Should financial institutions fear a cyber attack?

According to Reuters, financial firms have been warned about the possibility of al Qaeda cyber attacks. CNN did a short blurb to chime in. And the SANS Internet Storm Center stated it this way: US DHS banking alert.

And I quote Johannes Ullrich (SANS): "My short take on it: Make sure you follow best practices and keep your guard up. Its probably not going to be Al Qaeda, but someone will probe your defense tomorrow as they did today. And whatever helps against them will help if Al Qaeda should launch a cyber attack after all."

So, let’s think about the how of it. Let’s pretend that al Qaeda or any other terrorist group has trained up some geeks and they decide to take down all the major financial websites in the United States. How could terrorists accomplish this?

DDoS – Distributed Denial of Service attacks is one way it can be done. (US-CERT does a good job of describing these types of attacks here). And maybe 5-8 years ago this was a possibility, but I don’t think it’s possible to do a large scale DDoS attack any more.

Check out Cisco’s informational page on the topic. Better yet, read this whitepaper entitled “Distributed Denial of Service Attacks: Risks, Mitigation and Best Practices”. Today’s routers, switches, firewalls, and intrusion prevention systems have automatic defense mechanisms against DDoS attacks. Not to say that every major ISP has done everything right, but let’s assume they have done most things right in structuring a layered defense against these types of attacks.

For instance, web servers themselves can limit the number of connections. Intrusion Prevention systems and routers can drop the offending packets before they ever reach their intended target. I am over simplifying this, but my point is that I just don’t think the terrorists can launch a global DDoS attack as successfully as some fear. I think Johannes is right. There are probably a lot more insidious ways to hurt America than flinging muddy packets through cyber space.