
The Federal Financial Institutions Examination Council mandates DDoS preparedness

The Federal Financial Institutions Examination Council (FFIEC) made it clear last week that US financial institutions are now expected “to address DDoS readiness as part of ongoing information security and incident response plans.” There are six specific requirements:

  1. maintain ongoing assessment of the risk
  2. monitor traffic to detect attacks
  3. activate an incident response plan if an attack is suspected
  4. ensure adequate staffing for the duration of an attack and consider hiring third-party services
  5. consider sharing information with organizations such as the Financial Services Information Sharing and Analysis Center and law enforcement
  6. evaluate any gaps in the response following an attack and adjust risk management accordingly
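Requirements 2 and 3 are the ones that need working tooling rather than a policy document. The script below is an added illustration written for this post, not code from the FFIEC guidance or from any named vendor: it buckets web access-log lines into one-minute windows, learns a baseline request rate from the first quiet windows, and emits an alert record (the trigger for an incident response plan) when a window exceeds a multiple of that baseline, reporting how many distinct sources took part so that a distributed flood can be told apart from a single noisy client. The log format, the one-minute window, the 5x-baseline threshold and all addresses and timestamps are assumptions constructed for the example.

```python
"""Added example: baseline-relative request-rate monitoring for DDoS readiness.

Assumed log format per line: "<ISO-8601 timestamp> <client_ip> <http_status>".
Thresholds and sample traffic are constructed for illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median

BASELINE_WINDOWS = 3        # quiet one-minute windows needed before alerting
VOLUME_MULTIPLIER = 5.0     # alert when a window exceeds 5x the baseline median
MIN_ALERT_REQUESTS = 50     # never alert on a small multiple of a tiny baseline


@dataclass
class Alert:
    """What the incident response plan needs to know about a suspect window."""
    window_start: datetime
    requests: int
    baseline: float
    distinct_sources: int
    top_source: str


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, status)."""
    ts, ip, status = line.split()
    return datetime.fromisoformat(ts), ip, int(status)


def detect(lines):
    """Return alerts, in time order, for windows whose volume is anomalous."""
    windows = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, _status = parse_line(line)
        key = ts.replace(second=0, microsecond=0)   # one-minute bucket
        windows.setdefault(key, Counter())[ip] += 1

    alerts = []
    history = []   # request totals of windows judged normal so far
    for start in sorted(windows):
        sources = windows[start]
        total = sum(sources.values())
        if len(history) >= BASELINE_WINDOWS:
            baseline = median(history)
            if total >= MIN_ALERT_REQUESTS and total > VOLUME_MULTIPLIER * baseline:
                top_ip, _count = sources.most_common(1)[0]
                alerts.append(Alert(start, total, baseline, len(sources), top_ip))
                continue   # an attack window must not raise the baseline
        history.append(total)
    return alerts


def build_sample_log():
    """Constructed sample traffic (not captured from any real system)."""
    lines = []
    quiet_ips = [f"198.51.100.{i}" for i in range(1, 6)]
    # Three quiet minutes: 10 requests each from five regular clients.
    for minute in range(3):
        for second, ip in enumerate(quiet_ips * 2):
            lines.append(f"2013-04-01T10:0{minute}:{second:02d} {ip} 200")
    # One flood minute: 120 requests spread across 40 distinct sources.
    flood_ips = [f"203.0.113.{i}" for i in range(1, 41)]
    for n, ip in enumerate(flood_ips * 3):
        lines.append(f"2013-04-01T10:03:{n % 60:02d} {ip} 503")
    # Traffic returns to normal; slightly above baseline but no alert.
    for second, ip in enumerate(quiet_ips * 2 + quiet_ips[:2]):
        lines.append(f"2013-04-01T10:04:{second:02d} {ip} 200")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(f"{alert.window_start:%H:%M}: {alert.requests} requests "
              f"(baseline {alert.baseline:.0f}) from {alert.distinct_sources} "
              f"sources, busiest {alert.top_source}")
```

Skipping attack windows when updating the baseline is the part most often got wrong in home-grown monitors: if the flood minute were fed back into the history, the median would rise and the next minute of the same attack would look normal. The alert record is deliberately small and factual, since it is the input to the staffing and information-sharing steps that follow, not the whole investigation.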

This is good advice that all companies should follow. The danger is that it is a response to the Izz ad-Din Al Qassam Cyber Fighters, who attacked US banks over a year ago in retaliation for the offensive Innocence of Muslims video: the advice is addressed to financial institutions following attacks on financial institutions, and other companies could conclude that the threat is only to financial institutions. This is far from reality: all companies, including SMBs, must now prepare their defences against DDoS attacks.

The second weakness is that the advice is primarily about recognizing attacks and learning from them afterwards. There is nothing about coping with or mitigating an attack while it is in progress. This is despite the very clear warning from the FFIEC on the effects of DDoS:

“These attacks caused slow website response times, intermittently prevented customers from accessing institutions’ public websites, and adversely affected back-office operations. In other cases, DDoS attacks served as a diversionary tactic by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearinghouse transfers.”
(FFIEC, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources)

The Izz ad-Din Al Qassam attacks were pure hacktivism. They attacked the banks to punish the West for insulting Islam. They even had a formula that worked out bank downtime costs in relation to video views. But other DDoS attacks on other companies can have purely criminal motivations, including extortion and attacks by competitors – and all internet companies need to be ready to defend themselves.

Nevertheless, while these requirements don’t offer or advise any specific DDoS mitigation approach, they could lead the institutions towards one. “We believe that mandated controls, like those proposed by the Federal Financial Institutions Examination Council (FFIEC), will drive organizations to take proactive steps to regaining control of their online presence,” explained Ashley Stephenson, CEO of Corero Network Security (a DDoS mitigation company). “These mandates, at a minimum, offer guidance for Financial Institutions for appropriate DDoS activity monitoring and adequate incident response planning; this will ultimately lead to the deployment of more effective DDoS defence solutions.”

The DDoS threat has now grown to such an extent that DDoS mitigation should be seen as one of the must-do’s of security – along with staples like anti-virus and data loss prevention – and this is a good starting point.

Categories: All, Security Issues