FFIEC Issues Malware, Attack AlertsRegulators Detail Destructive Malware, Cyber-Attack Threats
The Federal Financial Institutions Examination Council warns U.S. financial institutions that they're at increased risk from attacks that are designed to steal online credentials - for the purpose of committing fraud or disrupting business - as well as from destructive malware attacks that are designed to wipe all data from a system and "brick" devices, leaving them unbootable.
The FFIEC on March 30 issued two five-page alerts - one concerning cyber-attacks compromising credentials, and the other detailing destructive malware threats and related safeguards that the organization recommends.
The FFIEC recommends that the advisories be routed to every organization's CEO, CIO and CISO.
The alerts do not contain "any new regulatory expectations," but are rather intended to make financial organizations aware of risks, the FFIEC says. "Financial institutions should refer to the appropriate FFIEC IT Examination Handbook booklets ... for information on regulatory expectations regarding IT risk management," it adds.
The FFIEC in February updated that handbook, adding a 16-page appendix to its Business Continuity Planning Booklet, which for the first time introduces the term of "cyber-resilience," which refers to an organization's ability to minimize the disruption or impact of a successful online attack against it (see FFIEC to Prepare New Cyber-Risk Policy).
While the FFIEC has not said if it will issue new guidance relating to online attacks and destructive malware, a top Office of the Comptroller official in February hinted that such measures could be on the way.
"It is interesting to see the FFIEC issue these [warnings] as historically financial institutions have been keen to downplay the threat of cyber-attacks to their systems as it may generate concerns amongst their clients," says Dublin-based information security consultant Brian Honan, who's a cybercrime adviser to Europol. "However, given the widespread coverage of recent, major security breaches, it is good to see this [warning] being issued and acknowledging the threat posed by online criminals.
The new FFIEC cyber-attack statement warns that there are an increasing number of online attacks that target "online credentials for theft, fraud or business disruption," and says financial firms "should address this threat by reviewing their risk management practices and controls related to information technology networks and authentication, authorization, fraud detection and response management systems and processes."
If there's an attack vector that could be exploited to harvest large amounts of credentials at once, then criminals will likely try to exploit it, before putting purloined data up for sale on underground marketplaces, the FFIEC alert warns. "User credentials can be stolen in many ways, including phishing and spear-phishing, malvertising, watering holes, and Web-based attacks," it says. "Stolen credentials are often sold in criminal forums and then used to commit fraud through account takeovers and identity theft."
One recent data breach involving a large financial institution reportedly succeeded by using relatively simple attack techniques. The 2014 JPMorgan Chase breach reportedly began after an employee fell for a social-engineering attack, and the attacker was able to access a server that accidentally lacked two-factor authentication.
To better defend against - or mitigate - all such attacks, the FFIEC recommends financial firms take the following steps:
- Conduct ongoing information security risk assessments;
- Perform security monitoring, prevention, and risk mitigation;
- Protect against unauthorized access;
- Implement and test controls around critical systems regularly;
- Enhance information security awareness and training programs;
- Participate in industry information-sharing forums.
The destructive malware - a.k.a. wiper malware - warning, meanwhile, comes after one such attack was launched, in November 2014, against Sony Pictures Entertainment. The FBI has attributed that attack to North Korea. But previous wiper attacks have targeted South Korean banks and broadcasters - many information security experts suspect North Korea was involved - as well as Saudi Arabia's state-owned oil, gas and petroleum producer Saudi Aramco.
"Financial institutions and technology service providers should enhance their information security programs to ensure they are able to identify, mitigate and respond to this type of attack," the FFIEC says. "In addition, business continuity planning and testing activities should incorporate response and recovery capabilities and test resilience against cyber attacks involving destructive malware."
Information security experts say that one of the most important defenses for guarding against wiper malware is to maintain offsite, offline and disconnected backups of all essential systems and data, as well as regularly verify and test them. In the event that systems get infected by wiper malware - or for that matter, ransomware, which can encrypt all data on a PC or server and potentially also on any other systems to which it connects via the network or cloud - the infected machines can be wiped and restored, or else replaced, using the backups.
"I have not yet seen any financial firms focus specifically on the effects of a wiper-malware attack," says Honan, who also heads Ireland's computer emergency response team. "However, when we engage with our clients in the financial sector, we recommend they integrate their incident response plans with their business continuity plans, so that cybersecurity scenarios can be catered for as part of their business continuity plans."
Such plans must take into account not just the many different ways in which online attackers could successfully compromise or disrupt a business, but also related mitigation and cleanup efforts. "These scenarios should cover widespread data loss, the long-term unavailability of critical equipment resulting from a forensics investigation, or other prolonged outages," Honan says.