Buck-passing Banks: did HSBC do enough to stop the DoS attack?

Are our banks doing enough to fend off cyber attacks? Last week HSBC again succumbed to a Denial of Service (DoS) attack that took down its customer banking websites. I say again because the bank suffered a similar problem four years ago and yet little seems to have changed. Yes, the bank was quick to alert its customers and yes the actual impact of the attack was limited, with customer transactions not being affected, but the question remains as to whether the bank has done enough to thwart such attacks.

The financial sector itself hasn’t sat on its hands. Highly publicised cyber attack scenarios such as Waking Shark I and II have been staged to test the resilience of our financial systems to targeted or sustained attacks and to assess how these organisations handle the reporting and crisis response process. This helped inform the development of a standard specific to the banking sector, CBEST, which uses simulated exercises based on the latest cyber threat intelligence to test security posture. It’s not without its critics, however, from those questioning whether the involvement of GCHQ provides an exploitable insight into our financial institutions to those that believe it should have been made compulsory and may even be superseded by the forthcoming EU GDPR.

Of course, we don’t know whether HSBC has applied CBEST testing to its infrastructure and that’s as it should be. Transparency in the security space is not always a good thing. But what we do know is that its services were compromised using a well-known well-documented form of sabotage and that HSBC had the benefit of hindsight.

Back to January 2016 and HSBC spun the story that it had “successfully fought off a DoS attack” with John Hackett, UK COO for HSBC, quick to reassure customers they could still use the bank’s services by going to their local branch or resorting to telephone banking. That’s a tick in the box for customer relations. But the technical reassurances weren’t so fast in coming. The attack happened in morning but by mid afternoon Internet and mobile services were only “partially recovered”. Many press reports seemed to conveniently cite research from a security supplier that DoS attacks have become more powerful over the past decade, with some botnets able to launch attacks at up to 500Gbps, the implication being that most businesses would not be able to withstand such an attack.

We don’t know the scale of the attack launched against HSBC but it seems to me this repeat attack could place the bank on thin ice with its customers who want technical assurances. Yes, DoS attacks can be colossal but there are ways for organisations to proactively mitigate this threat. The 2012 attack was attributed to Islamic hacktivists by the press and if this is the case, social media monitoring, focused threat assessments, and real time monitoring via a security operations center (SOC) would have significantly reduced the odds of a successful attack. Banks have to do more to demonstrate they have done everything in their power to maintain BAU and that means adopting a more vigilant proactive form of threat assessment.

Jamal Elmellas

Jamal Elmellas is Technical Director at Auriga Consulting Ltd where he manages and oversees the technical administration of complex projects, and business strategy, assisting the implementation team with all aspects of security architecture. Previously Director of Data Barrier Ltd, a company that was instrumental in the deployment of a PAN Government Cloud solution in the UK, Jamal joined Auriga as a direct result of the company’s acquisition in 2011.