DDoS Group Says More FI Attacks Are Planned

A group responsible for several distributed-denial-of-service (DDoS) attacks against financial institutions over the past year announced its plans for further attacks against financial institutions, in an online posting on July 23, according to BankInfoSecurity.com.

Mike Smith, from online security provider Akamai Technologies, warns that with each new phase of the group’s attack, it creates a new format that most targets are not expecting. 

Whether the attack focuses on a new target, a larger botnet, or new technologies, the Izz ad-Din al-Qassam Cyber Fighters employ unforeseen tactics as a response to the heightened DDoS-mitigation strategies financial institutions have implemented.

Since the group’s first DDoS campaign launched Sept. 18, each phase has lasted longer than the one before. There is no estimated time frame for how long the fourth phase of the attacks may last but it is projected to last longer than the eight weeks that phase three claimed, the article predicts.

“Financial institutions should continue to be aware of the ongoing DDoS threats, and follow regulations on Internet and data security, as well as Federal Financial Institutions Examination Council guidance on Internet authentication,” said Dennis Tsang, regulatory counsel for the Credit Union National Association (CUNA).

CUNA also encourages credit unions to be aware of the National Credit Union Administration’s (NCUA) Risk Alert (13-Risk-01), which identifies appropriate policies and procedures for guarding against DDoS attacks for credit unions.

To mitigate effects from DDoS attacks, the NCUA recommends that credit unions:

  • Perform risk assessments to identify risks associated with DDoS attacks
  • Ensure incident response programs include a DDoS attack scenario during testing and address activities before, during, and after such an attack
  • Perform ongoing third-party due diligence, in particular on Internet related providers, to identify risks and implement appropriate traffic management policies and controls

For a more in-depth look at how credit unions can protect themselves, CUNA’s Credit Union Magazine has featured an article, “Learn Strategies to Mitigate Cyberattacks,” in its April issue (members only).

Also, the CUNA Technology Council has posted a recording of its May webinar on “Mitigating and Responding to a Distributed Denial of Service (DDoS) Attack,” which features speakers including CUNA BITS Task Force member Bill Podborny, chief security officer of Alliant CU.

Source: CUNA News Now

Other Resources

FFIEC Guidance
NCUA Risk Alert (13-Risk-01)
CUNA Technology Council Webinar on DDoS
CU Magazine Article (members only)
Compushare/CUNA Strategic Services DDoS Attacks: How Real Are they white paper


Questions? Contact the Compliance Hotline: 1.800.546.4465, compliance@nwcua.org.

Posted in Compliance News, CUNA, NCUA.