Bank Attacks: What Next?DDoS Incidents Pose Serious Threat to All Sectors
We've never seen a week quite like this past one.
See Also: How to Defend Your Attack Surface
It began on Oct. 8 with the group calling itself Izz ad-Din al-Qassam declaring on Pastebin that it intended to continue its recent string of distributed denial of service attacks against prominent U.S. banks. Calling its initiative "Operation Ababil," the hacktivist group promised to attack three banks on consecutive days.
Banks are this month's target, but who's to say that government agencies, public utilities or healthcare entities aren't next?
Capital One was first, suffering significant site outages on Tues., Oct. 9.
SunTrust was Wednesday's victim.
And then on Thursday, like clockwork, Regions Bank was struck.
Three banks, three days - just as promised. And those attacks came in the wake of hits against five other banks in September.
What's next? Well, the alleged attackers say they're taking the weekend off to plan next week's attacks.
And do we have any reason to believe that any targeted institution will be better prepared next week to ward off the attacks than those who were hit in earlier waves?
Not Just FUD
There are some observers who say DDoS attacks are nothing new. These incidents occur constantly, and to publicize them now is to spread the proverbial FUD - fear, uncertainty and doubt.
But think about it: When some of the largest financial institutions in the nation can be forced into an online outage - when customers cannot access their accounts for hours at a time - that's a legitimate threat to an element of our critical infrastructure, and it's frightening.
Plus, when we know these attacks are coming, yet we still can't adequately repel them ... don't you feel a bit of uncertainty creeping in?
There's plenty to discuss here, no doubt.
Questions and Insight
We've closely monitored these incidents since day one, nearly a month ago. Assessing the scale and impact of these attacks, several questions arise:
- Why are these DDoS attacks so effective? The reason: Because we've never seen such traffic, according to security experts. A typical DDoS attack would see incoming traffic equivalent to maybe 1 or 2 gigabytes per second, says Mike Smith of Akamai Technologies. These latest attacks have been measured at 65 gbps.
- Are the DDoS attacks a front for other crimes? Often a DDoS attack is like a gang of shoplifters making a commotion at the front of a store. While everyone is distracted, the bad guys sneak away with the goods. Could that be happening now? Gartner's Avivah Litan says she hears anecdotal accounts of fraud slipping through banks' overloaded call centers while the online channels are under attack. Account takeover is a legitimate concern.
- Who's next? This might be the scariest question of all. Banks are this month's target, but who's to say that government agencies, public utilities or healthcare entities aren't next? It's time to accept that any organization can be a target - and make sure we're prepared to respond.
I don't pretend to have all the answers, but the team at Information Security Media Group continues to ask good questions. Tracy Kitten, managing editor of BankInfoSecurity, covers this developing story on a daily basis. In addition to her ongoing news accounts, we've produced a series of enlightening interviews, including:
- Bill Wansley of Booz Allen Hamilton, discussing nation states and the threats they pose to U.S. banks.
- Gregory Nowak of the Information Security Forum on how to use these incidents as an opportunity to educate customers about security.
- Attorney Ronald Raether on how best to plan for and publicly respond to security incident such as a DDoS attack.
Who knows what next week will bring? We could see additional attacks, or we may continue to dissect the ones we've already experienced.
Either way, please know that we will continue to raise questions and seek answers. The goal: not just to give this threat the attention it deserves, but to help you find the security solutions you need.