In late December, the Office of the Comptroller of the Currency (OCC) issued a message to CEOs, technology service providers, federal savings associations and other interested parties about targeted DDoS (Distributed Denial of Service) attacks against national banks.
According to the OCC, sophisticated groups are working together to deny Internet access to bank services by directing traffic from compromised computers to the bank, and distracting technical/personnel resources while gaining remote access to accounts. The groups then commit fraud via wire transfers.
As a result, the OCC recommends that banks take a few preparatory security measures, including:
Partnering with third-party service providers, such as secure hosting providers, that can help with identifying and mitigating risks. The OCC recommends that banks do their due diligence in reviewing service providers.
The OCC also recommends that banks ensure they have enough staff and resources to respond to any potential attack.
Banks should ensure their incident response plan is coordinated across all vendors so it can be executed smoothly when needed.
Banks should participate in information-sharing to learn about DDoS attacks and account takeover from other banks and service providers, since a variety of methods can be used during an attack.
Banks should also be prepared to communicate to customers about any risks, precautions and alternate banking methods as part of their overall business contingency plan.
When it comes to outsourcing technology to service providers, the OCC recommends adhering to the Information Security and Outsourcing Technology Services booklets of the FFIEC Information Technology Examination Handbook (IT Handbook). The handbook provides an exhaustive list of outsourcing requirements that banks can use, including ways any organization can perform due diligence in confirming and assessing a service provider:
Existence and corporate history;
Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate;
Other companies using similar services from the provider that may be contacted for reference;
Financial status, including reviews of audited financial statements;
Strategy and reputation;
Service delivery capability, status, and effectiveness;
Technology and systems architecture;
Internal controls environment, security history, and audit coverage;
Legal and regulatory compliance including any complaints, litigation, or regulatory
Reliance on and success in dealing with third party service providers;
Insurance coverage; and
Ability to meet disaster recovery and business continuity requirements. [Learn more about business continuity and disaster recovery by signing up for our Disaster Recovery Webinar Series; the first webinar, Business Continuity in Lean Times, airs January 15th at 2PM ET].
In addition to vetting service providers, banks can ensure they have certain best-practice security technology in place to protect against and detect attacks. Daily log review, a service that tracks user activity, transports and stores log events, analyzes logs and produces monthly reports, can monitor for and detect potentially malicious activity and users.
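The kind of check a daily log review service performs can be shown in a few dozen lines. The following is an added example, not code from the OCC bulletin or from any vendor's product: it parses a constructed, hypothetical login-log format (`timestamp ip LOGIN user SUCCESS|FAIL`), groups events by client IP, and raises an alert when one IP accumulates a burst of failed logins within a time window, noting whether a successful login from that IP followed the burst. That sequence (many failures, then a success) is the account-takeover pattern worth reviewing first; the thresholds are assumptions to tune against real traffic volumes.

```python
"""Daily log review: flag failed-login bursts and possible account takeover.

Added example; the log format and the sample lines below are constructed for
illustration and are not from any real bank or product.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one IP fails five times against "alice" and then
# succeeds; a second IP has a single typo-style failure; a third is clean.
SAMPLE_LOG = """\
2013-01-08T09:00:01Z 203.0.113.5 LOGIN alice FAIL
2013-01-08T09:00:03Z 203.0.113.5 LOGIN alice FAIL
2013-01-08T09:00:05Z 203.0.113.5 LOGIN alice FAIL
2013-01-08T09:00:07Z 203.0.113.5 LOGIN alice FAIL
2013-01-08T09:00:09Z 203.0.113.5 LOGIN alice FAIL
2013-01-08T09:00:12Z 203.0.113.5 LOGIN alice SUCCESS
2013-01-08T09:01:00Z 198.51.100.7 LOGIN bob FAIL
2013-01-08T09:05:00Z 198.51.100.7 LOGIN bob SUCCESS
2013-01-08T10:00:00Z 192.0.2.9 LOGIN carol SUCCESS
"""

FAIL_THRESHOLD = 5            # assumed: failures from one IP within WINDOW
WINDOW = timedelta(minutes=10)  # assumed review window


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse(log: str) -> list[Event]:
    """Parse the hypothetical log format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, _keyword, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, user, result == "SUCCESS"))
    return events


def find_suspicious(events: list[Event]) -> list[dict]:
    """Return one alert per IP whose failures reach FAIL_THRESHOLD inside WINDOW.

    Each alert records the failure count, the accounts targeted, and whether a
    successful login from the same IP came after the burst.
    """
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if not e.ok]
        for i in range(len(fails)):
            # Extend j while failures stay inside the window starting at fails[i].
            j = i
            while j < len(fails) and fails[j].ts - fails[i].ts <= WINDOW:
                j += 1
            if j - i >= FAIL_THRESHOLD:
                burst = fails[i:j]
                success_after = any(e.ok and e.ts > burst[-1].ts for e in evs)
                alerts.append({
                    "ip": ip,
                    "failures": len(burst),
                    "users": sorted({e.user for e in burst}),
                    "success_after": success_after,
                    "first_seen": burst[0].ts.isoformat(),
                })
                break  # one alert per IP is enough for the daily report
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse(SAMPLE_LOG)):
        print(alert)
```

Run against a real log, the same structure extends naturally: a per-user view catches password spraying (one failure each against many accounts), and the `success_after` flag is what separates a noisy but failed brute-force attempt from a takeover that needs a wire-transfer review.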
File integrity monitoring can also provide customizable alerts on changes made to system files and offers insight into your technical environment. Ongoing monitoring shortens the response time to any issues that arise.
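The core of file integrity monitoring is a hash baseline compared against the current state of the file system. The following added example (not code from the article or from any FIM product) builds a SHA-256 baseline of a directory tree, then reports files that were added, removed or changed. It creates its own temporary directory with constructed files so it runs without touching real system files; the directory layout and the simulated tampering are illustrative assumptions.

```python
"""File integrity monitoring: hash baseline, then diff against current state.

Added example; the directory tree and the tampering it simulates are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys
                          if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "etc" / "users.txt").write_text("alice\nbob\n")
        (root / "bin" / "server").write_bytes(b"\x7fELF constructed binary")

        # In practice the baseline is stored off-host or read-only; here it is
        # serialized to JSON in memory to show the round trip.
        stored = json.dumps(build_baseline(root))

        # Simulated changes: an account appended, a config removed, a file added.
        (root / "etc" / "users.txt").write_text("alice\nbob\nmallory\n")
        (root / "etc" / "app.conf").unlink()
        (root / "bin" / "cron.sh").write_text("#!/bin/sh\n")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A production scanner adds ownership and permission bits to the record, excludes paths that legitimately churn (logs, caches), and signs or ships the baseline elsewhere so an intruder who can alter files cannot also alter the reference they are compared against.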
A web application firewall (WAF) can also protect web servers and databases, detecting and preventing SQL injection attacks more effectively than a traditional IPS/IDS.