Where the Latest Security Threats Lie and How to Respond

FARMERS BRANCH, Texas - While often overlooked as possible conduits for distributed denial of service (DDoS) attacks, internet-connected devices such as printers, routers, IP cameras and sensors are considered open doors that cyber criminals freely walk through undetected, until it's too late.


That's just one piece of security advice from several experts who shared with Credit Union Journal a number of steps credit unions can take to better protect themselves.

"Internet-facing resources such as websites and Internet connection(s) are rendered unavailable during a DDoS attack," said Mike Saylor, VP-Information Technology for the Texas Credit Union League. "For companies that rely heavily on a public-facing resource such as e-commerce, payment processing and banking, DDoS can effectively ruin an organization and potentially their business partners, financially."

Over the last year, there have been countless DDoS attacks at financial institutions, including Patelco Credit Union, University (of Texas) FCU, Key Bank, M&T Bancorp and Zions Bank among others. And there are no indications that attacks will lessen in the coming year.

"There are two different sets of attacks going on here. There are the attacks against a group of U.S. banks by the Al Qassam Cyber Fighters (AQCF) that have been going on since September of last year," said Rodney Joffe, SVP and senior technologist of the Sterling, Va.-based Neustar, Inc. "Then there are the opportunistic attacks going on against the smaller regional banks and small institutions. These are almost guaranteed to be launched by criminal gangs to hide and disrupt discovery of thefts from those banks' customers using ZEUS and SpyEye malware. I bet that if you correlate the attacks against these smaller banks with customer thefts, you'll see a one-to-one match. No brainer."


The State of DDoS

Historically, DDoS attacks have been based on simple network/transport layer protocol attacks (i.e., network-based DoS) that exploit protocol design weaknesses. Saylor explained that the goal in network-based DoS is to consume the available bandwidth of a target site, or to "fill up" the connections a specific service is allowed to accept.

Today, DDoS attacks are increasingly characterized as layer 7, or application-based, DoS attacks, which are more difficult to detect and defend against, especially attacks over HTTPS (SSL/TLS encrypted) sessions, which can require fewer attacker resources (i.e., botnets). "Most attacks today are a hybrid of the two types of DoS. Many of these newer attacks use legitimate services available on the target and exploit application design weaknesses like consuming back-end processes by executing multiple queries within a web application," said Saylor.

For those who think it is simply a bandwidth issue, Saylor cautions that these queries, performed autonomously, can render a site unavailable without consuming large amounts of bandwidth. Application-based DoS attacks, he added, can also exploit a weakness in the standard HTTP/HTTPS RFC or in a web service implementation. This makes them difficult to counter, as they do not require a botnet to execute.
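Because an application-layer flood can exhaust back-end capacity while moving very little data, bandwidth graphs alone will not show it. The following added example (not from the article or from any vendor mentioned in it) demonstrates the point by scanning web access logs for clients that hit query-heavy endpoints at a high rate regardless of how few bytes they transfer; the log lines and the list of "expensive" endpoints are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: client, timestamp, request line, status, bytes sent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Endpoints that trigger back-end work (database queries, authentication).
# Assumption for this example; tune to the application being protected.
EXPENSIVE_PREFIXES = ("/search", "/login", "/api/")

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def find_query_floods(lines, window_s=10, max_requests=30):
    """Return {client: (requests, bytes)} for clients exceeding max_requests hits on
    expensive endpoints within any window_s-second window. Bytes are reported only
    to show how little bandwidth such a flood consumes; they are not a criterion."""
    buckets = defaultdict(lambda: [0, 0])  # (client, window) -> [requests, bytes]
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(EXPENSIVE_PREFIXES):
            continue
        window = int(rec["ts"].timestamp()) // window_s
        bucket = buckets[(rec["client"], window)]
        bucket[0] += 1
        bucket[1] += rec["bytes"]
    flagged = {}
    for (client, _), (n, nbytes) in buckets.items():
        if n > max_requests and n > flagged.get(client, (0, 0))[0]:
            flagged[client] = (n, nbytes)  # keep the client's worst window
    return flagged

def build_sample_log():
    """Constructed sample: one client fires 60 search queries in 5 seconds (~30 KB total);
    another downloads three 2 MB images in the same period (~6 MB, but harmless)."""
    lines = [f'203.0.113.5 - - [10/Jan/2013:10:00:{i // 12:02d} -0600] '
             f'"GET /search?q=term{i} HTTP/1.1" 200 512' for i in range(60)]
    lines += [f'198.51.100.7 - - [10/Jan/2013:10:00:0{i} -0600] '
              f'"GET /images/photo{i}.jpg HTTP/1.1" 200 2097152' for i in range(3)]
    return lines
```

Run against real logs, the same check complements bandwidth monitoring: the flagged client moved a fraction of the bytes of the image downloader yet issued twenty times as many back-end queries.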

Joffe, founder and chair of the Conficker Working Group, which is acknowledged as a best-practices model for public/private partnerships in Advanced Persistent Threat (APT) mitigation, said that even with due diligence, all credit unions are open to attack.

"No one is safe from these attacks as has been made evident by the AQCF attacks. The effects can only be mitigated. Use of mitigation services like Site Protect provides some measure of relief, especially in the cases where the attacks are launched to cover thefts," said Joffe. "And the use of our threat analysis services can make a significant impact on identifying when (CU/bank member/customers) are the actual targets, and can help mitigate those losses."


Best Defense and Practices

Saylor, who also serves as the executive director of Richardson, Texas-based Cyber Defense Labs, said credit unions dealing with existing or potential DDoS attacks must employ a multi-layer defense. This includes reducing the external attack surface (i.e., ingress port filtering), configuring internet gateways to restrict protocols that are typically used but not needed (i.e., ICMP, UDP, SNMP), investing in security filtering edge devices such as firewalls, and deploying network performance monitoring technologies.

Equally important is designing the credit union's network infrastructure and services in a more distributed way (i.e., web mirroring, load-balancing), utilizing proxies or content delivery network services, and utilizing cloud-based DoS/DDoS scrubbing (anti-DoS) services, noted Saylor.

Frequently called upon to assist federal authorities with investigating and protecting against cyber-crime and cyber-terrorist activities, Joffe is the co-chair of the FCC's CSRIC Network Security Best Practices sub-committee, and sits on the ICANN Security and Stability Advisory Committee.

When asked how credit unions could best prepare for DDoS attacks moving forward, Joffe responded, "Have a mitigation service in place already, and ready to activate. Utilize a secure DNS provider to ensure that DNS is not compromised, or disrupted. And, have some service in place to provide early warning that an attack is under way. Finally, have a Plan B in place that will allow members to transact business and communicate with the CU other than online."
