ARLINGTON, Va. — The Federal Financial Institutions Examination Council (FFIEC) has released two statements concerning ways that financial institutions, including credit unions, can identify and mitigate cyber-attacks that compromise user credentials or use destructive software, known as malware.
Also, the FFIEC has provided information on what such institutions can do to prepare for and respond to these threats.
Noting that cyber-attacks have increased in frequency and severity over the past two years, FFIEC warned that credentials used by customers, employees, and third parties to authenticate themselves when accessing business applications and systems can often be stolen. Cyber-criminals can use stolen credentials to commit fraud or identity theft, modify and disrupt information system, and obtain, destroy, or corrupt data. In addition, cyber-criminals often introduce malware to business systems through e-mail attachments, connecting infected external devices, such as USB drives, to computers or networks, or by introducing the malware directly onto the business systems using compromised credentials.
In response to such threats, FFIEC advised financial institutions to:
- securely configure systems and services
- review, update, and test incident response and business continuity plans
- conduct ongoing information security risk assessments
- perform security monitoring, prevention, and risk mitigation
- protect against unauthorized access
- implement and test controls around critical systems regularly
- enhance information security awareness and training programs
- participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.
The FFIEC also listed several online resources that can provide practical information for strengthening user awareness regarding safe online practices: Federal Trade Commission's On Guard Online; National Cyber Security Alliance's Stay Safe Online; US-Cert Security Tip (STI-003) "Handling Destructive Malware"; Joint Security Awareness Report (JSAR-12-241-01B) "Shamoon/DstTrack Malware"; National Institute of Standards and Technology "Cybersecurity Framework"; US-CERT "Cyber Resilience Review"; and NSA/CSS Information Assurance Directorate (MIT-001R-2015) "Defensive Best Practices for Destructive Malware."