Even When CUs Aren't Targeted, DDoS Attacks Still Have Impact

WASHINGTON — Over the last year, there has been a plethora of distributed denial-of-service (DDoS) attacks at financial institutions, including Patelco Credit Union, University (of Texas) FCU, Key Bank, M&T Bancorp and Zions Bank, among others.

But for some credit unions, the attacks aren't always a direct hit.

"Although our credit union infrastructure has never suffered a direct DDoS attack, our online banking provider suffered a DDoS attack, which resulted in temporary unavailability of our online banking," said David Martinez, Partnership Federal Credit Union's director of business technology.

This particular vendor attack resulted in a sudden influx of traffic that was distributed over multiple geographic locations. As a result, Partnership FCU experienced a temporary but noticeable loss of a key member-facing channel. "With over 50% of our membership actively using online banking each month, during this brief outage we saw online banking traffic shift to our call center and branches," said Martinez.

Going For Best Of Breed

Martinez lauded the credit union's "meticulous vendor-management program and its partnering with best-of-breed vendors" for the effective reaction that allowed members to seamlessly complete transactions through alternate channels. And while online banking was restored within approximately one day, the experience served as a cautionary tale.

With 13,034 members and $147 million in assets, Partnership FCU turned to IT service provider Horsetail Technologies to ensure another DDoS attack would be highly unlikely. "Last year, maybe there was a little too much reaction to the press over DDoS attacks, but credit unions should be aware of the threats," said Horsetail's principal and co-founder, Chris Sachse. "Many vendors are up to speed about what they need to keep credit union clients protected."

Since the credit union's attack was via a third party, a system Sachse couldn't access during assessment, a different diagnostic approach was required. "We had to set up a trap outside the host to find where the attacks were coming from, and we did," Sachse said.

Prior to the attack, Martinez said the credit union was actively monitoring for DDoS attacks and continuously monitoring selected vendors for their infrastructure security measures.

Since the event, coupled with media coverage, he and his team are even more active in conversations with peers and partners discussing best practices and preventative measures.

"Horsetail Technologies assessed all credit union systems to ensure our internal network was not being targeted, and then helped us coordinate with the impacted vendor to understand the scope of the attack and the anticipated recovery time," said Martinez.

Regulators such as the National Credit Union Administration and the Federal Financial Institutions Examination Council offer guidance with the publishing of periodic documents, which contain timely advice and best practices. Along with partnering with Horsetail Technologies, these resources have been valuable to Martinez.

"Our credit union religiously reviews these documents and adopts any recommended best practices that we are not already implementing," said Martinez. "Additionally, given that DDoS attacks are a widespread inter-industry issue, we've also obtained valuable information from general news publications and industry leading IT and security companies."

Too Much Media Hype?

According to Prolexic Technologies' Q3 2013 Global DDoS Attack Report, DDoS perpetrators changed tactics in the third quarter of this year to boost attack sizes in an attempt to hide identities. "The major concern is that reflection attacks are accelerating dramatically, increasing 265% over Q3 2012 and up 70% over Q2," noted Stuart Scholly, president of Prolexic.

"The bottom line is that DDoS attackers have found an easier, more efficient way to launch high bandwidth attacks with smaller botnets and that's concerning."

While there is merit to Prolexic Technologies' findings, not all industry analysts are reading the tea leaves the same way.

CUNA Mutual Group Risk Management Senior Consultant Ken Otsuka said he has seen a slight decline in DDoS attacks in recent months, adding that Izz ad-Din al-Qassam Cyber Fighters, who threatened huge DDoS attacks against financial institutions last year, "simply didn't materialize."

"This doesn't mean risks went away or DDoS is a passing fancy," said Otsuka. "Credit unions have to keep their guards up and can't be complacent."

Like Partnership FCU, TTCU The Credit Union has also taken proactive steps by placing trust in third-party providers.

"We previously had hosted our home banking and corporate web sites locally on site, but have since moved them to third party providers. So there's no longer much reason to attack us here," said Kevin Rogers, TTCU's vice president of IT security.

"While still a concern, we have little control over what the third-party host does on their own to mitigate these kinds of threats, and frankly they don't discuss it much." To play it safe in the event of a massive attack, Rogers added that a failsafe is in place.

"We also have a secondary Internet provider that links to another branch that we could utilize in case of a failure of our primary provider," he added.

