In February 2013, the NCUA published a risk alert advising credit union CEOs and boards of directors on steps they should take to evaluate risks associated with Distributed Denial-of-Service (DDoS) attacks.
The risk alert addresses three strategies for mitigation:
- Performing risk assessments to identify risks associated with DDoS attacks
- Ensuring that incident-response programs include a DDoS attack scenario during testing and address activities before, during, and after an attack
- Performing ongoing third-party due diligence, in particular on Internet and web-hosting service providers, to identify risks and implement appropriate traffic-management policies and controls
As the alert states, DDoS attacks can be sophisticated. DDoS attacks can take a variety of forms and can be hard to detect because the traffic often appears legitimate. There is no way to completely eliminate the effect of every DDoS attack, especially well-organized ones such as those that are sponsored from foreign countries. Even huge organizations such as eBay, Google, MasterCard, and others have been victims of coordinated attacks.
For our part, CU*Answers already uses high-capacity equipment such as firewalls, hardware-load balancers, and SSL offloading accelerators that can help mitigate the effect should we ever be targeted by a DDoS attack. We are also working closely with our Internet service providers to review what additional in-network protections they may be able to offer. In our opinion, the best place to mitigate the effect of these attacks is to stop the DDoS traffic before our network borders are reached. Therefore, we encourage credit unions to do the same with their ISPs and incorporate findings into their ongoing risk-management and due-diligence processes.
CU*Answers will continue to evaluate effective DDoS defenses and balance these opportunities against the cost to us and our clients. The reality of DDoS is no solution can provide a guarantee the network will be completely protected against these attacks.