The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
Federal Financial Institutions Examination Council 3501 Fairfax Drive Room B7081a Arlington, VA 22226-3550 (703) 516-5588 FAX (703) 562-6446 http://www.ffiec.gov Joint Statement Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources PURPOSE The Federal Financial Institutions Examination Council (FFIEC) members1 (“members”) are issuing this statement to notify financial institutions of the risks associated with the continued distributed denial-of-service (DDoS) attacks on public websites. The statement also outlines the steps that institutions are expected to take to address these attacks, and provides resources to help institutions mitigate the risks posed by such attacks. BACKGROUND In the latter half of 2012, an increased number of DDoS attacks were launched against financial institutions by politically motivated groups. These DDoS attacks continued periodically and increased in sophistication and intensity. These attacks caused slow website response times, intermittently prevented customers from accessing institutions’ public websites, and adversely affected back-office operations. In other cases, DDoS attacks served as a diversionary tactic by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearinghouse transfers. RISKS Financial institutions of all sizes that experience DDoS attacks may face a variety of risks, including operational risks and reputation risks. If the attack is coupled with attempted fraud, a financial institution may also experience fraud losses as well as liquidity and capital risks. RISK MITIGATION The members expect each financial institution to address DDoS readiness as part of ongoing information security and incident response plans. In accordance with regulatory requirements2, 1 The FFIEC is comprised of the principals of the following: The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee. 2 12 C.F.R. Part 30, Appendix B (Office of the Comptroller of the Currency); 12 C.F.R. Part 208, Appendix D-2, and Part 225, Appendix F (Federal Reserve); 12 C.F.R. Part 364, Appendix B (Federal Deposit Insurance Corporation); 12 C.F.R. Part 748, Appendix A and B (National Credit Union Administration). and the FFIEC Information Technology (IT) Handbook on Business Continuity Planning3 and Information Security4 booklets, the members expect institutions to take the following steps, as appropriate: 1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts; 2. Monitor Internet traffic to the institution’s website to detect attacks; 3. Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts; 4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring precontracted third-party servicers, as appropriate, that can assist in managing the Internetbased traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack; 5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics; and 6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly. ADDITIONAL RESOURCES In addition to the FFIEC guidance, several other publications are available to help organizations mitigate the risks from DDoS attacks. The Department of Homeland Security’s National Cybersecurity and Communications Integration Center published a DDoS Quick Guide on January 29, 2014. This Quick Guide provides useful information on attack possibilities and traffic types and should be shared with an institution’s IT department and the institution’s online banking service provider, if applicable. The Quick Guide is available at www.uscert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf . Additionally, publications such as National Institute of Standards and Technology Special Publication 800-61, Computer Security Incident Handling Guide, (http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf), offer specific instructions for IT staff members to help implement incident response plans. The following are additional reference materials: Office of the Comptroller of the Currency - Distributed Denial of Service Attacks and Customer Account Fraud, December 21, 2012; http://www.occ.gov/newsissuances/alerts/2012/alert-2012-16.html 3 http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx 4 http://ithandbook.ffiec.gov/it-booklets/information-security.aspx 2 National Credit Union Administration - Mitigating Distributed Denial-of-Service Attacks, February 2013; http://www.ncua.gov/Resources/Pages/RSK2013-01.aspx US-CERT - Security Tip, Understanding Denial-of-Service Attacks, November 4, 2009; http://www.us-cert.gov/ncas/tips/ST04-015 3