Pub. 2 2014 Issue 2

Tech Talk - DDoS: What You Need to Know
By Stephanie Chaumont, CISA, CISSP, Security+

DDoS, or distributed denial-of-service, attacks seem to be the focus of everyone's attention right now, and rightly so: we have seen huge increases this year. There are different ways to carry out a denial-of-service attack, but the term generally covers any attack meant to interrupt or suspend services connected to the Internet, typically for a period of hours to days. One example is flooding a bank's website with so much incoming traffic that the site is overloaded and customers cannot reach it.

This is a big concern for financial institutions because an attack of this type is often used as a distraction to keep the institution from noticing fraudulent activity that is taking place during the service interruption. Protecting your payment systems during a DDoS attack should therefore be your primary focus. Here are a few things your bank can do to protect itself and its customers from DDoS attackers:

1. Have DDoS protection conversations with your ISP and with your Internet banking vendors. An Intrusion Detection/Prevention System (IDS/IPS) is a great tool to have, but if you want to stop a DoS or DDoS attack, your IDS is probably too late in the chain: by the time the traffic reaches it, the flood has already saturated your Internet connection and accomplished its purpose. The traffic needs to be stopped earlier, at your ISP, where there is enough capacity to absorb or filter it. ISPs now offer anti-DDoS packages and technologies, so these are worth examining. If your web server is hosted by a vendor, make sure that vendor is doing what it can to limit attacks (for example, arranging anti-DDoS packages and technologies with its own ISP).

2. If your institution does not have call-back verification procedures in place for all wire and ACH activity, you should strongly consider implementing them for the duration of a DDoS attack. This protects you in the event the attack was launched as a distraction while someone submits fraudulent wires or ACH batches. If your institution already requires call-back verification for transactions over a certain amount, consider lowering that threshold while an attack is under way.

3. Include DDoS procedures in your Business Continuity Plan (BCP). Those procedures are the steps your institution will carry out should you become the target of a successful attack, such as the call-back verification described above. You might also consider expanding your call center or customer service staffing during a DDoS attack, especially if your customer base relies heavily on online services. Those services could all be unavailable for a few hours, or even a few days, so expect a higher volume of calls. A prepared statement for your call center to give during this time will help address customer concerns. Including in your BCP alternate operating procedures for services normally accessed online will also help mitigate some of the damage an outage could cause.

As with all areas of information security, you will be best prepared if you assess the risk, implement layers of security, and ensure your incident response procedures are adequate. If you treat these attacks as a matter of not if, but when, you will be ready for the attackers and will have procedures in place to protect your customers and keep conducting business as normally as possible.

Stephanie Chaumont is a security and compliance consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit CoNetrix at www.conetrix.com.

www.uba.org
