More with a Whimper than a Bang: the FFIEC Issues Guidelines for Destructive Malware Risk Mitigation



The FFIEC is the latest government agency to warn industry of the potential for destructive malware attacks, issuing guidelines to banks and credit unions last month. As the potential for destructive malware attacks increases, follow these guidelines to help keep your systems and data secure.

Cisco’s 2014 Annual Security Report is blunt: “100 percent of business networks analyzed by Cisco have traffic going to websites that host malware.” Clearly, no organization is impervious to attack. The question is not whether your organization will be attacked, but how often. And the more interesting follow-on question: how do you repel the attacks or minimize the damage from them?

To answer those questions, you can't do much better than to look to the Federal Financial Institutions Examination Council (FFIEC). The FFIEC prescribes uniform standards for the federal examination of banks and credit unions, which is a large part of why your money is safe in those institutions. In late March, the FFIEC issued a set of recommended risk mitigation procedures for financial institutions facing destructive malware attacks, that is, attacks using malware that wipes or corrupts data beyond recovery.

Destructive malware attacks were once considered a rare threat, but warnings from the FBI and NSA, along with several high-profile incidents in recent years (the Sony Pictures hack and the Shamoon attack on oil giant Saudi Aramco among them), reflect growing concern over the potential for such incidents. The FFIEC's guidelines are the latest warning from a federal body on the issue. While they are aimed at banks and credit unions, they offer some excellent best practices for preventing malware attacks at any organization. Here's our breakdown.

Securely configure systems and services:

  • Use protections such as logical network segmentation, physical network segmentation (up to and including air gapping, where a sensitive network has no wired or wireless connection to any other network), and an inventory of authorized software and hardware against which every host can be checked.
  • Ensure consistency in system configuration.
  • Remove or disable unused applications, functions or components.

Review, update, and test incident response and business continuity plans:

  • Test to ensure that all employees understand corporate policies regarding cyber-security, especially employees in the IT and IT security groups.
  • Include third party processors in the assessment.
  • Consider an exercise that simulates a cyber attack involving destructive malware.

Conduct ongoing information security risk assessments:

  • Maintain a risk assessment program to consider new and evolving threats and adjust customer authentication, layered security and other controls in response to those threats.
  • Assess the risk to critical systems and apply appropriate security measures.
  • Ensure that third party vendors do the same.

Perform security monitoring, prevention and risk mitigation:

  • Ensure that software and hardware threat detection systems are up-to-date and that firewalls are correctly configured.
  • Monitor system alerts to identify, prevent and contain attacks.
  • Follow industry security standards for applications developed internally and conduct due diligence of third party software and services.

Protect against unauthorized access:

  • Limit the number of accounts that hold elevated privileges, applying the principle of least privilege (granting each user access only to the systems needed for the performance of their duties).
  • Use industry-standard practices such as preventing unpatched or unmanaged systems (e.g., home computers) from accessing internal systems, requiring regular password changes, and requiring virtual private networks (VPNs) for remote access to systems and services.
  • Change all default passwords.

Implement and test controls for critical systems:

  • Implement controls including access control, encryption, and fraud detection systems.
  • Implement alert systems to notify employees if the baseline controls are modified.
  • Test the adequacy of these controls periodically and report results to senior management.
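Several of the items above (the inventory of authorized software, consistency of system configuration, removal of unused services, limiting privileged accounts, and alerting when baseline controls are modified) describe one mechanism: a per-host inventory compared against an approved baseline, with every deviation raised as an alert. The following is an added example of that check in Python; it is not code from the article, the FFIEC, or Digital Guardian. The host name, package, service and account names, file paths and file contents are constructed for illustration.

```python
"""Baseline drift check: compare a host snapshot against an approved baseline.

Added example for this article; not FFIEC text or vendor code. Every host,
package, service, account, path and file body below is constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Baseline:
    """What an authorized host is allowed to look like (hypothetical values)."""
    authorized_software: set   # packages that may be installed
    required_services: set     # services that must be running
    allowed_services: set      # services that may run; anything else is unused and should be disabled
    privileged_users: set      # the only accounts allowed in the admin group
    config_hashes: dict        # path -> SHA-256 of the approved file contents


@dataclass
class Snapshot:
    """What an inventory agent observed on one host (constructed sample data)."""
    host: str
    installed_software: set
    running_services: set
    admin_group_members: set
    config_files: dict         # path -> current file contents (bytes)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_drift(baseline: Baseline, snap: Snapshot) -> list:
    """Return one alert string per deviation from the baseline (sorted for stable output)."""
    alerts = []
    # Inventory of authorized software: anything extra is unauthorized.
    for pkg in sorted(snap.installed_software - baseline.authorized_software):
        alerts.append(f"{snap.host}: unauthorized software installed: {pkg}")
    # Required controls (e.g. audit logging) must still be running.
    for svc in sorted(baseline.required_services - snap.running_services):
        alerts.append(f"{snap.host}: required service not running: {svc}")
    # Unused or unapproved services should have been disabled.
    for svc in sorted(snap.running_services - baseline.allowed_services):
        alerts.append(f"{snap.host}: unused/unapproved service running: {svc}")
    # Least privilege: only the approved accounts may hold admin rights.
    for user in sorted(snap.admin_group_members - baseline.privileged_users):
        alerts.append(f"{snap.host}: unexpected privileged account: {user}")
    # Baseline-controlled configuration files must match their approved hash.
    for path, expected in sorted(baseline.config_hashes.items()):
        if path not in snap.config_files:
            alerts.append(f"{snap.host}: baseline-controlled file missing: {path}")
        elif sha256(snap.config_files[path]) != expected:
            alerts.append(f"{snap.host}: baseline-controlled file modified: {path}")
    return alerts


# Constructed "golden" baseline for a hardened Linux file server.
APPROVED_SSHD = b"PermitRootLogin no\nPasswordAuthentication no\n"
GOLD_BASELINE = Baseline(
    authorized_software={"openssh-server", "auditd", "rsyslog"},
    required_services={"sshd", "auditd"},
    allowed_services={"sshd", "auditd", "rsyslog"},
    privileged_users={"root", "ops_admin"},
    config_hashes={"/etc/ssh/sshd_config": sha256(APPROVED_SSHD)},
)


def sample_snapshot() -> Snapshot:
    """Constructed snapshot of a host that has drifted in several ways at once."""
    return Snapshot(
        host="branch-fs-01",
        installed_software={"openssh-server", "auditd", "rsyslog", "telnet-server"},
        running_services={"sshd", "rsyslog", "telnetd"},  # auditd stopped, telnetd started
        admin_group_members={"root", "ops_admin", "svc_backup"},
        config_files={"/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n"},
    )


def run_sample() -> list:
    """Run the drift check on the constructed snapshot and return the alerts."""
    return check_drift(GOLD_BASELINE, sample_snapshot())


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT", line)
```

In practice the baseline lives in version control and the snapshot comes from whatever inventory agent or configuration-management tool the organization already runs; the point of the check is that "consistency in system configuration" becomes a comparison that runs on a schedule and pages someone, rather than a statement in a policy document.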

Enhance information security awareness and training programs:

  • Conduct mandatory training for all employees.
  • Ensure the training is relevant to employee responsibilities.
  • Make security awareness and training an ongoing program for employees rather than a standalone event.

Participate in industry information sharing programs:

  • Share and incorporate information from other organizations in your market.
  • Use government resources such as the U.S. Computer Emergency Readiness Team (US-CERT) to track threat information.

No set of controls guarantees that your systems are completely impervious to attack. However, these controls will go a long way to reducing the number of successful attacks on your systems and minimizing the damage from those that do succeed.

Harriet Cohen



Harriet Cohen is a senior product manager at Digital Guardian where she works in the Office of the CTO to turn innovative ideas for enhanced threat protection into product reality. Harriet has over ten years of experience in the security arena, encompassing both data protection and identity and access management.
