CO-OP Financial Services has announced release of a free DDoS mitigation white paper intended to offer guidance to credit unions, especially in the run up to the possible May 7 attacks announced by groups affiliated with the hacker organization Anonymous.
The white paper is here. It was written by Ray Zadjmool, president of Tevora, a Lake Forest, Calif., information assurance consulting firm.
Included in the white paper is DDoS incidence reporting where a sampling of credit unions were asked if they had ever experienced a DDoS attack. One-third – 33% – said yes. Forty-three percent said they did not kno
- Was May 7 Only a Test?
- May 8: Attacks But No Time to Let Guard Down
- Mixed Views in LinkedIn Poll on May 7 Warning
- No Takedowns Reported Tuesday
- Anonymous May 7 Target List Includes CUs
- Krebs: DHS Memo Says ‘More Bark Than Bite’
- Threat of the Week: May 7, Ready or Not
- CUNA Explains Thinking Behind Warning
- Reactions Vary to May 7 Warning
- DDoS Attacks Often Fraud Diversions
- Mark Your Calendar (or Not) for May 7 Attacks
- CUNA Issues May 7 DDoS Warning
Importantly, of the credit unions that had experienced a DDoS attack, none had reported it to external parties, making doing incidence counts difficult.
Only a handful – 7% – said they had DDoS mitigation tactics in place.
The white paper succinctly recaps the recent history of DDoS, and it also offers a non-technical look at the kinds of DDoS that financial institutions have recently been subjected to,
Core to its advice is this: “Credit unions should ... plan for a strategy that deals with DDoS much the same way as a natural disaster; an event that could disable critical services and impacts the ability to conduct business.”
It also follows NCUA’s guidance in outlining a three-pronged approach:
*”Perform risk assessments to identify risks associated with DDoS attacks.
* Ensure incident response programs include a DDoS attack scenario during testing and address activities before, during, and after an attack.
* Perform ongoing third-party due diligence, in particular on Internet and Web-hosting service providers, to identify risks and implement appropriate traffic management policies.”
The paper’s conclusion: “Implementing a DDoS mitigation strategy should take into account a formal assessment of risk, prior planning, third party due diligence, and capital investment. By implementing a variety of methods, credit unions and credit union service organizations can prepare for a security threat that is poised to grow over time.”