Friday, December 14, 2012

Lessening the Impact of a DDOS Attack


Bank robbery used to be simple. People in masks walked in with guns, real or pretend, and took whatever money was in the local vault. Unfortunately, the first warning anyone got that a robbery was about to happen was when the robbers burst into the bank in ski or comic masks. Today’s “robbers” don’t have to walk in the doors to be effective. They can sit comfortably in their living rooms with their feet propped up and commit crimes that undermine consumer confidence and a financial institution’s reputation in moments.

From a technologist’s standpoint, the DDOS (Distributed Denial of Service) attack is brute force in nature. Its targets are internet-facing servers that accept a certain number of connections and can be overwhelmed when too many arrive; the attack is basic and easy to perform.

There are steps you can proactively take to lessen the impact of a potential attack. These require:

Planning

  • Banks with established incident response teams have a greater opportunity to control the impact of a denial of service attack.
  • Teams should rehearse an attack and the planned response.
  • Teams should have assigned roles and responsibilities with multiple methods of contact.
  • If a bank is a consistent target, perhaps cyber insurance should be considered.

Communication

  • Banks need to decide who will be the liaison with the FBI Cyber Unit, Homeland Security and any other security agencies that manage cyber incidents.
  • A phone tree should be created with the security, legal, compliance, marketing or public relations, and technology individuals who have actionable roles.
  • A plan should be established for communicating with customers by some method other than the public call center numbers.

Active monitoring

  • Internet providers have tools that monitor traffic 24/7. Servers have tools that report the number of connections, whether successful, waiting or failed. Metrics that reflect normal traffic for the time of the month and day should be readily available. There may be occasional outliers but, for the most part, traffic is somewhat predictable. A rise in connections could be an attack beginning. When IT staff see this type of increase in traffic, it should be investigated and preventative measures taken to keep an attack from completely shutting down the bank’s websites.
  • If a bank does not have the type of active monitoring discussed, it should consider using a third party to either a) host its web servers or b) implement monitoring for the bank.
  • Monitoring the web server interfaces will again offer insight into predictable traffic patterns. Outliers should be considered potential signs of an attack.
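
The baseline comparison described above, as an added example that is not part of the original post: connection counts are bucketed by day of month and hour, and a reading is flagged only when it stays above the normal range for that bucket. The thresholds (k, floor, sustain), the function names and all sample counts are assumptions constructed for illustration.

```python
from datetime import datetime
from statistics import median

def slot(ts):
    # Baseline bucket: (day of month, hour of day).
    return (ts.day, ts.hour)

def build_baseline(history):
    # history: (datetime, connection_count) pairs -> {slot: (median, MAD)}
    buckets = {}
    for ts, count in history:
        buckets.setdefault(slot(ts), []).append(count)
    baseline = {}
    for key, counts in buckets.items():
        med = median(counts)
        baseline[key] = (med, median(abs(c - med) for c in counts))
    return baseline

def find_alerts(baseline, samples, k=6.0, floor=0.10, sustain=3):
    # Alert once the count exceeds the slot threshold for `sustain`
    # consecutive samples; a single spike resets without alerting.
    alerts, streak = [], 0
    for ts, count in samples:
        if slot(ts) not in baseline:
            streak = 0  # no history for this slot: cannot judge it
            continue
        med, mad = baseline[slot(ts)]
        threshold = med + max(k * mad, floor * med)
        streak = streak + 1 if count > threshold else 0
        if streak >= sustain:
            alerts.append(ts)
    return alerts

def monthly(day, hour, counts):
    # Constructed history: one reading per month, June to November 2012.
    return [(datetime(2012, m, day, hour), c) for m, c in zip(range(6, 12), counts)]

# Constructed sample data, not real bank traffic.
HISTORY = (monthly(14, 9, [410, 395, 430, 420, 405, 415])
           + monthly(1, 9, [900, 950, 870, 920, 940, 910]))
BASELINE = build_baseline(HISTORY)

def live(day, counts):
    # Constructed live readings every 5 minutes from 09:00 in December 2012.
    return [(datetime(2012, 12, day, 9, 5 * i), c) for i, c in enumerate(counts)]

MID_MONTH = find_alerts(BASELINE, live(14, [420, 470, 440, 600, 900, 1400]))
MONTH_START = find_alerts(BASELINE, live(1, [900, 930, 950, 940, 925, 910]))
print(MID_MONTH, MONTH_START)
```

In the sample data, 900 connections at 09:00 is ordinary on the 1st of the month but well outside the range for the 14th, which is why the baseline has to be kept per time slot rather than as one global number.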

Training

  • Providing employees with training on how to detect an attack will go a long way toward lessening the potential impact.
  • Providing customers with training on ways to recognize potential malware that could launch an attack will also help.
  • Create two-factor authentication requirements and train customers on the need to have separate passwords for their banking environments and other browsing needs.

Successful patching program

  • Although a bank can’t do a lot to avoid zero-day exploits that the security companies have yet to recognize, a number of institutions are lax in their patching processes. Windows servers are no longer the lone targets. Teams can underestimate the hypervisor environment’s potential payload, and with many institutions using virtual environments to lessen the physical server overhead, this is a potential gold mine for Trojans and malware.

If a bank is the target of a DDOS attack, chances are there will be some impact. The steps above are designed to lessen that impact.

Friday, December 7, 2012

Ode to Doug Woods


 
Over the years, I’ve had some interesting work experiences. You can’t work for thirty years without having some great experiences and some – not so great. OR, you could do as I have done – and wonder – is it the situation or is it me? My preference is to think – it’s the situation. I say that rather tongue-in-cheek, as people who know me would understand.

I met Doug Woods after I moved to Jacksonville. I was working as a consultant on an Active Directory project that resulted from a less than glorious audit finding. Doug’s career had traversed the development focus in the banking/mortgage industry. As a consultant, I was only exposed to him in progress meetings.

My first observations were that Doug was quiet spoken and exuded authority. I later found that he was a seasoned professional who asked intelligent questions and quickly got to the point without a lot of rhetoric. Little did I know at the time, there were a lot of changes going on in the department. At the end of the Active Directory project, I would go from being a consultant to being the Director of Operations Infrastructure. That’s when I learned about the man, Doug Woods.

Doug was a cowboy at heart. I don’t just mean someone who rode a horse and wore a cowboy hat and boots. Doug did do those things but he reminded me of the cowboy heroes that could be counted on to always try to do the right thing. Doug grew up in Oklahoma so I am guessing hard work was in his backbone; it definitely seemed to be. I’m not going to try to make Doug out to be an all-seeing, all-knowing super-hero. He was not a saint and he had his faults. If I tried to state otherwise, he would smack me on the back of the head, much like Gibbs in NCIS. I’m sure he could do it, all the way from heaven.

What Doug did do was allow people to work within their strengths. He allowed for the fact that no one person can know everything and not make mistakes. He had a phrase and a tone that I remember to this day, “That’s not good”. While he said that in an even tone, you could feel the disappointment wash over you. It’s not that Doug ever withheld direction from you. He expected you to put forth your best effort and if he suspected you had done less than that, you knew – he knew. I’ll never forget getting a call from him on my way to the office one morning and an invitation to meet him at Starbucks. I’m certain Starbucks lost money when Doug passed away. I didn’t know at the time that a morning invitation to meet at Starbucks was his way of having a conversation that didn’t place you in the formality of being in the CIO’s office. I appreciated his grace and thoughtfulness. I had many Starbucks meetings with Doug over the years we worked together. Some were to discuss problems in the department, some to talk about strategy and focus. Those meetings were when personal details came to light and I learned to appreciate the man Doug Woods was.

At some point in his life, Doug had the wisdom to learn patience. I suspect patience was not in his initial makeup. I know it certainly was not in mine. I had and still have an impatience for people not putting forth their best effort. Doug helped me temper that impatience though and become more understanding. Doug and I shared an empathy for people. We shared a belief that people should be truthful in their dealings and a handshake or an agreement was golden. I’ll admit Doug and I both experienced disappointments when dealings didn’t turn out that way. Doug had been in the business world long enough to believe you hold people, whether they be employees, peers or vendors, to certain standards. He wasn’t blind to people’s shortcomings but was tolerant and gave people the opportunity to make amends. He treated vendors like partners but knew how to get the best possible deal. He was always willing to be a reference for vendors and gave a lot of them opportunities to grow because of his support.

Doug was a gentleman who had a respect for women that I appreciated. Women in technology are a minority and having worked in technology for over twenty-five years, I had been met with prejudice and discrimination on many occasions. Doug asked my opinion and for my expertise in infrastructure many times and appreciated my willingness to tell him when something was outside of my area of expertise.

An open-minded manager, Doug encouraged open conflict in an effort not to stymie the creative process, but also knew when to put the brakes on to keep the discussions from becoming personal. At times, he would cut through the postulating and territorial behavior to find common ground. His expectation was that everyone would work together to find the best possible solution for the business. If anything was his undoing, it was his underestimating the ferocity of people stuck in their ways.

It’s been three years since Doug Woods passed away from cancer. He fought his cancer with a quiet strength that spoke of the way he lived. He is sorely missed.