In October 2016 major websites like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times were taken down by a DDoS attack, so regular users could not access the sites. Who could be behind this and what did they want to achieve?
Attribution is very difficult (and sometimes dangerous), so I would not want to hazard a guess. However, suffice to say that attackers (whether they are organized crime gangs, isolated criminals or nation states) have different motivations, from financial gain, exposure, grudge, political motives or simply because they can. Whilst we can speculate at will, it is interesting to note that in this particular attack, the target was not, on the surface, any of the companies who made the headlines (e.g. Twitter, Netflix, Reddit, etc.), but Dyn, a managed DNS operator.
This is actually a smart move from the criminals, because rather than targeting individual sites, they can take out the entire Internet (or large chunks of it) for any end user whose DNS requests route through a given server (in this case Dyn). This modus operandi is not new and we can draw a parallel in the payments industry: targeting a payments gateway or processor, which ends up compromising the many businesses that use them, is far more efficient than targeting one single retail or hospitality business, for example. The second interesting thing to note in this attack is that, from what has been reported, it made use of the Mirai botnet, which infects vulnerable Internet of Things devices (e.g. DVRs, webcams, routers, etc.) that then become part of a botnet army, driving malicious traffic toward a given target.
Many IoT manufacturers have since recalled/patched their vulnerable devices, but there are plenty more out there. Whilst I cannot fathom the motive of this particular attack, one thing is certain, criminals evolve with the times and technology advances much faster than legitimate businesses.
Are banks even more exposed to cybercrime than other types of companies?
I would say that banks and financial services institutions have always been exposed to threats, and are therefore far more able to cope with them than firms in other industries because of the resources and knowledge at their disposal. Whilst healthcare, retail and hospitality are seemingly far easier targets, this is no reason for banks to become complacent: technology innovations in mobile, IoT, artificial intelligence and social media all create new business opportunities, but also bring along new risks and threats that financial services institutions should be ready to mitigate and combat. However, even with traditional infrastructure, banks are far from immune and should remain ever vigilant, as we have seen with the recent Tesco Bank hack affecting 20,000 current account customers.
What controls can and do banks implement to defend against cybercrime?
Financial services institutions generally have a lot of controls and governance already in place. Regardless of industry, information security always comes down to common sense and a few principles need to be followed: ensuring that personal data is safe, ensuring that systems only collect the data they need, preventing unauthorised access to the data, and preventing corruption of the data whether at rest or in transit. We have all seen the statistics related to the various types of malware and the innovative ways criminals use to get to their targets. Unfortunately, basic security principles are rarely followed, in favour of quick time to market. Of course, all of this needs to be applied within the context of an enlightened risk management framework, with the appropriate governance, operational processes and culture to support it.
How are regulators fighting back amid this systemic danger that cybercrime poses over financial companies?
In the last couple of years, we have seen a marked change in the way regulations have evolved. Most notably in Europe, the Payments Services Directive 2 (PSD2) is the first set of regulation in financial services that explicitly specifies both information security and strong authentication requirements for regulated organisations. In the United States, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have also set out new plans to strengthen the way they oversee big banks in a bid to protect the country's financial system in the event of a major cyberattack or technology failure, covering both American and foreign banks operating in the country as well as market infrastructure companies. Many other countries have similar initiatives. In addition, we have the EU General Data Protection Regulation, and the 4th Anti-Money Laundering Directive. When these regulations are looked at together, it becomes apparent that there are many synergies and potential overlaps, as well as a distinct convergence between cyber security and fraud/financial crime prevention, a trend which must be welcomed. To make sense of it all, businesses should approach these regulations holistically, not as separate distinct programmes, as many efficiencies can be derived.
However, we can see a change in this area with many industries willing to cooperate (e.g. automotive and banking with the Cyber Defence Alliance, as well as many others). Data and cooperation will be key.
About Neira Jones:
Neira is a Non-Executive Director for cybersecurity firm Cognosec and Chairman for payments innovator Comcarde. She also chairs the Advisory Board for mobile innovator Ensygnia, and is a partner of the international Global Cyber Alliance and Advisor and Ambassador for the Emerging Payments Association.
About Emerging Payments Association:
The Emerging Payments Association brings together companies across the emerging payments spectrum to help shape the future of the payments industry landscape. Our vision is to make the UK a global leader in payments innovation by attracting investment capital and creating a hospitable regulatory environment for innovators, new entrants and disruptors.
The Paypers. All rights reserved. No part of this site can be reproduced without explicit permission of The Paypers.