Should corporate treasuries be worried by the recent rash of cyber attacks that hackers sprung on leading U.S. financial institutions throughout September and October? According to treasury security experts, the answer is a qualified “yes.”
The distributed denial of service (DDOS) attacks on the Web sites of Bank of America, BB&T, Capital One, JPMorgan Chase, SunTrust Banks, U.S. Bancorp and Wells Fargo “were more disruptive for retail clients rather than corporate clients,” says Paul LaRock, a principal at consultancy Treasury Strategies.
U.S. Bancorp, the only bank willing to share its DDOS experience, saw its online performance degrade on Sept. 26 as hackers flooded the bank’s Web site with extraneous server requests.
“We were never completely down the day of the incident, but we did have some slow performance at times,” says Tom Joyce, senior vice president of corporate and public relations at U.S. Bancorp. “We assured retail clients, and to the extent any of our business clients who were having issues, that all data and funds were secure and that this was a high-volume attack designed to inconvenience customers more than anything.”
Of all of the different types of cyber attacks, DDOS attacks are the equivalent of a blunt club. They typically involve hackers using a series of virus-infected computers, known as “bots,” to send a large number of server or network requests to the targeted Web site in hopes of overwhelming it and preventing other systems from accessing it.
These attacks usually last only a few hours since targeted organizations can use readily accessible tools to identify suspicious message traffic and route it away, LaRock explains. Most corporate treasuries should be able to survive a connectivity disruption with their bank lasting that long, he adds.
However, if the DDOS attacks on banks begin to mirror the lengthy attacks experienced by the Estonian government, banks and media outlets in April 2007, the industry should worry.
“Those DDOS attacks involved a complex strategy that used spam, phishing and viruses, and lasted several days,” LaRock says. “These current attacks so far don’t appear to be on the scale or capabilities of an intelligence agency of an industrialized nation. Looking at the resources involved, I think these are being done by an informal group of people.”
Treasuries should take the DDOS attacks on banks as a cue to update their disaster recovery plans to include a scenario in which they are unable to connect to their banks over the Internet, LaRock urges. “But most firms don’t have plans in place.”
LaRock suggests both a high-tech and a low-tech approach that would let treasuries work around connectivity outages caused by DDOS attacks. Companies could transact business with their banks over a secure private network like the one run by bank messaging cooperative SWIFT. They could also develop and implement manual treasury processes to use during a connectivity outage.
Both strategies provide a workaround for DDOS-based outages, but each has its issues.
“Using the SWIFT network, treasury departments can access their balances and initiate transfers and almost any other process,” LaRock says. “However, some tools like anti-fraud PositivePay and Payee PositivePay are not accessible over the SWIFT network.”
On the other hand, developing an internal manual process just involves a pencil and a piece of paper. “It will be time consuming and would not be suitable for running a treasury department for an extended period,” he says. “Yet it should work for a few hours or a few days.”