TA1 – HUMAN FACTORS, THREATS, CULTURE LIABILITY
Team E: Kimberly Christos, Cory Hammock, and Randy Rose
CSEC620, Human Aspects in Cybersecurity: Ethics, Legal Issues, and Psychology
Section 9021, Professor Sung “Peter” Choi
June 2014
Contents
1. Introduction
2. JP Morgan Chase
3. Bank of America
4. Wells Fargo
5. The Attack
6. Izz ad-Din al-Qassam Cyber Fighters
7. Regulation Requirements and Possible Liability
8. Responsive Measures
9. Summary and Conclusion
References
1. Introduction
It is a common belief that a Denial of Service (DoS) attack is nothing more than an
annoyance or inconvenience for businesses and the customers unable to connect to websites
under attack. Indeed, many organizations targeted for DoS attacks, particularly financial
institutions, want the general public to think just that. In truth, DoS attacks can have much more
serious and lasting ramifications, including significant loss of revenue, loss of customer trust or
confidence, and loss of data confidentiality. In short, a DoS is a network-based attack that targets
availability. In other words, a DoS makes computer or network resources unavailable to their
intended users. A successful DoS prevents legitimate traffic through a network or access to
particular end resources, such as data stored on a particular server, services provided by a web
application, or network services provided by a router. A traffic bottleneck caused by a DoS can
result in a high number of dropped packets, which often looks like a network timeout to users. A
lot of dropped packets results in a decreased quality of service (QoS) and potential connection
failure (DARPA, 2004).
A standard DoS attack typically involves one computer and one internet connection used
to flood a targeted resource with packets, such as TCP SYN or ACK packets (Park, n.d.). Unlike
a standard DoS, a Distributed Denial of Service (DDoS) attack uses multiple computers
connected over many Internet connections, often distributed globally in a robot network, or
botnet, configuration. Botnets are “networks of malware-infected machines that are controlled by
an adversary” (Stone-Gross, et. al., 2009, p. 1) and are used to perpetuate a number of malicious
attacks over the Internet, not limited to attacks on availability. DDoS attacks have rapidly grown
to be the preferred attack method for disrupting services on a very large scale. Not only do they
disrupt services for online users, but they can have negative effects on the stability of a nation,
institution, or commercial enterprise (Huu, 2003).
DDoS attacks are often used by hacktivists, attackers with a political motivation who are intent on
raising awareness about a particular political issue or gaining attention for their cause by way of
cyber civil disobedience. For example, from the fall of 2012 to the summer of 2013, several
major financial institutions including JP Morgan Chase, Bank of America, Wells Fargo, and
more, experienced multiple DDoS attacks by a group identifying themselves as Izz ad-Din al-
Qassam Cyber Fighters, a hacktivist group from Tehran, Iran. This group of attackers claimed
that their actions were a demonstration against U.S. financial institutions as a result of an anti-
Islamic video on YouTube. They contended the attacks would only stop when the video was
removed from the Internet. This paper examines these attacks, their effects, and whether there
was more to the story than a demonstration against an Internet video.
2. JP Morgan Chase
JP Morgan Chase and Company (Chase) has a simple motive: to be the industry leader in
customer service. Of course, that could be said of any business and Chase leadership realizes as
much. Chase sets the bar high, enlisting a set of values and principles that include performing to
the highest standards, improving employees’ association with clients, promoting employee
ethics, and ensuring that employees treat others – both colleagues and clients – with respect (JP
Morgan Chase and Company, 2014). Additionally, Chase published a list of principles to which
they adhere in an effort to become a global financial service leader. Of the 16 principles listed,
the following three apply directly to cyber or information security standards:
1. Innovate, test and learn;
2. Create powerful brands that carry a commitment of quality and integrity; and
3. Maintain a strong system of internal governance and controls (JP Morgan, 1993).
Information security is often defined and understood in terms of confidentiality, integrity,
and availability. On September 19, 2012, Chase’s websites were completely down for several
hours due to a wide-ranging DDoS attack, completely removing business and client availability. In
other words, this attack took a crucial element of the CIA triad away from users.
The attackers targeted various cloud-computing services and infected them with
novel malware called “itsoknoproblembro,” which is capable of turning servers into wide-range
botnets, known specifically in this case as bRobots (Huff, 2013). The DDoS attack flooded JP
Morgan and Chase’s web servers, consuming more bandwidth than the network could manage,
which prevented the servers from effectively processing legitimate data (Erickson, 2008). Little
is known publicly about how multiple DDoS attacks affected Chase’s internal networks, as
private industry administrators rarely disclose exploited vulnerabilities. However, what has been
discovered about the attackers and their attack methods is discussed below.
3. Bank of America
Bank of America originated in San Francisco, California in 1904. Its founder, Amedeo
Giannini, originally named it the Bank of Italy, but, in 1929, the institution was renamed Bank of
America. The mission of the institution is a focused marketing plan to reach low and moderate
income families and individuals in communities largely underserved by other financial
institutions.
Dating at least as far back as September 2012 and continuing through the summer of
2013, and again in January of 2014, Bank of America was also targeted with DDoS attacks
reportedly from the same attackers as Chase’s. “We’re aware of the
issue and are addressing,” Mark Pipitone, a Bank of America spokesman, said in a statement.
“We’re also working closely with our customers to help alleviate any concerns” (Perlroth, 2013).
With regulators pressuring the organization to make their mitigation efforts public, Bank of
America had no choice but to implement security to protect its clients, employees, and
customers.
4. Wells Fargo
Wells Fargo has a mission similar to other banks: “We want to satisfy all our
customers’ financial needs and help them succeed financially” (Wells Fargo, n.d.). Expounding
on that notion, the organization says, "We believe our customers can save more time and money
if — after carefully shopping around and comparing choices — they bring all their financial
services to one trusted provider" (Browdie, 2013). Maintaining that trust after a cyber-attack,
especially a multi-faceted, multi-year one, is the crux of the dilemma now facing businesses
everywhere.
The principal difference between Wells Fargo and the two aforementioned banks is that
Wells Fargo was transparent about being the victim of a DDoS attack. They notified their
customers about the attack and advised those who could not log on to try again, as the website was
experiencing intermittent slowdowns due to a DDoS attack. “The vast majority of customers are
not impacted and customer information remains safe,” said Bridget Braxton, a spokeswoman for
the bank. Wells Fargo said it had not experienced any “material losses” related to cyber-attacks
but that enhancing its protections remained a priority (CNBC, 2013).
5. The Attack
According to CloudStrike, the initial investigative security firm, the attackers used
thousands of high-powered application servers and directed the mass flooding of traffic at Bank
of America and Chase’s Web servers (Goldman, 2012). Additionally, Keynote’s Web
performance manager expressed that, in all attacks against Chase financial institution’s website,
performance did not degrade as it does in usual DDoS attacks; rather, the site was suddenly hit very hard
and very fast (Kitten, 2013).
The only threat actor claiming responsibility for the attack was an organization known as
the Izz ad-Din al-Qassam Cyber Fighters, discussed in more detail in the following section. The group
was responsible for a wide distributed denial of service (DDoS) attack against several U.S.
financial institutions allegedly as a result of anti-Islamic videos posted on YouTube (Huff,
2013). In a campaign dubbed Operation Ababil, the al-Qassam Cyber Fighters targeted JP Morgan and Chase
Company, Bank of America, and Wells Fargo from September 2012 through October 2012.
Chase and Wells Fargo did acknowledge that a cyber-attack occurred because several users used
social media to report a lack of available access. However, none of the banking powerhouses
mention the attack on their public websites.
The first cyber-attack that affected Chase Bank in September 2012 lasted approximately
six hours (though mobile applications were reported to function throughout the entire attack)
(Goldman, 2012). It represents the first known use of the bRobot malware, “itsoknoproblembro”,
to target financial institutions and one of the earliest uses of this novel botnet malware. The
malware uses a rather “sophisticated two-tier combination of compromised commercial servers,
and as a result can generate a higher bandwidth attack from a smaller number of hosts”
(Dissection of ‘itsoknoproblembro,’ the DDos tool that shook the banking world, 2013). The
malware targets known software vulnerabilities in web applications, specifically web content
managers, such as GoDaddy, WordPress, or Joomla. It relies on maliciously coded PHP and
other web coded scripts to take over a host and allow an attacker to have a command window with
high level access to the infected host. From there, the attacker can run “multiple high-bandwidth
attack types simultaneously” (2013). Most DDoS attacks work because the services and
applications targeted exist outside of the boundary protection devices. In other words, the
Internet is the wild and the devices that are out in the wild do not receive the same protections as
those within the protected enclaves of internal networks.
6. Izz ad-Din al-Qassam Cyber Fighters
Openly claiming responsibility, Izz ad-Din al-Qassam Cyber Fighters (QCF) declared
the attacks were a demonstration of outrage over the anti-Muslim YouTube video, The Innocence
of Muslims, released on September 11, 2012 (Huff, 2013). Google, the owner of YouTube, was
court-ordered to censor the video. In addition to the attacks against banks, the video led to the
death of a U.S. Ambassador and three other Americans, and over 15 other people killed during
various protests of the film. The director, Kaboula Basseley Kaboula, and lead actor Cindy Lee
Garcia, have received death threats from around the world regarding the video (Flock, 2012).
QCF, whose name is derived from that of a historic Islamic Imam, launched multiple DDoS attacks
against at least 26 American financial organizations. The cyber-attacks, dubbed Phase 2
Operation Ababil, began on September 12, 2012 and are currently ongoing with no expected
end date. Although it denies public accusations, QCF is suspected to be an operational cyber-attack unit
out of the Islamic Republic of Iran, specifically embedded within the Quds Force of the
Revolutionary Guard (Flock, 2012; Holden, 2013).
The year 2012 marked a peak height in Western sanctions against Iran (Obama, 2013).
Standard Chartered Bank was accused of hiding financial transactions with Iran and Senator Joe
Lieberman announced publicly that financial cyber-attacks occurring in 2012 originated out of
Iran (Holden, 2013). Iran, however, may not have been the only state-sponsored actor. Traces of
the injected malware used, itsoknoproblembro, were discovered in Palestine, Saudi Arabia, and
Lebanon suggesting that proxy devices may have been used.
It is assessed that the attacks from QCF were strategically convenient: they demanded that a
private company, Google, remove a video, an act the federal government has no control over.
Additionally, most of the 26 financial institutions have no direct ties or investments with Google
(YouTube) or the video whose removal was demanded. Expanding this proxy network, QCF openly
revealed their plans to aid Anonymous’ Operation USA campaign last year. Adding another
layer of complexity, the Iranian Cyber Army and Iranian based Parestoo are suspected of aiding
the development of QCF’s malicious botnet, bRobot (Herberger, 2013).
American Intelligence officials stated they believe the Iranian government was behind the
attacks, indicating possible retaliation for the Stuxnet virus the United States used to target
centrifuges in nuclear facilities in Iran in 2010, slowly rendering them useless (Huff, 2013). U.S.
Senator Joseph Lieberman (I-Conn.), chairman of the Homeland Security and Governmental
Affairs Committee, stated, “I think this was done by Iran and the Quds Force.” U.S. Intelligence
and other officials also believe the attacks might be retaliation for Western economic sanctions
designed to force Iran to end its nuclear program. The Washington Free Beacon reported “…the
intelligence arm of the Joint Chiefs of Staff said in an analysis Sept. 14, 2012, that the cyber-
attacks on financial institutions are part of a larger covert war being carried out by Tehran”
(Nakashima, 2012).
The al-Qassam attacks used malware to attack major servers in cloud computing services
to create “bRobots,” a name dubbed by researchers. These bRobots gave the attackers the
firepower to take down the financial institutions’ websites (Huff, 2013). Whoever the threat actor
and for whatever the reason, it is quite clear financial institutions require security measures to
protect their employees and members from loss.
7. Regulation Requirements and Possible Liability
Federal Financial Institutions Examination Council (FFIEC) regulators issued two
statements in one week for banks to better secure their systems and data. One statement
described steps to take concerning DDoS type attacks, while the other statement warned banks to
watch for large amounts of cash withdrawals from ATMs, larger than the limits the bank already
has set. Criminals have organized a complex system for hacking banks that nets the attackers
millions, usually in four hours to two days.
According to FFIEC, the attack known as “Unlimited Operations” begins with phishing
emails to bank employees loaded with malicious software designed to steal login credentials.
Once in the system, the attackers steal account information and personal identification numbers
(PINs). The attackers then create fake debit or ATM cards using the data in order to withdraw
funds. Attacks on European banks were so well orchestrated that while employees rushed to
fight the DDoS attack, hackers withdrew $9 million within two hours from ATMs in 46 cities,
according to Francis de Souza, president of products and services for Symantec Corp.
Symantec’s investigations into the DDoS attacks revealed the two-way attacks were fast, cheap
ways to rob a bank. The biggest problem is everyone is focused on the denial of service and not
watching out for the real threat of the robbery.
A spokesperson for the Office of the Comptroller of the Currency (OCC) said this
warning is directed towards small and mid-size banks, where web-based control panels are likely
to be used on their ATMs (Crosman, 2014). Nevertheless, DDoS attacks affect every institution
and are used to slow or shut down servers, and can be used in conjunction with other attacks.
It’s not enough to weather through a DDoS attack. With regard to steps recommended for
protection, "The regulators are saying this is important enough to the well-being and stability of
the U.S. economy that we are putting you all on notice that you have to do these things," says
Rodney Joffe, senior vice president and senior technologist at Neustar, a provider of DDoS
detection and mitigation solutions. Financial institutions that do not implement regulation
requirements straight away leave themselves open to fraud losses, liquidity and capital risks
(Crosman, n.d.).
Due to the already high number of DDoS attacks, which is increasing at an alarming rate, the
FFIEC issued a Joint Statement with the OCC regarding regulation requirements for institutions
to protect against DDoS attacks. The steps required are:
1. Maintain a Risk Assessment Program;
2. Monitor traffic for attack attempts;
3. Activate incident response plans that include communication with
customers about the safety of their accounts;
4. Ensure sufficient staffing during attack;
5. Consider sharing information with law enforcement and other institutions
to aid in security countermeasures;
6. Analyze the incident response data for improvement opportunities and
implementation (FFIEC, 2014).
The FFIEC is requiring financial institutions to take the matter seriously, conduct
security risk assessments, and utilize intrusion detection systems and up-to-date antivirus protection.
Many institutions have basic security controls such as account lockout once password attempts
exceed a certain limit, security questions, and CAPTCHA codes to ensure it is a live attempt.
Banks must be insured under FDIC to cover theft of funds for individual customers,
which helps ensure that they do not suffer major losses in the event of a breach, but are not
required to keep this same coverage for business accounts. The bank is not liable for business
accounts and therefore the business must get insurance coverage if they plan to survive an attack
(PhillyTech, 2013).
In an interview by Ben Dipietro of the Wall Street Journal, Tom Kellermann, managing
director with advisory firm Alvarez & Marsal, stated, “The safety and soundness, trust and
confidence of these financial institutions is directly proportional to the cyber vision of the
organization. Financial institutions should hold with high priority the safeguarding of accounts
and capital. They should be viewing cybersecurity not as an expense, but as a function of doing
business” (Dipietro, 2013). Mr. Kellermann gave the following advice:
1. Don’t try to stop DDoS attacks, rather concentrate on protecting customer data
and funds from attackers.
2. Focus on how to preserve payment systems to protect credentials.
3. Learn to identify live attacks.
4. Spend the money to get adequate protection (Dipietro, 2013).
Dan Holden of Arbor’s Security Engineering and Response Team suggests, “In order to
defend networks today, enterprises need to deploy DDoS security in multiple layers, from the
perimeter of their network to the provider cloud, and ensure that on premise equipment can work
in harmony with provider networks for effective and robust attack mitigation” (Holden, 2012). It
is significant to note that, in Chase’s case, the website only discloses that the organization
periodically reviews corporate security policies and business practices that protect confidential
information (Chase, n.d.). The liability, however, rests solely with the financial institution,
regardless of their cybersecurity implementation methods.
The Federal Government does have several laws and regulations that dictate acceptable
cyber behavior. One such law, which can be used to prosecute cyber criminals stateside, is 18 U.S.
Code § 1030, Fraud and related activity in connection with computers, which identifies cyber
criminals as such:
Whoever— … intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a
card issuer as defined in section 1602 of title 15, or contained in a file of a consumer
reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting
Act (15 U.S.C. 1681 et seq.);
(B) Information from any department or agency of the United States; or
(C) Information from any protected computer…
Additionally, the law expands criminal classification to include those who “knowingly and with
intent… accesses a protected computer without authorization, or exceeds authorized access” or
“knowingly and with intent to defraud traffics… in any password or similar information through
which a computer may be accessed without authorization” (Cornell University Law School,
n.d.).
8. Responsive Measures
Besides the FFIEC legislating six mandatory requirements for financial institutions to
adhere to in preparation for DDoS attacks, the US has taken limited action in response. The only
official public-sector reaction came from the White House and State Department, demanding an
economic embargo against Iran (Defence Intelligence Group, 2013). Limited government
reactions can result in private industries hacking back against malicious cyber users.
Additionally, with such a limited US response, American citizens may start to lose faith not only
with US banking organizations but also with assurance in private service providers. The financial
organizations attacked by the QCF struggle with reassuring clients of continued availability and
undoubtedly face difficult tasks related to securing against future threats, especially with limited
public response measures taken. Effective information security policy typically identifies that
maintaining security throughout the entire lifecycle is an essential task and violators of the policy
will be held accountable for their actions (Rudolph, 2009).
The liability from the DDoS attacks launched by QCF rests with three parties: the QCF
threat actor, the US Federal Government (specifically the Department of Justice, Department of
Defense, and FFIEC), and the financial institutions themselves. The botnet ring used to conduct
the DDoS attacks via cloud-computing servers and independent Web servers compromised
information security, affecting several stakeholders and questioning risk management strategies
(Hallberg, Hutt, Kabay, & Robertson, 2009). Although QCF did not deliberately attack United
Kingdom banking systems, the Bank of England and the Treasury within British Parliament
responded internally by giving British financial organizations one year to create cyber-attack
defense plans (Aldrick, 2013).
Internet Protocol addresses traced most of the origination to Iran, implying that digital
forensics were utilized on the infected cloud and Web servers. The Islamic Republic has six
internet service providers (ISP) and, if traced correctly, the investigation would have revealed
which ISP was used to route any remote commands to the cloud servers. If assessed correctly, a
US response most likely occurred behind public appearance in an effort to collect methods on
how QCF penetrated secured networks rather than attacking back. A cyber-attack initiated
against Iran (publicly for a second time) would increase a percentage of sabotage efforts within a
state vs. state environment, something neither nation-state is willing to economically risk.
9. Summary and Conclusion
DoS attacks have been occurring since at least 1990, originally by computer whiz kids
just for fun. In 2000, a 15-year-old boy, a.k.a. Mafiaboy, launched a DDoS attack on Yahoo!
servers, crippling the search engine and email provider. Just one year and a huge leap in
sophistication later, the attacks went from megabytes per second to gigabytes per second of attack
traffic. In 2004, attackers started making money by extorting company-owned websites with DDoS
attack threats. A few years later, 2007 began with state-sponsored DDoS attacks that crippled the
nation of Estonia for days. 2009 brought the first large scale attacks on the United States and
South Korea with 27 websites attacked at once. To put it into perspective, it was around that
same time that Stuxnet malware was unleashed by the US on an Iranian nuclear facility causing
devastating results to the reactor and surrounding area (DefenseNet, 2014).
The US acknowledged that financial institutions were targeted and attacked in 2012 with
DDoS at a speed unprecedented at that time. The same year also saw a large nation state-
sponsored attack from Iran on major banks in the West, as discussed above. Then 2013 heralded
the largest recorded DDoS attack size at speeds above 300 Gbps.
At the time of writing, it is midway through 2014 and attacks continue to grow in size
and complexity. DDoS attacks are used as ‘smokescreens’ for more serious attacks.
The huge jump in Gbps is attributed to the Network Time Protocol (NTP) Reflection
attack, which is an attack that manipulates a timing mechanism in a standard protocol. NTP is
such an important and widespread protocol, used by nearly every device on the Internet,
that an attack that leverages an NTP weakness can be significantly more damaging than what would
otherwise be a small and rather ineffective assault. CloudFlare chief executive Matthew Prince
said the attack tipped 400 Gbps (Pauli, 2014).
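From the defender's side, reflected NTP traffic shows up as replies from UDP source port 123 arriving at a host that never sent the matching request. The following sketch is an added example, not part of the original paper; the flow-record layout, the thresholds, and the function name are assumptions, and the sample flows are constructed using documentation IP ranges.

```python
import ipaddress
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records (hypothetical layout):
# (second, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    (0, "198.51.100.10", 40000, "192.0.2.1", 123, 76),     # internal client asks for time
    (1, "192.0.2.1", 123, "198.51.100.10", 40000, 76),     # matching reply: solicited
    (10, "192.0.2.7", 123, "198.51.100.20", 80, 4400),     # replies nobody asked for
    (10, "203.0.113.5", 123, "198.51.100.20", 80, 4400),
    (11, "203.0.113.9", 123, "198.51.100.20", 80, 4400),
    (11, "192.0.2.7", 123, "198.51.100.20", 80, 4400),
    (12, "203.0.113.77", 123, "198.51.100.10", 40001, 90),  # single stray reply
]


def find_reflection_targets(flows, internal_cidr, reply_timeout=5, min_reflectors=3):
    """Return internal hosts receiving unsolicited NTP replies from many servers.

    A reply is treated as solicited only if the same internal host and port
    sent a request to that server within `reply_timeout` seconds beforehand.
    """
    internal = ipaddress.ip_network(internal_cidr)
    pending = {}  # (client_ip, client_port, server_ip) -> time of last request
    stats = defaultdict(lambda: {"reflectors": set(), "bytes": 0})

    for ts, src, sport, dst, dport, size in sorted(flows):
        src_internal = ipaddress.ip_address(src) in internal
        dst_internal = ipaddress.ip_address(dst) in internal

        if src_internal and dport == NTP_PORT:
            # Outbound request: remember it so the reply can be matched.
            pending[(src, sport, dst)] = ts
        elif dst_internal and sport == NTP_PORT:
            asked = pending.get((dst, dport, src))
            if asked is not None and ts - asked <= reply_timeout:
                continue  # legitimate time synchronisation
            stats[dst]["reflectors"].add(src)
            stats[dst]["bytes"] += size

    # Report only hosts hit by several distinct servers; one stray reply is noise.
    return {
        victim: {"reflectors": len(s["reflectors"]), "bytes": s["bytes"]}
        for victim, s in stats.items()
        if len(s["reflectors"]) >= min_reflectors
    }


if __name__ == "__main__":
    print(find_reflection_targets(FLOWS, "198.51.100.0/24"))
```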
CNET reported in August 2013 that a DDoS attack was used in an apparently unrelated
heist where millions of dollars were stolen. In an interview with SCMagazine.com, Avivah
Litan, an analyst at research firm Gartner, stated hackers used a low-powered DDoS attack as a
cover while they stole millions from at least three banks. She stated, “Once the DDoS is
underway, this attack involves takeover of the payment switch (eg, wire application) itself via a
privileged user account that has access to it." Additionally, she describes that rather than having
to go through the slow process of targeting one customer account at a time, “the criminals can simply
control the master payment switch and move as much money from as many accounts as they can
get away with until their actions are noticed" (Musil, 2013).
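One way to look for the pattern described here and in the FFIEC warning in Section 7 (ATM withdrawals above the bank's limits, and a privileged account moving money out of many accounts while staff are busy with the DDoS) is to correlate DDoS alert windows with payment logs. This is an added example, not part of the original paper; the log format, field names, thresholds, and all sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: DDoS windows as a hypothetical mitigation service might report them.
DDOS_WINDOWS = [("2014-06-01T10:00:00", "2014-06-01T12:00:00")]

# Constructed sample log in a hypothetical key=value format.
SAMPLE_LOG = """\
ts=2014-06-01T09:10:00 kind=wire actor=ops_admin7 account=A100 amount=1200.00
ts=2014-06-01T10:05:00 kind=wire actor=ops_admin7 account=A101 amount=98000.00
ts=2014-06-01T10:06:00 kind=wire actor=ops_admin7 account=A102 amount=97500.00
ts=2014-06-01T10:07:30 kind=wire actor=ops_admin7 account=A103 amount=99000.00
ts=2014-06-01T10:20:00 kind=wire actor=teller22 account=A200 amount=500.00
ts=2014-06-01T10:30:00 kind=atm actor=card_5521 account=A300 amount=4000.00 limit=500.00
ts=2014-06-01T11:00:00 kind=atm actor=card_7710 account=A301 amount=200.00 limit=500.00
ts=2014-06-01T15:00:00 kind=atm actor=card_9902 account=A302 amount=900.00 limit=500.00
"""


def parse_line(line):
    """Turn one key=value log line into a typed event dictionary."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {
        "ts": datetime.fromisoformat(fields["ts"]),
        "kind": fields["kind"],
        "actor": fields["actor"],
        "account": fields["account"],
        "amount": float(fields["amount"]),
        "limit": float(fields["limit"]) if "limit" in fields else None,
    }


def during_ddos(ts, windows, grace=timedelta(minutes=30)):
    """True if ts falls inside a DDoS window or the grace period after it."""
    return any(start <= ts <= end + grace for start, end in windows)


def correlate(log_text, windows, fanout_threshold=3):
    """Flag over-limit ATM withdrawals and privileged wire fan-out during a DDoS.

    - atm_over_limit: withdrawal above the configured limit; severity is
      raised to "high" when it coincides with a DDoS window.
    - payment_switch_fanout: one actor debiting at least `fanout_threshold`
      distinct accounts by wire while a DDoS is in progress.
    """
    parsed = [(datetime.fromisoformat(s), datetime.fromisoformat(e)) for s, e in windows]
    findings = []
    fanout = defaultdict(set)  # actor -> distinct accounts debited during DDoS

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        under_attack = during_ddos(ev["ts"], parsed)
        if ev["kind"] == "atm" and ev["limit"] is not None and ev["amount"] > ev["limit"]:
            findings.append({
                "rule": "atm_over_limit",
                "actor": ev["actor"],
                "severity": "high" if under_attack else "medium",
            })
        elif ev["kind"] == "wire" and under_attack:
            fanout[ev["actor"]].add(ev["account"])

    for actor, accounts in sorted(fanout.items()):
        if len(accounts) >= fanout_threshold:
            findings.append({
                "rule": "payment_switch_fanout",
                "actor": actor,
                "severity": "high",
                "accounts": sorted(accounts),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG, DDOS_WINDOWS):
        print(finding)
```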
In a recent report, the Department of Homeland Security revealed an attack on a U.S.
public utility. The attack resulted in the compromise of its control system but did not negatively
affect the utility’s primary functions. The attack was real, and unauthorized access identified, but
it was mitigated and controlled without affecting the utility, according to the Industrial Control
Systems Cyber Emergency Response Team (ICS-CERT). The Team also stated that these kinds
of attacks are rarely disclosed to the public.
DDoS in combination with fraud and theft makes a formidable foe not just for banks and
businesses, but for everyone. The question is not whether but how analysts can determine
when DDoS attacks are used as smoke screens. Additionally, if companies continue to refuse to
publicize attacks for fear of the ramifications of negative publicity, what other methods can
cyber defenders use to learn about real-world cyber-attacks taking place?
Regulations and policies are ineffective if not implemented by those for whom they are
written. Most companies still do not know how to protect themselves or what to protect. Many
believe the Internet is broken or needs more regulation. Some believe it can be patched, while
others want an entirely new infrastructure. Whichever the case, everyone can do their part to help
safeguard their information by deploying defense in depth and maintaining an awareness of
security concerns and best practices. Businesses need to think not about if an attack might occur, but
when, and take the necessary steps to safeguard their data before they are attacked. Whether or
not DDoS attacks are independent or part of a grand scheme by large nation states, the fact
remains that companies, financial institutions, and individuals alike need to take security
seriously, implement protective measures, and use precautions when computing.
References
Aldrick, P. (2013). FPC gives banks a year to create cyber attack plan. Retrieved from
http://www.telegraph.co.uk/finance/bank-of-england/10346987/FPC-gives-banks-a-year-
to-create-cyber-attack-plan.html
Browdie, B. (2013). Wells Fargo Endures Second Cyber Attack in Nine Days. Retrieved from
http://www.americanbanker.com/issues/178_65/wells-fargo-endures-second-cyberattack-
in-nine-days-1058059-1.html
Chase. (n.d.). Online and mobile security. Retrieved from https://www.chase.com/resources/
online-banking-security#!chase-online-security:enforcing-security
CNBC. (2013). Wells Fargo: Cyber Attack Disrupting Website. Retrieved from
http://www.cnbc.com/id/100593748
Cornell University Law School. (n.d.). 18 U.S. Code § 1030: Fraud and related activity in
connection with computers. Retrieved from http://www.law.cornell.edu/
uscode/text/18/1030
Crosman, P. (2014). Banks Urged to Beef Up Defenses against DDoS Attacks, ATM Fraud.
Retrieved from http://www.americanbanker.com/issues/179_66/banks-urged-to-beef-up-
defenses-against-ddos-attacks-atm-fraud-1066714-1.html
DARPA. (2004). Distributed Denial of Service-Defense Attack Trade-off Analysis. US Air Force
Research Lab: Johns Hopkins University, DARPA Order No. M101.
DDoS attack timeline. (2014). Retrieved from http://www.defense.net/ddos-attack-timeline.html
Defence Intelligence Group. (2013). Cyber attacks on U.S. financial institutions [PDF
document]. Retrieved from http://cscss.org/featured/USFinancial/
CSCSS_CDIG_Special_Report_Public.pdf
Dissection of ‘itsoknoproblembro,’ the DDos tool that shook the banking world. (2013).
Retrieved from http://www.infosecurity-magazine.com/view/30053/dissection-of-
itsoknoproblembro-the-ddos-tool-that-shook-the-banking-world
Erickson, J. (2008). Networking. In J. Erickson, Hacking: The art of exploitation (2nd ed., pp.
195-278). San Francisco: No Starch Press.
FFIEC. (2014). Federal Financial Institutions Examination Council. Retrieved from
http://www.ffiec.gov/default.htm
Flock, E. (2012). How 'Innocence of Muslims' Spread Around the Globe and Killed a US
Diplomat. Retrieved from http://www.usnews.com/news/articles/2012/09/12/how-innocence-of-muslims-spread-around-the-globe-and-killed-a-us-diplomat
Goldman, D. (2012). Major banks hit with biggest cyberattacks in history. Retrieved from
http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/
Hallberg, C., Hutt, A. E., Kabay, M. E., & Robertson, B. (2009). Management responsibilities
and liabilities. In S. Bosworth, M. E. Kabay, & E. Whyne, Computer security handbook
(5th ed., Vol. 2, pp. 63.1-63.33). Hoboken, New Jersey: John Wiley and Sons, Inc.
Herberger, C. (2013). The art of cyber war: Strategies in a rapidly evolving theatre. Retrieved
from http://www.dataconnectors.com/events/2014/01raleigh/pres/radware.pdf
Holden. (2013). Deconstructing the Al-Qassam cyber fighters assault on US banks. Retrieved
from https://www.recordedfuture.com/deconstructing-the-al-qassam-cyber-fighters-
assault-on-us-banks/
Holden, D. (2012). Lessons learned from the US financial services DDoS attacks. Retrieved from
ARBOR Networks: http://www.arbornetworks.com/asert/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/
Huff, S. (2013). U.S. intelligence suspects Iran of using 'bRobots' to DDoS American banks.
Retrieved from https://betabeat.com/2013/01/u-s-intelligence-suspects-iran-of-using-
brobots-to-ddos-american-banks/
Huu, T. (2003). Evaluation of a Multi-Agent System for Simulation and Analysis of Distributed
Denial-of-Service Attacks (Master's thesis, Naval Postgraduate School, Monterey,
California). Retrieved from http://www.dtic.mil/dtic/tr/fulltext/u2/a420448.pdf
J.P. Morgan Chase and Company. (2014). Values. Retrieved from https://www.jpmorgan.com/
pages/jpmorgan/about/culture/values
J.P. Morgan, J. (1993). Our business principles. Retrieved from
http://www.jpmorganchase.com/corporate/About-JPMC/document/
PrinciplesBooklet_13.0613_ada.pdf
Kitten, T. (2013). DDoS is back; 2 banks attacked. Retrieved from
http://www.bankinfosecurity.com/ddos-back-3-banks-attacked-a-5951
Musil, S. (2013). Cybercrooks use DDoS attacks to mask theft of banks' millions. Retrieved from
http://www.cnet.com/news/cybercrooks-use-ddos-attacks-to-mask-theft-of-banks-
millions/
Nakashima, E. (2012). Iran blamed for cyberattacks on US banks and companies. Retrieved
from http://www.washingtonpost.com/world/national-security/iran-blamed-for-
cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html
Obama, B. (2013). Presidential Documents. Federal Register, Vol. 78, No.114, 1 - 4.
Park, K. (n.d.). End-to-end communication: Structure of IP, UDP, and TCP, Part 3 [PDF
document]. Retrieved from https://www.cs.purdue.edu/homes/park/cs536-lectures.html
Pauli, D. (2014). IT News for Australia. Retrieved from
http://www.itnews.com.au/News/372033,worlds-largest-ddos-strikes.aspx
PhillyTech. (2013). Commercial Deposit Insurance Agency: your bank doesn't repay cybertheft.
Retrieved from http://technical.ly/philly/2013/04/10/commercial-deposit-insurance-
agency/
Robertson, J. (2013). Cheapest Way to Rob Bank Seen in Cyber Attack Like Hustle. Retrieved
from http://www.bloomberg.com/news/2013-05-06/cheapest-way-to-rob-bank-seen-in-
cyber-attack-like-hustle.html
Rudolph, K. (2009). Implementing a security awareness program. In S. Bosworth, M. E. Kabay,
& E. Whyne, Computer security handbook (5th ed., Vol. 2, pp. 49.1-49.43). Hoboken,
New Jersey: John Wiley and Sons, Inc.
Stone-Gross, B., et. al. (2009). Your botnet is my botnet: Analysis of a botnet takeover.
University of California, Santa Barbara. Retrieved from https://seclab.cs.ucsb.edu/
media/uploads/papers/torpig.pdf
US-CERT. (2014). Alert (TA14-150A). Retrieved from US-CERT: http://www.us-
cert.gov/ncas/alerts/TA14-150A
Wells Fargo. (n.d.) Our vision. Retrieved from https://www.wellsfargo.com/
invest_relations/vision_values/3