The accepted opinion among security professionals is that most credit unions will get a free pass to dodge the Distributed Denial of Service (DDoS) blitzkrieg that has been knocking big banks offline. That is because the attackers have exhibited a strong preference for hitting targets that – when they go down – generate headlines, like Bank of America or Capital One.
Knock down a $100 million teachers’ credit union and the press will yawn.
Except, in conversations with Credit Union Times, several security professionals suggested that if most of the credit union industry were taken out, that would win headlines aplenty -- and the way to do it, they suggested, might be to aim DDoS at a handful of corporate credit unions.
Overwhelm their networks – which is what DDoS does – and that would leave their members at a loss for item processing, among other services provided by corporates, and in effect a large midsection of the nation’s credit unions would cease to be able to operate effectively.
Question: how well protected against DDoS are the corporates?
Keep in mind that today’s attacks are enormous in their scale. Historically, DDoS attacks were driven by pings from a ragtag Zombie PC botnet. Today’s attacks against big banks are said to be organized by a nation state and they harness not Zombie PCs but industrial-grade web hosts and data centers.
Prolexic, a DDoS mitigation firm that claims many top banks as clients, recently reported that in 2012 “large attacks got larger. In Q4, Prolexic mitigated seven attacks with an average bitrate over 50 Gbps; in Q3 Prolexic mitigated seven attacks over 20 Gbps.”
There is no need to understand the geek talk. What Prolexic is saying is that the attacks it is seeing have more than doubled in force -- and a DDoS defense created to ward off the historic Zombie botnets would be about as useful as waving a bayonet at a U.S. Marine Corps Bell Viper attack helicopter.
The NCUA, for its part, responded to a Credit Union Times request for clarification of its DDoS requirements with this: “NCUA is monitoring recent distributed denial of service (DDoS) attacks directed at banks, and recognizes that credit unions may also be targeted.”
Wrote spokesperson John Fairbanks in the email: “All credit unions, both corporate and natural person, are expected to ensure their Incident Response Policy and Procedures are current and tested in order to minimize the impact of a DDoS or other types of cyber-attacks.”
The email continued: “NCUA considers detailed information about credit union transactional websites to be sensitive and non-public. ... NCUA is in the process of developing guidance to credit unions on this topic, with supervisory expectations similar to other financial services regulators. We anticipate releasing this industry guidance in the near future.”
Explicit guidance from federal banking agencies is equally vague. Large-scale DDoS is a new kind of threat and regulators are scrambling to devise suggestions about how to cope.
What exactly are corporate credit unions doing?
When asked what its DDoS defenses are, Alloya, the Warrenville, Ill.-based corporate with more than 1,000 owner-members, offered this comment: “Alloya takes the threat of DDoS attacks seriously. To guard against them, we have deployed defenses at multiple levels, both internal and external to our organization. Simultaneously we have put processes in place to protect member data and transact business should an attack ever occur,” said Vic Vrigian, an Alloya vice president.
Catalyst, the Plano, Texas-based corporate with nearly 1,300 owner-members, said about its defenses: “As a practice we do not publicly discuss our computer security standards.” It ignored a request for elaboration.
Corporate America, the Irondale, Ala., cooperative, also declined to comment.
Corporate One, the Columbus, Ohio-based institution serving around 1,000 member credit unions, agreed to tell what defensive steps it is taking, and the tactics boil down to beefing up internal skills and resources but also turning to an outside vendor – in this case, Cincinnati-based IT solutions company CBTS – for emergency assistance in the event an attack unfolds.
That outside help, experts told Credit Union Times, is typically essential because very few organizations have the spare Internet pipe to successfully absorb and deflect a 2013 DDoS attack. Bring in an ally with pipe and defense is possible.
The detailed Corporate One response is here.
The reluctance of other institutions to share details is understandable – but are there good reasons to believe that in fact they could stand up to a withering DDoS assault?
That’s a question natural person credit unions need to be asking because there is no letup in sight for DDoS attacks – and at any moment the credit union industry’s free pass could be revoked.
What would happen then?