
DDoS and web site security: what CU marketers need to know

We’ve had some questions from clients about DDoS attacks on credit union web sites and what they mean for their website’s security. Here’s what CU marketers need to know:

What does DDoS mean?

In a Denial of Service (DoS) attack, a malicious hacker or group of hackers attempts to overwhelm a web server with a huge amount of bogus traffic. A Distributed DoS (DDoS) attack means they’re using a large number of computers in many locations to accomplish this. They gain control of these computers via malicious software that allows the hackers to control the computers remotely.

A DDoS means your site may not be available to members or it may become very slow to respond. It does not mean that hackers have gained control of your site, but it can damage your CU’s reputation and cost you a lot of wasted time and frustration. Depending on your hosting arrangements, an attack may also cost you extra money in bandwidth charges or staff time spent to counter the attack.

Why would anyone do this?

Quite often, it’s just vandalism. Sometimes it’s part of a fraud attempt. The DDoS attack may serve as a distraction to enable some other type of fraud, or the attackers may hope that it causes such an inconvenience that frustrated members or staff will bypass normal security measures (for example, give passwords to someone who calls and claims to be from the CU or an IT vendor).

I’m the one responsible for our site. What can I do to prevent or reduce the effects of an attack?

1) Make sure you understand how and where your site is hosted. Is your site hosted in a dusty closet down the hall, or in a hardened data center with 24/7 high-level staffing and multiple levels of redundancy? Is your site hosted on a single server that also hosts many other web sites and services, or is it part of a “cloud” or “cluster” of many machines that share the load? The second option on both questions is recommended.

2) Make sure you understand who is responsible for securing and maintaining your systems at each level. Is it Bob from IT, who works 8am to 5pm, or a dedicated 24-hour operations team with years of experience? Does your web host actively detect and respond to attacks before you even know anything happened, or do they wait for you to call?

3) Control access to your web site with the same care as your transaction systems. Don’t neglect the human basics of security just because it’s not a transaction system. If you’re using a Content Management System to update your web site, use strong passwords, keep them safe, don’t write passwords down or send passwords via email, and never share accounts. Make sure you can track and roll back changes if needed, and if someone leaves the credit union, make sure you remove their access to the CMS. In addition, make sure you stay on top of renewing your domain name registration and keep the information secure.

Brian Wringer
