NCUA issued a risk alert (13-Risk-01) addressing the need for strong information security protocols to combat the increased incidence of distributed denial-of-service (DDoS) attacks.
DDoS attacks cause Internet-based service outages by overloading system resources, preventing legitimate users from accessing websites.
Although the attacks don’t directly attempt to steal funds or sensitive personal information, they’re sometimes used by cyber thieves to distract attention or disable alert systems during account takeovers.
Because the goal of DDoS attacks is causing service outages rather than stealing funds or data, typical network security controls—such as firewalls and intrusion detection/prevention systems—might offer inadequate protection.
Key strategies for mitigating DDoS risk include:
Performing risk assessments to identify risks associated with DDoS attacks.
Ensuring incident response programs include a DDoS attack scenario during testing and address activities before, during, and after an attack.
Performing continuing third-party due diligence, in particular on Internet and Web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.
In addition, credit unions should voluntarily file a Suspicious Activity Report (SAR) if an attack affects Internet service delivery, enables fraud, or compromises member information.
DDoS attacks also might accompany attempts to steal member funds or data. Credit unions should employ the controls described in the 2011 supplemental interagency Internet authentication guidance (the FFIEC Supplement to Authentication in an Internet Banking Environment).
General risk mitigation practices for credit unions with an Internet presence include:
Maintaining strong information security awareness programs for employees and members.
Using transaction monitoring, verification procedures, and appropriate limits commensurate with the risk of applicable funds transfers.
Implementing strong controls over computers used to process commercial payments, including but not limited to multifactor authentication; removal of hardware tokens when sessions are completed; prohibited or highly filtered use of Internet browsing; and dedicated, corporate-owned systems without administrator privileges.
Following network and application security best practices with regard to configuring systems, patch management, and security testing.
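The transaction-monitoring and limits item above, combined with the alert's warning that a DDoS can be cover for account takeover, can be turned into concrete rules. The following is an added example written for this summary, not code from NCUA, CUNA or the FFIEC guidance: a small monitor that applies a per-transfer limit, a rolling 24-hour limit and a velocity check, requires step-up verification for new payees, and tightens every threshold while a DDoS incident flag is raised. All class names, thresholds, the `ddos_scale` factor and the sample transfers are constructed assumptions.

```python
"""Added example: transaction-monitoring rules that tighten during a DDoS.

Not part of the NCUA alert; names, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    member_id: str
    amount: float
    new_payee: bool          # destination never used by this member before
    ts: datetime


@dataclass(frozen=True)
class Policy:
    single_limit: float = 5000.0                 # assumed per-transfer ceiling
    daily_limit: float = 10000.0                 # assumed rolling 24-hour ceiling
    velocity_window: timedelta = timedelta(minutes=10)
    velocity_max: int = 3                        # transfers allowed per window
    ddos_scale: float = 0.5                      # limits shrink to this fraction during DDoS


class TransferMonitor:
    def __init__(self, policy=Policy()):
        self.policy = policy
        self.history = defaultdict(list)         # member_id -> transfers not held
        self.ddos_active = False                 # raised by the DDoS incident procedure

    def evaluate(self, t):
        """Return (decision, reasons); decision is 'approve', 'step_up' or 'hold'.

        'step_up' means out-of-band verification is required before release;
        'hold' means the transfer exceeds a hard limit and is queued for review.
        """
        p = self.policy
        scale = p.ddos_scale if self.ddos_active else 1.0
        hist = self.history[t.member_id]
        daily_total = sum(h.amount for h in hist if h.ts > t.ts - timedelta(days=1))
        recent = [h for h in hist if h.ts > t.ts - p.velocity_window]
        reasons = []
        if t.amount > p.single_limit * scale:
            reasons.append("single_limit")
        if daily_total + t.amount > p.daily_limit * scale:
            reasons.append("daily_limit")
        if len(recent) >= max(1, int(p.velocity_max * scale)):
            reasons.append("velocity")
        if t.new_payee:
            reasons.append("new_payee")
        if "single_limit" in reasons or "daily_limit" in reasons:
            return "hold", reasons
        hist.append(t)                           # counts toward totals and velocity from now on
        if reasons:
            return "step_up", reasons
        return "approve", reasons


def run_scenario(ddos_during_last=True):
    """Constructed transfers for one member; returns (decision, reasons) in order.

    The last transfer is identical either way; only the DDoS flag differs.
    """
    t0 = datetime(2013, 3, 1, 9, 0, 0)
    mon = TransferMonitor()
    out = [
        mon.evaluate(Transfer("m1", 1000.0, False, t0)),                         # approve
        mon.evaluate(Transfer("m1", 3000.0, True, t0 + timedelta(minutes=1))),   # step_up: new payee
        mon.evaluate(Transfer("m1", 6000.0, False, t0 + timedelta(minutes=2))),  # hold: over single limit
    ]
    mon.ddos_active = ddos_during_last
    out.append(mon.evaluate(Transfer("m1", 3000.0, False, t0 + timedelta(minutes=3))))
    return out


if __name__ == "__main__":
    for flag in (False, True):
        print("ddos_active=%s:" % flag, [d for d, _ in run_scenario(flag)])
```

The fourth transfer is approved under normal conditions but held once the DDoS flag is set, because the scaled single and daily limits and the reduced velocity allowance all trip at once. In a real deployment the flag would be set by the incident-response procedure the alert asks for, and the "hold" queue would be worked by staff who are not relying on the alerting systems the attack may have degraded.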
NCUA encourages credit unions to participate in information-sharing organizations, such as industry trade groups and the Financial Services Information Sharing and Analysis Center (fsisac.com).
Also, the U.S. Computer Emergency Readiness Team (US-CERT) provides information on the methods used to launch attacks and risk mitigation tactics to reduce their impact (us-cert.gov).
Credit unions significantly affected by DDoS or other cyberterror attacks should notify their NCUA regional office or state supervisory authority, and follow the member notification procedures in Part 748, Appendix B, when necessary.
Find additional cyberattack resources at ncua.gov.
With privately insured credit unions that meet certain requirements eligible to join the FHLB program starting July 5, CUNA compliance staff has developed a final rule analysis with an overview of new requirements.