Critics of CUNA’s decision to publicize a possible May 7 DDoS attack led by the hacker group Anonymous have been numerous and vocal in their complaints to Credit Union Times – “fear mongering” is the usual charge.
But the trade association believes it did the right thin
In written responses to questions late Tuesday, the trade group explained its decision to warn credit unions about the threat to take down their websites, which included suggesting they consider warning members to avoid online banking that day and come into the branch.
Q: What did CUNA think would be the gain from publicizing this?
CUNA: We believe that credit unions are better forewarned rather than not knowing. Seeing an event develop before their eyes and having little, if any, information at their fingertips for why it is occurring can be disconcerting.
Q: Why does CUNA take the threat seriously? (Many experts don't see much there.)
CUNA: CUNA believes that any cyber-threats to credit unions, in this day and age, must be taken seriously. We were privy to information from others within the credit union space who look out for these sorts of threats assiduously through their own analysis (based on their own experiences in the past of being subject to such DDoS, particularly in their part of the country). We evaluated their analysis and, after careful consideration, determined that credit unions would be better off knowing of the threat, and be prepared for it.
Q: Given that it would be impossible for any credit unions (except possibly for the two or three largest) to buy defenses in time for May 7, what was the intent of the announcement?
CUNA: Again, we believe that credit unions are better off knowing of the threat. As we detailed in our News Now coverage last week, there are steps that any credit union can take, including:
· Alerting its network team to actively monitor inbound Internet traffic that day. The team should be prepared to block traffic from specific IP addresses in an effort to maintain their website’s ability to respond to normal business requests;
· Educating call center staff on the symptoms of a denial of service attack so they can better serve the members and notify their network teams if an attack is under way. The call center staff should be prepared with alternatives to serve the members.
Certainly it is possible that no threat will, in fact, materialize; but we strongly believe that maintaining the trust of members in the security of their credit unions is worth the effort.
One more piece of information: Just last week, CUNA held an exploratory cyber security conference call with four of the biggest players in the CU space in this area. The goal of the call was to talk about if there are any standards or common things that credit unions and credit union organizations can align around to better protect the CU system. Some things that came out of that discussion:
· Many credit unions don't have a cyber security response plan, don't have a board policy, and may not be aware of the special insurance coverages specific to cyber security.
· Many credit unions are looking for vendors that can help in this area.
· One of the core takeaways was that we need better communication on this whole issue, so CUNA is looking to take a leadership role in sharing information in this area.