IT Risk in the Financial Sector – DDoS Attacks
A good IT security strategy is often not held in high regard by senior management because it is largely preventative in nature: it creates no obvious value and is only felt when something goes wrong.
The Guardian recently reported a cyber-attack on the NatWest website. More specifically, the bank was the target of a Distributed Denial of Service attack, commonly known as a “DDoS” attack. In this method the attacker has as many computers as possible request information from the target at the same time, so that the site is flooded and legitimate customers can no longer be served. The participating machines are usually called “bots”; they are organised into “botnets” and controlled illegally by individuals using malware (e.g. the Sub7 remote-access trojan).
An infamous open-source DDoS tool is the Low Orbit Ion Cannon (LOIC), used in the Anonymous DDoS attacks on high-profile victims such as PayPal. (Be reminded that such a tool may only be used for penetration testing of systems you own or have explicit permission to test; using it against anyone else's systems is a criminal offence and can lead to imprisonment!)
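The “distributed” part of the attack described above is what makes it hard to stop: each bot sends only a modest number of requests, so blocking sources that individually exceed a rate limit catches nothing, while the site-wide request rate jumps. The following example, added here and not taken from the article or from any bank's systems, generates constructed Common Log Format access-log lines (ten customers at one request per second, then fifty bots joining at three requests per second each) and compares the two detection views. The IP ranges, the per-source limit and the spike factor are assumptions chosen for the illustration.

```python
"""Per-source vs. site-wide detection of a request flood in web-server access logs.

Added example: all log lines below are constructed inline (RFC 5737 documentation
address ranges); the limits and the 5x-baseline spike factor are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_clf(line):
    """Return (source_ip, timestamp) from one CLF line, or None if the line is malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def make_log(start, legit_ips, bot_ips, seconds=60, legit_rps=1, bot_rps=3, attack_from=30):
    """Constructed traffic: legitimate clients throughout, bots joining at second attack_from."""
    lines = []
    for s in range(seconds):
        ts = (start + timedelta(seconds=s)).strftime(TS_FMT)
        active = [(ip, legit_rps) for ip in legit_ips]
        if s >= attack_from:
            active += [(ip, bot_rps) for ip in bot_ips]
        for ip, rps in active:
            for _ in range(rps):
                lines.append(f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512')
    return lines


def requests_per_second(lines):
    """Bucket the log into one Counter of requests-per-source for each second."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crashing on them
        ip, ts = parsed
        buckets[ts][ip] += 1
    return buckets


def noisy_sources(buckets, per_ip_limit):
    """Per-source view: IPs that exceed per_ip_limit requests in any single second."""
    return sorted({ip for c in buckets.values() for ip, n in c.items() if n > per_ip_limit})


def aggregate_spikes(buckets, baseline_seconds, factor):
    """Site-wide view: seconds whose total request count exceeds factor x the baseline median.

    The baseline median is taken from the first baseline_seconds of the log.
    Returns (list of (timestamp, total) spikes, baseline median).
    """
    ordered = sorted(buckets)
    totals = [sum(buckets[t].values()) for t in ordered]
    base = sorted(totals[:baseline_seconds])
    median = base[len(base) // 2]
    return [(t, n) for t, n in zip(ordered, totals) if n > factor * median], median


def demo():
    """Run both detectors over the constructed log and return their verdicts."""
    start = datetime(2013, 12, 6, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
    legit = [f"203.0.113.{i}" for i in range(1, 11)]   # 10 customers, 1 req/s each
    bots = [f"198.51.100.{i}" for i in range(1, 51)]   # 50 bots, 3 req/s each
    buckets = requests_per_second(make_log(start, legit, bots))
    spikes, baseline = aggregate_spikes(buckets, baseline_seconds=30, factor=5)
    return {
        "per_ip_flagged": noisy_sources(buckets, per_ip_limit=10),  # empty: no bot exceeds 10/s
        "baseline_rps": baseline,                                   # 10
        "spike_seconds": len(spikes),                               # 30 seconds of attack
        "peak_rps": max(sum(c.values()) for c in buckets.values()), # 160
    }


if __name__ == "__main__":
    print(demo())
```

Per-source rate limiting flags nothing, because every bot stays under the limit, while the aggregate view sees the site-wide rate jump from 10 to 160 requests per second for the whole attack window. In practice the baseline should come from a longer history than thirty seconds, and the aggregate signal tells you an attack is underway but not which sources to block; that is why DDoS mitigation relies on upstream capacity and traffic scrubbing rather than on per-IP blocking alone.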
Security is comparable to a seatbelt: most people would not wear one if automobile manufacturers had not voluntarily introduced the precautionary (and very annoying) warning beep from the mid-2000s onwards. This is largely due to its solely preventative nature: it does not create an immediately better experience for the customer, and humans often lack foresight for consequences. We are demonstrably bad at subjectively estimating risk, its possible consequences and the associated probabilities.
One of the biggest risks of DDoS attacks is the potential loss of consumer trust: if you cannot protect your website, how can you be expected to protect my money and/or credit card?
IT therefore needs a voluntary initiative by CIOs, in the form of a seatbelt beeper for management, or rather a risk information service, to help cope with the increasing security threats and their potentially devastating consequences.