Banks Under Attack: PR MisstepsBetter Communication Needed in Wake of Outages
In the wake of recent distributed denial of service attacks against banks, most institutions are missing a prime opportunity to educate their customers about security, says Gregory Nowak of the Information Security Forum.
"They seem to be regarding [DDoS attacks] as a secret," says Nowak, a principal research analyst with the ISF.
HSBC Holdings, BB&T Corp. and Capital One are the most recent victims of DDoS attacks. These incidents have spanned five weeks and targeted 10 U.S. banking institutions, including Bank of America, Chase Bank, Wells Fargo, PNC Bank, U.S. Bancorp, SunTrust and Regions Bank. All the attacks are believed to be connected to the hacktivist group Izz ad-Din al-Qassam, which has taken credit on the public online forum Pastebin.
Izz ad-din al-Qassam said it would continue to target U.S. institutions until a YouTube movie trailer believed by the group to be anti-Islamic is removed from the Internet.
After the initial wave of attacks, Nowak went through the affected banks' websites and couldn't find any relevant information about what happened, how customers can understand it, as well as the reassurance that their information is safe.
"[Banks} should be taking the opportunity to explain to their customers the difference between denial of service attacks and some sort of hacking attack that actually puts information at risk, because their customers are worried and they don't need to be," Nowak says in an interview with Information Security Media Group's Tom Field [transcript below].
Outlining how organizations should respond to this new wave of hacktivist attacks, Nowak discusses:
- Why these DDoS attacks are successful;
- Flaws in institutions' prevention and response plans;
- How to properly manage the risks of hacktivism.
Also, don't miss Nowak's new webinar on hacktivist attacks: Hacktivism: How to Respond.
Nowak is a principal research analyst for the Information Security Forum, an independent authority on information security. He has worked on ISF research projects on hacktivism, cybercitizenship and securing mobile devices. He also is responsible for ISF's Information Risk Analysis Methodology (IRAM).
TOM FIELD: For the people out there who aren't familiar with the Information Security Forum, tell us a little bit about your role with the forum and the work that you folks are doing.
GREG NOWAK: The Information Security Forum is a not-for-profit membership organization with members at the organization level. We have both public and private-sector members and we provide research, tools and methodologies for information security, broadly understood both technical and operational, involving information systems as well as personnel.
Recent Bank Attacks
FIELD: A huge topic for the past week or so has been the series of distributed denial of service attacks against U.S. financial institutions. What are your observations on the attacks that we witnessed against the banks?
NOWAK: I think the first thing to notice is that these are sort of innocent by-stander attacks that have nothing to do with the activities of the bank. They're motivated generally because the banks are seen as representatives of the United States, and we forget that when we think back to 9/11, the stated reasons for the attacks of 9/11 were actions of the U.S. government, but the stated reasons for the choice of targets was because the U.S. financial system represented America and the World Trade Center was chosen as a target. In the same sense, outside of the United States the distinction between public and private is blurred, and banks and financial institutions are seen as primary representatives of the American economy, the American way of life, and so they're chosen as targets.
FIELD: What's important for organizations to communicate to people that are hearing of these attacks through the media? And I ask that because I see that these have become very hot topics in the popular media, and everybody's hearing about them and talking about them. Information about the attacks has been a little bit scant.
NOWAK: I have really been amazed at the nature of media coverage. For example, you referred to DDoS attacks. Everybody understands in the information security business that this is a distributed denial of service attack, and we know what that means. If you look at the mainstream media, they don't use that term because they figure that most people don't understand that so they refer to them as cyberattacks. That gets reinterpreted and when they talk about the actors, the actors are referred to as hackers or hacktivists, and then when the stories get quoted you hear stories like, "Major U.S. banks are hacked and your information may be at risk." I find it surprising because somehow this notion that personal information has been put at risk by these attacks is being created in online discussions when that's not part of the initial reporting.
The banks that have been affected are missing a great opportunity to communicate and educate their users. I tried visiting the sites, and there's nothing on any of the bank sites that says, "Here's what's going on. Here's how you can understand it. Your information is safe." Sitedown.co has provided some up-to-date information about which sites are available, but the banks themselves are not doing a good job of communicating. They seem to be regarding it as a secret. They're saying some people have access issues. People know they have access issues. They should be taking the opportunity to explain to their customers the difference between denial-of-service attacks and some sort of hacking attack that actually puts information at risk, because their customers are worried and they don't need to be.
FIELD: Up to this point, only financial institutions seem to have been targeted, but we would be foolish to think that they would be the only targets. What would you say is the message to non-banking organizations that are watching this activity?
NOWAK: First of all, they should notice that the attacks have nothing to do specifically with activities to these banks. They were just chosen as representatives. They're innocent bystanders in the whole story, and yet suddenly they have to deal with this situation that has taken them by surprise. I think the message is this can happen to any organization and they need to consider it as part of their risk management.
Defending against DDoS
FIELD: We've known about distributed denial-of-service attacks for years now. We know how to prevent them and how to protect against them. Why are these DDoS attacks so successful against these financial institutions?
NOWAK: First of all, there's a matter of leverage. You can now rent botnets to conduct an attack, so it's a low investment of financial resources, and it doesn't take such a large number of individuals to coordinate this. If the initial money is available to rent the botnet and obtain the code, then almost anyone with the necessary amount of money can launch an attack. Someone who feels motivated to make some sort of public statement can do so easily on a large scale and take advantage of the reaction to the DDoS attacks to spread their message. People are gravitating towards these attacks because for a relatively small financial investment and investment of time, they can have a disproportionately large effect and get a lot of media attention.
