Fingers now are united in pointing to Iran as the nation state behind a wave of powerful Distributed Denial of Service (DDoS) attacks that recently have crippled the Web services of banks such as Bank of America, Capital One, Wells Fargo and HSBC.

And that raises the question: will credit unions be next?

Especially worrisome about the latest attacks is that they are vastly more powerful than what has been seen before. Rather than leveraging off a network of zombie PCs – so-called botnets – the latest attacks hijack data centers, letting loose a potent gusher of nonsensical information that overwhelms undefended Internet gateways and can also stun even well-protected ones.

The sophistication of the attack is why fingers are pointed at Iran.

For the record, authorship of the attacks has been claimed by a group called Izz ad-Din al-Qassam Cyber Fighters. In a recent post, it stated: “Rulers and officials of American banks must expect our massive attacks! From now on, none of the U.S. banks will be safe from our attacks.”

Credit unions are not mentioned, so are they safe? Expert opinion is divided.

On the one side, there are experts who believe that credit unions are too small to win the kinds of headlines the attackers crave.

In that regard, Adam Bosnian, an executive vice president at security provider Cyber-Ark, said to me in an interview: “You have to ask, what's the goal of the attacker? So far it seems to be to raise awareness that Iran can be a thorn in the United States' side.”

But other experts suggested that large, military and government-related credit unions might be attractive targets to Izz ad-Din.

Still others think corporate credit unions are a weak link.

Paul Ferguson, vice president of threat intelligence at Internet Identity, said that in his opinion “credit unions are vulnerable and we see the attackers shifting targets. They are nimble. It is easy for them to repoint the attack at another institution” – and if they decide to go after credit unions, woe to the cooperatives, he suggested.

That – plus the persistence of lower-level DDoS mounted by people with grudges (such as ex-employees) – is why many experts now say credit unions cannot assume they have a free pass to dodge DDoS.

So, what should they do?

Hemant Jain, a vice president at security company Fortinet, told me in an interview that basic DDoS protection for a smaller credit union likely would run around $300,000 for a DDoS mitigation appliance, with annual service fees adding another 10% or 15% to the price tag.

That spend would be ample for warding off old-style DDoS attacks.

What the appliance does is inspect incoming traffic. It knows what DDoS attacks have looked like and it blocks them. Impact on legitimate users is minimal and, at least with traditional DDoS attacks, the institution's operating abilities should be uninterrupted. Nation state attacks – with their high volumes – may, however, overwhelm most appliances.

That is why another strategy – sometimes used instead of an appliance, often used in tandem with one – is enlisting Internet service provider assistance to help thwart aggressive DDoS attacks.

At Internet traffic company Akamai, for instance, what it provides customers is inspection of all incoming traffic before that traffic reaches the institution. Akamai “scrubs” traffic it deems unsafe, meaning it is removed from the stream (and should cause no disruption to the institution).

Rich Bolstridge, chief strategist, financial services at Akamai, said the costs for “smaller firms” would run $10,000 and upwards per month. He added that the tools “work. We are successfully handling attacks for our banking customers on a daily basis.”

Many bigger financial institutions deploy some combination of both approaches, said the experts. For day-to-day protection they rely on in-house appliances. When the DDoS volume exceeds their ability to handle it internally, they turn to outside contractors – with whom they have prior agreements – to step in and help block the incoming bad data. They also may set up an alternative incoming Internet pipe to assist legitimate incoming traffic in getting to its destination.

These protections are not cheap and protecting against nation state attacks gets pricey.

Worrisome is that “most credit unions are naked. They don't have any protections,” said Bolstridge.

Even worse, when an institution is taken down by the current attackers, they gloat in public Internet posts – meaning “there will be no hiding from the fact that you were hit with a DDoS attack,” said Bolstridge.

Bosnian, by the way, raised a particularly creepy thought: Are your data centers protected against conscription into the Izz ad-Din al-Qassam Cyber Fighters' DDoS network? The present backbone of the attack is hijacked systems – typically owned by legitimate businesses with no clue that their computers are waging war on U.S. financial institutions. “If your systems are hijacked they can be used as a weapon. You need to prevent that,” said Bosnian.

Stay tuned: there will be more DDoS coverage in future columns because, right now, this is the biggest security topic in banking. The next focus: how vulnerable are corporate credit unions?
