It’s no secret that a DDoS (Distributed Denial of Service) attack can have a devastating impact on your credit union, and unless you are simply in denial, you are probably already taking some sort of proactive measure to investigate mitigation strategies that meet your RTO/RPO goals. For those in cyber-denial, an industry-wide wake-up call came from the FFIEC just this month, REQUIRING financial institutions to recognize the risk and to do something about it. In this post, we’ll highlight the main points; the full notice can be found here.
In what is being called a ground-breaking move, the FFIEC has developed the following six steps it EXPECTS every financial institution to take (in accordance with regulatory requirements, including but not limited to 12 C.F.R. Part 748, Appendix A and B (NCUA)):
1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
§ On a webinar today I discussed how cyber-threats seemed to crop up during NCUA audits with my clients. It’s pretty obvious from the new guideline that information security as it relates to ALL things internet has taken a front seat! Start with an inventory of your internet-dependent processes and systems. Prioritize them based on your BIA (Business Impact Analysis). Assessing the risk needs to be done jointly with the process owner, not just by the IT staff. It is often the case that “hidden” dependencies are uncovered during these sessions.
2. Monitor Internet traffic to the institution’s website to detect attacks;
§ All credit unions have some sort of network protection/monitoring system (or service) in place, such as a firewall or IPS. I wish I could tell you that was sufficient, but it’s not. By design they are engineered to detect illegitimate activity (malformed traffic or traffic matching a known signature), whereas certain DDoS attack vectors, such as HTTP floods, are composed of millions of individually legitimate-looking requests and sessions and would go undetected!
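As an added illustration of why a signature-oriented firewall or IPS misses an HTTP flood, here is example detection logic (not from the original post or any vendor product) run over a constructed access log: a per-source threshold check, as a typical perimeter device would apply, alongside a volumetric check against a traffic baseline. The log lines, IP ranges and thresholds are assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log in Common Log Format (not from any real institution).
# Every line is a well-formed GET for a real page, so a signature-based check sees nothing.
LOG_LINES = [
    f'10.0.0.{i % 3 + 1} - - [10/Jun/2013:09:00:0{s} -0400] "GET /login HTTP/1.1" 200 512'
    for s in range(5) for i in range(3)      # baseline: 5 seconds at 3 req/s from 3 sources
] + [
    f'203.0.113.{i} - - [10/Jun/2013:09:00:05 -0400] "GET /login HTTP/1.1" 200 512'
    for i in range(1, 41)                    # flood second: 40 sources, one request each
]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def per_second_buckets(lines):
    """Map each one-second timestamp to a Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec:
            buckets[rec["ts"]][rec["ip"]] += 1
    return buckets

def per_source_alerts(buckets, max_per_ip=10):
    """Firewall/IPS-style check: flag any single IP that exceeds a per-second limit.
    A distributed flood keeps every source under the limit, so this returns nothing."""
    return {ts: [ip for ip, n in counts.items() if n > max_per_ip]
            for ts, counts in buckets.items()
            if any(n > max_per_ip for n in counts.values())}

def volumetric_alerts(buckets, baseline_seconds=5, factor=5.0):
    """Flag any second whose total request count exceeds factor x the average
    of the first baseline_seconds seconds (the 'normal' traffic level)."""
    ordered = sorted(buckets)
    totals = {ts: sum(buckets[ts].values()) for ts in ordered}
    baseline = [totals[ts] for ts in ordered[:baseline_seconds]]
    expected = sum(baseline) / len(baseline)
    return {ts: totals[ts] for ts in ordered[baseline_seconds:]
            if totals[ts] > factor * expected}

if __name__ == "__main__":
    buckets = per_second_buckets(LOG_LINES)
    print("per-source alerts:", per_source_alerts(buckets))   # {} - nothing seen
    print("volumetric alerts:", volumetric_alerts(buckets))   # flood second flagged
```

In practice the baseline would come from days of history rather than five seconds, but the contrast is the point: the per-source check stays silent while the aggregate rate gives the flood away.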
3. Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
§ To activate an Incident Response Plan (IRP), you actually have to have one. Components of your DDoS IRP should include: communication strategies for your members (don’t count on a simple website posting either, it might be unreachable), tactics for redirecting incoming credit union traffic if your RTO calls for immediate resolution, and contact information for expert-level DDoS resources. The time to develop and gather this data is NOW, not during the crisis.
4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
§ Again, start the conversations now! At a minimum, find out what your ISP has in place for DDoS detection and protection. Keep in mind, most DDoS attacks last for days. Do you have ample staff to stay fully engaged in the remediation? This isn’t the time to think “I’ll do it myself.” Pick up the phone and expand your team by partnering with an experienced DDoS provider.
5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics; and
§ Mweh – I know that not everyone likes to air their dirty laundry but sometimes it is for the benefit of everyone. These organizations are in place to rapidly disseminate information on attacks and provide timely information to thwart additional attacks.
6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
§ Lightning CAN strike twice! Learn from your experience and take swift action to close any gaps. The credit union industry is highly collaborative: reach out to other credit union leaders, your peers and CUSOs to gather additional information that might help you develop your DDoS Mitigation Program.
Cyber-attacks are new territory for credit union leaders to tackle. Unlike virus protection, spam filtering or similar “buy a box/software to fix the threat” problems, DDoS requires a multi-faceted approach which generally includes hardware/software, monitoring services, takedown tools and, most importantly, sophisticated DDoS mitigation experts. You have the guidelines; now what actions will you take today?