On Tuesday, November 3, 2015, the FFIEC issued a joint statement on cyberattacks involving extortion. The memo addresses the continued threat posed by the array of strategies that cyber criminals (hacktivists and cyber terrorists, among others) use against financial institutions in an attempt to compromise sensitive data and hold it hostage. From there, the attackers allow these institutions to purchase the information back, releasing it for a fee. These methods consist of ransomware, denial of service (DoS), or the theft of business or customer information. Oftentimes, these schemes can result in significant financial impact to the attacked entities, an impact that will still likely equate to less than the actual loss of the data or the regulatory fines related to consumer protection (or lack thereof). All of these attack vectors lead to significant risk in categories defined by the FFIEC, such as liquidity, capital, operational, compliance, and reputational.

It is key to train employees to recognize social engineering red flags and to avoid clicking suspicious links, as a malicious link can download hidden malware onto a computer or network. Other methods of prevention are:

- Train staff and customers on overall security awareness and relevant attacks;
- Perform risk analysis;
- Configure systems to industry best practices and patch when possible;
- Perform log correlation and system analysis to identify potential anomalous behavior;
- Test key controls both internally and independently;
- Review incident response programs to ensure they encompass corporate account takeover (CATO), denial of service (DoS) and distributed denial of service (DDoS) attacks, malware, and the remediation techniques applicable to these attacks;
- Share security-related incidents and information with industry competitors (in this aspect, we are all on the same team) and law enforcement agencies.

If you have any questions about the information contained in either this post or the FFIEC’s statement, please contact either:



Nate Gravel, Director – Information Security Practice
