The Federal Financial Institutions Examination Council (FFIEC) has made it clear that the ongoing cyberattacks targeting web-based ATM and card authorization systems may be inevitable for financial institutions that do not act quickly.
The attacks are attributed to a scheme dubbed “Unlimited Operations” by the U.S. Secret Service. Unlimited Operations hackers, no newcomers to the cybercrime landscape, have shed their highly sophisticated techniques and turned to a tried and true means of initial access: through financial institution employees who inadvertently help them gain access to systems when they fall victim to social engineering tactics.
The criminals begin with phishing, where emails appearing to be from an authentic and legitimate source—aka, the phish—contain malware that is activated when an institution’s employee opens a link or attachment within the phony email. The FFIEC describes the broad and concerning consequences of this tactic: “once installed, criminals use the malware to monitor the institution’s network to determine how the institution accesses ATM control panels and obtain employee login credentials …”
Just one successful phish can provide cybercriminals with the keys to the kingdom, because they can gain access to such powerful system rights as the ability to remove withdrawal limits. According to the FFIEC, one successful phishing scheme yielded an almost unbelievable $40 million for the cybercriminals, who only needed 12 debit cards to carry out the heist.
With respect to its new guidance, the FFIEC “expects financial institutions to take steps to address this threat by reviewing the adequacy of their controls over Information Technology networks, card issue authorization systems, systems that manage ATM parameters, and fraud detection and response processes.”
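The guidance puts fraud detection and response processes on the same footing as the ATM parameter systems themselves, and the attack pattern described above (a limit removed out of band, then a handful of cards cashed out quickly across many machines) is visible in the issuer's own authorization log. The following is an added illustration, not code from CSI or the FFIEC: two checks that compare withdrawals against the issuer's own record of each card's daily limit, independent of whatever limit the ATM parameter system currently reports. All card IDs, ATM IDs, limits, timestamps and thresholds are constructed sample values.

```python
"""Two fraud-detection checks for ATM cash-out patterns (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the per-card daily withdrawal limit as held in the issuer's own
# records. This is the reference value; an attacker who raised or removed the
# limit in the ATM parameter system does not change this table.
BASELINE_DAILY_LIMITS = {"card-001": 500, "card-002": 500, "card-003": 1000}

# Constructed authorization-log records: (timestamp, card_id, atm_id, amount).
SAMPLE_WITHDRAWALS = [
    ("2024-01-06T00:10:00", "card-003", "atm-01", 200),
    ("2024-01-06T01:00:00", "card-001", "atm-17", 400),
    ("2024-01-06T01:04:00", "card-001", "atm-22", 400),
    ("2024-01-06T01:09:00", "card-001", "atm-31", 400),
    ("2024-01-06T01:15:00", "card-001", "atm-08", 400),
    ("2024-01-06T02:00:00", "card-002", "atm-17", 300),
    ("2024-01-06T14:00:00", "card-002", "atm-17", 150),
    ("2024-01-07T09:00:00", "card-003", "atm-05", 900),
]


def _parse(records):
    """Parse ISO timestamps and sort chronologically (required by the sliding windows)."""
    parsed = [(datetime.fromisoformat(ts), card, atm, amt) for ts, card, atm, amt in records]
    return sorted(parsed)


def limit_breaches(records, baselines, window=timedelta(hours=24)):
    """Cards whose withdrawals within any rolling `window` exceed the issuer's baseline.

    Returns {card_id: peak_total_in_window}. A breach means the authorization
    system honoured a limit that does not match the issuer's own records, which
    is exactly what a tampered ATM parameter system would produce.
    """
    by_card = defaultdict(list)
    for ts, card, _atm, amt in _parse(records):
        by_card[card].append((ts, amt))
    breaches = {}
    for card, events in by_card.items():
        limit = baselines.get(card)
        if limit is None:  # unknown card: out of scope for this check
            continue
        start = total = peak = 0
        for ts, amt in events:
            total += amt
            # Drop events that have fallen out of the rolling window.
            while ts - events[start][0] >= window:
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > limit:
            breaches[card] = peak
    return breaches


def cashout_bursts(records, min_atms=3, window=timedelta(minutes=30)):
    """Cards used at `min_atms` or more distinct ATMs within `window`.

    Returns {card_id: max_distinct_atms_seen_in_window}. A small set of cards
    hitting many machines in minutes is the cash-out phase of the scheme.
    """
    by_card = defaultdict(list)
    for ts, card, atm, _amt in _parse(records):
        by_card[card].append((ts, atm))
    bursts = {}
    for card, events in by_card.items():
        start = 0
        for i, (ts, _atm) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            distinct = {atm for _t, atm in events[start:i + 1]}
            if len(distinct) >= min_atms:
                bursts[card] = max(bursts.get(card, 0), len(distinct))
    return bursts


def run_checks(records=SAMPLE_WITHDRAWALS, baselines=BASELINE_DAILY_LIMITS):
    """Run both checks and return their findings keyed by check name."""
    return {
        "limit_breaches": limit_breaches(records, baselines),
        "cashout_bursts": cashout_bursts(records),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits or 'none'}")
```

On the constructed data, card-001 trips both checks (1,600 withdrawn against a 500 baseline, across four ATMs in fifteen minutes), while card-003's two large withdrawals more than a day apart stay under its limit. The point of the design is the source of the baseline: the comparison value comes from the issuer's records, not from the parameter system the attacker may control, so a change to that system surfaces as a discrepancy rather than being silently accepted.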
Among its recommendations, the agency is calling on financial institutions to follow several risk-mitigating steps, including conducting exercises that simulate this type of attack. To accomplish this, you can employ two industry solutions that, used together, reveal the attack patterns that could succeed in your environment: advanced social engineering with network exploitation, and internal penetration testing.
With advanced social engineering, third-party consultants conduct thorough reconnaissance on your organization and its employees, perform a safe and precise strike on your systems using the intelligence gathered during reconnaissance efforts, and mimic real-world attacks by diving deep into your organization’s infrastructure, systems and data. They do so using proprietary software and remote connections that are largely undetectable by antivirus, firewall and other security implementations.
Beyond this “outside-in” testing approach, internal penetration testing simulates the activity of an attacker on your internal network and attempts to gain privileged access to sensitive systems and data without interruption of service. Through hands-on, manual testing and research, consultants identify vulnerabilities, issues and situations that a basic scan would not detect, allowing them to provide insight into the attack chains and sequence necessary to conduct a real-world attack against your organization.
The FFIEC also recommends using its prescribed risk mitigation measures as an ongoing guide, as outlined within its IT Examination Handbooks. These measures fall into seven categories:
1. Routine and ongoing information security risk assessments
2. Security monitoring, prevention and mitigation
3. Protection against unauthorized access
4. Implementation and routine testing of controls for critical systems
5. Information security awareness and training programs
6. Testing of incident response plans
7. Information sharing within the industry
So, as cyberthreats continue to increase and evolve, ensure your financial institution remains in compliance with the FFIEC using advanced social engineering and internal penetration testing to help you identify your weaknesses before criminals have the chance.
And download our free white paper, Think Like a Hacker, to gain powerful insight into today’s most dangerous cyberthreats.
Tyler Leet is director of Risk and Compliance Services for CSI Regulatory Compliance. With experience in network/security administration, Tyler also conducts information security reviews for financial institutions and specializes in external penetration testing.