On Tuesday, November 3, 2015, the FFIEC issued a joint statement on cyberattacks involving extortion.  The premise of this memo is derived from the continued threat of an array of strategies used by cyber criminals (hacktivists, cyber terrorists, among others) on financial institutions in an attempt to compromise and hold sensitive data hostage.  From there, they will allow these institutions to purchase the information back, which the attacker will release for a fee.  These methods consist of ransomware, denial of service (DoS), or the theft of business or customer information.  Often times, these schemes can result in significant financial impact to the attacked entities, which will still likely equate to less than the actual loss of the data or the regulatory fines related to consumer protection (or lack thereof).  All of these attack vectors lead to significant risk in categories defined by the FFIEC, such as liquidity, capital, operational, compliance, and reputational.

It is key to train employees on social engineering red flags, and to avoid clicking suspicious links, as a malicious link can download hidden malware on a computer or network.  Other methods of prevention are:

N

Train staff and customers on overall security awareness and relevant attacks;

N

Perform risk analysis;

N

Configure systems to industry best practices and patch when possible;

N

Perform log correlation and system analysis to identify potential anomalous behavior;

N

Test key controls both internally and independently;

N

Review incident response programs to ensure they encompass corporate account takeover (CATO), denial of service (DoS) and distributed denial of service (DDoS) attacks, malware, and the remediation techniques applicable to these attacks;

N

Share security related incidents and information with industry competitors (in this aspect, we are all on the same team) and law enforcement agencies.

If you have any questions about the information contained in either this post or the FFIEC’s statement, please contact either:



Nate Gravel, Director – Information Security Practice

Related articles

 

Top 3 Red Flags of Phishing

Top 3 Red Flags of Phishing

We explore the top 3 red flags of phishing that businesses & employees should be aware of in order to recognize & mitigate a threat.

read more

Pin It on Pinterest

Share This