How can banks protect themselves from DDoS attacks?
Distributed Denial of Service (DDoS) attacks in all sectors are becoming increasingly frequent; a 2018 study by Link11 found there were on average 102 attacks per day between April and June of this year. For banks, in particular, this is a worrying statistic due to the sensitive nature and sheer volume of private customer credentials they hold in their systems.
The banking industry is a longstanding target for application and network layer DDoS attacks. Despite the emergence of newer industries like bitcoin and the continued rise in attacks on crypto-currency, the threat against the traditional banking sector remains. Targeted attacks cause slow website response times and prevent customers from accessing their online banking and trading portals. The attacks also serve as diversionary tactics by criminals looking for ways to compromise sensitive data, commit fraud and steal private and financial data.
The current challenge facing the banking sector is to continue developing and growing as a business whilst protecting customer data against DDoS attacks. Delivering on digital transformation, meeting customer expectations and providing 24/7 banking with easy-to-use, secure software are all difficult to achieve whilst the underlying threat of a DDoS attack is so high. So, what are banks doing wrong and how can they get better?
The stakes are high for UK banks
With the recent announcement this month that Tesco Bank has agreed to pay £16.4m as part of a settlement with the Financial Conduct Authority following a cyber-attack in 2016, it is clear that failure to implement adequate cyber-protection is costly.
Tesco said the attack did not involve the theft or loss of any customers’ data, but led to 34 transactions in which funds were debited from accounts, and other customers having normal service disrupted.
The FCA said the fraud netted cyber-attackers £2.26m, exploiting “deficiencies” in Tesco Bank’s design of its debit card, its financial crime controls and in its financial crime operations team.
Why are DDoS attacks on banks getting worse?
DDoS attacks increased by a massive 16% from November 2017 to April 2018, according to the State of the Internet 2018 report by Akamai. This figure is only set to rise and, with the evolving threat landscape, attacks are getting harder to predict and mitigate.
DDoS-for-hire sites are one factor behind this increase. They sell readily available DDoS attack software for as little as £11. This means anyone, even an agent with little or no technical knowledge, has the ability to launch an attack.
Webstresser.org was a DDoS-for-hire site recently shut down by the authorities, and is thought to have enabled in the region of 4-6 million attacks. The global task force, called Operation Power Off, was responsible for the closure, which required the co-operation of multiple countries to succeed. Such criminal sites are often given a veil of authenticity by offering apparently genuine pieces of software designed to stress-test computer systems, but which are used by criminals to disrupt services.
These attacks included those on seven of the UK’s biggest banks in November 2017. They forced the banks to shut down operations temporarily and, according to the UK National Crime Agency, cost hundreds of thousands in getting services back online. According to people briefed on the operation at two of the affected banks, the seven banks involved were: Santander, Tesco Bank, RBS, Lloyds, HSBC, Clydesdale and Yorkshire Banking Group, and Barclays.
Another worrying factor is the increasing size and scale of the attacks. In 2018 the largest attack on record, a massive 1.35 Tbps, was recorded, over twice the previous record. It is now reasonably common for volumetric attacks to go beyond 100 Gbps, a scale at which it is practically impossible to mitigate effectively.
Is there board-level commitment in the UK banking sector?
A report entitled ‘Governing cyber risk: a guide for company boards’, published in April of this year by TheCityUK, flagged concerns over disparities between big banks and financial services companies in how they tackle cyber threats.
The report found that many companies were yet to meet the standards published today and need to do more to address the risks.
While all firms are now taking actions to manage cybersecurity, the research found material differences in the extent to which boards were driving those actions. The report benchmarked boards on six dimensions of behaviour, which evaluated how ‘proactive’ the board is in engaging and informing itself on cyber and how much ‘challenge’ the board is creating for management in providing active and intrusive oversight.
“Make no bones about it, cyber crime is a clear and present danger, not only to our current way of life, but also to society as a whole,” said John McFarlane, chairman of TheCityUK and Barclays, in a foreword to the report.
“Our traditional defences are no longer adequate to protect ourselves as shared industry systems, companies or individuals. This is war, and needs wartime, not peacetime, urgency.”
What can banks do to protect themselves?
Unfortunately, DDoS attacks on banks can happen at any hour, on any day. Because services such as online banking are always accessible, systems are active 24/7, and mitigation should be too. If a bank does not protect itself in advance, arranging emergency mitigation takes time while contracts are signed and details sorted, leaving customers’ details unprotected for days. ‘Always on’ DDoS mitigation solutions are the only way to stay safe.
Due to the digitalisation of many banking and payment systems, it is even more important for banks to operate resilient DDoS security solutions. It is no longer sufficient to just use hardware to protect IT infrastructure as the majority of systems are now cloud-based, and therefore require a new kind of mitigation. In our current attack landscape, no system can be left unprotected. From cloud infrastructure to physical systems, databases to network applications, all assets must be covered by security solutions.
Overall, banks cannot be complacent when it comes to protecting their IT infrastructure. With the added pressure of DDoS-for-hire sites and new attack vectors, banks especially need to be on high alert in detecting and defending against these attacks. As DDoS attacks continue to grow in popularity, using robust mitigation which is regularly tested (keeping customers happy) needs to be the ultimate goal for all banks nationwide.