Reducing threats to availability in the banking sector
A spate of high-profile cyber-attacks against US financial institutions between September 2012 and May 2013, the recent attacks on a well-known bank in the Netherlands and the ever-present risk that similar attacks will target UK banks have focused concern within the financial sector on one cyber-threat in particular: the distributed denial of service (DDoS) attack.
The financial services sector’s growing dependence on internet-accessible clearing and transaction-processing infrastructure means that a successful DDoS attack can have far-reaching consequences: customer dissatisfaction and loss of trust, brand damage, increased operating costs and lost revenue, to name just a few, writes Darren Anstee, solutions architect global team manager, Arbor Networks.
All networks and services have a finite amount of resource assigned to them. A DDoS attack simply consumes all, or the vast majority, of the available resource with attack traffic, so that genuine users cannot be served. The ‘distributed’ attacks seen today normally come from botnets (networks of compromised computers on the Internet), which allow attackers to generate significant volumes of traffic. Attacks can be executed at multiple levels, targeting everything from an organisation’s provisioned Internet connectivity (volumetric floods that fill the link) through to the content on its web-sites (application-layer requests that exhaust servers while using little bandwidth).
The recent attacks on the US financial sector from the Izz ad-Din al-Qassam Cyber Fighters illustrated the above. This ideologically-motivated, well-resourced, multi-vector attack campaign lasted eight months, targeting a wide variety of organisations from major financial institutions through to smaller credit unions within the USA. Yet the USA is not the only country facing this type of threat.
Earlier this month, reporting on meetings with the UK’s top five banks, the director of financial stability at the Bank of England admitted that cyber-attacks are a top risk for UK banks and told parliament’s Treasury Select Committee that the UK’s banks must do more to protect themselves.
This call to action should not go unheeded. The motivations behind today’s attacks range from ideological hacktivism and vandalism through to fraud and data theft, which makes risk hard to assess, especially as an ideologically motivated attack can find almost any justification. Launching an attack is surprisingly easy, with paid DDoS attack ‘services’ available for hire, but mitigating the effects of an attack without preparation can be difficult.
From the perspective of regulators around the world, banks must maintain adequate confidentiality, integrity and availability of their services. This means deploying effective defences against cyber-threats, such as DDoS, is now essential. In fact governments around the world are beginning to acknowledge DDoS as a real availability threat to online banking, transaction processing and government services. They are starting to put in place regulations to codify best practices and minimum standards. One good example comes from the Monetary Authority of Singapore, which has a “4×4” rule: a bank must rectify an outage of online services in less than four hours, no matter what the reason. Additionally, the bank can have no more than four outages in one year. Failure results in very heavy fines.
Regulatory bodies and governments are not the only ones applying pressure in this regard. From the end customers’ perspective service outages are a serious issue whether they are caused by a DDoS attack or some other factor. Customers depend on banks’ services being available at any time, and failures can rapidly erode the confidence a customer has in their banking provider. Financial services and banking organisations dedicate significant resources to their disaster recovery and service resiliency planning to counter this, but if cyber threats such as DDoS are not included in this process then appropriate defences may not be in place.
Security is best described using the InfoSec triangle, better known as the CIA triad, which illustrates the three pillars of security: confidentiality, integrity and availability. All three are equally important, and DDoS is first and foremost an attack on the third.
Defending service availability is not only about deploying services and solutions to deal with attacks, though. Organisations can reduce the risk that an attack will be successful by minimising their attack surface. Network infrastructure can be used to control the traffic reaching firewalls and application servers, so that only traffic that needs to be there gets through. Web properties should be designed so that large files and images are only accessible after authentication or registration, so that they cannot be cheaply downloaded over and over to burn bandwidth and server capacity. Visibility solutions should also be in place so that organisations can monitor the traffic into and out of their data-centres. These solutions, and the infrastructure that feeds them, should gather data and be reachable out-of-band, so that security teams can still see and manage the situation even while the in-band path is saturated by an attack.
Organisations must also define and exercise incident handling processes, and should ensure that they have easy access to the support teams of their Internet and security service providers, so that help can be sought when needed. Relationships with CERT organisations and industry research teams can also be advantageous: forewarned is forearmed.
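Two of the points above, per-source visibility into who is hitting a web property and the cost of leaving large files open to unauthenticated download, can be checked directly against web-server logs. The following is an added example written for this page, not code from the article or from Arbor Networks. It parses a handful of constructed access-log lines (Combined Log Format plus a trailing `auth=yes|no` field, which is an assumption about what the server records), flags sources whose request rate in a short window exceeds a threshold, and lists large responses served to clients that had not authenticated. The window size, rate threshold and 1 MB "large" cut-off are illustrative assumptions.

```python
"""Added example (not from the article): per-source rate and large-unauthenticated-
download checks over constructed web-server access log lines."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log. The trailing auth=yes|no field is an assumption about the
# server's log format; 198.51.100.7 plays a client repeatedly pulling a 9 MB PDF
# without logging in, the other two addresses are ordinary visitors.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2013:09:00:01 +0000] "GET /login HTTP/1.1" 200 1324 "-" "Mozilla/5.0" auth=no
203.0.113.5 - - [10/Jun/2013:09:00:03 +0000] "GET /statements/2013-05.pdf HTTP/1.1" 200 2457600 "-" "Mozilla/5.0" auth=yes
192.0.2.9 - - [10/Jun/2013:09:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" auth=no
198.51.100.7 - - [10/Jun/2013:09:00:02 +0000] "GET /brochures/annual-report.pdf HTTP/1.1" 200 9437184 "-" "curl/7.29" auth=no
198.51.100.7 - - [10/Jun/2013:09:00:02 +0000] "GET /brochures/annual-report.pdf HTTP/1.1" 200 9437184 "-" "curl/7.29" auth=no
198.51.100.7 - - [10/Jun/2013:09:00:03 +0000] "GET /brochures/annual-report.pdf HTTP/1.1" 200 9437184 "-" "curl/7.29" auth=no
198.51.100.7 - - [10/Jun/2013:09:00:03 +0000] "GET /brochures/annual-report.pdf HTTP/1.1" 200 9437184 "-" "curl/7.29" auth=no
198.51.100.7 - - [10/Jun/2013:09:00:04 +0000] "GET /brochures/annual-report.pdf HTTP/1.1" 200 9437184 "-" "curl/7.29" auth=no
198.51.100.7 - - [10/Jun/2013:09:00:04 +0000] "GET /brochures/annual-report.pdf HTTP/1.1" 200 9437184 "-" "curl/7.29" auth=no
this line is deliberately malformed and must not crash the analyser
"""

# Combined Log Format with the assumed auth=... suffix.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"[^"]*" "[^"]*" auth=(?P<auth>yes|no)$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["auth"] = rec["auth"] == "yes"
    return rec


def analyse(log_text, window_s=10, rate_threshold=5, large_bytes=1_000_000):
    """Flag sources exceeding rate_threshold requests in any window_s-second bucket,
    and list large responses (>= large_bytes) served to unauthenticated clients."""
    per_bucket = Counter()      # (ip, time bucket) -> request count
    unauth_large = []           # (ip, path, bytes) for large unauthenticated responses
    malformed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            malformed += 1      # keep going; a real pipeline would alert on a spike here
            continue
        bucket = int(rec["ts"].timestamp()) // window_s
        per_bucket[(rec["ip"], bucket)] += 1
        if not rec["auth"] and rec["bytes"] >= large_bytes:
            unauth_large.append((rec["ip"], rec["path"], rec["bytes"]))
    rate_offenders = sorted({ip for (ip, _), n in per_bucket.items() if n > rate_threshold})
    return {"rate_offenders": rate_offenders, "unauth_large": unauth_large, "malformed": malformed}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("sources over rate threshold:", result["rate_offenders"])
    for ip, path, size in result["unauth_large"]:
        print(f"unauthenticated large download: {ip} {path} {size} bytes")
    print("malformed lines skipped:", result["malformed"])
```

On the sample data only 198.51.100.7 trips the rate check, and every large unauthenticated download is its repeated fetch of the 9 MB brochure; the authenticated 2.4 MB statement download by 203.0.113.5 is not reported, which is the point of putting large assets behind a login. The same two checks translate directly into a rate limit at the edge and an access rule on the static-content path.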
Planning and preparation are key to ensuring continued service availability, and cyber-threats such as DDoS should be considered as a part of business continuity risk planning. If appropriate services, solutions and processes are deployed then the significant impact associated with a successful cyber-attack can be avoided.