US Government Makes DDoS Protection Mandatory for Banks

This week, the Federal Financial Institutions Examination Council (FFIEC) released its six-step plan to better protect financial institutions from the persistent threat of distributed denial-of-service (DDoS) attacks.

For anyone out of the loop, a DDoS attack occurs when an attacker directs traffic from hundreds, thousands, or more compromised machines (a botnet) at a single site at once in an attempt to overwhelm it. If successful, the flood exhausts the target's network bandwidth, connection state, or application capacity, and legitimate customers can no longer get through. The server does not reboot; it simply stops answering, and the outage lasts as long as the flood does or until the traffic is filtered upstream. The danger is not limited to downtime: the FFIEC warns that a DDoS attack can also serve as a diversion, keeping staff busy restoring service while criminals attempt fraud with stolen customer or employee credentials.

According to the FFIEC, these steps will help safeguard American banks from the groups that have been hitting them since 2012, and better prepare firms like Bank of America and JPMorgan Chase for the day a very large botnet comes knocking at their front door, the public-facing website.

Most of the steps are standard practices that many banks have likely already implemented on their own, independent of any advice from the FFIEC; others call for a closer, pre-arranged working relationship between the banks and the ISPs that provide their links to the rest of the world, since a flood that saturates a bank's upstream connection can only be filtered upstream of it.

“In the latter half of 2012, an increased number of DDoS attacks were launched against financial institutions by politically motivated groups,” the FFIEC statement says. “These DDoS attacks continued periodically and increased in sophistication and intensity. These attacks caused slow website response times, intermittently prevented customers from accessing institutions’ public websites, and adversely affected back-office operations.”

The full list of the six steps, as given in the statement:

  • Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts
  • Monitor Internet traffic to the institution’s website to detect attacks
  • Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts
  • Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack
  • Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement, because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics
  • Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments and adjust risk management controls accordingly
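The second step, monitoring traffic to the institution's website to detect attacks, is the one most readily turned into code. The script below is an added example, not part of the article or the FFIEC statement: it parses web-server access log lines in the common Apache/nginx combined layout, counts requests per one-second window and per source address, and flags windows that exceed an assumed rate threshold. For each flagged window it also answers the question an incident responder asks first: would a per-source rate limit at the edge have absorbed this, or is the traffic spread across so many sources, each individually below the limit, that the flood is genuinely distributed and needs help from the ISP or a scrubbing provider? The log lines, addresses and thresholds are constructed for the example; a real deployment would tune them to its own baseline.

```python
"""Rate-based DDoS indicator over web access logs.

Added example (not from the article or the FFIEC statement). The sample log
is constructed inline using documentation address ranges; thresholds are
assumptions that a real deployment would tune to its own traffic baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Apache/nginx access-log layout: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp, request) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_floods(lines, window_seconds=1, rate_threshold=100, per_ip_limit=10):
    """Flag time windows whose request count exceeds rate_threshold.

    For each flagged window, also report how many requests would still get
    through if every source were capped at per_ip_limit. If that residual is
    still above the threshold, a per-source limit at the edge is not enough:
    the flood is distributed and has to be handled upstream.
    """
    windows = defaultdict(Counter)  # window start (epoch seconds) -> Counter of source IPs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as traffic
        ip, ts, _ = rec
        start = int(ts.timestamp()) // window_seconds * window_seconds
        windows[start][ip] += 1

    alerts = []
    for start in sorted(windows):
        sources = windows[start]
        total = sum(sources.values())
        if total <= rate_threshold:
            continue
        residual = sum(min(n, per_ip_limit) for n in sources.values())
        alerts.append({
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "requests": total,
            "distinct_sources": len(sources),
            "residual_after_per_ip_limit": residual,
            "distributed": residual > rate_threshold,
        })
    return alerts


def make_sample_log():
    """Constructed log: a quiet second, a single-source flood, then a distributed flood."""
    base = datetime(2014, 4, 2, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, path="/login", status=200):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'

    lines = []
    # second 0: five ordinary customers, one request each
    for i in range(5):
        lines.append(line(f"198.51.100.{i + 1}", base))
    # second 1: one loud source sends 150 requests (a per-IP limit would absorb this)
    for _ in range(150):
        lines.append(line("203.0.113.7", base + timedelta(seconds=1)))
    # second 2: 120 sources send 2 requests each, every one of them under the per-IP limit
    for i in range(120):
        for _ in range(2):
            lines.append(line(f"192.0.2.{i + 1}", base + timedelta(seconds=2)))
    lines.append("this line is not an access log record and is skipped")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```

The example only sees requests that actually reached the web server and were logged. A volumetric flood that saturates the bank's upstream link never appears in these logs at all; it shows up as silence, which is why the FFIEC's steps on pre-arranged ISP involvement and third-party traffic management matter as much as any on-site monitoring. Netflow or ISP-side counters are the right data source for that case, and the same per-window, per-source logic applies to them.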

The FFIEC has not set a hard deadline for these rules, but it expects that most banks should be able to comply within the next few months at most.