Pub. 8 2013-2014 Issue 3
www.nebankers.org 16 Extraordinary Service for Extraordinary Members.

tech talk

DDoS: What You Need to Know

Stephanie Chaumont, CISA, CISSP, Security+

DDoS, or distributed-denial-of-service attacks, seem to be the focus of everyone's attention right now, and rightly so—we have seen huge increases this year. There are different ways to carry out a denial-of-service attack, but the term generally includes attacks that are meant to interrupt or suspend services connected to the Internet (for a period of hours to days). One example is to flood a bank's website with incoming messages that essentially overload the site and prevent customers from accessing it. This is a big concern to financial institutions because this type of attack is often used as a distraction to prevent institutions from identifying some type of fraudulent activity occurring during the service interruption. Protecting your payment systems during DDoS attacks should be your primary focus.

Here are a few things your bank can do to protect you and your customers from DDoS attackers:

1. Have DDoS protection conversations with your ISP or with your Internet banking vendors. Having an Intrusion Detection/Prevention System (IDS/IPS) in place is a great tool to have, but if you want to prevent DoS or DDoS attacks, stopping them at your IDS is probably too late, as traffic has already flooded your network and accomplished its purpose. You need this traffic stopped earlier in the chain, such as at your ISP level. ISPs are now offering special anti-DDoS packages and technologies, so it's worth examining. If your web server is hosted by a vendor, make sure that vendor is doing what they can to limit attacks (e.g., talking to their ISP about anti-DDoS packages and technologies).

2. If your institution does not have call-back verification procedures in place for all wire and ACH activity, then you should strongly consider implementing those during a DDoS attack. This is to protect you in the event the DDoS attack was implemented as a distraction while someone submits fraudulent wires or ACH batches. If your institution does currently implement call-back verification for transactions over a certain amount, you might consider lowering that threshold during a DDoS attack.

3. Include DDoS procedures in your Business Continuity Plan. Those procedures need to be things your institution will plan on implementing should you become the target of a successful attack, like the call-back verification listed above. You might also consider expanding your call center or customer service personnel during a DDoS attack, especially if your customer base relies heavily on online services. These services could all potentially be unavailable for a few hours (and even a few days), so you'll need to expect a higher volume of calls. Having a prepared response for your call center to give during this time can also help with any customer concerns. Including alternate operating procedures for services normally accessed online in your BCP also will help mitigate some of the damage that an outage could cause.

As with all areas of information security, you will be best prepared if you assess the risk, implement layers of security, and ensure your incident response procedures are adequate. If you look at these types of attacks with the thought that it's not a matter of if, but when, then you'll be ready for attackers and will have procedures in place to seamlessly protect your customers and to continue conducting business as normally as possible.

Stephanie Chaumont is a security and compliance consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem—a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit CoNetrix at www.conetrix.com.
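An added example of the threshold-lowering advice in item 2 above (my own Python, not code from the column or from CoNetrix): a small screening routine that applies a lower call-back verification threshold to wires and ACH items while the BCP's DDoS mode is active. The policy amounts, transaction types and sample batch are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CallbackPolicy:
    """Call-back thresholds (USD); amounts at or above them need verification."""
    normal: dict        # thresholds used day to day, e.g. {"wire": 10_000}
    during_ddos: dict   # lowered thresholds applied while DDoS mode is active


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    kind: str           # "wire" or "ach"
    amount: float


def callback_required(txn, policy, ddos_active):
    """True if this transaction must be confirmed by call-back verification."""
    thresholds = policy.during_ddos if ddos_active else policy.normal
    if txn.kind not in thresholds:
        # Transaction type the policy does not cover: fail closed and verify it.
        return True
    return txn.amount >= thresholds[txn.kind]


def screen_batch(txns, policy, ddos_active):
    """Return the ids of the transactions that need call-back verification."""
    return [t.txn_id for t in txns if callback_required(t, policy, ddos_active)]


# Hypothetical policy: normally only large items are verified; while a DDoS is
# in progress every wire and any ACH of $5,000 or more gets a call-back.
POLICY = CallbackPolicy(
    normal={"wire": 10_000, "ach": 25_000},
    during_ddos={"wire": 0, "ach": 5_000},
)

# Constructed batch submitted while the website is under attack.
SAMPLE_BATCH = [
    Transaction("W-1", "wire", 2_500),
    Transaction("W-2", "wire", 15_000),
    Transaction("A-1", "ach", 8_000),
    Transaction("A-2", "ach", 30_000),
    Transaction("X-1", "check", 100),
]

if __name__ == "__main__":
    print("normal mode:", screen_batch(SAMPLE_BATCH, POLICY, ddos_active=False))
    print("DDoS mode:  ", screen_batch(SAMPLE_BATCH, POLICY, ddos_active=True))
```

In DDoS mode the same batch yields five call-backs instead of three; the unknown "check" item is verified in both modes because the policy does not cover it.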