National banking regulator advises on DDoS deluge
The regulator for national banks issued an alert Friday about the apparent uptick in distributed denial-of-service (DDoS) attacks being waged against financial institutions.
The note from the Office of the Comptroller of the Currency (OCC), which was addressed to the heads of national banks, federal branches and agencies, technology service providers and other related organizations, described how a recent wave of DDoS attacks is disrupting the availability of some bank websites. The spate seemed to kick off in early fall, and many top banks are still experiencing on-and-off attacks.
"Each of these groups had different objectives for conducting these attacks, ranging from garnering public attention to diverting bank resources while simultaneous online attacks were underway and intended to enable fraud or steal proprietary information," the alert said.
The bulletin recommends that banks maintain a "heightened sense of awareness regarding these attacks" and ensure they are prepared to deal with them. That includes appropriating staff and third-party contractors to help thwart the attacks; implementing an incident response plan across various departments; and sharing information among affected organizations.
In addition, because the attacks often target banks' service providers, the OCC suggests that financial institutions review the response capabilities of their ISPs and web-hosting vendors. The alert also encourages banks that are sustaining a DDoS attack to remain in communication with customers, conveying any risks they face, as well as safeguards they can take.
The OCC said banks should view their security in terms of risk management. But the alert also reminded institutions that they are obligated to follow the Federal Financial Institutions Examination Council (FFIEC) guidelines, which were updated in 2011 to address corporate account takeovers. Often, DDoS attacks run cover for attackers who are simultaneously logged in to victims' bank accounts and fraudulently transferring money out of them.
Avivah Litan of research firm Gartner said in a blog post Friday that the alert shows the OCC is taking the threat seriously, and this will likely result in increased regulatory enforcement.
"Some banks do spend enough on security – but many do not," she wrote. "This will help ensure that all – and not just some – of the banks regulated by the OCC at least, are putting the requisite resources into defending against DDoS attacks and their attending damage."