Tips To Address New FFIEC DDoS Requirements

Sean Leach | May 19, 2014

Recently, the FFIEC released statements that describe steps it expects financial institutions to take to address cyber-attacks -- like distributed denial of service (DDoS) attacks -- and highlight resources institutions can use to help mitigate the risks posed by such attacks.

The statement went so far as to say that FFIEC members “expect financial institutions to address DDoS readiness as part of their ongoing information security and incident plans. More specifically, each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate.”

While this is common practice for many of the largest financial institutions today, these new recommendations have thrown many smaller banks and credit unions for a loop. In an effort to help financial institutions of all sizes address the new FFIEC guidelines, Verisign and Juniper Networks recently held a joint webinar to explain what exactly these new guidelines mean for financial institutions, how DDoS attacks work, and the common options that leading institutions use today for DDoS protection and mitigation. All of this was discussed in the context of the six key focus areas described by the FFIEC statement: risk assessment, monitoring, incident response, staffing, information sharing, and ongoing evaluation and assessment.

There were several questions during the webinar, but I wanted to call out the following two as they highlight some key industry challenges:

Q: How does the financial industry compare with others in terms of frequency of DDoS attacks?

At Verisign we compile and analyze data on attack attempts against our customers. Based on 2013 attack activity, about 45 percent of DDoS attacks targeted the financial services industry. Our customer base is weighted toward financials, which is itself indicative of how important this type of protection is to the industry, so it is not too surprising that the vertical represents a high percentage of activity.

Q: NTP attacks have been in the news lately. What are these?

In the webinar, I described the NTP amplification attacks we have seen over the past several years. They rely on a property of the User Datagram Protocol (UDP): there is no handshake, so a request's source address can be forged (spoofed) to be the victim's address, and a third-party server will send its reply to the victim rather than to the attacker. By sending small requests to many third parties that produce large responses directed at the victim, the attacker can overwhelm the victim's resources while using relatively few of his own. NTP is a UDP-based protocol like DNS, but it is used to let computers across the Internet synchronize their internal clocks so they all agree on what time it is. There are many "open" NTP servers on the Internet that will respond to any request, and attackers use these servers as the third party in amplification attacks against their victims. The majority of large attacks we have seen over the last year have been amplification attacks. Having a robust network and application layer DDoS protection solution is the best way to protect against these attacks. Two things also reduce the pool of usable reflectors: NTP server operators restricting management queries (for example, `restrict default noquery` in ntpd, which disables the very large "monlist" response), and networks filtering packets with spoofed source addresses at their edge (BCP 38 ingress filtering).
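The monitoring the FFIEC statement calls for has to recognize this traffic when it arrives. The following is an added example, not code from the original post or from Verisign, showing the kind of flow-level check a practitioner would run: it looks for a destination that is receiving UDP traffic from source port 123 (NTP) from several distinct servers at once, where the packets are far larger than a normal 48-byte NTP time exchange. The flow records, the IP addresses, and the 482-byte reflected packet size are all constructed for the example; the thresholds are assumptions to be tuned for a real network.

```python
"""Flag likely NTP amplification victims in UDP flow records.

Added example (not from the original post). Input records are constructed,
not real captures; thresholds are assumed starting points, not measured values.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
NORMAL_NTP_PACKET_BYTES = 48  # a standard NTPv3/v4 time request or reply


@dataclass(frozen=True)
class Flow:
    """One aggregated UDP flow, as a NetFlow/IPFIX collector would export it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    # Ordinary NTP: a client asks a server for the time, one 48-byte packet each way.
    Flow("203.0.113.10", 41234, "198.51.100.5", NTP_PORT, 1, 48),
    Flow("198.51.100.5", NTP_PORT, "203.0.113.10", 41234, 1, 48),
    # A server polling five clients is still small traffic.
    Flow("192.0.2.50", NTP_PORT, "203.0.113.11", 53012, 5, 240),
    # Reflected traffic: four open NTP servers each sending 500 large (482-byte)
    # replies from port 123 to a victim that never asked for them.
    Flow("192.0.2.1", NTP_PORT, "198.51.100.80", 80, 500, 241000),
    Flow("192.0.2.2", NTP_PORT, "198.51.100.80", 80, 500, 241000),
    Flow("192.0.2.3", NTP_PORT, "198.51.100.80", 80, 500, 241000),
    Flow("192.0.2.4", NTP_PORT, "198.51.100.80", 80, 500, 241000),
    # A single server sending large replies to one host: suspicious, but below
    # the reflector-count threshold, so it is not reported as an amplification victim.
    Flow("192.0.2.9", NTP_PORT, "198.51.100.90", 443, 10, 4820),
]


def find_amplification_victims(flows, min_reflectors=3, min_avg_packet_bytes=200):
    """Return {victim_ip: summary} for hosts that look like amplification targets.

    A host is reported when it receives traffic from source port 123 from at least
    `min_reflectors` distinct servers and the average packet size is at least
    `min_avg_packet_bytes`. Both thresholds are assumptions for this example.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.src_port != NTP_PORT:
            continue  # only traffic that claims to be an NTP server reply
        agg = per_dst[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["packets"] += f.packets
        agg["bytes"] += f.bytes

    findings = {}
    for dst, agg in per_dst.items():
        if agg["packets"] == 0:
            continue
        avg_packet = agg["bytes"] / agg["packets"]
        if len(agg["reflectors"]) >= min_reflectors and avg_packet >= min_avg_packet_bytes:
            findings[dst] = {
                "reflectors": len(agg["reflectors"]),
                "total_bytes": agg["bytes"],
                "avg_packet_bytes": round(avg_packet),
                # How much larger each reply is than a normal NTP packet; the
                # attacker's request is about that small, so this approximates the gain.
                "size_vs_normal_ntp": round(avg_packet / NORMAL_NTP_PACKET_BYTES, 1),
            }
    return findings


if __name__ == "__main__":
    for victim, summary in find_amplification_victims(SAMPLE_FLOWS).items():
        print(victim, summary)
```

On the constructed records only 198.51.100.80 is reported: four reflectors, 964,000 bytes, an average reply of 482 bytes, roughly ten times a normal NTP packet. The single-reflector host stays below the count threshold, which is the point of requiring several sources before raising an alert; one chatty NTP server is not an attack. In practice the same logic runs over collector exports, and the thresholds are set from a baseline of the institution's normal NTP traffic rather than the assumed values above.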

For more information about how to implement a DDoS protection strategy, watch the on-demand webinar or read one of my earlier blog posts, How Financial Institutions Can Up Their Game Against DDoS Attacks.