DDoS And The Small To Mid-sized Bank

How concerned does a community or regional bank need to be regarding distributed denial of service (DDoS) attacks?

We’ve seen numerous headlines over the last year or so about the big guys having their web presence taken offline, or at least slowed to a crawl. Over the weekend came word that Key Bank and TD Bank, with holdings of $89B and $219B respectively, had been hit last week. Many of these attacks have been attributed to “hacktivists,” be they actually ideologically motivated or not-so-secretly fronting for non-friendly nation-states. It makes sense that these attacks would be perpetrated against the biggest banks. A more visible target equals more visibility for your cause. However, as seen in the more-bark-than-bite OpUSA attack earlier this month, a number of smaller banks and credit unions were included in the publicized list of targets.
More likely, as we’ve seen with the case of San Francisco’s Bank of the West, a smaller financial institution with $2.6B in holdings, DDoS attacks are being executed against the smaller players as a diversion from other criminal activities. Dave Ostertag, one of the authors of Verizon’s 2013 Data Breach Investigations Report (DBIR), states that though they haven’t been very frequent, “…What we’ve seen is fraud associated with those attacks, especially in the area of regional banks.”

Credit unions, many of which fall into the same holdings tier as the banks we’re talking about, have been targeted as well. A white paper published last month by CO-OP Financial Services indicates that, in a recent survey, 33% of respondents had been subject to a DDoS attack.

In December, the Office of the Comptroller of the Currency issued an alert about DDoS activity. This was followed in February by a similar alert from the National Credit Union Administration. Today, the FDIC has joined the ranks of banking regulators to chime in. This indicates that coming revisions to the guidelines and standards FIs are subject to may very well call for DDoS reporting and/or mitigation.

While I certainly feel that there are more immediately pressing security issues for these institutions to address, as we’re seeing the expansion of the target set, it certainly needs to be taken into account. For a community bank with $300M in assets to be taken offline for a half hour, the damage can be immense. Not only are they not processing those transactions, they are losing the confidence of their customers. In a smaller community, your reputation really does go a long way, and damage to it can be very difficult to repair.

Unfortunately, DDoS mitigation services tend to be a bit on the pricey side. There are affordable, scalable options out there, though. For that reason, it is worth taking the time to have someone who understands these types of attacks evaluate your organizational risk. Dunbar Digital Armor has expertise in an array of DDoS mitigation technologies, and can create a balanced solution that aligns with your objectives.