DDoS or distributed-denial-of-service attacks seem to be the focus of everyone's attention right now, and rightly so - it has seen huge increases this year. There are different ways to carry out a denial-of-service attack, but the term generally includes attacks that are meant to interrupt or suspend services connected to the Internet (for a period of hours to days). One example is to flood a bank's website with incoming messages that essentially overload the site and prevent customers from accessing it. This is a big concern to financial institutions because this type of attack is often used as a distraction to prevent institutions from identifying some type of fraudulent activity occurring during the service interruption. Protecting your payment systems during DDoS attacks should be your primary focus. Here are a few things your bank can do to protect you and your customers from DDoS attackers:
- Have DDoS protection conversations with your ISP…or with your Internet banking vendors. Having an Intrusion Detection/Prevention System (IDS/IPS) in place is a great tool to have, but if you want to prevent DoS or DDoS attacks, stopping them at your IDS is probably too late as traffic has already flooded your network and accomplished its purpose. You need this traffic stopped earlier in the chain – like at your ISP level. ISPs are now offering special anti-DDoS packages and technologies, so it's worth looking into. If your web server is hosted by a vendor, make sure that vendor is doing what they can to limit attacks (e.g. talking to their ISP about anti-DDoS packages and technologies).
- If your institution does not have call-back verification procedures in place for all wire and ACH activity, then you should strongly consider implementing those during a DDoS attack. This is to protect you in the event the DDoS attack was implemented as a distraction while someone submits fraudulent wires or ACH batches. If your institution does currently implement call-back verification for transactions over a certain amount, you might consider lowering that threshold during a DDoS attack.
- Include DDoS procedures in your Business Continuity Plan. Those procedures need to be things your institution will plan on implementing should you become the target of a successful attack, like the call-back verification listed above. You might also consider expanding your call center or customer service personnel during a DDoS attack, especially if your customer base relies heavily on online services. These services could all potentially be unavailable for a few hours (and even a few days), so you'll need to expect a higher volume of calls. Having a prepared response for your call center to give during this time can also help with any customer concerns. Including alternate operating procedures for services normally accessed online in your BCP will also help mitigate some of the damage that an outage could cause.
As with all areas of information security, you will best be prepared if you assess the risk, implement layers of security, and ensure your incident response procedures are adequate. If you look at these types of attacks with the thought that it's not a matter of if, but when, then you'll be ready for attackers and will have procedures in place to seamlessly protect your customers and to continue conducting business as normally as possible.