In the wake of a year of attacks waged against banking institutions by Izz ad-Din al-Qassam Cyber Fighters, the FS-ISAC’s Bill Nelson and the ABA’s Doug Johnson say the need to regularly update DDoS preparedness is a critical lesson learned.
As the one-year anniversary of the start of the hacktivists’ distributed-denial-of-service attacks against U.S. banks approaches, banks need to avoid complacency and leverage new mitigation tools to ensure protection against any DDoS attack from any group, the two experts say.
By taking advantage of cyber-intelligence and DDoS mitigation toolkits provided by the Financial Services Information Sharing and Analysis Center and others, banking institutions of all sizes can help prevent online outages and minimize risk for fraud, says Nelson, who heads the FS-ISAC in the U.S.
FS-ISAC’s DDoS toolkit, which has been updated three times in the last year, is available to all institutions, not just FS-ISAC members. “We’ve worked to get this out to associations and third-party banking service providers, which really have a very important role as far as DDoS,” Nelson says in an interview with Information Security Media Group. “The Web hosting environment can impact numerous institutions.”
A DDoS preparedness plan should address hardware security risks, ensure sufficient bandwidth and outline collaboration with third-party service providers, Nelson says.
“Setting up in advance, not just waiting to see your name on a Pastebin post, is critical,” he says.
Johnson, who oversees risk management for the American Bankers Association, says institutions have to band together to ensure they have the right plans in place.
“It does take that village to ensure the institutions are asking the right questions,” he says. “The threat environment is substantially different than it was before these attacks.”
On Sept. 18, 2012, Izz ad-Din al-Qassam Cyber Fighters announced the launch of its first wave of attacks against U.S. institutions to protest a movie trailer deemed offensive to Muslims.
These attacks have forever changed the way the online world approaches DDoS, Nelson says.
“When we realized this DDoS attack was different … we realized quickly that we needed to stand up and create an incident response team,” he says. “The reaction was really effective, and it proved how effective information sharing could be.”
But Johnson says one lesson the industry has learned over the last year is that DDoS is not just about hacktivism, and banking institutions need to be concerned about attacks from any number of players.
“It’s about the broad number of DDoS attacks that the industry is suffering [attacks] from a variety of parties,” he says.
For community banks, the greatest concern is not online disruption, but the threat of DDoS attacks being waged to mask fraud, Johnson says.