There has been a cease-fire of sorts on the DDoS attacks that have been harassing the banking industry since last fall. But that doesn’t mean we can let our guard down, not in the banking industry, not in any industry. In fact, they might be getting more sophisticated. Avivah Litan, an analyst at Gartner Research, expects that one in four DDoS attacks will be application based, which means these will be targeted attacks. According to CSO magazine:
Gartner said hackers send out targeted commands which put strain on the central processing unit (CPU) and make the application unavailable.
The point of a DDoS attack is to take down a computer network and make it temporarily unavailable to users. According to Litan, the application-based attacks have taken DDoS attacks to a whole new level, ramping up the amount of network traffic and crashing the system.
Another very disturbing aspect to these attacks is the way they use social engineering to trick users. The bad guys are posing as law enforcement or banking officials (since most of these attacks have targeted the banking industry). Gartner’s recommendation to protect against the attacks is to deploy a layered approach with fraud prevention and identity-proofing techniques:
In particular, fraud prevention systems that provide user or account behavioral profiling and entity link analysis are useful in these cases. Call center call analytics and fraud prevention software can be deployed to help catch fraudsters committing crimes via social engineering or by using stolen identities. Customers should also be educated on best security practices to help them avoid phishing attacks and social engineering ploys.
I’m seeing a trend here.
As the bad guys continue to generate new ways to attack, we are left to our old ways of defense. I know security companies are always developing new technologies to combat DDoS attacks, malware, and other security concerns, but it seems like we are constantly falling back to the same old recommendations – have the right security layers in place and education, education, education. I do like that Gartner takes education past the employee level to the customers, but at what point should we start expecting customers to be more aware of social engineering techniques or how to be safe online? Aren’t they getting that message from the workplace education? I don’t disagree with what Gartner put out there as recommendations; however, at what point do we say that what we’ve been doing isn’t working so great and we need another new tactic?