Fans of the TV show Homeland know about the diversion tactic of a highly visible, yet preventable terrorist attack that draws attention away from the bad guy's real goal of inflicting harder-to-detect, broader harm.
In the TV show, a U.S. Marine sniper who's been recruited by Middle Eastern terrorists shoots several people in the Vice President's entourage as they are about to enter CIA headquarters. The VP and top members of the National Security Council barely escape and are quickly taken to a safe room as televised chaos rages outside. Problem is, the real terror awaits inside - another double agent, a U.S. Marine who's been "turned," is waiting to blow up the room containing the VP and his staff. Since this is TV, the second double agent's undetected suicide bomb malfunctions.
What does this have to do with bank security? A group of bankers, analysts and tech professionals that we spoke with in the wake of the politically motivated denial of service web attacks on U.S. banks this fall all fear a cybercrime equivalent of the terror scenario described above. They think the substantial denial of service attacks aimed at the largest banks are a prelude to a longer-term series of smaller malware intrusions and insider attacks against banks of all sizes - actions that are much harder to detect and stop, but capable of doing harm in the form of ID theft, data breaches and network disruptions. While it's too early to know if such a second wave is truly underway, the fear is giving ammo to providers of layered authentication, cloud-based continuity and network monitoring, who smell a spike in security spending as banks prepare to fight more sophisticated denial of service attacks as well as a related or unrelated wave of follow-up attacks.
"The attackers make a loud noise and say 'look over to the left,' and the industry allocates a lot of resources to stopping that kind of very loud and large attack in the future. And that focus on the immediate or obvious threat can weaken resources in other areas," says Jason Malo, a research director at CEB TowerGroup. "The smaller attacks are designed to hide in the network or a piece of code or an application. They don't reveal themselves easily."
So far, the denial of service attacks fit the "loud noise" part of the scenario perfectly. During late September and early October, it was hard to look anywhere in the news without seeing some report connected to a film called "The Innocence of Muslims," which reportedly lampooned Mohammed. There's no evidence that any banks were even remotely connected to the film, but denial of service attacks nonetheless were launched against more than a half dozen banks, including Bank of America, U.S. Bancorp, SunTrust, Capital One, Regions Financial, PNC and Wells Fargo. These attacks, in which an organized group floods a website with requests to overwhelm its bandwidth, cause website activity to slow down or shut down for a time. A group called the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility.
The attacks drew the attention of Defense Secretary Leon Panetta, who asked Congress to give the government power to protect major facilities from cyberterrorism and suggested President Obama may order sharing of data among industry and government to mitigate web attacks.
But closer to the bank IT community, the concern is that these larger attacks will lead to smaller attacks as smaller crooks affiliated with the hacktivists or more traditional thieves look to take advantage of the diversion. As such, preventative measures for both larger and smaller attacks are being recommended.
As an example, Malo mentioned Sony, which in 2011 told Congress that it didn't notice security breaches that compromised user accounts on its PlayStation Network, Qriocity and Sony Online Entertainment because it was distracted by distributed denial of service attacks. In the Sony case, crooks exploited a system vulnerability to gain access to its network and escalate privileges inside servers while Sony's security team was focused on combating the DDoS attacks.
"You have to consider when something like this happens, the first thing you do is make sure [the big attack] is not masking some other types of behaviors," says Curtis Anderson, an information security analyst at TCF Bank.
Anderson would not discuss his bank's hacking prevention strategy in specifics, but says there are emerging, hosted web security systems that monitor web traffic for suspicious spikes in activity and other red flags, and divert unusual activity or access outside of the bank's network for investigation.
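The monitoring Anderson describes, flagging traffic spikes while still watching for quieter red flags, can be sketched in code. The following Python script is an added illustration, not code from the article, from TCF Bank or from any vendor it mentions. It assumes a simplified five-field access-log format and constructs its own sample traffic: a minute of normal use, then a 30-second flood that hides a small burst of failed logins followed by a successful login and an administrative export. The spike detector compares each 10-second window against the median window; the quiet-anomaly detector runs independently of volume, and the triage step escalates any quiet finding that falls inside a flood window, because that is exactly the event the noise would otherwise bury.

```python
"""Constructed illustration: triaging web access logs during a volumetric flood.

The flood is the loud signal. The checks below keep looking, inside the flood
windows, for low-volume, high-value events that the noise may be masking.
The log format and every traffic line are constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed log timestamp format (UTC)


def parse_line(line):
    """Parse one constructed record: '<ISO-8601 UTC> <ip> <method> <path> <status>'."""
    ts, ip, method, path, status = line.split()
    when = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
    return {"t": int(when.timestamp()), "ip": ip, "method": method,
            "path": path, "status": int(status)}


def build_sample_log():
    """Constructed traffic: 60 s of normal use, then a 30 s flood hiding one quiet intrusion."""
    base = int(datetime(2012, 10, 1, 12, 0, tzinfo=timezone.utc).timestamp())

    def rec(t, ip, method, path, status):
        stamp = datetime.fromtimestamp(t, timezone.utc).strftime(TS_FMT)
        return f"{stamp} {ip} {method} {path} {status}"

    lines = []
    # Normal: three customer addresses, one request per second each.
    for t in range(base, base + 60):
        for i in range(3):
            lines.append(rec(t, f"198.51.100.{10 + i}", "GET", "/accounts", 200))
    # Flood: 40 addresses hit the front page every second; the site answers 503.
    for t in range(base + 60, base + 90):
        for i in range(40):
            lines.append(rec(t, f"192.0.2.{i}", "GET", "/", 503))
    # Quiet: one address fails login five times, succeeds, then pulls an admin export.
    quiet_ip = "203.0.113.7"
    for k in range(5):
        lines.append(rec(base + 65 + k, quiet_ip, "POST", "/login", 401))
    lines.append(rec(base + 71, quiet_ip, "POST", "/login", 200))
    lines.append(rec(base + 72, quiet_ip, "GET", "/admin/export", 200))
    return lines


def detect_spikes(events, window=10, factor=5):
    """Return start times of windows whose request count exceeds factor x the median window."""
    t0 = min(ev["t"] for ev in events)
    counts = Counter(t0 + ((ev["t"] - t0) // window) * window for ev in events)
    baseline = max(median(counts.values()), 1)  # guard against an all-zero baseline
    return sorted(start for start, n in counts.items() if n > factor * baseline)


def detect_quiet_anomalies(events, fail_threshold=3):
    """Flag repeated login failures followed by success, and any successful /admin access."""
    findings = []
    failures = defaultdict(int)  # consecutive /login 401s per client address
    for ev in sorted(events, key=lambda x: x["t"]):
        if ev["path"] == "/login":
            if ev["status"] == 401:
                failures[ev["ip"]] += 1
            elif ev["status"] == 200:
                if failures[ev["ip"]] >= fail_threshold:
                    findings.append({"ip": ev["ip"], "t": ev["t"],
                                     "reason": f"login success after {failures[ev['ip']]} failures"})
                failures[ev["ip"]] = 0
        if ev["path"].startswith("/admin") and ev["status"] == 200:
            findings.append({"ip": ev["ip"], "t": ev["t"], "reason": "admin path access"})
    return findings


def triage(lines, window=10):
    """Correlate quiet findings with flood windows; those inside a flood go to the top of the queue."""
    events = [parse_line(line) for line in lines]
    spikes = detect_spikes(events, window)
    quiet = detect_quiet_anomalies(events)
    masked = [f for f in quiet if any(s <= f["t"] < s + window for s in spikes)]
    return {"spike_windows": spikes, "quiet": quiet, "masked": masked}


if __name__ == "__main__":
    report = triage(build_sample_log())
    print("flood windows:", len(report["spike_windows"]))
    for f in report["masked"]:
        print("escalate:", f["ip"], f["reason"], "(inside flood window)")
```

On the constructed data the script reports three flood windows and two quiet findings from 203.0.113.7, both of which land inside the flood and are escalated. The design point is that the two detectors never share a threshold: the volumetric check is allowed to fire loudly, but the login and admin-path checks are evaluated on every request regardless of how busy the window is, so a handful of events inside 1,200 flood requests still surfaces.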
Malo suggests that virtualization of core systems, which some banks are starting to incorporate into their business continuity plans by making virtual copies of the servers that run core systems, can be useful in reducing the impact of denial of service attacks.