NCUA Issues Risk Alert Concerning the Mitigation of DDoS Attacks

Around the same time that President Obama was issuing the executive order regarding cyber threats, the National Credit Union Administration (NCUA) issued Risk Alert No. 13-RISK-01.  The alert provides guidance and steps that credit unions can follow to mitigate distributed denial-of-service (DDoS) attacks.

Risk Mitigation

The alert identifies appropriate policies and procedures to guard against DDoS attacks. Such attacks are sophisticated, requiring the vigilance of credit unions offering Internet-based financial services. Because the goal of DDoS attacks is to cause service outages rather than to steal funds or data, typical network security controls, such as firewalls and intrusion detection and prevention systems, may offer inadequate protection.

Key strategies for mitigating DDoS risk include:

  • Performing risk assessments to identify risks associated with DDoS attacks;
  • Ensuring incident response programs include a DDoS attack scenario during testing and address activities before, during, and after an attack; and
  • Performing ongoing third-party due diligence, in particular on Internet and web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.

In addition, credit unions should voluntarily file a Suspicious Activity Report (SAR) if an attack impacts internet service delivery, enables fraud or compromises member information.

DDoS attacks may also be paired with attempts to steal member funds or data.

Credit unions should follow the controls set forth in the 2011 FFIEC supplemental guidance on Authentication in an Internet Banking Environment.

General risk mitigation practices for credit unions with an internet presence include:

  • Maintaining strong information security awareness programs for employees and members.
  • Utilizing transaction monitoring, verification procedures, and appropriate limits commensurate with the risk of applicable funds transfers.
  • Implementing strong controls over computers used to process commercial payments, including but not limited to:
    • Multifactor authentication.
    • Removal of hardware tokens upon session completion.
    • Prohibited or highly filtered use of Internet browsing.
    • Dedicated, corporate-owned systems without administrator privileges.
  • Following network and application security best practices with regard to configuring systems, patch management, and security testing.

Threat Monitoring

Appendix A to Part 748 of NCUA’s Rules and Regulations requires credit unions to monitor systems to detect actual and attempted attacks on or intrusions into member information systems. NCUA also encourages credit unions to participate in information-sharing organizations, such as industry trade groups and the Financial Services Information Sharing and Analysis Center (FS-ISAC). In addition, the United States Computer Emergency Readiness Team (US-CERT) provides information on the methods used to launch attacks and risk mitigation tactics to reduce their impact.

Credit unions significantly affected by DDoS or other cyber-terror attacks should notify their NCUA Regional Office or State Supervisory Authority. When applicable, credit unions must also follow notification procedures outlined in NCUA Rules and Regulations Part 748 Appendix B, “Response Programs for Unauthorized Access to Member Information.”

The alert also provides a number of links to various resources that credit unions can use.

Questions? Contact the Compliance Hotline: 1.800.546.4465,
