The Federal Financial Institutions Examination Council (FFIEC) has issued a cybersecurity alert to banks. The alert entitled “Cybersecurity of Interbank Messaging and Wholesale Payment Networks” is the latest warning for banks since the Bangladesh Bank lost $81 million in a recent hacking attack.
Since the original attack on the Bangladesh Bank there have been reports that other banks have also had their interbank messaging client system breached. Three weeks ago the SWIFT Banking Network alerted banks that a second unnamed bank had been attacked. BAE Systems Applied Intelligence division later said that the victim was a commercial bank in Vietnam. The FBI has also issued its own warning to banks.
While this series of attacks is not a direct breach of the SWIFT Banking Network core systems it does rely on the client side messaging components being compromised. In the two attacks that have been made public, both banks were breached by hackers with what SWIFT called: “a deep and sophisticated knowledge of specific operational controls’ at targeted banks and may have been aided by malicious insiders or cyber attacks, or a combination of both.”
BAE has blamed the attacks in North Korea citing evidence that some of the code used was also present in the attack on Sony Pictures. That claim has since been substantiated by Symantec who published their research into the attack. Yesterday at Infosecurity Europe, Mikko Hyppõnen from F-Secure reiterated the fact that the security industry is convinced this is a state sponsored attack.
What has the FFIEC warned of?
The FFIEC has told member banks that they must: “actively manage the risks associated with interbank messaging and wholesale payment networks.” It goes on to remind all financial institutions that they should review their risk management practices and controls over IT and payment systems. They are told to pay particular attention to: “authentication, authorization, fraud detection, and response management systems and processes.”
The statement makes it clear that this is an advisory and not a change in regulatory expectations. However it does point financial institutions at the FFIEC IT Examination Handbook and in particular the information on regulatory expectations regarding IT risk management.
Steps to mitigate risk
In order to provide more prescriptive guidance, the statement provides a list of seven steps that should be taken when looking to mitigate risk. Each step goes into a significant amount of detail providing key points that IT can use to check their security. The seven steps are:
- Conduct ongoing information security risk assessments
- Perform security monitoring, prevention, and risk mitigation
- Protect against unauthorized access
- Implement and test controls around critical systems regularly
- Manage business continuity risk
- Enhance information security awareness and training programs
- Participate in industry information-sharing forums
- A message for any enterprise
While the FFIEC is concerned solely around financial institutions the details in the seven steps above is important. They have been written in such a way that makes them easy to adopt by any enterprise IT security team. For Chief Security Officers and even Audit Committees inside companies who are struggling to put together a set of metrics by which they can evaluate security inside enterprises, these steps and their detailed notes are a good start.
While it has taken four months between the attack on the Bangladesh Bank and the FFIEC issuing this alert and guidance to financial institutions it does show that there is significant concern over this attack. The depth of knowledge demonstrated by the attackers of the SWIFT network and the client side messaging systems used by banks connecting to it shows that this is an attack that is unlikely to go away.
At present all the attacks have been focused on smaller countries and banks that appear to have weak security in other parts of their IT environment. As the attackers refine their skills and learn more about the local interbank messaging client systems it surely won’t be long before we see attacks on larger banks and financial institutions.