The Akamai Blog

FFIEC DDoS Notice: The next step in the evolution of DDoS

The joint statement issued in early April by the FFIEC should come as no surprise to the banking and finance community in the U.S. Beginning in 2012 and continuing throughout most of 2013, banks suffered massive DDoS attacks, with dozens of banks attacked during 2013, and up to 50 banks attacked in a single week. A response from regulators such as this is part of the ongoing evolution of DDoS and information security for the financial sector, and is a positive step forward for the industry.
In the notice issued on April 2, the FFIEC included the following six steps that institutions are now expected to follow:

  1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
  2. Monitor Internet traffic to the institution's website to detect attacks;
  3. Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
  4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution's ISP can assist in responding to and mitigating an attack;
  5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics; and
  6. Evaluate any gaps in the institution's response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

Although ground-breaking in some respects, the notice is the culmination of a long series of notices and reports from authorities directed to the industry related to information security and cyber security. The notice includes references to an alert from 2012, an information security examination handbook from 2006, another from 2007, and other resources from prior years.

The U.S. is not alone in pushing forward with new requirements for financial institutions. Canada's Office of the Superintendent of Financial Institutions (OSFI) called out cyber security in its Plans and Priorities for 2013-2016, and also directed institutions to complete a Cyber Security Self-Assessment in 2013. In Japan, the National Information Security Center (NISC) is progressing with cyber security guidelines for over a dozen critical industries, including financial services. These are just a few examples of efforts underway around the world.

What's Next in the Evolution?

Along with increased scrutiny from regulators, we can expect:

  1. Further emphasis on information sharing. Nearly every notice and report by the U.S. agencies mentions the importance of information sharing and specifically cites the FS-ISAC.
  2. Global information sharing. In early 2013, FS-ISAC's board approved an extension to its charter to share information among financial services firms world-wide, and it is actively signing up banks around the world. Many countries have established local financial services information sharing organizations as well.
  3. Security automation. Today the large majority of information sharing is done using email or other manual methods. While the human touch will always be required, efforts are well underway to automate threat intelligence sharing in the financial services sector. FS-ISAC's Security Automation Working Group (SAWG) is leading the way.
  4. More cyber attack simulations. From Quantum Dawn 2, to Cyber Attack Against Payment Processors, to the numerous other such exercises held around the world, we will see many more drills in the future.
  5. DDoS testing. Just as companies perform software testing and load testing of their websites today, in the future we can expect more companies to undertake volume DDoS testing of their systems, to validate their DDoS security solutions and prepare their organizations for future attacks.

I could continue with this list, but I would like to hear what you expect to see in the future. If you are attending the FS-ISAC Fall Summit May 4-7 in Florida, please reach out to me. I'll be representing Akamai at the summit and look forward to meeting with you.