Fans of the TV show Homeland know about the diversion tactic of a highly visible, yet preventable terrorist attack that draws attention away from the bad guy's real goal of inflicting harder-to-detect, broader harm.
In the TV show, a U.S. Marine sniper who's been recruited by Middle Eastern terrorists shoots several people in the Vice President's entourage as they are about to enter CIA headquarters. The VP and top members of the National Security Council barely escape and are quickly taken to a safe room as televised chaos rages outside. Problem is, the real terror awaits inside - another double agent, a U.S. Marine who's been "turned," is waiting to blow up the room containing the VP and his staff. Since this is TV, the second double agent's undetected suicide bomb malfunctions.
What does this have to do with bank security? A group of bankers, analysts and tech professionals that we spoke with in the wake of the politically motivated denial of service web attacks on U.S. banks this fall all fear a cybercrime equivalent of the terror scenario described above. They think the substantial denial of service attacks aimed at the largest banks are a prelude to a longer-term series of smaller malware intrusions and insider attacks against banks of all sizes - actions that are much harder to detect and stop, but capable of doing harm in the form of ID theft, data breaches and network disruptions. While it's too early to know if such a second wave is truly underway, the fear is giving ammo to providers of layered authentication, cloud-based continuity and network monitoring, who smell a spike in security spending as banks prepare to fight more sophisticated denial of service attacks as well as a related or unrelated wave of follow-up attacks.
"The attackers make a loud noise and say 'look over to the left,' and the industry allocates a lot of resources to stopping that kind of very loud and large attack in the future. And that focus on the immediate or obvious threat can weaken resources in other areas," says Jason Malo, a research director at CEB TowerGroup. "The smaller attacks are designed to hide in the network or a piece of code or an application. They don't reveal themselves easily."
So far, the denial of service attacks fit the "loud noise" part of the scenario perfectly. During late September and early October, it was hard to look anywhere in the news without seeing some report connected to a film called "The Innocence of Muslims," which reportedly lampooned Mohammed. There's no evidence that any banks were even remotely connected to the film, but denial of service attacks nonetheless were launched against more than a half dozen banks, including Bank of America, U.S. Bancorp, SunTrust, Capital One, Regions Financial, PNC and Wells Fargo. These attacks, in which an organized group of attackers sends a website a flood of requests to overwhelm its bandwidth, cause website activity to slow down or shut down for a time. A group called the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility.
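The sentence above describes the mechanism only in outline: a site is slowed or taken down because far more requests arrive than its bandwidth can carry. The simplest network-monitoring check a bank's operations team can run against that pattern is a rate count over its own web-server access logs. The following script is an added example and is not code from the article or from any bank or vendor it mentions; the log lines, the client addresses (documentation ranges), the 10-second window and the threshold of 5 requests are all constructed for illustration, and real deployments would set thresholds from an observed traffic baseline.

```python
"""Rate-based detection of request floods in web-server access logs.

Added example (not from the original article): flags any source that exceeds a
request-count threshold inside a sliding time window, and also reports the
site-wide peak, since a distributed flood spreads requests over many sources.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" style: client IP, timestamp in brackets, quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Constructed sample traffic (documentation-range addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2012:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.7 - - [01/Oct/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 2048
203.0.113.5 - - [01/Oct/2012:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [01/Oct/2012:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [01/Oct/2012:10:00:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [01/Oct/2012:10:00:03 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [01/Oct/2012:10:00:03 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [01/Oct/2012:10:00:04 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [01/Oct/2012:10:00:05 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.9 - - [01/Oct/2012:10:00:30 +0000] "GET /accounts HTTP/1.1" 200 4096
198.51.100.7 - - [01/Oct/2012:10:00:45 +0000] "GET /accounts HTTP/1.1" 200 4096
"""


def parse_line(line):
    """Return (client_ip, timestamp, path) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts_text, _method, path, _status, _size = m.groups()
    ts = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, path


def peak_rates(lines, window_seconds=10):
    """Peak number of requests per client inside any window_seconds interval,
    plus the site-wide peak, computed with a sliding window of timestamps."""
    events = defaultdict(list)
    all_times = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than aborting the whole scan
        ip, ts, _path = parsed
        events[ip].append(ts)
        all_times.append(ts)

    def peak(times):
        window = deque()
        best = 0
        for t in sorted(times):  # logs are not guaranteed to be in time order
            window.append(t)
            # drop timestamps older than the window relative to the newest one
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            best = max(best, len(window))
        return best

    per_client = {ip: peak(ts_list) for ip, ts_list in events.items()}
    return per_client, peak(all_times)


def flood_sources(lines, window_seconds=10, threshold=5):
    """Clients whose peak request count in the window meets or exceeds the threshold."""
    per_client, _site = peak_rates(lines, window_seconds)
    return {ip: n for ip, n in per_client.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_client, site_peak = peak_rates(lines)
    print("site-wide peak requests per 10 s:", site_peak)
    for ip, n in flood_sources(lines).items():
        print(f"flagged {ip}: {n} requests in 10 s")
```

On the constructed sample, one client is flagged with 8 requests in 10 seconds while the other two stay well under the threshold. The site-wide peak is reported separately because the attacks the article describes come from many machines at once: a per-source rule alone will miss a flood in which each source stays just under the threshold, so the aggregate figure compared against a normal-day baseline is the number an operations team should alert on.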
The attacks drew the attention of Defense Secretary Leon Panetta, who asked Congress to give the government power to protect major facilities from cyberterrorism and suggested President Obama may order sharing of data among industry and government to mitigate web attacks.
But closer to the bank IT community, the concern is that these larger attacks will lead to smaller attacks as smaller crooks affiliated with the hacktivists or more traditional thieves look to take advantage of the diversion. As such, preventative measures for both larger and smaller attacks are being recommended.