In three statements, the Federal Financial Institutions Examination Council (FFIEC) cautioned financial institutions about data security threats, such as distributed denial-of-service (DDoS) attacks, cyber attacks targeting ATMs and recent encryption vulnerabilities.
DDoS attacks targeting financial institutions have increased in number, sophistication and intensity in recent years, the FFIEC said. Often coupled with attempted fraud, the attacks present both operational and reputational risks.
All financial institutions have an obligation to address such attacks as part of their information security and incident response plans, the regulators said. Specifically, banks should be prepared to assess and prioritize possible risks to both online accounts and external websites, monitor Internet traffic to detect potential attacks, and launch a response plan in the event of an attack, complete with communication strategies with customers about the safety of their accounts.
The regulators suggested that precontracted third-party services might be appropriate for the duration of a DDoS attack and reminded financial institutions to consider sharing information about the attack with other organizations and law enforcement. In the wake of attacks, financial institutions should take stock of their plans and fill in any gaps.
In a second statement, the FFIEC warned financial institutions that ATMs are facing a new type of fraud resulting in large dollar losses. In this type of attack, dubbed “Unlimited Operations” by the U.S. Secret Service, hackers gain access to ATM web-based control panels used by small and medium-sized financial institutions and then alter the settings, allowing unlimited amounts of cash beyond control limits or customer balances.
The FFIEC members said they “expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes.”
To meet regulatory expectations, the statement presented a multistep process beginning with ongoing information security risk assessments and the performance of security monitoring, prevention and risk mitigation, as well as protection against unauthorized access. Because an Unlimited Operations attack often begins with a phishing e-mail sent to bank employees, financial institutions should ensure that antivirus and firewall protections are up to date. Consider limiting the number of elevated privileges, updating all credentials and establishing authentication rules, the FFIEC advised.
Controls and incident response plans should be implemented and tested regularly, with reports to senior management or the board of directors, and employees should be trained in information security awareness, including guidance on how to identify and prevent phishing attempts. Financial institutions might also think about participating in industry information-sharing forums, the regulators added.
Just days later, after news reports detailed widespread problems related to the “Heartbleed” bug, the regulators issued a supplemental alert. Financial institutions that use OpenSSL to encrypt data in transit for websites, e-mail servers or other applications are vulnerable after the discovery of the Heartbleed coding error, leaving them open to a variety of cyber attacks.
Among other things, financial institutions are expected to (a) upgrade vulnerable systems as soon as possible to eliminate the possibility for attackers to decrypt, spoof or perform attacks on network communications, (b) verify that third-party vendors are taking appropriate mitigation steps to upgrade and patch all implicated systems and monitor the vendors’ efforts, and (c) conduct testing to ensure success.
In addition, “[f]inancial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch,” the FFIEC wrote.
Why it matters: Data security threats are a major concern for financial institutions and recent happenings—from the Heartbleed bug to data breaches to ATM cyber attacks—reinforce the importance of taking steps to prevent such threats and being prepared to react if and when they do occur.