December 21, 2012

National banking regulator advises on DDoS deluge

The regulator for national banks issued an alert Friday about the apparent uptick in distributed denial-of-service (DDoS) attacks being waged against financial institutions.

The note from the Office of the Comptroller of the Currency (OCC), which was addressed to the heads of national banks, federal branches and agencies, technology service providers and other related organizations, described how a recent wave of DDoS attacks are disrupting the availability of some bank websites. The spate seemed to kick off in early fall, and many top banks are still experiencing on-and-off attacks.

"Each of these groups had different objectives for conducting these attacks, ranging from garnering public attention to diverting bank resources while simultaneous online attacks were underway and intended to enable fraud or steal proprietary information," the alert said.

The bulletin recommends that banks maintain a "heightened sense of awareness regarding these attacks" and ensure they are prepared to deal with them. That includes appropriating staff and third-party contractors to help thwart the attacks; implementing an incident response plan across various departments; and sharing information among affected organizations.

In addition, because often the attacks target banks' service providers, the OCC suggests that financial institutions review the response capabilities of their ISPs and web-hosting vendors. The alert also encourages banks that are sustaining a DDoS attack to remain in communication with customers, conveying any risks they face, as well as safeguards they can take.

The OCC said banks should view their security in terms of risk management. But the alert also reminded institutions that they are obligated to follow the Federal Financial Institutions Examination Council (FFIEC) guidelines, which were updated in 2011 to address corporate account takeovers. Often, DDoS attacks run cover for attackers who are simultaneously logged in to victims' bank accounts while fraudulently transferring out money from their accounts.

Avivah Litan of research firm Gartner said in a blog post Friday that the alert shows the OCC is taking the threat seriously, and this will likely result in increased regulatory enforcement.

"Some banks do spend enough on security – but many do not," she wrote. "This will help ensure that all – and not just some – of the banks regulated by the OCC at least, are putting the requisite resources into defending against DDoS attacks and their attending damage."

Related Articles
Related Topics
Related Links

More in News

NYPD detective charged with hiring hackers so he could spy on ex-girlfriend

Edwin Vargas, 42, was arrested on Tuesday for allegedly buying email login credentials and cracking fellow officers' email accounts.

Twitter begins rollout of two-factor authentication to limit account takeovers

Twitter begins rollout of two-factor authentication to limit ...

Following a series of high-profile Twitter account hijacks, the microblogging service finally has delivered two-factor authentication.

Commission offers suggestions for stemming online spy threat from China

Commission offers suggestions for stemming online spy threat ...

The 100-page report mostly addresses alleged Chinese cyber espionage operations, and suggests it's time for U.S. government agencies and corporations to consider more proactive approaches, possibly including hack-backs.