|
Protecting Online Banking from Denial of Service Attacks
5 Essential Components of Online Banking Security
|
Containment |
 |
| Prevent proliferation of attacks |
Compartmentalization |
| Prevent unauthorized access to systems. Avoid collateral damage to other business segments when you are under attack. |
Continuity |
| Ensure seamless operation even under DDoS attack or equipment failure |
Recovery |
| Enable rapid recovery from external attack or malicious insider activity |
Performance |
| Network performance should not be reduced by security measures |
| |
Who Needs Operational Risks?
Today, all major banks offer online baking services to their customers. They also have taken many steps by adding security features to the service infrastructure, such as measures to prevent identity theft and fraud so that online banking is a safe and secure experience. However, as more customers depend on a reliable online access, there are steps to take against new types of online threats. Great Disasters happen, not because people run risks, but because they don’t understand the risks.
A few years back, there was news about Westpac bank in Australia. The bank's online service were shut down for three hours between 8pm and 11pm. Three hours later it was discovered to be a Denial of Service attack -- caused by flooding of one of the open ports on an incoming router that carries Internet traffic. The National Australia Bank (NAB) experienced a similar attack in October 2006. A bank insider said the attack was a probe to see how vulnerable the bank's security (firewall etc.) is. "We are waiting for a possible larger attack," he said. "I can't see why [the culprit] would want to attack us with something we can easily shutdown. All they need to do is change the attack to a port that we must have open, such as HTTP or HTTPS." The source said typically 1000 users are online during the hours of 8pm and 11pm -- the time of the DoS attack. "Our Information Security Group (ISG) were completely unprepared for this and didn't know the procedures that should be followed," he added.
Recently there have been DDoS attacks on Bank of America, US Bancorp, Rabobank, Eesti Uhispank and other banks.
Costs to create Denial of Service attacks is low and the pay-back can be massive. These types of attacks by Botnets and other sophisticated attacks bombard the site with bogus requests and overwhelm the network. They can stop all genuine activity for several hours or even many days thus depriving customer access to banking. Moving from gambling sites and holding them for ransom, the criminal activity has now spread to other types of businesses, which have an online presence and it is their significant source of customer interaction. Online banks must protect the consumer and preserve trust and the integrity in the on-line marketplace.
Avoid The Reputation Risk
Bank IT and Security staff need to fully understand the organization’s risks and vulnerabilities.
Knowing the drivers for change, both the external & internal influences.
They must develop a corporate risk profile.
Implement a strong Governance and Controls infrastructure.
Monitor and maintain the security and risk profile to meet new challenges.
Reputation risk associated with Denial of Service attacks can impact public opinion that results in a critical loss of funding or customers. Failure of Online banking platform to perform as promised, due to DoS and DDoS attacks, that prevents customers from accessing their accounts, could expose the banking institution to reputation risk
Why Others Cannot Help You?
Internet Service Providers and hosting providers who host online banking web sites face a difficult problem. They have to take steps to protect against such attacks. Quite often they are either unwilling or lack the expertise to implement such a solution. Many times their first option is to cut off the service to the attacked web site. The online banking operations have now two emergencies to tackle and be back in business. There are a number of horror stories faced by online businesses, many that go unreported. Fortunately, there are affordable solutions that can be implemented without disruption to normal operations.
Define Denial of Service Attacks
Denial of service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are common techniques to bring down e-commerce with a malicious intent.
The attackers employ either a few machines spoofing as large number of machines or a large number of hacked machines with a robot software called bot simultaneously connecting to a website.
The number of simultaneous connections are so many that the e-commerce servers cannot handle the load and are knocked down.
How come the the attack in Westpac could not be stopped by firewalls and the Internet Service Providers?
Denial of service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are very difficult to stop using firewalls because the content is legitimate and the intent is malicious.
Most ISPs for online banks do not have adequate tools and techniques required to stop the onslaught. They can simply take down the network - which furthers the purpose of the attackers.
What is the Solution?
The solution is in containing the attack and compartmentalizing the site, having a DDoS mitigation system which stops attacks by understanding that the behavior of the new visitors is different from the past normal visitors. The solution is in planning for the high performance required in the network security appliance that can handle such onslaught and still stop such attacks so that the business can continue.
5 Key Questions About Online Banking Network Security
- Has your website been affected by a DDoS attack, Botnet attack, or other security breach?
- Have the attacks cost you business or productivity? What is the value of downtime of a few hours?
- Do you have an incident response policy in place?
- Does your company have a 24x7x365 Security Operations Center?
- Is security important enough to distinguish you from your competition?
5 Steps to Online Banking Network Security
Step 1: (You might be here) Insecure Online Banking Network
Step 2: DDoS Mitigation: Key step for building a secure online banking network
Step 3: Firewall : Next step in building a secure network
Step 4: Content Based Security (IPS): Further step towards a more secure network
Step 5: Application Security: Pretty secure online banking network
Comprehensive Online Banking Network Protection
| Feature |
DDoS Mitigation |
Firewall |
Content Based Security
(IPS) |
Web Application Security
(Application Firewall) |
Floods
(SYN, TCP, UDP, ICMP, Fragment, Port, etc.) |
Yes |
No |
No |
No |
| Botnet Attacks |
Yes |
No |
No |
No |
| Source Tracking, Source Limiting |
Yes |
No |
No |
No |
| Continuous Behavior Learning and Adaptive Control |
Yes |
No |
No |
No |
| Header and State Anomalies |
Yes |
No |
No |
No |
| Port Scans, Network Scans, Dark Address Scans |
Yes |
No |
No |
No |
| ACLs |
Yes |
Yes |
No |
No |
| NAT |
No |
Yes |
No |
No |
| Stateful Inspection |
No |
Yes |
Yes |
No |
| Stateful Signatures |
No |
No |
Yes |
No |
| Traffic Signatures |
No |
No |
Yes |
No |
| Cross Site Scripting, Parameter Manipulation, Command Injection |
No |
No |
No |
Yes |
| Information Leakage |
No |
No |
No |
Yes |
Architecture of a Secure Online Banking Network
|
IntruGuard products help you contain the the attacks within 2 seconds. They let you segment your network logically into business functions or networks so that an attack on one business segment does not impact the others. With a hardware DDoS mitigation appliance from IntruGuard, your business continues - automatically. All attacks are instantaneously identified and blocked for a short duration (of less than 15 seconds) and re-evaluated. That helps in reducing false positives. The devices are tested for high performance - under the worst attacks, the performance remains wire-speed. Read a third party analysis here.
Customer Experiences
Read what our customers and world-renowned analysts have to say about us.
Read about Sarbanes Oxley and Denial of Service Attacks.
Read about Payment Card Industry (PCI) / Data Security Standard (DSS) and Denial of Service Attacks.
Want to know more
Sign up for our webinars.
|
