Financial Services Still Plagued by DDoS Attacks

Financial services aren't doing enough reporting of cybercrime, both internally and to their users. Is IT to C-suite communication to blame?

Distributed denial-of-service (DDoS) attacks are a standard tool of choice for publicity-seeking attacks, but we rarely see institutions come out and comment on them: why DDoS is being used against them, what the results were, or whether anything worse than the DDoS itself was going on behind it.

Customer advocacy and information sharing is insufficient, argues Jason Polancich, a US Intelligence Community veteran and founder of the independent analysis and media company Hacksurfer. "Their tendency is to not say anything. Yet, at the same time, customers are left disenfranchised and without an answer when they ask hard questions… As a whole I believe the Financial Service industry is not open and owning its message to customers and supply chain members. They don't really come out enough to educate them, arm them, make them aware."

According to HackSurfer's data, on average 22% of attacks detected across the entire financial sector since April 2013 were DDoS attacks, versus other practices like viruses, malware, etc. "That's significant when you think of all the cybercrime practices out there."

People have simply become desensitized to banks and online services getting hit by DDoS. A few years back, Pavel Vrublevsky, the owner of Russian payments firm ChronoPay, hired some Russian hackers to launch DDoS attacks on his rivals, preventing payment processing for the Russian state airline and costing them millions over a couple of days. He was arrested back in August and became the poster child for how damaging DDoS attacks are for Financial Services. "They're not taking it seriously," says Polancich. "They just say 'oh it's DDoS.' It overwhelms the banks but it's rarely just that. It's misdirection, a red herring, or used for some sort of destabilization weapon. The worst is yet to come... We're not probably too far away from it hitting home for major exchanges."

It almost sounds like a far-fetched conspiracy, but given the example from Russia and the current state of affairs, we may want to admit we just don't understand the scope of the issue. The reality is that this is happening on some scale every day, and it is not being properly discussed.

Gulf of Understanding

"There's a giant gulf of understanding between the lower level technology engineers and the people who execute budgets that CEOs and CIOs are putting together," he argues. "In most cases you end up with the ability for the C-suite to misdirect budgets inappropriately matched to the threat they face." Engineers view DDoS as a non-technical issue, and the C-suite gets advice from engineers who lack the purview of the higher level objectives that low level protection is meant to serve. "At the end of the day, darts are thrown at a dartboard, some hit and some don't because there isn't a close relationship between tech teams and the C-suite."

It all comes down to the age-old IT versus the rest of the world communication issue. Engineers can sit and talk with other engineers about design patterns, but there's no equivalent language between the C-suite and tech teams. As a result firms can end up with a weird, lopsided budget and execution plan, especially in Financial Services, where engineers are scaring the C-suite to death with things they may not need to be scared of, argues Polancich. Throughout it all, neither side has the global awareness of what's going on and what's a threat, because they're fighting a lot of other fires every day.

"Things are way too technical and most CEOs admit that they don't think defenses are good enough for their company and don't understand what the threats are." If you ask a typical internet user, they will understand to some depth that viruses exist, but are not sure what they are exactly. The C-suite isn't much better educated. They know what they've been told, but don't have the 'golf-course talk' to ask who did what to whom, what happened, and why.

There has to be a better way to work more symbiotically, to get the people at high business levels to understand what a cybercrime event is and what's really happening. Hacksurfer is one such service, providing a simplistic information model teams can use as an aid in conversation. "We're trying to establish a common language at a high level that everyone can adopt to enable easier, better communication about a topic dominated by esoteric and hard-to-understand language," says Polancich.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...

Comments

Jonathan_Camhi (User Rank: Author), 11/25/2013 | 9:12:05 PM
re: Financial Services Still Plagued by DDoS Attacks
I've heard the same problem exists with data teams, where the vocabulary that data scientists use is sometimes confusing even to other IT people in an organization, never mind the business people. But I think it should kind of be a requirement of your job that you are able to explain the complexities around what you do to colleagues who may have a different background and area of focus than you. That includes being able to put things in layman's terms for the higher ups.
Becca L (User Rank: Author), 11/25/2013 | 3:52:00 PM
The chief security officer, chief technology officer, and so on must be able to communicate through the levels, but if the lower tiers of IT staffing aren't able to communicate up the lines without losing their message, I think there has to be an aid along the whole communication chain. HackSurfer isn't the first to suggest an information aid or a special type of dictionary to bridge the connection.
IvySchmerken (User Rank: Author), 11/21/2013 | 3:21:52 PM
I was suggesting a translator (i.e., chief of staff) to bridge the gap because the IT security staff may be very technical and not be able to communicate the business implications. Conversely, the CEO may not have the technical background in malware, DDoS, etc. to understand that person. I agree there needs to be dialogue. As Greg said, the CEO is responsible for understanding the risks. Larger firms have chief security officers and other specialists like chief information risk security officers that probably interface with the CEO.
Greg MacSweeney (User Rank: Apprentice), 11/21/2013 | 11:40:59 AM
I don't think CEOs need to know the ins and outs of cyber security, or the technical details about some of the security procedures. This is the same with other parts of the business. The CEO at a bank doesn't need to know how to create a CDO or CMO, but the CEO better know what the CEO can do, what its risk is and so on.

When it comes to cyber, CEOs must be able to vet the security procedures thoroughly, in the same way that they ask questions about any other important business products or strategy.
Becca L (User Rank: Author), 11/20/2013 | 6:57:24 PM
Absolutely, please reach out and let me know more about your work in FS.
Becca L (User Rank: Author), 11/20/2013 | 6:56:16 PM
Interesting that you suggest acquiring a translator instead of enabling the existing staff to have the discussion. There are arguments for both: management must question how important, expensive and ultimately how successful it would be to train IT staff, versus bringing on one person or a small team to mediate the discussion.
Luke Beeson (User Rank: Apprentice), 11/20/2013 | 4:49:04 PM
Research clearly shows that cyber-attacks using DDoS are still increasing steadily in number and complexity. Here at BT we are responding to an increasing demand from the market for DDoS mitigation solutions which are able to adapt to this constantly evolving threat. We have several new enhanced DDoS mitigation services being readied for launch. The first of these new services is already in operation with two pathfinder enterprise customers, both within the Financial Services sector; early feedback is very positive. The new improved range of DDoS mitigation services from BT will start to be introduced from early 2014, which we'd be happy to talk to you about.
IvySchmerken (User Rank: Author), 11/19/2013 | 11:43:02 PM
I think companies need a translator who sits between the IT department and the CEO and board. This person needs to speak multiple languages: in-the-weeds security speak and corporate management/board-level risk speak.
Becca L (User Rank: Author), 11/19/2013 | 3:00:55 PM
I recently watched a medical drama TV episode in which the doctor was on trial for a botched surgery. How could the doctor explain to the jury what went wrong if the details are medically complex, and the jury's eyes glaze over at the medical lingo? In the show, analogies were made to get the concepts across, but I don't think that approach will fly at the C-suite and board level. The board needs a clear vocabulary, and IT has to know how to speak with it. But the question remains, what depth of understanding is enough?