Skip to main content
United States flag An official website of the United States government
Show

Mitigating Distributed Denial-of-Service Attacks

13-RISK-01 / February 2013
Mitigating Distributed Denial-of-Service Attacks
Subject
Cybersecurity
To
Federally Insured Credit Unions
Status
Active
To
Federally Insured Credit Unions
Subj
Mitigating Distributed Denial-of-Service Attacks

Dear Board of Directors and Chief Executive Officer:

The increasing frequency of cyber-terror attacks on depository institutions heightens the need for credit unions to maintain strong information security protocols.  Recent incidents have included distributed denial-of-service (DDoS) attacks, which cause Internet-based service outages by overloading network bandwidth or system resources.  DDoS attacks do not directly attempt to steal funds or sensitive personal information, but they may be coupled with such attempts to distract attention and/or disable alerting systems.

Risk Mitigation

This alert identifies appropriate policies and procedures to guard against DDoS attacks.  Such attacks are sophisticated, requiring the vigilance of credit unions offering Internet-based financial services.  As the goal of DDoS attacks is causing service outages rather than stealing funds or data, typical network security controls – such as Firewalls and Intrusion Detection and Prevention Systems – may offer inadequate protection.  

Key strategies for mitigating DDoS risk include:

  • Performing risk assessments to identify risks associated with DDoS attacks.
  • Ensuring incident response programs include a DDoS attack scenario during testing and address activities before, during, and after an attack.
  • Performing ongoing third-party due diligence, in particular on Internet and web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.

In addition, credit unions should voluntarily file a Suspicious Activity Report (SAR) if an attack impacts Internet service delivery, enables fraud, or compromises member information.  

DDoS attacks may also be paired with attempts to steal member funds or data.  

Credit unions should employ controls described in the 2011 FFIEC supplement to guidance on Authentication in an Internet Banking Environment, and in various recent alerts. (See the Appendix on the final page of this letter.)  

General risk mitigation practices for credit unions with an Internet presence include:

  • Maintaining strong information security awareness programs for employees and members.
  • Utilizing transaction monitoring, verification procedures, and appropriate limits commensurate with the risk of applicable funds transfers.
  • Implementing strong controls over computers used to process commercial payments, including but not limited to:
    • Multifactor authentication.
    • Removal of hardware tokens upon session completion.
    • Prohibited or highly filtered use of Internet browsing.
    • Dedicated, corporate-owned systems without administrator privileges.
  • Following network and application security best practices with regard to configuring systems, patch management, and security testing.

Threat Monitoring

http://www.fsisac.com (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) .  In addition, the United States Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , provides information on the methods used to launch attacks and risk mitigation tactics to reduce their impact.

Credit unions significantly affected by DDoS or other cyber-terror attacks should notify their NCUA Regional Office or State Supervisory Authority.  When applicable, credit unions must also follow notification procedures outlined in NCUA Rules and Regulations Part 748 Appendix B, Response Programs for Unauthorized Access to Member Information.

If you have any questions or concerns, please contact your NCUA Regional Office or State Supervisory Authority.
 

Sincerely,

/s/

Debbie Matz
Chairman

 

Appendix

NCUA Resources

Interagency Resources

Other Resources

Footnotes

Last modified on
01/12/23