
Alston & Bird Privacy, Cyber & Data Strategy Blog


FFIEC Issues Warnings on Malware and Cyber Attacks

April 7, 2015 By Privacy, Cyber & Data Strategy Team

The Federal Financial Institutions Examination Council (FFIEC) has issued two joint statements warning of specific cyber risks.  The warnings, which were issued on March 30, 2015, address risks arising from destructive malware, which can destroy sensitive data, and cyber-attacks that compromise user credentials.  In both statements, the FFIEC also provides guidance on how to mitigate these risks.

The statement on destructive malware warns financial institutions about the increasing use of malware that compromises databases and then destroys the information, renders the system hosting it inoperable, or overwrites the data such that it is not recoverable. One example of this type of malware is “Shamoon,” which has a destructive module that “renders infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data.” (Similar considerations likely apply to ransomware, such as “Cryptolocker.”) The FFIEC also warns that data backup repositories may be targeted, and that the use of data replication as a business continuity tool may lead to compromised or corrupted data overwriting useful recovery data. Financial institutions therefore “should ensure that recovery strategies address” this risk in order to ensure data availability.

The specific risks posed by this type of malware include “liquidity, capital, operational, and reputation risks, due to such events as fraud, data loss, and disruption of customer service,” according to the statement.  The FFIEC advises financial institutions to ensure their cyber-risk management and business continuity processes address these risks, consistent with its IT Examination Handbook.  Specific measures recommended in the statement include: secure configuration of systems and services; review, revision, and testing of incident response and business continuity plans; ongoing risk assessments; security monitoring, prevention, and risk mitigation; protection against unauthorized access; implementation and regular testing of controls around critical systems; enhancing security awareness and training programs; and participation in information sharing forums (such as FS-ISAC).

The statement on cyber-attacks compromising credentials warns of the “growing trend of cyber-attacks for the purpose of obtaining online credentials for theft, fraud, or business disruption…” Specifically, the FFIEC cautions that large numbers of usernames, passwords, and other credentials used to authenticate to financial institution systems, as well as system credentials such as certificates (e.g., those used for HTTPS/SSL), are being stolen. Attackers are using numerous methods, including “phishing and spear-phishing, malvertising, watering holes, and web-based attacks.” One example of such an attack was the “‘Dyre’ Banking Malware” phishing campaign. The statement also warns of “vulnerabilities in authentication systems (e.g., OpenSSL ‘Heartbleed’) or . . . compromising the credentials of trusted third parties (e.g., fraudulent certificates)” as attack vectors. The FFIEC states that the stolen credentials are usually sold on the black market to other criminals.

The specific risks posed by the exfiltration of user credentials include “loss of the confidentiality and integrity of sensitive data, such as customer information and confidential business information,” as well as the potential disruption or degradation of systems or processing of fraudulent financial transactions.  FFIEC recommends a similar set of risk mitigating activities to combat these attacks as it did for destructive malware.

Although the joint statements do not create new regulatory obligations, financial institutions should be sure to review the documents and assess their cybersecurity programs for vulnerabilities specifically warned against by the FFIEC.

Filed Under: Cyber Risk, Cybercrime, Cybersecurity, Data Protection, Regulation
