FFIEC Releases Statements on Identifying and Mitigating Cyber-Attacks
March 30, 2015 – The Federal Financial Institutions Examination Council (FFIEC) on Monday released two statements about ways that credit unions and other financial institutions can identify and mitigate cyber-attacks that compromise user credentials or use destructive software, known as malware.
The FFIEC also provided information on what institutions can do to prepare for and respond to these threats.
The FFIEC pointed out the increased frequency of cyber-attacks over the past two years, and noted that the attacks often involve the theft of credentials used by customers, employees and third parties to authenticate themselves when accessing business applications and systems. Cyber criminals can use stolen credentials to commit fraud or identity theft, to modify and disrupt information systems, and to obtain, destroy or corrupt data. They can also introduce malware to business systems through email attachments, by connecting infected external devices, such as USB drives, to computers or networks, or by introducing the malware directly onto the business systems using compromised credentials.
The FFIEC suggested that institutions follow FFIEC guidance in responding to these growing threats:
- Securely configure systems and services;
- Review, update and test incident response and business continuity plans;
- Conduct ongoing information security risk assessments;
- Perform security monitoring, prevention and risk mitigation;
- Protect against unauthorized access;
- Implement and test controls around critical systems regularly;
- Enhance information security awareness and training programs; and
- Participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.
The FFIEC also listed several online resources that provide information for strengthening user awareness when it comes to safe online practices:
- Federal Trade Commission’s On Guard Online
- National Cyber Security Alliance’s Stay Safe Online
- US-CERT Security Tip (STI-003) “Handling Destructive Malware”
- Joint Security Awareness Report (JSAR-12-241-01B) “Shamoon/DistTrack Malware”
- National Institute of Standards and Technology “Cybersecurity Framework”
- US-CERT “Cyber Resilience Review”
- NSA/CSS Information Assurance Directorate (MIT-001R-2015) “Defensive Best Practices for Destructive Malware”