In the wake of the 2012 Distributed Denial of Service (DDoS) attacks against Financial Institutions, tt was recently announced by the FFIEC (Federal Financial Institutions Examination Council) that Banks must defend themselves against DDoS attacks.
FFIEC Statement Here:www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
The statement is not very prescriptive, and gives member institutions six requirements to follow as appropriate (quoted from FFIEC):
1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
2. Monitor Internet traffic to the institution’s website to detect attacks;
3. Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics; and
6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
What is interesting about this DDOS requirement is that it is implicitly called out in other data Security Standards is explicitly called out here. It will be interesting to see if the reaction to potential attacks will will again be addressed pointedly or we’ll see a larger data security framework overhaul to include attack vectors for the times we live in today. For those looking to implement the FFEIC ruling and need some guidance, the FFIEC statement includes a DDoS quick guide which touches on DDoS controls by OSI layer.
You can find the publication here:www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf The last column about mitigation options for DDoS by OSI Layer is insightful and should help to define a strategy meeting this new requirement.