The National Credit Union Association (NCUA) has released new guidance on the proper mitigation of distributed denial-of-service (DDoS) attacks aimed at credit unions. While the direct risks to member funds or data are not as great as those of a direct penetration-style attack, the potential secondary consequences can add up to be just as significant.

The Risks

Not only does a successful DDoS attack cripple a credit union’s online presence, but it may also completely disable internet connectivity. Such an event can lead to serious business disruption as secondary internet connections are brought online or struggle under the strain of the increased usage. In today’s environment, interconnectivity between credit unions and other correspondent financial institutions is critical to maintain business operations.

A more subtle risk exists as a result of successful DDoS attacks; a clever attacker can use the chaos caused by the DDoS to slip through the credit union’s usual defenses. The attack may cause the credit union to use secondary internet connections that were never designed to handle its secure traffic. Without careful planning and coordination, this can result in potentially weaker perimeter controls (such as a lack of intrusion detection services, especially if the connection to the remote service provider is disrupted).

Mitigation Techniques

The mitigation techniques discussed in NCUA’s February 2013 letter are not new; however, implementing them so that they also cover the risks presented by DDoS attacks requires additional consideration. The most successful and most straightforward key strategies include:

  • Conducting a risk assessment that includes the identification of DDoS attack risks.
  • Ensuring the credit union’s incident response plan includes DDoS attacks in scenario descriptions, tests and specific response steps.
  • Performing ongoing third-party due diligence to identify risks and implement controls associated with current service providers, especially internet and web-hosting service providers.

Risk Assessments

Risk assessments should consider the threats posed by DDoS attacks, as well as potential mitigating controls currently in place and the final residual risk after applying controls.

To improve the credit union’s ongoing risk assessments and threat monitoring, the NCUA further recommends that credit unions join information-sharing organizations, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Credit unions should also pay close attention to current threats in the environment by monitoring the United States Computer Emergency Readiness Team (US-CERT) and the Internet Storm Center (ISC).

Incident Response Plans

The credit union’s incident response plan should be updated to include DDoS as a potential attack scenario.

Good response practices include proper implementation of traffic management, intelligent firewalls designed to drop packets associated with the DDoS, or having secondary internet connections ready with the same level of control and security as the primary connections.

Credit union response practices should also include proper notification procedures based on DDoS attacks sustained by the credit union. Credit unions should file Suspicious Activity Reports and directly contact the NCUA Regional Office or state supervisory authority, when appropriate.

Once the credit union has implemented appropriate controls based on its own risk assessment, the credit union should consider obtaining third-party testing over the updated plan and the technical controls implemented. Credit unions desire to maintain a 24/7 internet presence, and therefore DDoS testing is generally not included in security tests performed by third parties. In order to ensure the credit union is ready, a plan should be put in place to test for DDoS weaknesses. This can include initiating tests during posted system maintenance periods or on test systems.

Third-Party Due Diligence

Service providers play an integral role in today’s credit union environment. However, there are risks to the credit union. Proper due diligence should be performed on an ongoing basis, especially for mission-critical vendors providing internet and web-hosting services. These services will be a primary target as part of a DDoS attack, and the credit union must ensure the service provider has implemented appropriate controls to mitigate risks associated with the DDoS attack vector.

Credit unions should discuss and coordinate their DDoS risk mitigation strategies with their service providers. By coordinating strategies, there is a much greater opportunity for success. For example, if both the credit union and its service provider have coordinated a plan to deploy a secure, secondary connection ahead of time, including testing and proving it functions, there is a greater chance of this failover functioning successfully when a DDoS attack occurs.


The NCUA’s new guidance on mitigation of DDoS attacks requires you to rethink the current attack mitigation techniques employed by credit unions. DDoS attacks present a unique threat that must be addressed separately from common direct attacks.

It is imperative that credit unions ensure their risk assessment, incident response plan and third-party testing address the risks associated with DDoS attacks so that the credit union is ready to deal with them.

In conclusion, credit unions should remain vigilant in their transaction monitoring, patch management, configuration management and security testing as a general recommendation.

To learn more, contact our dedicated IT Assurance and Security Group professionals in Troy, Mich., Houston, Texas and Ft. Lauderdale, Fl.