Cyber attacks on financial institutions have become so relentless in their frequency and severity that the Federal Financial Institutions Examination Council (FFIEC) directed banks this past month to enhance their information security programs to better defend against attacks that compromise user credentials and deploy destructive software.

Recent reports indicate that bank information systems have been compromised, resulting in the theft of large volumes of user credentials – such as passwords, usernames, and other forms of authentication information. These attacks have taken several forms, including phishing (social engineering and technical subterfuge), malvertising (injection of malware into legitimate online advertising sites), watering holes (injection of malware into commonly visited web sites), and web-based attacks (targeting of systems and services that contain customer credentials). The stolen user credentials have been sold in online forums and used to commit fraud and identity theft.

The FFIEC also acknowledged that destructive software (malware) has compromised large quantities of data and rendered information systems inoperable. The malware has infiltrated systems through phishing emails, compromised external devices, and unauthorized parties who have accessed systems with stolen user credentials. Due to the damage caused by malware, the FFIEC stated, “In today’s rapidly evolving cyber threat landscape ... comprehensive resilience depends on the ability to identify and contain damage, recover data, and restore operations from a broader set of scenarios that include cyber attacks involving destructive malware on critical information systems or the institution’s underlying infrastructure.”

The FFIEC stated that financial institutions should consider taking the following measures to increase the security of their information systems and to better protect the data they process, transmit and store:

  • Securely configure systems and services;
  • Review, update, and test incident response and business continuity plans;
  • Conduct ongoing information security risk assessments;
  • Perform security monitoring, prevention, and risk mitigation;
  • Protect against unauthorized access;
  • Implement and test controls around critical systems regularly;
  • Enhance information security awareness and training programs; and
  • Participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.