Financial Services Thinktank Offers Strategies to Combat Cyber Attacks

It appears that the barbarians are at the proverbial gates, and the financial sector is scrambling to shore up its network defenses in an effort to combat the specter of website downtime caused by hacktivists engaged in a spate of attacks targeting American banks.

In response to the attacks, BITS – the technology policy division of The Financial Services Roundtable – has issued a seven-point strategy for countering cyber threats in the wake of the recent Distributed Denial of Service (DDoS) blitz that has impacted nearly a dozen institutions so far.

“There is a likelihood these attacks will continue; all financial institutions should review their preparations for dealing with such an attack,” the BITS document warns.

Topping the list of recommended actions provided by BITS are a thorough review of network software patching and the related protocols for keeping systems on the most current updates, the scanning of networks to address any issues unrelated to an attack, and engagement with service providers for additional network control options such as source blocking and traffic rate limiting.

BITS also advises organizations to conduct security assessments of any public-facing Internet applications and to enlist third-party vendors to provide additional protections that mitigate the impact of a DDoS attack, such as Corero's innovative First Line of Defense, which filters malicious traffic before it ever reaches a targeted network.

“An important message we wanted to convey is that banks are aware of the threats posed by DDoS attacks and they have response strategies which leverage robust information security and business continuity plans,” John Carlson, BITS Executive Vice President told Security Bistro.

Furthermore, BITS recommends a review of current communications strategies for notifying staff, regulators, and service providers in the event an organization is targeted, and advises institutions to consult the Treasury Department and other government agencies for assistance if threatened.

The bulk of the document issued by BITS deals with how best to communicate with customers, including providing them with a cursory description of the mechanisms behind a DDoS attack, offering assurances that the attacks do not threaten the security of data, and advising consumers on how to protect their own systems from malware and avoid becoming victims of phishing scams.

“We want the public to know that banks are taking steps to address these attacks in partnership with Internet service providers and other security providers, and enhanced collaboration with law enforcement, regulators and other government agencies,” Carlson explained. “The attacks are not designed to be – and have not resulted in – a data breach, hacking, or unauthorized access to consumer information of any kind. Consumers still can access their accounts through alternative means, including bank branch offices and call centers.”

While the BITS advisory instructs institutions to credit the Izz ad-Din al-Qassam Cyber Fighters, an Islamic extremist group that has claimed responsibility for the DDoS attacks, speculation on the actual culprits continues to flourish, with fingers pointing at everyone from Iran to Russian mobsters; even the U.S. government is named as a suspect in some tinfoil hat theories circulating on the web.

Regardless of the muddled attempts at attribution for the attacks, the BITS recommendations are sound advice for any organization looking to protect against similar threats, says Brent Huston, CEO of security consultancy MicroSolved.

“BITS covers the very basics. Organizations should have an incident response plan that includes DDoS and have arrangements in place to work with their upstream providers to move their site (if possible) to a higher bandwidth. Other than that, having your environment hardened and regularly assessed to identify any vulnerabilities is also important. But, the biggest thing we see clients missing is having a tested plan for DDoS and the relationships upstream needed to respond as effectively as possible to an attack,” Huston stated.