FFIEC To Update Security Guidance for Banks After Assessments
The Federal Financial Institutions Examination Council (FFIEC) is updating its cybersecurity guidance for banks after it carried out a cybersecurity assessment pilot program this past summer, finding that a variety of ‘connection types’ can each introduce a potential entry point for attacks. The pilot program analyzed 500 financial institutions and how prepared they were in the event of a cyber attack.
Another reason for updating the security guidelines is how technology has evolved in financial services, from the widespread use of ATMs in the 1980s and 1990s, to web-based banking and mobile banking. The advent of mobile payments (e.g. Apple Pay) is another shift changing the financial industry and presenting new, possibly unknown risks, as the FFIEC explained in a webinar, Executive Leadership of Cybersecurity: What Today’s CEOs Need to Know About the Threats They Don’t See (PDF).
The specific points of entry within a bank (and any organization) that are often targets of attack include virtual private networks (VPNs), wireless networks, telnet/File Transfer Protocol (FTP), local area networks that connect to other networks or Internet service providers, and bring your own device (BYOD).
The FFIEC also points out inherent risks in each type of technology banks use to support customers and employees: core systems, automated teller machines (ATMs), web and mobile-based applications, and cloud computing resources.
Some of the cybersecurity controls the FFIEC recommends include:
- Classify and encrypt different types of sensitive data, including proprietary and important technical information
- Scan IT networks for vulnerabilities and anomalies on a regular basis
- Test systems for their potential exposure to cyber attacks
- Remediate issues when identified
- Review reports on the corrective controls in place across critical systems, and those of their third-party vendors
The recent JPMorgan Chase breach, which exposed 76 million personal records and data on 7 million small businesses, shows the need for heightened security in the financial sector. According to the Wall Street Journal, attackers used the same offshore servers to hack the bank and a small website, the JPMorgan Corporate Challenge.
A small security firm reported that a repository of a billion stolen credentials found online also contained the credentials of some race participants who had signed up on the Corporate Challenge website, the online platform for the bank’s series of annual charitable races sponsored in different cities, which was managed by an outside vendor.
The NYTimes.com Dealbook claims that evidence suggests the hackers tested the stolen credentials on an older system that handled bank employee benefits, then tried those credentials on other bank systems until they gained access.
But if all it took to get into bank systems was a set of banking credentials, then the bank wasn’t following FFIEC guidelines for online banking security anyway. In 2011, the FFIEC released a supplement to its 2005 banking document that addressed changes in the threat landscape, called the Supplement to Authentication in an Internet Banking Environment.
It recommends two-factor, out-of-band authentication (OOBA) to protect banking activity: that is, authentication delivered over two different channels. One channel might be the Internet, where the primary credentials (a username and password) are presented, while the second could be a smartphone app or a secure token, so that a stolen password alone is not enough to complete a login.
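As an added illustration of the two-channel flow described above (example code written for this article, not FFIEC material or any bank’s implementation), the sketch below verifies the password on channel 1, then issues a short-lived, single-use code over a simulated second channel; the account record, salt and outbox are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one account with a salted PBKDF2 password hash and a
# registered out-of-band channel. These are not real credentials.
SALT = b"constructed-salt"


def _hash_pw(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


USERS = {"alice": {"pw_hash": _hash_pw("correct horse battery"),
                   "oob_channel": "sms:+1-555-0100"}}

# Pending second-factor challenges, keyed by a random session id (channel 1 state).
PENDING = {}
# Codes "delivered" over the out-of-band channel (channel 2). A real deployment
# would send an SMS, push notification or token prompt; here it is a list.
OOB_OUTBOX = []
MAX_ATTEMPTS = 3


def primary_login(user: str, password: str):
    """Channel 1: check username/password. On success, issue a challenge on channel 2."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw_hash"], _hash_pw(password)):
        return None                      # credentials alone never grant a session
    session = secrets.token_hex(16)
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[session] = {"user": user, "code": code, "attempts": 0}
    OOB_OUTBOX.append((rec["oob_channel"], code))
    return session                       # caller must still complete verify_oob()


def verify_oob(session: str, code: str) -> bool:
    """Channel 2: the code must match, within a small attempt budget, and is single use."""
    chal = PENDING.get(session)
    if chal is None:
        return False
    chal["attempts"] += 1
    if chal["attempts"] > MAX_ATTEMPTS:  # too many guesses: discard the challenge
        del PENDING[session]
        return False
    if not hmac.compare_digest(chal["code"], code):
        return False
    del PENDING[session]                 # consumed; a replayed code is rejected
    return True
```

A login is only complete when both functions succeed, which is the property the FFIEC supplement is after.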
In addition to JPMorgan, at least 13 other financial service companies were targeted in the attack. The bank’s CEO reported plans to double its cybersecurity budget over the next five years, a sign of the significant need for different, and better, security measures than those used in the past.
Perhaps the new updates, three years since the last, will bring awareness to the type of security controls that banking institutions should have in place to protect consumer data.