DDoS is most common cyber attack on financial institutions

A distributed denial of service (DDoS) attack on HSBC’s online banking services is not unusual or surprising, according to information security experts.

With financial institutions underpinning whole economies, they are a choice vertical target for an impactful DDoS attack, said Richard Brown, European director for channels and alliances at Arbor Networks.

“Add to this the fact that 29 January was payday for many people – meaning more people trying to access the website and therefore a bigger audience – HSBC was an ideal target,” he said.

The 2015 Verizon Data Breach Investigations Report (DBIR) shows that DDoS attacks are the most common form of attack against financial services businesses, accounting for 32% of all attacks analysed in the report. And Arbor Networks’ recent Worldwide Infrastructure Security Report found that 57% of financial institutions have experienced a DDoS attack – the highest of any sector.

Laurance Dine, managing principal, investigative response at Verizon Enterprise Solutions, said that unlike other types of cyber attack that expose sensitive data, DDoS attacks are mainly about disruption.

DDoS attacks typically flood online systems, such as internet banking sites or online trading platforms, with vast amounts of data in order to overload them and take services offline.

HSBC said it had successfully fought off a DDoS attack to avoid disruption to customer transactions, but services were unavailable to many customers for most of 29 January.

Because the financial services sector is a regular target for DDoS attacks, most organisations in the industry are fairly well prepared, but such attacks are not confined to this sector, so all organisations need to take this threat seriously.

The Arbor Networks report also shows that average-intensity DDoS attacks are now powerful enough to knock most businesses offline.

The report notes that DDoS attacks are being used mostly by cyber criminals to demonstrate their attack capabilities, mainly for extortion purposes.

Other cyber criminal groups sell DDoS services that are aimed at enabling business organisations to disrupt the online services of their competitors.

A growing number of businesses are also seeing DDoS attacks being used as a distraction or smokescreen for installing malware and stealing data.

Taken together, these trends mean that virtually no organisation can say it is unlikely to be hit by a DDoS attack because DDoS services make attacks easier to carry out by a range of actors for a variety of motives.

“Distributed denial of service attacks are a huge problem for organisations in all industries and of all sizes,” said Craig Young, security researcher at Tripwire.

Many organisations do not include DDoS mitigation as part of their security strategy because they do not see DDoS attacks as a real security threat, but failure to have systems and procedures in place to mitigate such attacks could expose any organisation to significant financial losses, particularly those that depend on interacting with customers online.

Imperva Incapsula said DDoS is a serious matter affecting e-commerce sites and corporate and online assets.

Even though DDoS attacks are often associated with large organisations, research shows that 51% of all companies (no matter the size) have experienced an attack and 70% of DDoS attack victims are targeted more than once, the security firm said in a blog post.

“DDoS attacks can last several days, so it is vital to have a plan in place to deal with such a threat,” said Verizon’s Dine. This includes having a well-tested response plan that details what to do if initial DDoS defences fail, he said.

“It’s best not to wait for an incident to occur to discover that there are gaps or failures in the response plan,” he added. “It should be tested in advance to make sure it works. Tests should be undertaken regularly as infrastructure and processes change and as new DDoS techniques emerge.”

Dine also advised putting critical systems on their own separate networks, so less critical systems cannot be used as gateways to more important ones.

The potential economic and reputational damage that DDoS attacks can inflict should be enough motivation for businesses to ensure they have the necessary mitigation systems and processes in place, but DDoS attacks are also becoming a security issue.

Most DDoS mitigation service providers report a rapid rise in the use of DDoS attacks to distract organisations while malware is installed on internal networks and data is exfiltrated.

Either way, commentators say all organisations should now include DDoS attacks as a potential risk to data security as well as their ability to conduct business online.