Reactions to the HSBC DDoS attack

Last week HSBC’s online banking website was taken down by a DDoS attack, leaving thousands of customers unable to access its services.

Here are some of the comments Help Net Security received.

Justin Harvey, CSO at Fidelis Cybersecurity

HSBC has done the right thing by announcing to customers that it has been targeted by a DDoS attack, it’s just unfortunate that the attack has happened on a date that will disrupt so many users of the online service. Spreading awareness about these types of attacks and reporting them to the authorities is the best way for data to be gathered on an attack which can help track down the culprits and bring cybercriminals to justice.

While any organisation can be targeted with a DDoS attack, there are some guidelines that can be followed to mitigate the impact. Strong external network-facing access control lists (ACLs) should be instituted to keep out-of-profile traffic off services, robust monitoring should be put in place to identify these types of attacks in their early stages, and high-risk organisations should oversubscribe their network bandwidth to better absorb the brunt of inbound DDoS attacks. The upstream ISP should also be notified to place mitigations on their connected devices to protect networks.
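The "robust monitoring" guideline above, worked as a small rate monitor over web access logs: it buckets requests into fixed windows and flags both individual sources and whole windows whose request counts are out of profile. This is an added example, not code from Help Net Security, Fidelis or HSBC; the log lines, IP addresses, date and thresholds are constructed or assumed, and any real deployment would tune the thresholds to its own traffic baseline.

```python
"""Early-warning monitor for out-of-profile request rates (added example).
Log format, sample IPs, date and thresholds are constructed/assumed."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches a minimal combined-log-style line: ip [timestamp] "METHOD path ..." status
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Parse one access-log line into (ip, timestamp, path, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)


def detect_floods(lines, window_s=10, per_ip_limit=15, total_limit=40):
    """Count requests per (window, source) and per window; return the sources
    and windows that exceed the assumed thresholds, sorted for stable output."""
    per_ip, per_window = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it, never let the monitor crash
        ip, ts, _path, _status = rec
        bucket = int(ts.timestamp()) // window_s  # fixed window id
        per_ip[(bucket, ip)] += 1
        per_window[bucket] += 1
    noisy = sorted({ip for (_b, ip), n in per_ip.items() if n > per_ip_limit})
    flooded = sorted(b for b, n in per_window.items() if n > total_limit)
    return noisy, flooded


def fmt(ip, t, path, status):
    """Render a constructed log line in the format LINE_RE expects (UTC)."""
    return f'{ip} [{t.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "GET {path} HTTP/1.1" {status}'


def constructed_log():
    """Constructed sample: three ordinary clients plus two sources hammering /login."""
    base = datetime(2016, 1, 29, 8, 0, 0)  # illustrative date, not from the article
    lines = []
    for i, ip in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
        for k in range(3):  # three requests each, spread over the first 20 seconds
            lines.append(fmt(ip, base + timedelta(seconds=i * 7 + k), "/accounts", 200))
    for ip in ["198.51.100.9", "203.0.113.4"]:
        for k in range(25):  # 25 requests each inside a five-second burst
            lines.append(fmt(ip, base + timedelta(seconds=k % 5), "/login", 503))
    return lines
```

Running `detect_floods(constructed_log())` returns the two bursting sources and the single ten-second window they saturate, while the three ordinary clients stay below both thresholds.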

Ross Brewer, VP and Managing Director for international markets at LogRhythm

Banks are prime targets for cybercriminals, so it’s no surprise that HSBC has been on the receiving end of the latest high-profile attack. Defending from today’s attacks can be a challenge for banks – primarily because of their sheer size and siloed nature. It’s therefore refreshing to hear of an attack that was apparently successfully thwarted before any long-term damage was done. While the timing is inconvenient for a large number of customers, what’s important is that customer transactions have been unaffected and hackers have, according to HSBC, been unable to access any customer data.

This attack highlights how vulnerable the banking and critical national infrastructure industries are to today’s attacks. In this case, the damage appears to have been mitigated – although details are still being revealed – however this isn’t always the case.

It only takes one hacker to make its way onto the network unnoticed for there to be significant and serious repercussions. By taking an intelligent approach and monitoring the networks at all times for unusual activity, including a DDoS attack like this, banks and large organisations can identify and neutralise threats straightaway – making sure they are always in damage limitation mode.

Mark James, Security Specialist at ESET

DDoS attacks, regardless of motive, are never good for any organisation; whether they are driven purely as a means to cause downtime, force the owner to pay extortion fees or as a cover for malware activity, it quite often mostly affects us the users the most. HSBC have stated that “HSBC UK internet banking was attacked this morning. We successfully defended our systems.”

But what’s the real damage caused? Just stopping people accessing their systems seems pointless unless it’s driven from a competitor (extremely unlikely), making a vocal statement about what they do or don’t do from a moral standpoint (not this case), so maybe it’s a cover to test, damage or control their online systems. At this stage it’s only hearsay or rumour and I am sure we will find out sooner or later; either way the bank will take a PR hit from this.

In this day of technology, convenience speed is of the essence, when we want to do something nowadays we expect it to happen now, not later or tomorrow. If you’re inconvenienced by not being able to access your bank accounts (more than once for HSBC) then its users may vote with their feet rather than be understanding and stay with them.

As in all situations like this please be mindful of the after effects, nothing may happen but just be a little bit more cautious when opening emails or taking calls from people claiming to be associated with your financial organisations. Remember NO bank will take offence if you want to double check things by calling back or verifying who they actually are, it’s a few minutes of your time that may save you hundreds or even thousands of pounds and definitely make sure you have good regularly updating internet security software installed on your computer or mobile device.