Bank of America's website experienced periodic outages on Tuesday, possibly due to a cyber attack launched in retaliation for a film mocking the portrait of the Prophet Muhammad which has already incited deadly riots throughout the Middle East. The threat, from the "Cyber fighters of Izz ad-din Al qassam," a reference to the military wing of Hamas, was also made against the New York Stock Exchange.
Wall Street & Technology spoke to Eric Friedberg, co-president of Stroz Friedberg, a global digital risk management and investigations firm, about how financial firms should protect themselves from these sophisticated attacks.
WS&T: How can firms protect themselves against the attacks that the group protesting the anti-Islam film threatened to carry out against Bank of America and NYSE?
Eric Friedberg: What these threats show is that for global financial firms, threat assessment needs to be based on a complex global understanding of who the potential adversaries are and what the likely attack factors are. With the rise of hacktivism, companies are being targeted for what they represent to the attacker rather than for what they did. There is a steep rise of hacktivism in the name of anti-globalization, anti-Wall Street, and intellectual property, and pro-religious group X, Y or Z. That presents a complex web of challenges to security professionals. You have to be really thinking not just on a technology level but in behavioral and geo-political terms. Security professionals have to think about how all of these different groups are going to be perceiving their company and what the likely attack vectors are. If you’re just going through a checklist without prioritizing risk on the basis of what the likely attack is, you’re shooting in the dark.
WS&T: How do you prepare for a Denial of Service attack, like the one that this pro-Hamas group threatened to carry out?
EF: You’re trying to manage an enormous amount of information being thrown at servers. You have to have an understanding with upstream ISP providers about what the ISP can do to filter out as much of the junk that is thrown at you. You have to establish a preparedness plan. Contact people. Have a strategy. And understand what the ISP can do to divert some traffic. Sometimes this traffic can be filtered out based on signatures and other criteria, almost like a junk filter.
WS&T: Are there any other ways that you can protect yourself?
EF: Yes, with load balancing within a company. If you have multiple servers and a DoS attack is targeted at a particular server, you can balance the load of traffic across many servers so that the functionality of your site doesn’t slow down. It’s very hard to do that if you’re first thinking about it when you come under attack. You also need to revise your architecture, establish incident response plans, and bring in other types of technologies that can help prepare for those attacks.
WS&T: What are the other types of attacks hacktivist groups carry out?
EF: These groups are often trying to make a political point by embarrassing and causing temporary pain to a company. Recently they have found that by infiltrating pockets of reportable and personally identifiable information that a company has and exposing it to the public, they have given the company an enormous reporting headache. They infiltrate a database, find people’s dates of birth, Social Security numbers and email addresses and make them public. Hacktivists are less concerned with financial motivation, and more with causing the pain that they understand follows from exposing the personally identifiable information (PII) that a company has.
WS&T: How can you protect yourself from this type of infiltration attack?
EF: Many of the data breaches that result in the loss of PII result from systems that were improperly patched and are running software with known vulnerabilities. One of the most important things is to make sure a company’s patch management system is up to date. Much of the harm comes from over-retention of data. A company has millions of records that it can lose. For business purposes the company might have needed to retain only a couple hundred thousand of these records. But there’s been no housekeeping. So protecting against data breaches involves patch management, data retention and recycling.
Intrusion detection is another key area. A persistent attacker with enough skill and resources can attack most systems. Preparedness and early identification of the attack – having red flags go up when you’re under attack – are key. For most people it’s a question of when, not if, you’ll be attacked. You also need to have quality skilled people who know how to even identify and respond to attacks. And there’s a shortage of highly skilled incident responders. Some companies don’t focus early enough on making sure they have a good internal team that has appropriate skill sets in this area. That’s hard to build when you first learn you’re under attack. When it comes to sophisticated attacks like state-sponsored espionage or hacktivism, there’s a unique skill set that is needed.
WS&T: Can you give us a few examples of the skills security experts need to combat hacktivist attacks?
EF: Large global networks have enormous amounts of information flowing through them. Even if you’re running intrusion detection systems, they generate massive amounts of information. The ability to interpret large data sets of logs and intrusion detection information and quickly hone in on something that represents a real threat as opposed to minor noise is one example.
When you find some malware on your systems, there’s a process of reverse engineering of malware: it has to be decrypted, uncompressed and pulled apart. A unique set of skills is needed to figure out in advance how to pull this unique malware apart so that you can analyze the code and see what the attacker will do with it. It will tell you how the attacker is aggregating and exfiltrating (sending out of the system) the information.