Credit Union DDoS Attacks – NCUA RISK ALERT


In disaster planning, we always teach that it’s not “IF”, it’s “WHEN” an event will occur, and unless you are completely isolated from the internet, it makes sense for your Credit Union to assume that it will also come under a cyber threat at some point. In fact, Credit Union DDoS attacks caught the attention of NCUA this year, leading them to issue Risk Alert 13-RISK-01 in February. The risk alert provides guidelines to help Credit Unions protect against DDoS attacks. Sometimes guidelines are not enough, so I asked our OGO Intelligence team to weigh in on the strategies outlined in the risk alert and provide additional steps you can take today to protect your Credit Union infrastructure!

NCUA recommended strategies for mitigating DDoS risk include:

• Performing risk assessments to identify risks associated with DDoS attacks.

OGO: This part is pretty straightforward. What is your internet presence? Website, online banking, credit reports, loan applications, online loan applications, and cash management are but a few processes or systems I can think of that virtually ALL Credit Unions rely on the internet for. You can’t really weigh your risk on when the “bad guy” is going to target your infrastructure, but you can work to have alternate delivery channels in place should you lose your internet service. First step? Review your business impact analysis (BIA) and, line by line, designate whether each process requires the internet to function. Not rocket science, I know. Sorry for those that thought it would be harder!

• Ensuring incident response programs include a DDoS attack scenario during testing and address activities before, during and after an attack.

OGO: DDoS attacks are not for the weak of heart, mind or stomach. It starts out with a simple report of slowness to your helpdesk and quickly escalates to full-blown internet denial of service (thus the name!). Your incident response program probably hasn’t been updated to reflect this growing threat. The best way to prepare? Design a tabletop exercise that simulates a DDoS attack. Walk through the scenario with your department managers and your executive leadership team. Were all the managers aware of the dependence on the internet? Were there processes that hadn’t been identified as internet driven? Do you have a backup ISP, and will it handle the workload required to meet your strategic recovery goals?

• Performing ongoing third-party due diligence, in particular on Internet and web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.

OGO: As one of those “3rd party vendors” who provide an internet-based service, I can’t tell you how important it is for both our client and our own team to understand the Credit Union’s underlying dependencies on the service and to use that understanding to establish mutually agreed-upon service level agreements. Your third-party provider should willingly provide you with their own DR/BCP plans and be willing to share some level of detail on their recovery experiences, both good and bad. Does your third-party provider share the same risk tolerance level that you do? Make sure you are a good fit with your provider before entrusting your internet-driven applications to them.
