The US Federal Financial Institution Examination Council’s (FFIEC) recent guidance on distributed denial of service (DDoS) attacks provides financial institutions with at least six steps as part of their responsibility to mitigate risk.
The announcement, made in a press release, sets out the expectation that institutions be aware of DDoS attacks and that they conduct a risk assessment.
DDoS announcements such as this are not new. The National Credit Union Association (NCUA) released one in early 2013, and long before that the FFIEC’s IT handbook covered DDoS.
If services are unavailable, what’s the cost to the business? This depends on the organization and how much its customer base relies on its online presence. Beyond availability, agencies are cautioning that DDoS tactics are used as a mechanism to defraud organizations while they are scurrying around fighting the onslaught of saturated services.
The fraud may go undetected because transaction analytics miss important indicators and fail to alert key personnel, and because stolen consumer credentials allow the fraudsters to log in and wire funds while teams are busy defending against the attack.
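The point above, that transaction monitoring should tighten rather than relax while a DDoS is in progress, can be shown with a small triage routine. The following is an added example written for this page, not code from the FFIEC, US-CERT, or any vendor: the account profiles, the wire records, the declared DDoS window, and the multiplier thresholds are all constructed and hypothetical. It holds a wire for review when it comes from an unrecognized source IP or exceeds the account's typical amount, and it lowers the amount threshold and treats any new IP as suspicious during a declared DDoS window.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (hypothetical, not from the article): one declared DDoS window.
DDOS_WINDOWS = [(datetime(2014, 4, 2, 9, 0), datetime(2014, 4, 2, 13, 0))]

# Constructed per-account profiles: IPs seen in normal use and the typical wire amount.
KNOWN_IPS = {"acct-100": {"203.0.113.10"}, "acct-200": {"198.51.100.7"}}
TYPICAL_AMOUNT = {"acct-100": 2_000.0, "acct-200": 15_000.0}


@dataclass
class Wire:
    wire_id: str
    account: str
    amount: float
    source_ip: str
    when: datetime


def in_ddos_window(when, windows=DDOS_WINDOWS):
    """True if the timestamp falls inside a declared DDoS incident window."""
    return any(start <= when <= end for start, end in windows)


def review_wire(wire, known_ips=KNOWN_IPS, typical=TYPICAL_AMOUNT, windows=DDOS_WINDOWS):
    """Return the reasons a wire should be held for review (empty list = release)."""
    reasons = []
    new_ip = wire.source_ip not in known_ips.get(wire.account, set())
    baseline = typical.get(wire.account) or wire.amount or 1.0
    ratio = wire.amount / baseline
    under_attack = in_ddos_window(wire.when, windows)

    # Hypothetical thresholds: the amount limit tightens from 5x to 2x while a DDoS
    # is in progress, because the attack may be cover for fraudulent transfers.
    amount_limit = 2.0 if under_attack else 5.0
    if ratio > amount_limit:
        reasons.append(f"amount {ratio:.1f}x typical (limit {amount_limit}x)")
    # Outside an attack a new IP only matters with an above-typical amount;
    # during an attack any unrecognized IP is enough to hold the wire.
    if new_ip and (under_attack or ratio > 1.0):
        reasons.append("unrecognised source IP")
    if under_attack and reasons:
        reasons.append("initiated during declared DDoS window")
    return reasons


def triage(wires, **kw):
    """Map each wire id to its review reasons so an analyst can work the held ones."""
    return {w.wire_id: review_wire(w, **kw) for w in wires}


# Constructed wires: two inside the DDoS window, one outside, one ordinary.
SAMPLE_WIRES = [
    Wire("W1", "acct-100", 3_000.0, "203.0.113.10", datetime(2014, 4, 2, 10, 0)),
    Wire("W2", "acct-100", 5_000.0, "192.0.2.55", datetime(2014, 4, 2, 10, 30)),
    Wire("W3", "acct-200", 20_000.0, "192.0.2.55", datetime(2014, 4, 3, 10, 0)),
    Wire("W4", "acct-200", 14_000.0, "198.51.100.7", datetime(2014, 4, 2, 11, 0)),
]

if __name__ == "__main__":
    for wire_id, reasons in triage(SAMPLE_WIRES).items():
        status = "HOLD" if reasons else "release"
        print(f"{wire_id}: {status} {reasons}")
```

In this constructed run W2 is held on all three counts, W3 is held only for its unrecognized IP, and W1 and W4 are released because they come from known IPs at close to their usual amounts. The design choice worth carrying into a real system is that the DDoS incident window is an input to the fraud rules: an incident declared by the network team should change the thresholds the transaction team applies, not merely generate a separate alert.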
With recent attacks eclipsing 300-400 Gbps, this is a significant undertaking even for a fully staffed team with substantial technical and human resources, let alone for SMBs that may lack the specialization and knowledge to begin with. Availability and possible fraud are two of the reasons why the FFIEC has reinforced its guidance in the wake of the mounting attacks.
Solution providers have continued to invest resources in their infrastructure and intelligence to help not only their existing customers but also a new wave of pending contracts as organizations turn to those who can help. DDoS vendors in the on-premises, cloud, and intelligence space include:
Organizations just getting started, or looking to enhance what they are already equipped with, should turn to US-CERT for a quick-start overview.
US-CERT hosts a DDoS Quick Start Guide that practitioners should not overlook in their day-to-day operations. Before contacting solution providers, teams should obtain the guide and become familiar with the different attack methods.
The value of US-CERT’s guide is that it helps organizations understand at a glance the tactics that can be used, and what they mean, so that they can better explain to executives what DDoS means to the business.
DDoS mitigation is a technology initiative to support the business. As security becomes more visible in the board room, teams will need to continue to be able to translate complex agenda topics in terms executives can understand.