A disturbing new specter in the security of financial IT was identified this week: nation states launching DDoS attacks on banks and other financial institutions.
Of course, the idea of nation states launching cyber-attacks against one another isn't exactly new. Suspicions abound about the origins of the Stuxnet malware, which targeted the centrifuges at Iran's uranium enrichment facilities, for example. As we've previously reported, there's clearly a cyber arms race underway.
What's notable about the latest DDoS attacks is that they were directed specifically at the online banking services of major US financial institutions, and that they appear to have been launched from compromised servers in data centers rather than from infected home PCs. According to a January 8, 2013, report in The New York Times, a series of DDoS attacks against US banks that began in September 2012 was notable because "instead of exploiting individual computers, the attackers engineered networks of computers in data centers." Servers in data centers have far more bandwidth than individual consumer machines, so a relatively small number of them can generate a flood that a conventional botnet of home computers could not match, and the scale of the attacks can be far greater.
The New York Times article goes on to state:
"There is no doubt within the U.S. government that Iran is behind these attacks," said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington.
On the plus side, these DDoS attacks do not appear to have targeted customer data per se; they instead aim to cause severe disruptions in service. Of course, the level of service available on your website is as important to your customers -- if not more so -- as the level of service available in your brick-and-mortar branches.
Yet, all too often, banking CIOs and IT staff are not part of the team that manages and maintains the bank's customer-facing websites. These recent discoveries leave no doubt that this has to change. If you're not already having frequent conversations with your counterparts in charge of online banking services, your governance/risk/compliance executives, and your legal department, you've already fallen behind. These conversations need to take place on an ongoing basis as new risks arise.
You also need to engage your PR and marketing executives, educate them about the potential threats, and work with them to plan a rapid-response strategy so that your customers are not left out in the cold when a service outage hits.
Wondering what's ahead in 2013 when it comes to IT security for financial firms?
Coalfire, an independent IT governance, risk and compliance firm in Louisville, Colo., identifies the following five trends that will influence banking IT security in 2013:
- Mobile operating systems will come to be recognized as a source of vulnerabilities by the IT security industry.
- Government will lead the way in the enterprise migration to "secure" cloud computing.
- Lawyers have found a new revenue source -- suing negligent companies over data breaches.
- Critical Infrastructure Protection (CIP) will replace the Payment Card Industry Data Security Standard (PCI DSS) as the white-hot tip of the compliance security sword.
- Security technology will start to streamline compliance management.
If these challenges haven't made you dive under the covers with plans to hide until 2014, then tell us how you expect financial organizations, and particularly banking IT, to tackle these issues. We want to know what we've missed, too. Are there other predictions you have for the banking technology world in 2013?