Are retail and investment banks in denial about being adequately protected from the frequent advanced DDoS attacks they’re getting hit with today? It is mid-March 2018 – just three months into the year and 3 major banks have already been taken offline by DDoS attacks, making global headlines. Reuters reported that ABN Amro, ING and Rabobank were targeted by hackers, temporarily disrupting online and mobile banking services at the end of January (Reuters, Jan 29, 2018: “Dutch tax office, banks hit by DDoS cyber attacks”). Whatever DDoS attack protection they had in place proved to be insufficient.
So why are today’s DDoS attacks so successful against well-heeled financial institutions who spend more on cyber-security than most organizations spend on IT in total? The problem may lie with the “protection gap” within banks’ legacy DDoS attack protection solutions that have evolved over the last 20 years but focus principally on defending against large volumetric DDoS attacks. Banks typically rely on two DDoS architectural components:
- Cloud DDoS Mitigation for elastic scalability during large volumetric attacks
- Web Application Firewalls (WAFs) for encrypted traffic and to provide confidentiality and integrity for encrypted “Layer 7” banking applications during attacks
Legacy DDoS attack defenses often lack the automation required to provide real-time mitigation of today’s short-duration DDoS attacks. Corero’s analysis shows that even the largest banks frequently have this protection gap and it is the Achilles’ heel within their DDoS defenses.
From the Verizon DBIR graph below we see that Financial Services organizations are twice as likely to be hit with a DDoS attack as any other industry. Despite this fact, the protection gap paradox suggests that banks remain either in ignorance or denial and, consequently, haven’t adjusted their DDoS defenses to be resilient to the short, sharp DDoS attacks that dominate today. Corero’s primary research shows that, in 2017, 96% of DDoS attacks were less than 5 Gbps and 71% lasted 10 minutes or less.
2017 Verizon Data Breach Investigations Report (DBIR)
Protecting all IP addresses presents economic and compliance challenges for banks using this legacy DDoS attack prevention architecture:
- Always-on cloud DDoS mitigation across all IP address ranges is eye-wateringly expensive, so even wealthy banks tend not to cover all IP addresses – leaving some of their IP addresses unprotected against DDoS attacks.
- To cover encrypted traffic, they are required to surrender crypto-keys, which layers on non-compliance risk due to personal data protection regulations and privacy mandates.
These challenges effectively create a “Catch 22” scenario where these banks can’t be fully protected even by always-on cloud DDoS defenses.
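To make the protection gap concrete, here is an added example (not Corero’s code or analysis): a per-destination sliding-window rate detector run over constructed flow records. It flags a five-minute, 4 Gbps burst (under the 5 Gbps that covers 96% of attacks above) aimed at an address outside an assumed cloud-scrubbed prefix, and compares the seconds left unmitigated under an assumed 15-minute manually triggered cloud diversion with an automated response that engages within seconds. The prefix, traffic figures and time-to-mitigate values are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed, not from the article: the bank's ranges covered by always-on cloud
# scrubbing. Any other address is the uncovered remainder described above.
CLOUD_PROTECTED = [ipaddress.ip_network("203.0.113.0/25")]

def is_cloud_protected(dst):
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in CLOUD_PROTECTED)

def synthetic_flows():
    """Constructed per-second (timestamp, dst, bytes) records: a 50 Mbps baseline to
    two hosts plus a 4 Gbps burst lasting five minutes (t=30..329) aimed at the
    host outside the scrubbed prefix, i.e. well under the 5 Gbps the article cites."""
    flows = []
    for t in range(400):
        flows.append((t, "203.0.113.10", 50_000_000 // 8))
        flows.append((t, "203.0.113.200", 50_000_000 // 8))
        if 30 <= t < 330:
            flows.append((t, "203.0.113.200", 4_000_000_000 // 8))
    return flows

def detect_bursts(flows, window_s=5, threshold_bps=1_000_000_000):
    """Per-destination sliding-window bit rate; records the second each destination
    first crosses the threshold and the second it drops back below it."""
    per_sec = defaultdict(lambda: defaultdict(int))
    for t, dst, nbytes in flows:
        per_sec[dst][t] += nbytes
    alerts = {}
    for dst, series in per_sec.items():
        above = None
        for t in sorted(series):
            win_bytes = sum(series.get(s, 0) for s in range(t - window_s + 1, t + 1))
            bps = win_bytes * 8 / window_s
            if bps >= threshold_bps and above is None:
                above = t
            elif bps < threshold_bps and above is not None:
                alerts[dst] = {"start": above, "end": t, "cloud_protected": is_cloud_protected(dst)}
                above = None
        if above is not None:  # burst still running at the end of the data
            alerts[dst] = {"start": above, "end": max(series) + 1, "cloud_protected": is_cloud_protected(dst)}
    return alerts

def unmitigated_seconds(alert, time_to_mitigate_s):
    """Seconds the burst ran before mitigation engaged: the whole burst if it ended
    before a slow response (e.g. a manually triggered cloud diversion) could start."""
    return min(alert["end"] - alert["start"], time_to_mitigate_s)
```

With the constructed data the burst is reported one second after it begins, on the uncovered host only, and a 15-minute time-to-mitigate leaves all 302 detected seconds unmitigated, whereas a 5-second automated response leaves 5.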
Consumers now demand and regulations require that banks (and other enterprises) keep their services available with zero downtime and that personal data privacy is guaranteed. As the Dutch experience has demonstrated, modern DDoS cyber-attacks pose a serious threat to both service availability and data security. Consequently, banks are at risk from trading outages, punitive regulatory fines, and customer churn.
There is good news for banks. Corero’s SmartWall® can supplement their existing defenses to deliver fully automated, real-time protection against today’s DDoS attacks. SmartWall mitigates both the short, sharp attacks and the larger attacks, including amplification attacks that exploit the recently publicized “Memcached” vulnerability.