The types of distributed denial of service attacks launched recently against banks including Bank of America, JPMorgan Chase, Wells Fargo and U.S. Bancorp are hard, but not impossible, to thwart, experts say.
One challenge is that since the attacks are not coming from known malicious sources, the traditional line of defense - keeping a blacklist of cybercriminals, chains and groups that can be prevented from accessing a Web server - doesn't work.
Attackers can also spoof IP addresses, so the identity of the incoming user is easily muddled. "These reports are coming out of Iran, but there are plenty of countries, people and competitors that want to diminish the effectiveness of websites for banks and companies everywhere," says Marty Meyer, chief executive of Corero Network Security in Hudson, Mass. "To me, this is a cyberwar and people have to be prepared to protect themselves against it."
In a distributed denial of service attack, a Web server is flooded with so many requests from multiple sources that its performance is slowed and sometimes stopped altogether. This does not necessarily lead to theft or even access to any sensitive information, but it is extremely inconvenient for banks and their online banking customers. "All the banks now are scrambling to figure out what to do," Meyer says. "I think these hacktivists want to create doubt in the American consumer in their financial institutions, and create instability that way."
But Meyer and others say this is a war banks can win. "It requires a layered approach, but it's totally preventable," Meyer says. "A lot of the articles out there have people throwing up their hands saying 'What can we do?' which is really scary if you're a consumer and your money's in the bank. There are really good technologies out there." Here are some examples.
1. Do all you can to receive early warnings. "Cyberhacktivists that do denial of service attacks often will advertise what they're going to do," notes Jon Ramsey, chief technology officer at Dell SecureWorks. For example, in the recent round of DDOS attacks against large U.S. banks, the Cyber Fighters of Izz ad-din Al Qassam announced their intentions beforehand on Pastebin.
"If you know where to look, you can get some indication and warning," Ramsey says. "In some cases you can even get the attack pool they're going to use so that you can be prepared, muster the troops and get everybody ready. Depending on the kind of DDOS attack, you need to have a game plan around how do I best mitigate it? Do I use content distribution networks? Do I use an anti-DDOS cleaning service? Do I degrade the capability of my website so it doesn't do much damage if it's a DOS attack? There are a lot of things a company can do to prepare."
FS-ISAC is acting as a clearing house for security threat information for financial institutions. Banks send the organization information about security incidents and the group anonymizes that information and sends it back out in the form of reports and alerts to all its members.
Many companies offer security intelligence services that similarly alert banks to potential security threats. Dell SecureWorks has a counterthreat unit made up of white-hat hackers that delivers a quarterly trend analysis report and an hourly XML feed that can be ingested by a company's security controls. Verizon Business and Wolters Kluwer are among other companies that offer security and threat investigation services to banks.
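As an added illustration (not code from the article, and not the format of any vendor's or FS-ISAC's actual feed), the following Python shows what "ingesting" an indicator feed into a control looks like, and why the article's earlier point about blacklists holds: indicators from the feed catch the few sources already known to be hostile, while the bulk of a distributed flood arrives from addresses on no list, so a volume check over a time window is needed alongside it. The XML schema, the indicator values and the access-log lines are all constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed indicator feed in a hypothetical schema (not any vendor's real format).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<indicators generated="2012-10-01T12:00:00Z">
  <indicator type="ipv4" confidence="high">198.51.100.7</indicator>
  <indicator type="ipv4" confidence="high">198.51.100.8</indicator>
  <indicator type="cidr" confidence="medium">203.0.113.0/24</indicator>
  <indicator type="domain" confidence="low">example.invalid</indicator>
</indicators>
"""

# Constructed access-log lines: "<epoch-second> <source-ip> <request>".
# Two requests come from feed-listed sources; nine come from unlisted ones.
SAMPLE_LOG = """\
1349092800 198.51.100.7 GET /login
1349092800 203.0.113.9 GET /login
1349092800 192.0.2.1 GET /login
1349092800 192.0.2.2 GET /login
1349092800 192.0.2.3 GET /login
1349092800 192.0.2.4 GET /login
1349092801 192.0.2.5 GET /login
1349092801 192.0.2.6 GET /login
1349092801 192.0.2.7 GET /login
1349092801 192.0.2.8 GET /login
1349092802 192.0.2.9 GET /account
""".splitlines()


def parse_feed(xml_text):
    """Return the IPv4 host and CIDR indicators from the feed as ip_network objects.

    Indicator types a network control cannot act on (e.g. domains) are skipped,
    and a malformed entry is ignored rather than aborting the whole feed load.
    """
    networks = []
    root = ET.fromstring(xml_text)
    for node in root.iter("indicator"):
        if node.get("type") not in ("ipv4", "cidr"):
            continue
        try:
            networks.append(ipaddress.ip_network((node.text or "").strip(), strict=False))
        except ValueError:
            continue
    return networks


def is_listed(ip_text, networks):
    """True if the address falls inside any indicator loaded from the feed."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in networks)


def analyze(log_lines, networks, window_seconds=1, flood_threshold=5):
    """Split traffic into feed-listed and unlisted sources and flag request floods.

    Returns per-source request counts for listed and unlisted sources, plus the
    start times of windows whose total request count exceeded the threshold,
    regardless of whether the sources appeared on any list.
    """
    listed = Counter()
    unlisted = Counter()
    per_window = Counter()
    for line in log_lines:
        ts, src, _request = line.split(" ", 2)
        (listed if is_listed(src, networks) else unlisted)[src] += 1
        per_window[int(ts) // window_seconds] += 1
    flooded = sorted(w * window_seconds for w, n in per_window.items() if n > flood_threshold)
    return {"listed": listed, "unlisted": unlisted, "flooded_windows": flooded}


if __name__ == "__main__":
    nets = parse_feed(SAMPLE_FEED)
    result = analyze(SAMPLE_LOG, nets)
    print("feed indicators loaded:", len(nets))
    print("requests from listed sources:", sum(result["listed"].values()))
    print("requests from unlisted sources:", sum(result["unlisted"].values()))
    print("flooded windows:", result["flooded_windows"])
```

Run as a script, it reports 3 usable indicators, 2 requests from listed sources against 9 from unlisted ones, and one flooded window. The split is the point: the feed-driven list alone would have dropped under a fifth of the flood, while the window counter flags the surge without needing to know who the sources are.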