A U.S. Department of Homeland Security memo that said the May 7 distributed denial of service attacks threatened by the so-called “hacktivist” collective Anonymous against government and financial websites would be more bark than bite prove to be true.
As of the morning of May 8, NCUA Public Affairs Specialist John Fairbanks said the agency had not received any reports of credit unions being hit with the threatened May 7 attacks. Likewise, targeted credit unions reported no ill effects.
Jeanette Mack, manager, corporate communications for the $54 billion Navy FCU of Vienna, Va., reported all operations were normal. Representatives from the $5.6 billion American Airlines FCU of Fort Worth, Texas; the $27 billion State Employees’ Credit Union of Raleigh, N.C.; and the $6.2 billion San Diego County Credit Union also reported no problems.
Mack, SECU President/CEO Jim Blaine and SDCCU President/CEO Teresa Halleck added that their organizations will continue to be prepared for the attacks.
“With [May 7] being the announced date, everybody gears up,” Halleck said, “but it could happen any day. So, we are maintaining a state of awareness.”
A group claiming to be affiliated with Anonymous posted a target list April 24 on website Pastebin, saying its May 7 OpUSA effort would target nine government sites and 133 financial institutions. In addition to Navy Fed, SECU, American Airlines FCU and SDCCU, the credit unions on the list included the $16 billion Pentagon FCU of Alexandria, Va.; the $12 billion Boeing Employees Credit Union of Tukwila, Wash.; the $9.8 billion SchoolsFirst FCU of Santa Ana, Calif.; the $8.2 billion The Golden 1 Credit Union of Sacramento, Calif.; the $5.4 billion Suncoast Schools FCU of Tampa, Fla.; the $8.3 billion Alliant Credit Union of Chicago; the $7.2 billion Security Service FCU of San Antonio; and the $5.8 billion America First FCU of Riverdale, Utah.
CUNA Spokesman Pat Keefe said his trade association, which was the first to alert credit unions to the May 7 attacks, said CUNA was relieved there were few, if any, attacks.
“We had acknowledged from the beginning that there certainly was the possibility that no threat would in fact materialize,” Keefe said. “But we continue to strongly believe maintaining the trust of members in the security of their credit unions is worth the effort of advising credit unions of risks to them and their members. In fact, if our cautions to credit unions played any role in diminishing a threat, so much the better.”
Brian McGinley, CEO of IDT911 Consulting, a Scottsdale, Ariz.-based data risk management firm that has approximately 30 credit union clients, said any credit union could suffer what he called collateral damage if they share service providers with an institution hit by a DDoS attack.
“That’s really the key message of why these attacks are different,” he said. “Since most credit unions use a third-party IT supplier, the attack, per se, goes through the provider to hit them.”
When a DDoS attack floods a website with traffic, he explained, that traffic goes through switches that may be shared by hundreds of institutions, and all could feel the effects. Although the attacks so far have been targeted at online banking programs, McGinley said they could extend to platforms that support teller terminals, systems that open new accounts or those that process loans, he said, because they are delivered through web services. Cloud distribution could also be subject to disruption, he added.
The inclusion of credit unions on the May 7 target list should serve as a wake-up call for all credit unions to initiate meetings with IT service providers to hammer out what communication and technical plans would be implemented were an attack to occur, and what to expect in terms of service levels, he said.
“And, when you’re talking about large providers serving hundreds or thousands of clients, if there is an attack, somebody needs to ask who would get priority in getting back up online,” he said.
Kevin Prince, chief technology officer at the Santa Ana, Calif.-based technology management firm Compushare, said his firm has worked on an FBI task force for a long time combating Anonymous cyberattacks. But he said the bureau “is having a hard time doing anything about it.” He described law enforcement attempts to fight the loose collective like chopping off one head, only to find two more have grown back in its place. Prince, who was a guest on a May 6 CUNA press call, recently released a white paper that reassures small financial institutions they’re not likely targets, but nonetheless provides ways to prepare in case they are, or simply worry they may be.
In reality, he said, there’s very little a small credit union can do to stop a DDoS attack.
“You can’t just tweak the firewall. It simply doesn’t work that way,” he said.
Instead, Prince agreed with McGinley that credit unions should work with their Internet service providers to stop the attack upstream before it gets to the credit union’s website or online banking service, and review third party due diligence.
The white paper, “DDoS Attacks: How Real Are the Risks for Community Financial Institutions,” is available for download on Compushare’s website.+
Corporate credit unions weren’t listed a potential victims, but nonetheless Scott Hunt, the NCUA’s director of the Office of National Examinations and Supervision emailed a letter to corporate credit unions May 7 providing information regarding the attacks and instructing corporates what they should do if they are attacked.
In the letter, Hunt said the main May 7 anticipated attack vectors included not just DDoS, but also Structured Query Language injection and cross-site scripting. DDoS attacks could peak at approximately 30 gigabits per second, and could be globally attributed, “with anticipated network spikes of up to nine GBPS originating from Indonesian class C Internet protocol address space.”
Hunt told corporates the FBI recommends DDoS mitigation techniques should include limiting the number of sessions from each IPA, reducing connection timeout wait time and analyzing infrastructure with publically available vulnerability scanning tools and patching that include the latest application and security updates.
“An effective configuration/patch management process provides a substantial defense to exploitive hacker tactics like SQLi and XSS and is foundational to an effective information security program intended to assure the safety and soundness of insured institutions,” Hunt said in the letter.
The chief examiner of all corporate credit unions and natural person credit unions with more than $10 billion in assets further told the corporates should they experience any significant cyber-attack activity, they should notify their NCUA district examiner and state regulator, if applicable.
“The will allow NCUA to take necessary steps to ensure appropriate defensive actions are taken at other credit unions,” he said.
Fairbanks confirmed that no corporates were targeted by Anonymous for May 7, but said because all financial institutions are subject to cyber threats and fraudulent attempts to break in, the regulator “remains diligent in reviewing security controls at credit unions.”