Bank Attacks: 7 Steps to RespondBITS Offers Plan to Protect Systems, Inform Customers
After the latest distributed denial of service attacks against 10 U.S. banks, financial institutions need to expect more incidents and review their preparations to deal with them. That's the advice from BITS, the technology division of the Financial Services Roundtable.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
In an Oct. 19 statement titled Cyber Attacks: Strategies for Response, BITS offers a seven-point response plan that includes assessing security controls and communicating with customers. Specific steps include:
- Review the software patch status of the network, and manage network bandwidth to minimize non-DDoS-attack related issues. Also, review ongoing strategies for patching IT systems;
- Coordinate with ISPs and other service providers to implement traffic controls such as scrubbing, rate-limiting and source-blocking;
- Ensure post-attack communications strategies include internal and external incident notification.
The BITS statement also outlines talking points institutions can use to educate consumers about the origin of the DDoS attacks; steps banks take to protect accounts; and tips for how customers can help secure their own computers and credentials.
"The one message we wanted to convey is that institutions are aware [of the threats posed by DDoS attacks], and they have response strategies that are based on robust security plans," says John Carlson, executive vice president of BITS. "We want the public to know that institutions are taking steps to address these attacks - with ISPs [Internet service providers] and other security providers - and there is a fair amount of collaboration going on with regulators and the Department of Homeland Security about the threats and how to address them."
Response to Latest Attacks
On three consecutive days, from Oct. 16 through Oct. 18, HSBC Holdings, BB&T Corp. and Capital One were hit with DDoS attacks. These incidents were the latest in a series of attacks that have spanned five weeks and targeted 10 U.S. banking institutions, including Bank of America, Chase Bank, Wells Fargo, PNC Bank, U.S. Bancorp, SunTrust and Regions Bank. All the attacks are believed to be connected to the hacktivist group Izz ad-Din al Qassam, which has taken credit on the public online forum Pastebin.
Izz ad-din Al Qassam said it would continue to target U.S. institutions until a YouTube movie trailer believed by the group to be anti-Islamic is removed from the Internet.
BITS claims 14 large U.S. institutions have either been threatened or hit by DDoS attacks allegedly linked to Izz ad-Din al Qassam. But Carlson would not reveal the names of those additional four institutions not previously reported by BankInfoSecurity. He also could not offer details about how BITS became aware of the threats made against those institutions.
Although no new hacktivist threats have appeared on Pastebin since Oct. 16, BITS warns institutions to expect more attacks. In addition to the three steps outlined above, BITS recommends banks and credit unions:
- Assess external-facing assets and applications to provide end-to-end protection. Also assess vendors' capabilities for protecting or expanding bandwidth;
- Share actionable information with other institutions;
- Inform banking regulators of attacks and seek assistance from the U.S. Department of Treasury as well as other federal agencies.
- If attacked, communicate openly with customers about the true source and scope of the incidents.
DDoS and the Potential for Fraud
Because DDoS attacks and other cyberthreats are likely to continue, Carlson says banks and credit unions must focus on educating consumers about steps they're taking to protect accounts.
"The evidence thus far is that we have not seen increased levels of fraud as a result of these attacks," Carlson says. "That said, institutions are on much higher alert to detect the possibility of fraud."
Among the points BITS recommends communicating to customers:
- The attacks have not resulted in unauthorized access to customer information.
- Institutions use sophisticated online security strategies to protect customer accounts.
- Institutions continue to invest in technology to defend against potential attacks.
Some security experts, however, do suspect the attacks are designed to mask financial fraud.
Mike Smith, a security evangelist with online security provider Akamai Technologies, says thsee latest attacks, coupled with history, suggest fraud is the catalyst.
As the industry wades through the increasing number of attacks, and works to pinpoint the motivation behind them, BITS recommends institutions share the following online security tips with their customers:
- Install anti-virus, firewall and anti-spyware software and keep it up to date.
- Set operating systems and browsers to "automatic" download for security updates.
- Be mindful of suspicious, phishing e-mails.
- Use passwords that include a mix of numbers, symbols and letters that are at least eight characters in length, and change them often.
More Alerts to Come?
The BITS statement comes one month after the fraud alert issued Sept. 17 by the Financial Services Information Sharing and Analysis Center. The alert noted specific financial threats linked to DDoS attacks identified by the Federal Bureau of Investigation and its Internet Crime Complaint Center (see High Risk: What Alert Means to Banks).
A few days later, FS-ISAC for the first time changed the U.S. banking industry's cyberthreat level from "elevated" to "high."
Carlson says BITS' announcement is an extension of what FS-ISAC spearheaded in mid-September, and it's likely more alerts will follow as additional attacks occur.
"Ever since our sister organization, FS-ISAC, elevated the threat level to 'high,' we have been communicating with members about how the attacks are affecting banks, and we've been putting together some calls to talk about strategies that are working and not working," Carlson says. "Now we have decided that we need to get banks to communicate with customers and the media about these attacks."