The Federal Financial Institutions Examination Council (FFIEC) has issued two joint statements warning of specific cyber risks. The warnings, which were issued on March 30, 2015, address risks arising from destructive malware, which can destroy sensitive data, and cyber-attacks that compromise user credentials. In both statements, the FFIEC also provides guidance on how to mitigate these risks.
The statement on destructive malware warns financial institutions about the increasing use of malware that compromises databases and then destroys the information, renders the system hosting it inoperable, or overwrites the data so that it cannot be recovered. Examples of this type of malware include “Shamoon,” which has a destructive module that “renders infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data.” (Similar considerations likely apply to ransomware, such as “Cryptolocker.”) The FFIEC further warns that data backup repositories may themselves be targeted, and that the use of data replication as a business continuity tool may cause compromised or corrupted data to overwrite useful recovery data. Financial institutions therefore “should ensure that recovery strategies address” this risk in order to preserve data availability.
The specific risks posed by this type of malware include “liquidity, capital, operational, and reputation risks, due to such events as fraud, data loss, and disruption of customer service,” according to the statement. The FFIEC advises financial institutions to ensure their cyber-risk management and business continuity processes address these risks, consistent with its IT Examination Handbook. Specific measures recommended in the statement include: secure configuration of systems and services; review, revision, and testing of incident response and business continuity plans; ongoing risk assessments; security monitoring, prevention, and risk mitigation; protection against unauthorized access; implementation and regular testing of controls around critical systems; enhancing security awareness and training programs; and participation in information sharing forums (such as FS-ISAC).
The statement on cyber-attacks compromising credentials warns of the “growing trend of cyber-attacks for the purpose of obtaining online credentials for theft, fraud, or business disruption…” Specifically, the FFIEC cautions that large numbers of usernames, passwords, and other credentials used to authenticate to financial institution systems, as well as system credentials such as certificates (e.g., those used for HTTPS/SSL), are being stolen. Attackers are using numerous methods, including “phishing and spear-phishing, malvertising, watering holes, and web-based attacks.” One example of such an attack was the “‘Dyre’ Banking Malware” phishing campaign. The statement also identifies “vulnerabilities in authentication systems (e.g., OpenSSL ‘Heartbleed’) or . . . compromising the credentials of trusted third parties (e.g., fraudulent certificates)” as attack vectors. The FFIEC states that the stolen credentials are usually sold on the black market to other criminals.
The specific risks posed by the exfiltration of user credentials include “loss of the confidentiality and integrity of sensitive data, such as customer information and confidential business information,” as well as the potential disruption or degradation of systems and the processing of fraudulent financial transactions. The FFIEC recommends a set of risk-mitigating activities to combat these attacks similar to the set it recommends for destructive malware.
Although the joint statements do not create new regulatory obligations, financial institutions should be sure to review the documents and assess their cybersecurity programs for vulnerabilities specifically warned against by the FFIEC.