More with a Whimper than a Bang: the FFIEC Issues Guidelines for Destructive Malware Risk Mitigation
The FFIEC is the latest government agency to warn industry of the potential for destructive malware attacks, issuing guidelines to banks and credit unions last month. As the potential for destructive malware attacks increases, follow these guidelines to help keep your systems and data secure.
Cisco’s 2014 Annual Security Report is blunt: “100 percent of business networks analyzed by Cisco have traffic going to websites that host malware.” Clearly, no organization is impervious to attack. The question is not whether your organization will be attacked, but how often. And the more interesting follow-on question: how do you repel the attacks or minimize the damage from them?
To answer those questions, you can’t do much better than to look to The Federal Financial Institutions Examination Council (FFIEC). The FFIEC sets standards for all federal banks and credit unions examinations, ensuring that your money is safe in those institutions. In late March, the FFIEC issued a set of recommended risk mitigation procedures for financial institutions to prevent destructive malware attacks - that is, attacks that use malware capable of destroying data beyond recovery.
While they were once considered a rare threat, warnings from the FBI and NSA, as well as several high profile destructive malware attacks in recent years (including the Sony Pictures hack and the Shamoon malware attack on oil giant Saudi-Aramco), are indicative of an increased concern over the potential for incidents involving destructive malware. The FFIEC's guidelines come as the latest warning from a federal agency on the issue. While these guidelines are aimed at banks and credit unions, they offer some excellent best practices for preventing malware attacks at any organization. Here's our breakdown.
Securely configure systems and services:
- Use protections such as logical network segmentation, physical network segmentation (also known as air gapping: isolating secure networks physically, electrically, and electromagnetically), and maintaining an inventory of authorized software and hardware.
- Ensure consistency in system configuration.
- Remove or disable unused applications, functions or components.
Review, update, and test incident response and business continuity plans:
- Test to ensure that all employees understand corporate policies regarding cyber-security, especially those employee in the IT and IT security groups.
- Include third party processors in the assessment.
- Consider an exercise that simulates a cyber attack involving destructive malware.
Conduct ongoing information security risk assessments:
- Maintain a risk assessment program to consider new and evolving threats and adjust customer authentication, layered security and other controls in response to those threats.
- Assess the risk to critical systems and apply appropriate security measures.
- Ensure that third party vendors do the same.
Perform security monitoring, prevention and risk mitigation:
- Ensure that software and hardware threat detection systems are up-to-date and that firewalls are correctly configured.
- Monitor system alerts to identify, prevent and contain attacks.
- Follow industry security standards for applications developed internally and conduct due diligence of third party software and services.
Protect against unauthorized access:
- Limit the number of users with credentials with elevated privileges, applying the principle of least privilege (granting users access only to those systems needed for the performance of their duties).
- Use industry-standard practices such as preventing unpatched systems (e.g., home computer systems) from accessing internal systems, requiring regular password changes, and using virtual private networks (VPNs) for access to systems and services.
- Change all default passwords.
Implement and test controls for critical systems:
- Implement controls including access control, encryption, and fraud detection systems.
- Implement alert systems to notify employees if the baseline controls are modified.
- Test the adequacy of these controls periodically and report results to senior management.
Enhance information security awareness and training programs:
- Conduct mandatory training for all employees.
- Ensure the training is relevant to employee responsibilities.
- Make security awareness and training an ongoing program for employees rather than a standalone event.
Participate in industry information sharing programs:
- Share and incorporate information from other organizations in your market.
- Use government resources such as the U.S. Computer Emergency Readiness Team (US-CERT) to track threat information.
No set of controls guarantees that your systems are completely impervious to attack. However, these controls will go a long way to reducing the number of successful attacks on your systems and minimizing the damage from those that do succeed.