The attacks will not necessarily target the companies directly but will go after the back-end support system operators like third-party payment processors where security may be less sophisticated than, say, a JP Morgan Chase or Bank of America.
The stock exchanges have security, said Stiennon, “however, they’re not ready for the kind of DoS attack that could be launched against them. The only question is: Can somebody pull it off and extort enough money to make it worth their while to attack them.
“I believe that in the not too distant future (stock exchanges) will suffer those kind of attacks.”
Attackers will probably use the million-plus bots at their disposal (they can rent the ones they don’t control now) to go after an exchange’s DNS servers, said Stiennon, effectively shutting down the exchange’s ability to conduct business over the Internet. A crippling blow and an attack most organizations would probably pay to stop, said Lyon and Stiennon.
“My gut feeling is, if you’re a manager and you’re in a position where you could make a problem go away and buy yourself enough time to fix a hole, you’re going to pay that,” said Lyon. “The problem is, once you start paying, it gets around in those communities that you will pay and then you become a bigger target.”
That’s why Charlie Johnson, who leads Symantec’s Global Consulting Group, always advises his clients to contact law enforcement instead of caving to the demands of extortionists. Of course, this could be pretty inconvenient and expensive if sensitive databases are encrypted and held hostage—especially given the poor state of cooperation between international law enforcement agencies.
Yet even Johnson, who agrees with Lyon, admits many companies will pay the money just to get their servers back online as fast as possible.
“What we’re still finding is they’re very reluctant to bring law enforcement in to help them with it. … the really smart ones will bring in law enforcement … because, if you don’t shut it down, they’ll keep coming back.”
And therein lies the heart of the problem and a very good indication that most companies pay, said Stiennon. “The way you can tell (if companies pay) is if the attacks continue. I believe, just from conversations with bankers, they would cave in a minute to demands for money to stay up.”