Threat of the Week: May 7, Ready or Not
You remember Project Blitzkrieg, don’t you?
Probably you don’t, actually, and that is because the late 2012 cyber-attack – said to be the brainchild of Russian criminals who intended to cripple and loot the top 30 U.S. banks – amounted to a whole lot of bluffing. If it happened at all, nobody much noticed.
That is the thought to ponder as you contemplate what may or may not happen on May 7, the day of a supposedly huge DDoS attack that will be aimed at banks and others, according to a press release posted by the hacker group Anonymous on the Internet bulletin board Pastebin.
The language is obscene, the argument is unstructured, but it seems to say that come May 7 a DDoS attack will be unleashed that will bring the United States to its knees.
But note that deep down in the commentary is this line: “And to the American people we suggest switching your bank accounts from a big bank to a local union.”
Is that an endorsement of the credit union movement? Impossible to say.
Just as it is impossible to say if anything at all will occur on May 7. “These are not people who operate in a framework of rules. They do not have to act on their announcements,” said David Britton, a DDoS expert with 41st Parameter, a Scottsdale, Ariz., security company.
Exactly what Anonymous will do is unknown. But there nonetheless are facts that are known.
A first is this: DDoS has been a plague on the nation’s biggest banks, along with a few credit unions, for some months, but “the primary impact has been down time. This has not disrupted our society in any meaningful way,” said Hugh Smallwood, chief technology officer at Maryland CUSO Ongoing Operations.
Besides, noted Britton, “DDoS attacks are so widespread, every organization has been impacted. I’m not sure it has a stigma to have suffered an attack.”
By now, just about every money center bank has been knocked offline by DDoS for at least a few hours, and if the giants fall, the message is that nobody is safe, so there is no shame in a DDoS outage.
Another fact: for credit unions that have not yet put in place plans for responding to a DDoS attack, know that it is too late to do much to mitigate any attacks that might come on May 7.
What can be done, however, is “work with your ISP and Web host to see what mitigation help they can provide,” said Ken Otsuka, a risk specialist with CUNA Mutual in Wisconsin.
He also stressed taking steps to ensure that member data stay safe throughout a DDoS attack (there have been reports that sometimes, although uncommonly, DDoS is used as a diversion as fraud is committed).
Note, too, that credit unions with no, or sparsely used, online banking need do nothing. Present-day DDoS is aimed at paralyzing the online portal, period. And it usually does nothing at all to the mobile banking channel which, in most cases, will be fully functional throughout a DDoS attack – a point that may interest members who want to perform digital transactions as an attack transpires.
Then there is the biggest question: what to do after May 7, assuming there are in fact widespread outages in the U.S.? Pressure may grow for many credit unions to have in place at least bare-bones defenses. “I think most bigger than $500 million in assets will decide they need protection,” said Smallwood.
He stressed that he was not suggesting that even those credit unions need the capability to deflect the high-volume attacks that have lately been thrown at money center banks by al Qassam, a hacker group usually said to be allied with the government of Iran. Those attacks are massive, and even top 10 banks struggle to assemble the resources to ward them off.
But those $500 million and bigger credit unions had better get ready to ward off lower-grade DDoS because a 2013 reality is that garden-variety DDoS is becoming a fact of life.
The more press coverage there is, the more every cyber miscreant will decide to throw a little DDoS at whatever institution annoys him or her in the moment, and that means protections probably will indeed be needed.
The good news: many vendors – including Smallwood’s Ongoing Operations – are scrambling to put together affordable DDoS packages.
At what cost? Ongoing Operations’ solution, which Smallwood said is now in pilot, will probably cost in the $1,000 to $4,000 per month range.
What about smaller credit unions, for which those amounts may seem staggeringly large? “Some credit unions will decide to do nothing about DDoS,” said Smallwood. “They will decide it is OK to go offline for a few hours and wait it out.”
Exactly that happens, frequently, in summer thunderstorms in much of the country – and nobody gets too agitated when the power goes out for an hour here and there.
The same may become our response to DDoS.
Either way, we will know more – about DDoS threats and how we respond – come Tuesday, May 7.