Yesterday, CNN called it the biggest cyber-attack in history. And chances are, your bank’s website has been affected. In fact, since Sept. 19, coordinated Denial of Service (DoS) attacks have shut down the websites of Bank of America and JPMorgan Chase, while Wells Fargo, U.S. Bank and PNC Bank were crippled just this week.
Rest easy, your financial information is safe. These DoS attacks are designed to cripple the websites themselves — criminal hackers use their multitude of computers and malware to flood the targeted site with massive amounts of traffic until it is overwhelmed and thus shut down. The resulting downtime is damaging in countless ways.
The Islamist group Izz ad-Din al-Qassam Cyber Fighters, a military wing of Hamas, publicly claimed responsibility for the attacks in what it called "Operation Ababil." The group has launched attacks in the past, albeit far less coordinated than the recent batch; however, the group also claims the attacks will continue until the controversial film “Innocence of Muslims” is completely erased from the Internet.
For most of us, these attacks are merely an inconvenience. For those tasked with protecting these banking websites and related critical financial data, it is obviously a total nightmare. "The volume of traffic sent to these sites is frankly unprecedented," Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that has been investigating the attacks, told CNN. "It's 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack."
According to cyber-security expert Darnell Washington, CISSP and President and CEO of SecurExperts, there are many commercially available, subscription-based security services for banks to help prevent DoS attacks. An example is Prolexic, which offers a managed service that monitors bank infrastructures (as well as others) for attacks. They have the ability to redirect and deflect malicious traffic using a “scrubbing” server, which enables normal traffic to flow while dropping the attack traffic.
Another emerging mitigation technique is called “first packet authentication” from Blackridge Technology, which prevents any user device without a security token from sending traffic to a banking system (or other network). The system will “bounce back” any attack by not allowing unauthenticated users to send any traffic (good or bad) to a website.
Adds Kevin Beaver, frequent contributor to SecurityInfoWatch.com and regular columnist for Security Technology Executive magazine: “Another good way to prevent certain types of DoS attacks is to ensure your network does not have any low-hanging fruit that can be exploited by people with ill intentions. This means, hardening, patching, and by all means, testing for security flaws on a periodic and consistent basis.”
Those are certainly lessons that any security manager with a website to protect can take from these incidents. But beyond the nuts-and-bolts of dealing with a coordinated cyber attack, the bank attacks have far-reaching consequences. No bullets have been fired, but rest assured, this is truly a terrorist strike at the United States.
Sen. Joe Lieberman of Connecticut said in a C-SPAN interview this week that he believed the attacks were launched by Iran: "I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions," he said.
No matter who is behind the attacks, if a terror group can so easily crash a major banking website, what’s next? Government systems like air traffic control? Or, critical infrastructure targets such as power grids? The prospects are mind-numbing, and frankly, scary.
Are we ready for them?