The recent distributed denial of service (DDoS) attacks against Bank of America, Chase, PNC and U.S. Bancorp, recently attributed to Iran by unnamed U.S. government officials, should come as no surprise to the financial services industry or the IT security organizations that support their online services.
The outbreak of hacktivism over the last two years has shown that attacks on banks, governments and other institutions can be motivated by causes, not only by financial gains. With the nation of Iran itself claiming itself to be a "victim" of both the allegedly state-sponsored Stuxnet computer virus and international economic sanctions, it is perhaps unsurprising that they could turn to state-sponsored attacks themselves.
Kudos to the technical talent at BofA and Chase for withstanding these attacks, but industry stakeholders of all sizes must brace for more. As if financially motivated criminals and attention seeking hacktivists were not enough of a problem, it appears that banks can now add nation-states to the list of IT security threats for which they must prepare. After all, if the goal is to deal a severe blow to a struggling U.S. economy, what better way than to attack financial services? Such attacks can be launched remotely and at relatively low costs with a potential impact that is very high. The FBI team alert, for example, cited a $200 crimeware program capable of using a botnet to mount a DDoS attack. And, unlike financially motivated crime, there is no money trail to follow, as the attackers are not seeking to gain control of any assets.
Like the financially motivated cybercriminals that preceded them, it is not hard to imagine nation-states may also quickly find mid-tier to smaller institutions (and their bank service technology providers) are a softer target. The preparation for and response to these potentially catastrophic threats by financial institutions of all sizes must be clear and dramatic, and must start in the executive ranks in board rooms.
In the face of these threats, the first step must be to reassess your organization's structure and communication channels to ensure that IT security concerns get the voice and visibility they deserve at the highest management levels. There is a responsibility on IT security to categorize and present the threats clearly and concisely to provide senior executives with actionable information.
The second step must be to identify and prioritize action items to preempt these threats, and be prepared with an action plan should the institution come under attack. Appropriate management attention and budget should be allocated to ensure the most effective countermeasures are identified and implemented. ROI for such expenditures can be calculated as the cost to the bank if an actual attack is successful times the probability that an attack might occur. The cost number will be large, and the probability is clearly rising.
Finally, executives need to show commitment to and personally lead efforts to educate all levels of the organization regarding potential IT security threats and the best practices to thwart them.
Hackers still rely on trickery using phishing, social engineering, phony text messages and similar techniques to install the Trojans, keyboard loggers and other tools they use to capture employee login credentials or even hijack their online sessions.
Senior executives need to understand how these attacks are taking place, the threat they represent to the business and how employees can help prevent them. Internal champions should lead efforts to both improve security and educate employees at all levels on how they can help. Relying solely on a fortress mentality that trusts in firewalls, antivirus and other countermeasure technologies has been shown, time and again, to be insufficient.
While technology is clearly part of the equation, education at all levels of the organization is equally important. The supplemental guidance from the Federal Financial Institutions Examination Council published just last year reiterated that employee and customer education is one of the top priorities for online security. In the travel industry, the "See something, say something" campaign has been a valuable driver of awareness. Something similar might work for internal operations at financial services institutions.
The battle against sophisticated criminals has been one of constant escalation since the days of strong boxes and floor safes. Each new countermeasure has been met with a new form of attack.
Bank robberies, however, are typically something you can see. Now the attacks can come from anywhere in the world invisibly through wires and through extremely complicated IT infrastructures at the speed of light. Meeting this new hard-to-understand challenge will require bank leaders to accept the fact that it may no longer be about ‘just' stealing money. The ultimate target may be bigger than dollars and cents.
Peter Tapling is CEO of Authentify, a global leader in telephone-based out-of-band (OOB) two-factor authentication.