With the NCUA reporting an industry record of $8.5 billion in net income earned in 2012 — an increase of 36% over the previous year — it is not surprising that credit unions are more than a blip on the radar for cybercriminals. Bank of America, PNC, Capital One, M&T Bank, and others have been attacked recently. But now, along with these larger institutions, credit unions like Patelco Credit Union and UFCU have also reported incidents.
The extent of Distributed Denial-of-Service (DDoS) attacks in the credit union industry is unclear. NCUA regulations only require the reporting of incidents that result in potential compromise of member data. Since a successful DDoS attack may disrupt service, it does not in itself impose a threat to member data. However, the question still remains, "Why does there seem to be a shift towards the credit unions among cybercriminals?"
To understand “why,” you first need to know “who.”
Who Is Attacking?
Enter the Izz ad-Din al-Qassam Cyber Fighters. This is an organization of cybercriminals with the capacity to launch high-volume, coordinated attacks against institutions. These attackers are capable of generating up to 75 Gbps of traffic with the objective of taking down a site or service. There has been speculation that Iran or another nation-state has backed the Al-Qassam Cyber Fighters; however, this is not proven. Furthermore, there have been instances during investigations where the IPs used by the cybercriminals were sourced from outside of Iran. Al-Qassam claims no alignment with governments or other organizations.
The Al-Qassam Cyber Fighters began Operation Ababil — a multi-phased plan to launch wide spread DDoS attacks on major U.S. financial institutions — in September of 2012.
Why Not Google?
So why go after banks instead of major websites like Google? While Al-Qassam attacks are sophisticated, the amount of havoc they can create in larger institutions may be limited by the defensive capabilities of these organizations. Google has one of the most powerful DDoS protection systems in the world. They also have the network capacity required to manage an incoming 75 Gbps attack in order to prevent harm. So in order to get the attention Al-Qassam wanted, they needed a smaller target with great visibility – U.S. financial institutions. By continuing to find smaller and more vulnerable targets, this group can create more successful attacks and generate more news to emphasize their demands.
How Do We Defend?
Given their demonstrated success, it is apparent that DDoS attacks – whether from Al-Qassam or from other entities – will likely continue. This will be a persistent threat until detection and protection mechanisms can make all targets uninteresting. A possible way to end the attacks is to end the vulnerability, and this is exactly what the NCUA is attempting to accomplish.
The NCUA issued risk alert 13-Risk-01 in February 2013 to bring heightened awareness of current DDoS threats to the credit union industry. 13-Risk-01 delivers critical and timely information regarding the growing cyber-terror threat and offers some guidelines to strengthen information security programs. Specifically, the alert should draw attention to risk mitigation efforts, threat monitoring and reporting, and the policies and procedures that help credit unions guard against DDoS-type attacks.
While no specific changes are required as a result of the alert, several key areas for emphasis are noted:
Specific strategies for assessing DDoS risks should include testing/exercising with a DDoS attack scenario.
The voluntary filing of a Suspicious Activity Report (SAR) if an attack impacts internet service delivery, enables fraud, or compromises member information. A subjective term such as “impact” should be discussed at the leadership level and communicated to the appropriate responsible department for reporting SARs. “Impact” thresholds may be calculated in terms of hours, financial loss, or reputational risk.
Multi-factor authentication and highly filtered or prohibited internet browsing remain strong tools for mitigating cyber threats.
A reminder that credit unions are responsible for monitoring systems with internet connectivity to detect both actual and attempted attacks on member information systems.
To further strengthen the Information Security Program, recommendations are also made for credit unions to participate in information-sharing organizations such as FS-ISAC and US-CERT – both of which provide opportunities for more detailed information on today’s growing cyber threats.
Where Do I Start?
Be part of the solution that will ultimately close the vulnerability gap for you and others by:
Guarding your perimeter-accessible services with detection and protection mechanisms
Keeping your credit union peers informed as called for in the NCUA Risk Alert 13-Risk-01
Being aware of what threats exist in the industry and other related areas
Leveraging third-party risk assessment and penetration testing services
Following general risk mitigation practices as outlined by NCUA and FFIEC regulations
Ongoing Operations, as a Risk Assessment Partner for NeighborBench, can help provide services and expertise to make you part of the solution. Contact us today to see how we can help your business thrive in an adverse environment of cyber criminals and hacker collectives.
David Ciofalo has many years of experience in the IT industry and has been an infrastructure and support engineer for 2.5 years with Ongoing Operations.