FFIEC Issues Cyber-attack Extortion Alert

On Nov. 3, 2015, the Federal Financial Institutions Examination Council (FFIEC) issued an alert calling on financial institutions to take specific risk mitigation steps due to an increase in the frequency and severity of cyber-attacks involving extortion.

The FFIEC statement was prompted by recent reports of distributed denial-of-service attacks tied to extortion, such as those by the group known as DD4BC. Ransomware attacks have also been on the rise. The FFIEC is urging banks to take specific steps to mitigate these risks.

Increasing Awareness

The FFIEC member agencies issued the joint statement to increase awareness among the institutions they supervise of the trend toward cyber-attacks involving extortion. The FFIEC member agencies update guidance and examination processes to address evolving cybersecurity risks and threats.

The FFIEC emphasizes that financial institutions need to develop programs to ensure that they are able to identify, protect, detect, respond to and recover from these types of attacks. Cyber criminals and activists use a variety of tactics, such as ransomware, denial-of-service attacks and theft of sensitive business and customer information to extort payment or other concessions from the affected banks.

The FFIEC recommends that banks take these eight steps:

  1. Conduct ongoing information security risk assessments
  2. Securely configure systems and services
  3. Protect against unauthorized access
  4. Perform security monitoring, prevention and risk mitigation
  5. Update information security awareness and training programs, as necessary, to include cyber-attacks involving extortion
  6. Implement and regularly test controls around critical systems
  7. Review, update and test incident response and business continuity plans periodically
  8. Participate in industry information-sharing forums

Why Now?

This isn’t news to many banks; analysts have predicted that extortion would be among the biggest cybersecurity threat trends facing banks in the future. Still, it’s a sign of how bad things have gotten. The timing of the announcement makes sense, given that the Angler and Nuclear exploit kits, which deliver malware using zero-day exploits, are now in widespread use.

Banks need to be worried about the rise in extortion-related attacks because cyber criminals typically install malware throughout a network before activating it. This malware often persists and is difficult to remove because it is so hard to pinpoint.

Take A Proactive Stance

The FFIEC’s latest statement illustrates its shift from a reactive to a proactive stance on fighting cybercrime. Its goal is to provide a framework that helps banks assess the maturity and efficacy of their risk mitigation plans.

Most banks should be looking at their desktop hygiene, file server security and anti-phishing awareness campaigns. Banks also need to monitor the actions of third-party vendors and consider new contract clauses related to liability for the impact of malware. Finally, banks need to take a good look at their storage backup and disaster recovery. Backup is a tried-and-true technology, and these attacks should be a wake-up call to ensure your systems are in place and working.

If you have any questions about these developments and additional steps that your bank should be taking, contact ITPAC today.