Key lesson: Traditional DDoS protection, including firewalls and internal intrusion detection,
proved ineffective in repelling the attacks. When systems got socked with abnormal HTTP
traffic, firewalls may have held up to a point but then turned into bottlenecks. Enormous amounts of
bad DNS traffic killed the game. External cyber monitoring platforms may offer a better chance of
success against such attacks.
2. Spear phishing
BAE Systems director of product Paul Henninger revealed how a spear phishing attack technique
was used to steal sensitive data from an unnamed hedge fund in the US. Speaking to CNBC, he
said that there was a slight lag between the issuance and execution of the trade, which
may have provided a competitive advantage in trading to another firm. The unnamed victim lost
millions of dollars.
Key lesson: The loophole here was the lack of employee training against spear phishing attacks.
Financial institutions should make employees wary of unsolicited emails and messages on
social networks. Internal security teams can only do so much to locate threats, so financial
firms should provide adequate employee training against these kinds of cyber threats.
3. Insider threats
A prime example of this attack is the Bank of America employee who leaked customer data to an
identity theft group. The hackers obtained Social Security Numbers, driver’s license numbers,
bank account numbers, addresses, phone numbers, and customer names; the financial loss was
more than $10 million. The group of thieves used the information to modify customer
account information while hiding fake accounts they were creating under the names of victims.
Key lesson: Bank of America didn’t have technology in place to detect the losses over a long
period of time, or processes to identify malicious insiders. Financial institutions should watch for
concerning behaviors to prevent insider threats. Warning signs could include the resignation and
termination of staff members, as malicious insiders strike shortly before departing from the firm.
4. Cyber eavesdropping
Not all data breaches involve massive quantities of customer information stored by financial institutions.
Notably, hackers used a web monitoring tool to eavesdrop on Directors Desk, a Nasdaq
platform for facilitating communications for 10,000 company directors and executives. By
eavesdropping, attackers may have gained access to inside information, which could have been
sold on the black market.
79 Cyber Warnings E-Magazine – July 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide