Distributed Denial of Service (DDoS) attacks, attempts to make a site or service unresponsive to its intended users by saturating the network with illegitimate traffic, will continue to wreak havoc on financial institutions thanks to advancing attack techniques and the ease with which common defenses can be worked around.
Recent attacks show the scale of DDoS attacks has continued to rise, to the point that millions of compromised computers are sending traffic to a single web server. A single attack in January of last year generated traffic equivalent to the capacity of the transatlantic fiber optic cables, a volume no web server in a data center can cope with.
"You would need some pretty sophisticated defense mechanisms to stop that traffic, and much further upstream," says Chris Camejo, director of assessment services at NTT Com Security.
Unfortunately, a common means of protection has proven easily circumventable. Camejo explains that organizations frequently turn to a contracted third-party service to host web servers, filter out bad traffic and detect DDoS attacks before they hit the real web server. It's the equivalent of changing your phone number to that of an answering service that screens calls before legitimate calls are forwarded to you.
"It works great as long as nobody knows your actual phone number in that analogy," he explains. "The web service is still out there. It's still accessible from the Internet. With a little bit of research, it's usually not terribly difficult to find out where that actual web server is located. Even though publicly they're saying all traffic should go through this third party service, there's nothing preventing me from just DDoS-ing the web server directly because I found its real address. I can just connect to it directly. That's something that a lot of organizations have been overlooking."
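The bypass Camejo describes shows up in the origin server's own logs as requests arriving from addresses that are not the scrubbing provider's. The following is an added example, not code from the article or from NTT Com Security: it checks constructed access-log lines against placeholder provider CIDR ranges (not any real provider's ranges) and emits the matching web-server allowlist, so direct hits are both detected and blocked.

```python
import ipaddress
import re

# Placeholder CIDR ranges for the contracted scrubbing provider (constructed,
# not a real provider's published ranges); replace with the provider's list.
SCRUBBING_PROVIDER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample access-log lines (common log format) from the origin server.
SAMPLE_LOG = """\
203.0.113.17 - - [10/Mar/2014:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2014:12:00:02 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.44 - - [10/Mar/2014:12:00:02 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.44 - - [10/Mar/2014:12:00:03 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.45 - - [10/Mar/2014:12:00:03 +0000] "GET / HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def is_via_provider(client_ip):
    """True if the connecting address belongs to the scrubbing provider."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in SCRUBBING_PROVIDER_RANGES)


def find_direct_hits(log_text):
    """Return {source_ip: request_count} for requests that reached the origin
    without passing through the provider, i.e. the real address is known."""
    direct = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip = m.group(1)
        if not is_via_provider(ip):
            direct[ip] = direct.get(ip, 0) + 1
    return direct


def nginx_allowlist():
    """nginx directives that make the origin accept only provider traffic,
    closing the gap the log check above exposes."""
    rules = [f"allow {net};" for net in SCRUBBING_PROVIDER_RANGES]
    return rules + ["deny all;"]
```

Any non-empty result from `find_direct_hits` means the origin is reachable around the filtering service and the allowlist (or an equivalent upstream firewall rule) is missing.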
The unfortunate reality is that many firms aren't even aware they are victims until they receive an e-mail with a ransom note demanding money or information in exchange for putting the site back online. Attackers will also use the botnets that deploy these DDoS attacks to try to hijack online banking sessions and obtain financial account credentials.
A recent DDoS attack on Meetup.com hit headlines when CEO Scott Heiferman refused to pay hackers a $300 ransom to restore the site. As a result, the social site was offline for nearly four days. Heiferman told Reuters he worried paying the ransom would encourage the cyber criminals to demand more money in another round of attacks.
The financial industry has had years of experience with these sorts of attacks, perhaps best highlighted by "Operation Payback," when the hacktivist group Anonymous DDoSed credit card companies after they stopped permitting their cards to be used for donations to WikiLeaks. These headline incidents helped firms rally the resources to protect against this sort of attack.
"I would say the larger financial institutions are in good shape," says Camejo. "Where it gets tricky is the smaller institutions that may not have the kind of resources that Visa or MasterCard or a big bank like Bank of America has. They may not realize this type of attack is out there, they may not realize how powerful these types of attacks are." He adds that there's been a wave of DDoS attacks on credit unions over the last year.
Conversation around the Meetup.com attack revealed more sophisticated techniques by attackers. The attackers were most likely part of some sort of Eastern European criminal element, adds Camejo.
It used to just be that they would send a ton of traffic in somebody's direction and flood the web server, he explains. "But as the anti-DDoS technology has gotten better, they've gotten a bit more sneaky about it. Instead of just blasting it with traffic, now with some of the techniques they'll actually connect to a web server and pretend like they're trying to access the webpage and start downloading data from the webpage, but do it very, very slowly. Thereby forcing the web server to keep that connection open and it makes it harder to detect than the old school method."
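The slow-connection technique Camejo describes is hard to spot by volume, but it leaves a distinct signature per connection: long-lived and almost no data moved. The following is an added example, not code from the article or from NTT Com Security; it runs that check over a constructed snapshot of open server connections and flags clients pinning several server slots at once.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    """One open connection as a server status page or socket table reports it."""
    client_ip: str
    seconds_open: float
    bytes_sent: int  # bytes the server has delivered to the client so far


# Constructed sample snapshot of open connections (not captured from a real server).
SAMPLE_CONNECTIONS = [
    Connection("192.0.2.10", 2.1, 48000),       # normal, fast page download
    Connection("192.0.2.11", 0.4, 5120),        # normal page load
    Connection("198.51.100.7", 310.0, 900),     # held open, reading a trickle
    Connection("198.51.100.7", 298.0, 850),
    Connection("198.51.100.7", 305.0, 910),
    Connection("198.51.100.7", 290.0, 800),
    Connection("192.0.2.12", 45.0, 3000000),    # slow but legitimate large file
]


def is_slow_drain(conn, min_seconds=60.0, max_bytes_per_sec=50.0):
    """True when a connection has been open a long time yet moved almost no
    data: it looks like a client fetching a page, but exists only to keep a
    server slot occupied. Thresholds are assumptions to tune per site."""
    if conn.seconds_open < min_seconds:
        return False  # too young to judge; normal requests finish quickly
    return conn.bytes_sent / conn.seconds_open < max_bytes_per_sec


def slow_drain_offenders(conns, per_client_threshold=3, **thresholds):
    """Return {client_ip: count} for clients holding at least
    per_client_threshold slow-drain connections simultaneously. A single
    slow client may be a bad link; many at once from one address is the
    pattern worth rate-limiting or dropping."""
    counts = {}
    for c in conns:
        if is_slow_drain(c, **thresholds):
            counts[c.client_ip] = counts.get(c.client_ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= per_client_threshold}
```

Tightening the server's header, body and send timeouts shortens how long each such connection can occupy a slot, but the per-client count above is what distinguishes the attack from ordinary slow links.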
Distribute the Risk
One of the biggest issues around security is that nobody really thinks about risk, he adds. There's a tendency to treat everything as valuable and worthy of protection, but the cost of protecting all data can be overwhelming, which too often causes firms to throw up their hands and do nothing, or too little.
Camejo is a proponent of separating the components of a website and hosting them on different infrastructures, each protected according to its value to the business. It would be a shame to see a landing page DDoSed and shut down, for example, but that would not be nearly as detrimental as losing the actual online banking pages people access daily or hourly to transfer funds, pay bills, and check balances. And if the landing page is breached, there is less concern that attackers could use the same channels to access customer accounts.
"Decide where downtime is more terrible, and invest in the security of that application," he suggests. "Put it on a separate infrastructure. But in order to make those sorts of decisions you would have to sit down as an organization, sit down and think about which systems are actually worth money to us, which systems are going to cost us lots of money if they go down, which systems are we willing to let go down for how long. Make all those decisions in advance, because when it's in the middle of an attack and sites are down and ransom demands are coming in via email, that's not the time to be making those sorts of decisions."