FIELD: But shouldn't an organization the size of a Chase Bank, PNC or U.S. Bank have the redundancy and the resources that their sites wouldn't even be affected by this?
NOWAK: They should, and I'm surprised they don't. One of the messages that I want to spread about this is that people should notice that the geographical distribution of legitimate clients online is different from the geographical distribution and therefore the IP-space distribution of malicious web traffic directed towards these sites. I think if banks and other organizations consider that a little more investment in intelligent routing and segmenting incoming traffic geographically and by IP sub-spaces was taken proactively, then they would be much less affected by these sorts of attacks because only the front-ends are devoted to certain subspaces of the IP space would be overloaded and they would have more capacity for the geography and the IP sub-net identified with most of their customers. And I don't see that happening. I haven't seen much discussion of it going on. People talk about adding capacity but I don't see much use of intelligent routing to decrease the effects of botnet attacks.
FIELD: Is it fair to say from what we know that this is hacktivist activity that we're seeing?
NOWAK: It's definitely fair to say that, but my advice is always to not pay too much attention to the motivations of the attacks unless it helps you mount particular countermeasures. And in this case, we know the story leading up to these attacks and the banks, and there's no way this could be foreseen. Even understanding the motivation of the attackers really doesn't lead to any changes in the source of countermeasures you'd take for the proactive risk mitigation you'd want to put in place. I would advise people not to spend too much time thinking about the reasons for the attacks, but just thinking generically what they should be doing to prevent these kinds of attacks.
FIELD: If I could ask you this, what benefit do the hacktivist groups gain from attacks such as these? As you say, there's not a breach involved. Information isn't being taken as near as we can tell. It's mischief.
NOWAK: It's mischief, but also it's in defense of an ideology, and people will do strange things and devote a lot of effort in defense of their ideologies, and they feel according to their own system of values that they have accomplished something by making a large public statement, again with a relatively small investment of money and time to advance their idea. And whether or not they achieve their end goal and change the world in the way they want to change or have a video removed from the Internet is less relevant than the fact that they see themselves as having accomplished something for spreading the message and making the attempt.
FIELD: We've talked about the poor response we've seen from organizations. From your perspective, for institutions that have been attacked, what would be the proper response?
NOWAK: First of all, they need to consider this as a significant risk to address in their risk management program. If someone told a retail business that a significant percentage of their physical locations would be blocked and customers who were trying to get access to these locations would not be able to enter the bank or other businesses for an entire day and this would be happening in multiple locations, they would regard that as a critical issue with an immediate response from the top levels of the organization. I'm surprised that the same level of urgency and seriousness of response isn't occurring for these online attacks that just get as much media attention without as much messaging coming out of the organizations that say here's what's going on, here's what we're doing about it, your information is not at risk and this is just a traffic jam on the Internet. I think part of the problem is this word cyberattack, which is so vague and suggests that there's hacking when in fact a more appropriate term in common language would be a traffic jam or slow down, something that communicates the idea that traffic's being stopped but information itself is not being put at risk.
FIELD: For organizations that have not yet been attacked, what's the proper preparation?
NOWAK: First of all, the Information Security Forum in it's recent paper on hacktivism has advised our members to conduct simulation to identify what lines of communication the organization would use, to identify spokespeople and make sure there's a proactive plan to address the media. They should also use all available lines of communication and explain what's going on. There's very little information coming out of the banks that have experienced these attacks. I've looked at some websites and they have their normal promotional materials there. They don't have any banner headlines for more information about what has been going on lately, to "please read this." That's a missed opportunity for them. Communicating out to the public is important.
Also as I said there are technical measures that could be used and they do take some time and some investment to implement, but I think that it's a worthwhile measure to take to mitigate the risk of a denial-of-service attack preventing access to the website. This is not something that people should wait for. They can take proactive measures. They shouldn't look at it as something that they have no defenses against, and they should also make sure that they do have messaging in place and they're prepared to communicate with the public and the media in advance so if it does happen to them, they're not looking like they're unprepared, which is the impression we now get from a lot of the responses we've seen.
FIELD: We've talked a good deal about external communication. How about internal? What do boards of directors and senior business leaders need to be hearing from their security leaders now?
NOWAK: The good news is that security departments are being taken more seriously and getting a seat at the table more often with the senior leadership, but I think the issue of denial-of-service attacks in particular is not high enough on the agenda. As I said earlier, if they were asked to consider what the level of criticality would be if a large percentage of physical locations for the business were blocked and customers couldn't get access, they'd start to see how serious a problem this was and that it's worth doing some proactive investing to mitigate the risk. And if the security folks can come forward and say, 'Here are the things we need to do technically that will help us mitigate the risk, here is the kind of preparedness we need to have for messaging, here is how we need to cooperate with our legal department and our public relations department so we have something to say in the event this happens," I think they will respond to this plan because my impression is that not much is happening because people have the general impression that there isn't much that can be done. I think that with an organized plan that addresses both technical and communications issues, senior leadership could say, "Yes, this is worth investing in. We don't want to be caught unprepared for this sort of thing."
FIELD: We're talking about banking institutions today. We could easily be talking about government organizations, healthcare organizations or universities tomorrow. For any organization concerned that it could be a target next, how would you boil down your advice to them?
NOWAK: It's possible to be prepared. You should be prepared. You can't tell when it's going to happen, so you might as well start getting prepared now. Investigate technical measures that can reduce the risk. Know where your customer base is because it's likely much more concentrated then the geographical and IP base of your attackers. You can defend against it. Prepare with your public relations and communications department to have messaging ready so if this happens to you, you can communicate clearly to the public and let them know what's going on and what the actual risks are, because most members of the public think that their information is at risk just from DDoS attacks when in most cases it's not.