a small sum of money, anyone in the world can hire hackers to launch debilitating attacks on any company or government, no matter how large. It costs only a few hundred dollars to order an attack, but it can cost millions to defend against one, not to mention the cost of business interruption. It is unlikely that a DDoS attack will cause banks to lose substantial business, but it will certainly result in increased costs to any bank that has to ramp up availability security and deal with the impact of highly anxious customers who are unable to access their online accounts. These costs will be passed on to customers and taxpayers as the federal government bears the expense of criminal investigations, cyber defense, and even insurance payments in a worst-case scenario. DDoS is the type of threat that attacks the bottom line versus the data itself.

Granting the assumption that regulatory concerns will prevent banks from substantially outsourcing their availability security, it becomes necessary to develop these capabilities in-house. First, banks must ensure that their upstream carriers are prepared to deal with large bandwidth floods and have robust infrastructure in place. The large, brand-name carriers are not always the most capable of doing this. It is often smaller, “tier-two” providers that maintain the more robust, resilient networks. Network engineers must audit their carriers and gain a deep understanding of the upstream network architecture to ensure that the equipment and fiber capacity meet their specific needs.

Begin to ask questions:

• Is the bank serviced by the carrier’s primary point of presence (PoP) for the given city?
• Would it be more logical to purchase fiber to a larger exchange?
• Does the carrier operate a competent network operations center (NOC) capable of rapidly responding to a DDoS attack emergency?

Next, banks must begin to think about their network infrastructure in terms of availability security and assess whether routers and switches used to provide service to clients are resilient against DDoS attacks. To do so effectively, banks must hire network engineers with substantial DDoS mitigation experience and ensure that their candidates are capable of securing systems and network devices against vulnerabilities that would compound the severity of an attack. Many of the most popular routers are also some of the most vulnerable to attacks. Ultimately, banks must hire experts in availability security to perform an independent assessment and to implement carrier-grade DDoS mitigation systems capable of detecting, diverting, and mitigating large attacks.

The banking industry can recover from these incidents, so long as it acts quickly to ramp up information security capabilities.

About the author: Jeffrey A. Lyon, CISSP, is the president of Black Lotus Communications and a pioneer in the mitigation of distributed denial of service (DDoS) attacks.
