Fans of the TV show Homeland know about the diversion tactic of a highly visible, yet preventable terrorist attack that draws attention away from the bad guy's real goal of inflicting harder-to-detect, broader harm.
In the TV show, a U.S. Marine sniper who's been recruited by Middle Eastern terrorists shoots several people in the Vice President's entourage as they are about to enter CIA headquarters. The VP and top members of the National Security Council barely escape and are quickly taken to a safe room as televised chaos rages outside. Problem is, the real terror awaits inside - another double agent, a U.S. Marine who's been "turned," is waiting to blow up the room containing the VP and his staff. Since this is TV, the second double agent's undetected suicide bomb malfunctions.
What does this have to do with bank security? A group of bankers, analysts and tech professionals that we spoke with in the wake of the politically-motivated denial of service web attacks on U.S. banks this fall all fear a cybercrime equivalent of the terror scenario described above. They think the substantial denial of service attacks aimed at the largest banks are a prelude to a longer-term series of smaller malware intrusions and insider attacks against banks of all sizes - actions that are much harder to detect and stop, but capable of doing harm in the form of ID theft, data breaches and network disruptions. While it's too early to know if such a second wave is truly underway, the fear is giving ammo to providers of layered authentication, cloud-based continuity and network monitoring, who smell a spike in security spending as banks prepare to fight more sophisticated denial of service attacks as well as a related or unrelated wave of follow-up attacks.
"The attackers make a loud noise and say 'look over to the left,' and the industry allocates a lot of resources to stopping that kind of very loud and large attack in the future. And that focus on the immediate or obvious threat can weaken resources in other areas," says Jason Malo, a research director at CEB TowerGroup. "The smaller attacks are designed to hide in the network or a piece of code or an application. They don't reveal themselves easily."
So far, the denial of service attacks fit the "loud noise" part of the scenario perfectly. During late September and early October, it was hard to look anywhere in the news without seeing some report connected to a film called "The Innocence of Muslims," which reportedly lampooned Mohammed. There's no evidence that any banks were even remotely connected to the film, but denial of service attacks nonetheless were launched against more than a half dozen banks, including Bank of America, U.S. Bancorp, SunTrust, Capital One, Regions Financial, PNC and Wells Fargo. These attacks, in which a coordinated group floods a website with requests to overwhelm its bandwidth, cause website activity to slow down or shut down for a time. A group called the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility.
The attacks drew the attention of Defense Secretary Leon Panetta, who asked Congress to give the government power to protect major facilities from cyberterrorism and suggested President Obama may order sharing of data among industry and government to mitigate web attacks.
But closer to the bank IT community, the concern is that these larger attacks will lead to smaller attacks as smaller crooks affiliated with the hacktivists or more traditional thieves look to take advantage of the diversion. As such, preventative measures for both larger and smaller attacks are being recommended.
As an example, Malo mentioned Sony, which in 2011 told Congress that it didn't notice security breaches that compromised user accounts on its PlayStation Network, Qriocity and Sony Online Entertainment because it was distracted by distributed denial of service attacks. In the Sony case, crooks exploited a system vulnerability to gain access to its network and escalate privileges inside servers while Sony's security team was focused on combating the DDOS attacks.
"You have to consider when something like this happens, the first thing you do is make sure [the big attack] is not masking some other types of behaviors," says Curtis Anderson, an information security analyst at TCF Bank.
Anderson would not discuss his bank's hacking prevention strategy in specifics, but says there are emerging, hosted web security systems that monitor web traffic for suspicious spikes in activity and other red flags, and divert unusual activity or access outside of the bank's network for investigation.
Malo suggests virtualization of core systems, which some banks are starting to incorporate in their business continuity plans by making virtual copies of servers that run core systems, can be useful in reducing the impact of denial of service attacks.
"There's the possibility of integrating [large volume attack prevention] into a cloud-based disaster recovery plan," Malo says, adding that this would properly size denial of service attack prevention while allowing more resources to be dedicated to mitigating smaller attacks and breaches. He also says that deploying expensive resources to accommodate the bandwidth spike caused by an occasional denial of service attack isn't efficient.
Tech firms that monitor web traffic and identify users were quick to match the DDOS and hacktivist mitigation to their own services. Paul Ginn, a director at network monitoring firm APCON, which offers network monitoring services in a space that also includes firms such as NetQos and Gigamon, says that since the source of the high traffic volume for some of the banking institutions was generated from inside the network, the source of the DDOS attack was probably able to enter the data center undetected. He says one solution to guard against denial of service attacks is to aggregate all of the data that enters and exits a network, and use filtering techniques to help network administrators sort through massive streams of data to isolate suspicious activity.
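The checks Anderson and Ginn describe, confirming that the big attack is not masking other behaviour and filtering aggregated traffic down to the suspicious part, can be illustrated with a small triage pass over web access logs. The following is an added example, not code from the article or from any of the vendors it names; the log format, the request-rate thresholds and the choice of "/admin" as a sensitive path prefix are all assumptions, and the log lines are constructed.

```python
from collections import Counter

# Constructed sample log, one request per line: "<epoch_second> <source_ip> <method> <path> <status>".
SAMPLE_LOG = """\
1001 198.51.100.7 GET / 200
1001 198.51.100.7 GET / 200
1001 198.51.100.7 GET / 200
1001 198.51.100.8 GET / 200
1001 198.51.100.8 GET / 200
1001 203.0.113.9 GET /admin/export 200
1002 198.51.100.7 GET / 200
1002 198.51.100.7 GET / 200
1002 198.51.100.8 GET / 200
1002 198.51.100.8 GET / 200
1002 198.51.100.9 GET / 200
1002 203.0.113.9 POST /admin/users 200
1003 10.0.0.1 GET /account 200
"""

FLOOD_THRESHOLD = 5        # requests/second that we treat as a flood (assumed value)
FLOOD_SOURCE_MIN = 3       # requests during flood seconds that mark a source as "noise" (assumed)
SENSITIVE_PREFIXES = ("/admin",)  # paths worth a look even at low volume (assumed)

def parse_log(text):
    """Turn the constructed log text into (second, ip, method, path, status) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            sec, ip, method, path, status = line.split()
            events.append((int(sec), ip, method, path, int(status)))
    return events

def flood_seconds(events, threshold=FLOOD_THRESHOLD):
    """Seconds whose total request count reaches the flood threshold: the 'loud noise'."""
    per_second = Counter(sec for sec, *_ in events)
    return sorted(s for s, n in per_second.items() if n >= threshold)

def masked_sensitive_requests(events, threshold=FLOOD_THRESHOLD):
    """Low-volume requests to sensitive paths made during flood seconds by sources
    that are not themselves flooding: the quiet behaviour the flood could hide."""
    floods = set(flood_seconds(events, threshold))
    per_ip = Counter(ip for sec, ip, *_ in events if sec in floods)
    noisy = {ip for ip, n in per_ip.items() if n >= FLOOD_SOURCE_MIN}
    return [(sec, ip, path) for sec, ip, _m, path, _s in events
            if sec in floods and path.startswith(SENSITIVE_PREFIXES) and ip not in noisy]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("flood seconds:", flood_seconds(events))
    print("masked sensitive requests:", masked_sensitive_requests(events))
```

On the constructed log, the two flood seconds come entirely from the noisy sources, while the single quiet source's two admin-path requests inside those seconds are what the second pass surfaces.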
For the more targeted attacks, the trend toward using two-factor authentication to protect against fraud will likely gain more traction among banks. For the smaller malware attacks, Mark Kay, CEO and chairman of mobile security firm StrikeForce Technologies, who also worked as a CIO at JPMorgan Chase for 20 years, says dual authentication and encrypting keystrokes to protect online activity from malware that's already been installed on a computer are two ways to mitigate external attacks on specific workstations, coordinated attacks on a number of devices, or internal attacks. He also says the pressure is coming from more than just politically motivated hackers, and includes more traditional regulatory bodies. "The FFIEC and HIPAA [healthcare regs] are all moving toward greater authentication requirements. Tokens are not as secure as out of band authentication," says Kay, adding his firm has closed a deal to protect a major student loan originator and a Wall Street firm. Other firms in the authentication space include Microsoft, which recently acquired PhoneFactor, and Authentify.
The web attacks on large banks that followed a controversial film may be a preview of more targeted assaults to come.