Risk Management

12:33 PM
Jeffrey Lyon, Black Lotus
Commentary

DDoS Attacks on Financial Industry: Ignoring Them Won’t Make Them Go Away

After more than a decade of DDoS attack evolution, the information security profession employed by banks is still not equipped to deal with the problem, argues Jeffrey Lyon, president of Black Lotus.

Over the past 13 years, the Internet has been plagued by intrusions known as distributed denial of service (DDoS) attacks. When these attacks first began occurring, the attacking systems were largely presumed to be operated by criminals aiming at highly visible targets of opportunity. The first of these were the 2000 attacks against Buy.com, E*TRADE and Datek, to name a few. In these particular cases, the FBI was successful in locating and prosecuting the attackers. Despite the early impact on Wall Street, the information security profession did not see DDoS attacks as a threat to the financial sector.

For the next seven years, most professionals continued to ignore DDoS attacks, which they believed were only a problem in the fringe economy. For instance, in 2003, the majority of widely publicized attacks were against online gambling websites. These companies were predominantly operated offshore, where network infrastructure is less developed. However, it is becoming apparent that after more than a decade of DDoS attack evolution, the information security profession still is not equipped to deal with the DDoS problem, a sobering reality that many banks are now facing. To complicate matters further, the highly regulated banking environment prevents banks from having unfettered access to emergency DDoS mitigation services, or at least substantiates fears of outsourcing security to more capable third-party vendors with the experience to monitor, mitigate and track these attacks.

Banking IT pros: Time to get smarter about DDoS

For the most part, information security professionals employed by banks are not well versed in DDoS mitigation. Instead, their areas of expertise are more common to the banking environment, such as data integrity, encryption, auditing and compliance. In short, with DDoS attacks as their weapon of choice, enemies of capitalism have now found the banking industry’s Achilles heel.

There is speculation that these attacks are terrorist- or even state-sponsored, but it is unlikely that the majority of attacks are actually being launched by these groups. For a small sum of money, anyone in the world can hire hackers to launch debilitating attacks on any company or government, no matter how large. It costs only a few hundred dollars to order an attack, but it can cost millions to defend against one, not to mention the cost of business interruption. It is unlikely that a DDoS attack will cause banks to lose substantial business, but it will certainly result in increased costs to any bank that has to ramp up availability security and deal with the impact of highly anxious customers who are unable to access their online accounts. These costs will be passed on to customers and taxpayers as the federal government bears the expense of criminal investigations, cyber defense, and even insurance payments in a worst-case scenario. DDoS is the type of threat that attacks the bottom line rather than the data itself.

Granting the assumption that regulatory concerns will prevent banks from substantially outsourcing their availability security, it becomes necessary to develop these capabilities in-house. First, banks must ensure that their upstream carriers are prepared to deal with large bandwidth floods and have robust infrastructure in place. The large, brand-name carriers are not always the most capable of doing this. It is often smaller, “tier-two” providers that maintain the more robust, resilient networks. Network engineers must audit their carriers and gain a deep understanding of the upstream network architecture to ensure that the equipment and fiber capacity meet their specific needs.

Begin to ask questions:

• Is the bank serviced by the carrier’s primary point of presence (PoP) for the given city?
• Would it be more logical to purchase fiber to a larger exchange?
• Does the carrier operate a competent network operations center (NOC) capable of rapidly responding to a DDoS attack emergency?

Next, banks must begin to think about their network infrastructure in terms of availability security and assess whether routers and switches used to provide service to clients are resilient against DDoS attacks. To do so effectively, banks must hire network engineers with substantial DDoS mitigation experience and ensure that their candidates are capable of securing systems and network devices against vulnerabilities that would compound the severity of an attack. Many of the most popular routers are also some of the most vulnerable to attacks. Ultimately, banks must hire experts in availability security to perform an independent assessment and to implement carrier-grade DDoS mitigation systems capable of detecting, diverting, and mitigating large attacks.

The banking industry can recover from these incidents, so long as it acts quickly to ramp up information security capabilities.

About the author: Jeffrey A. Lyon, CISSP, is the president of Black Lotus Communications and a pioneer in the mitigation of distributed denial of service (DDoS) attacks.
