Government warning issued regarding Internet attacks on U.S. stock markets and financial institutions raises the question: Are such attacks plausible?

The U.S. cybersecurity industry was alerted to the threat of an Al Qaeda cyber-attack on both banking and U.S. stock market internet sites, to occur in the month of December. The threat was largely downplayed by the industry as well as by Homeland Security Department spokesperson Russ Knocke, who ranked it as "...a routine matter and out of abundance of caution…". Spokespersons for the NYSE and Nasdaq have not commented on the threat.

The question again arises: how do we discern credible from non-credible threats, and is such an attack even plausible against an industry considered to have an extremely well fortified communications architecture? Before that question can be answered, a brief overview of this communications infrastructure is warranted.

Post 9/11, a technology subsidiary of the NYSE and American Stock Exchange formed SFTI (Secure Financial Transactions Infrastructure). The impetus for the formation of SFTI was the collapse of the World Trade Center, which severed connections between firms on Wall Street and their respective data centers. SFTI affords the entire securities industry a resilient and reliable infrastructure, serving as a central access facility not only for trading systems but also for clearing and settlement systems, market data distribution and core industry utilities. This is achieved via physically diverse, highly redundant, high-bandwidth networks with multiple access points; in other words, the infrastructure has no single point of failure. Additionally, extensive filtering and "policers" (with rate limiters) inherent in the system impede DoS (Denial of Service) attacks. A DoS attack floods a particular system with data packets that consume the resources intended for legitimate users of a particular service. While SFTI certainly could defend against such an attack in the short term, it is extremely difficult to ward off a dedicated and sustained DDoS (Distributed Denial of Service) attack, which involves large numbers of coordinated attack agents.
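To make the "policer with rate limiter" idea concrete, here is an added example of a per-source token-bucket policer run over a constructed packet trace. It is illustrative code written for this page, not SFTI's or any vendor's implementation; the class and function names, the rate and burst values, and the traffic trace (documentation-range addresses, one well-behaved client, one single-host flooder, and one low-rate distributed swarm) are all assumptions. It also shows the limitation the paragraph above points at: a single flooder is capped almost entirely, while a distributed set of sources that each stay under the per-source rate passes untouched.

```python
from collections import defaultdict

PACKET_COST = 1000  # one packet costs 1000 "millitokens"; integer math keeps the results exact


class TokenBucketPolicer:
    """Per-source token bucket (a simple policer).

    Each source earns `rate_pps` packets per second of credit and may bank up to
    `burst` packets of it. A packet that arrives when the credit is exhausted is
    dropped, so a flooding source is capped while a well-behaved one is untouched.
    (Hypothetical class written for this example.)
    """

    def __init__(self, rate_pps, burst):
        # rate_pps packets per second is exactly rate_pps millitokens per millisecond
        self.fill_per_ms = rate_pps
        self.capacity = burst * PACKET_COST
        self.tokens = {}       # src -> current credit in millitokens
        self.last_seen = {}    # src -> timestamp (ms) of the last refill
        self.accepted = defaultdict(int)
        self.dropped = defaultdict(int)

    def allow(self, src, t_ms):
        """Refill the bucket for `src` up to time `t_ms`, then try to charge one packet."""
        if src not in self.tokens:
            self.tokens[src] = self.capacity
            self.last_seen[src] = t_ms
        elapsed = t_ms - self.last_seen[src]
        self.tokens[src] = min(self.capacity, self.tokens[src] + elapsed * self.fill_per_ms)
        self.last_seen[src] = t_ms
        if self.tokens[src] >= PACKET_COST:
            self.tokens[src] -= PACKET_COST
            self.accepted[src] += 1
            return True
        self.dropped[src] += 1
        return False


def police(packets, rate_pps=10, burst=5):
    """Run a trace of (t_ms, src) tuples through the policer.

    Returns {src: (accepted, dropped)} so the result can be inspected per source.
    """
    policer = TokenBucketPolicer(rate_pps, burst)
    for t_ms, src in sorted(packets):
        policer.allow(src, t_ms)
    return {src: (policer.accepted[src], policer.dropped[src])
            for src in sorted({src for _, src in packets})}


def flagged_sources(stats, drop_ratio=0.5):
    """Sources whose traffic was mostly policed away: candidates for a filter rule or an alert."""
    return [src for src, (acc, drop) in stats.items()
            if drop / (acc + drop) >= drop_ratio]


def sample_trace():
    """Constructed traffic (not a real capture): one client at 2 pps for 10 s and
    one flooder at 1000 pps for 1 s. Addresses are documentation-range placeholders."""
    legit = [(i * 500, "198.51.100.7") for i in range(20)]
    flood = [(i, "203.0.113.42") for i in range(1000)]
    return legit + flood


def distributed_trace(n_bots=1000):
    """Constructed DDoS-style traffic: n_bots hosts, each sending only 5 pps for 10 s,
    so every single source stays under the per-source limit. Addresses are placeholders."""
    return [(i * 200, f"10.0.{n // 256}.{n % 256}")
            for n in range(n_bots) for i in range(50)]


if __name__ == "__main__":
    stats = police(sample_trace())
    for src, (acc, drop) in stats.items():
        print(f"{src}: accepted={acc} dropped={drop}")
    print("flagged:", flagged_sources(stats))

    swarm = police(distributed_trace())
    print("distributed swarm accepted:", sum(a for a, _ in swarm.values()),
          "dropped:", sum(d for _, d in swarm.values()),
          "flagged:", flagged_sources(swarm))
```

With a limit of 10 packets per second and a burst of 5, the 2 pps client loses nothing, the single 1000 pps flooder gets through with only 14 of its 1000 packets and is flagged, but the 1000-host swarm delivers all 50,000 packets and flags nobody. Aggregate load, not per-source rate, is what the distributed case exhausts, which is why per-source policing alone does not settle the sustained DDoS question raised above.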

Could al Qaeda achieve such a sustained attack? It could be achieved utilizing botnets. Through various means, attackers can harvest hundreds or thousands of zombie machines. This certainly isn't new. The Blaster worm compromised hundreds of thousands of computers, enabling a coordinated attack of massive scale on any system (although the intended target was Microsoft, the attempt was thwarted). There is scant information regarding such attacks on financial services firms, yet in March of 2000 the World Bank revealed "Denial-of-Service attacks that caused major disruption of trading on the NASDAQ." Since it is estimated that there are at least a million computers in some compromised state linked to the internet, and given that the largest botnet found to date was around 120,000 machines, it stands to reason that renting access to only a 10,000-strong botnet could inflict serious damage on, or completely take down, a bank or brokerage house. Since CERT has shown that 50,000-node botnets do exist, the theory that there are many smaller botnets for rent out there is not far-fetched.

The economic impact of DoS attacks on financial firms can be severe, not only because of the inherent time-sensitive nature of the transactions that are disrupted, but also because of the immeasurable erosion of confidence in the banking and financial sector that would certainly result from such attacks. As a result, we cannot afford to become complacent.

© 2006 Netwatch, Inc.