Are Indian Banks Prepared for DDoS? Defences in Question as Anonymous Pledges to Attack
Indian banks may become a hotbed for distributed denial-of-service attacks because of low cybersecurity awareness, inadequate security practices and infrastructure and poor DDoS defences.
The recent DDoS attack on the Bank of Greece's website by Anonymous under its operation #Icarus, and the subsequent similar attacks on several other banks, show that this is a real possibility.
While some private sector banks and their respective CISOs are more open to exploring technology alternatives outside of those stipulated by compliance regimes, most of the CISOs of the public sector banks and commercial banks are less prepared to respond.
Anonymous has an ambitious list of 160 banks that it intends to target. The group plans to strike against financial institutions around the globe and, in particular, Asian countries. Indian nationalized banks are no exception (see: Anonymous Threatens Bank DDoS Disruptions).
Although there are reports saying that the impact of Anonymous DDoS attacks has been relatively minimal, with the disruption of the websites lasting for only a few minutes, security leaders in India are concerned that such attacks could prove disruptive against our banks (see: Anonymous DDoS Attacks Spread, But What's the Impact?).
India's Unique Challenges?
The fear is not without cause. Late last year, the financial sector in India was targeted by DDoS attacks, with two large private banks and a retail brokerage facing an attack that seriously slowed down all online customer transactions.
Subsequently, financial institutions received an advisory on the DDoS attacks from CERT-In and the National Critical Information Infrastructure Protection Centre, which warned that more attacks would follow.
Further, security vendor Akamai's State of the Internet Security Q4 2015 report says retail and financial services in the region will remain a top target for DDoS, given the myriad opportunities malicious actors have to extract and monetize sensitive data. An increase in web application attacks is also expected.
Sudeep Charles, product marketing manager, Asia Pacific and Japan, at Akamai, says while India's private banks are taking some measures to defend against DDoS, in the case of public sector banks, there's much left to be desired.
One concern, I'd think, is the lackadaisical attitude to information security best practices in Indian banking enterprises - spread across 29 public-sector banks, 93 commercial banks including cooperative banks - as well as tight security budgets.
A CISO of a public-sector bank tells me that a CISO of a large public-sector institution was asked to step down from his role because of not being able to handle a DDoS attack, where the systems were down for long hours. The main cause was that the security team was unable to determine it was a DDoS attack.
One problem is that a majority of these banks fill such roles on an ad hoc or rotational basis, and the individual heading security is not necessarily a security expert. In such a scenario, it becomes a challenge for the executive to even detect the symptoms of DDoS, or of any other form of attack, without the help of a service provider.
Such immature approaches by the banks would make the environment particularly vulnerable to attacks.
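As an added illustration of what recognising a DDoS symptom from ordinary web-server logs can look like (example code written for this article, not taken from it or from any bank's tooling), the script below parses constructed Common Log Format lines, establishes a request-rate baseline from a quiet period, flags seconds whose rate spikes, and notes whether the surge is spread across many sources or dominated by one client, which is the first question a responder has to answer. The URL path, the addresses (documentation ranges) and the thresholds are assumed values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: source IP, ident, user, [timestamp] "request" status
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')

def parse_line(line):
    """Return (source_ip, timestamp) for a CLF access-log line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")

def flag_flood_windows(lines, baseline_seconds=10, spike_factor=5.0, single_source_share=0.5):
    """Flag each second whose request count exceeds spike_factor x the rate seen in the
    first baseline_seconds (assumed quiet), and label it distributed or single-source."""
    per_second = defaultdict(Counter)           # second -> Counter(source_ip -> requests)
    for ip, ts in filter(None, map(parse_line, lines)):
        per_second[ts][ip] += 1
    seconds = sorted(per_second)
    if len(seconds) <= baseline_seconds:
        return []                               # not enough data to establish a baseline
    baseline = sum(sum(per_second[s].values()) for s in seconds[:baseline_seconds]) / baseline_seconds
    alerts = []
    for s in seconds[baseline_seconds:]:
        total = sum(per_second[s].values())
        if total <= spike_factor * max(baseline, 1.0):
            continue
        top_ip, top_n = per_second[s].most_common(1)[0]
        share = top_n / total                   # one noisy client vs. many sources
        alerts.append({"second": s.isoformat(), "requests": total, "baseline": baseline,
                       "unique_sources": len(per_second[s]), "top_source": top_ip,
                       "kind": "single-source" if share >= single_source_share else "distributed"})
    return alerts

def constructed_log():
    """Constructed sample, not real bank traffic: 10 quiet seconds at 2 req/s from two
    clients, then 3 seconds at 200 req/s spread over 100 documentation-range addresses."""
    start = datetime(2016, 5, 10, 10, 0, 0, tzinfo=timezone.utc)
    def entry(ip, t):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET /netbanking/login HTTP/1.1" 200 512'
    lines = []
    for i in range(10):
        t = start + timedelta(seconds=i)
        lines += [entry("203.0.113.5", t), entry("198.51.100.7", t)]
    for i in range(10, 13):
        t = start + timedelta(seconds=i)
        lines += [entry(f"192.0.2.{n % 100 + 1}", t) for n in range(200)]
    return lines
```

Running `flag_flood_windows(constructed_log())` yields three alerts for the flood seconds, each labelled "distributed" because the busiest source accounts for only 1% of the traffic; against real logs the quiet baseline should come from a known-normal period rather than the first seconds of the file.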
Vikrant Varshney, former risk officer at HSBC and now chief of the risk advisory board at Risk Resources, says the dependency of all the associate and scheduled banks on services hosted by the central bank, the RBI, will worsen things. Besides, the public sector banks are not geared to handle the innovations happening in the payments domain while securing them.
I agree that several services, such as interbank payment gateways, could be exposed to future DDoS attacks. They're interlinked and absorb new payments innovation without necessarily securing it.
Akamai's Charles argues that fast-growing online retail banking could pose a further security challenge.
Time-to-market for banking products is short, and code-level audits for potential bugs that can be exploited from a security perspective are few and far between.
Charles says that while a number of institutions have relied on ISP-based DDoS mitigation, there is a realization that this will not be a comprehensive solution in itself. Given that this region is price-sensitive, investment in cloud-based security has been muted until recently, which is another reason for being vulnerable to attacks.
Since a majority of the banks deploy open-source tools, which are not necessarily foolproof, this could be another point of vulnerability.
Best DDoS Defences
Indian banks need to take some cues from the wave of DDoS attacks launched on U.S. financial institutions in 2012-13 and learn lessons and best practices adopted by the banks to overcome these attacks (see: New Wave of DDoS Attacks Launched).
It is also important to track the origin of the latest attacks and discover their source (see: Analysis: Who's Really Behind DDoS?).
As to whether India's banks are equipped to defend against DDoS, the answer is yes and no.
Yes, banks have definitely engaged themselves with DDoS service providers in deploying appropriate tools to defend against attacks.
But, no, they have not conducted proper risk assessments to understand the exposure of the central bank's services to DDoS, which would help prevent a cascading effect of risk on the other banks that depend on them.
Varshney suggests that banks having a cyber intelligence and cybersecurity operations team will help address DDoS issues.
Defence-in-depth is key here, Charles says. The limitations? While regulatory regimes are fairly prescriptive, organizations don't go beyond check-the-box solutions.
Expertise is also critical in protecting business-critical data. Often, banks have limited ability to make quick and correct decisions while under attack. Ensuring that qualified security specialists are assigned to technology investments is important. Building a DDoS attack contingency plan is key; most financial institutions don't have one.
Here's some key advice: Banks and telcos must form a group, creating a framework to thwart DDoS attacks and strengthen the information sharing platform. This will help Indian banks keep Anonymous and future attacks at bay.
What's your advice to the banks for creating best defences for DDoS?