About Us | Contact Us
View Cart

Two New Statements, One Read!

By Dan Hadaway | Tuesday, March 31, 2015 - One Comment

Are they worth the read?

Yes, but you only have to read the first one!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

Note:  If you haven’t figured it out, on 03/30/15 the FFIEC posted two new “statements.”  While we do not announce new FFIEC Guidelines (as we believe most of our readership that WANTS this information is already getting it directly from their regulators) we will, from time-to-time, try to post a quick analysis, so that you can know what’s coming up, in our opinion!

Real quick summary:  Read the Credentials statement first.  If you aren’t implementing the controls at the bottom of this article, then read the Malware statement as well.

03/30/15 Statement #1:
Cyber Attacks Compromising Credentials

Is it worth the read? 

Heck yes!  It’s about four pages of reading material and though there’s not a lot new, it rephrases some important control information related to credentials.


Does it have any new requirements?  Well . . .   while it says, “No new regulatory expectations,” we have noticed a couple of items in the statement that we will be quoting as we try to sell our Managed Security Services.  For example, event log management will need to be used to do some of the stated log monitoring requirements, and establishing the baseline is what we do during the tuning period for our IPS/IDS systems!


One thing we found interesting:  In an attempt to delineate examples of attack vectors, the FFIEC defines Phishing, Spear-Phishing, Malvertising, Watering Holes, and Web-based Attacks

  • Phishing and Spear-Phishing:  Conducting attacks using social engineering by sending e-mails disguised as legitimate messages; tricking users into disclosing names and passwords, payment card information; or clicking on links or attachments that deliver malware to their computers.
  • Malvertising:  Injecting malware into legitimate online advertising and downloading the malware to the computer of any person who visits the Web site containing the advertisement.
  • Watering Holes:  Injecting malware into a vulnerable Web site frequented or commonly visited by targeted victims. The compromised site facilitates the downloading of malware to the computer of any person who visits the Web site.

infotex Notes about these definitions: 

  •  In infotex lore, Spear-phishing is phishing that targets specific groups, like “employees of First Bank Nowhere,” or “all email addresses in the xyz department” whereas phishing is more of a “generic” attack.   
  • Malvertising:  While some would argue this is a “watering hole tactic,” rather than a different vector altogether, who cares.  But it is also important to add that “bloatware” and other “unwanted applications” also carry associated risks.
  • Many organizations refer to Watering Holes as Drive-by Attack Sites. 

Later in the document, it lists the following additional attack vectors:

  •  It also cites weak passwords as an exacerbating risk factor.
  • System credentials may be targeted directly through vulnerabilities in authentication systems (e.g., OpenSSL “Heartbleed”)6 or indirectly by compromising the credentials of trusted third parties (e.g., fraudulent certificates).

We will be turning these into a “drill-down risk assessment” on Credentials soon!

Impact Factors:

The guidance also includes these impacts of stolen credentials, which we will be alluding to in our drill-down risk assessment:

  • Stolen customer credentials may give an attacker access to customers’ account information to commit fraud and identity theft.
  • Stolen employee and third-party credentials may provide initial access to trusted internal systems that may be used to leverage system administrator level access to obtain confidential business and customer information, modify and disrupt information systems, and destroy or corrupt data.
  • Stolen system credentials may also be used to gain access to internal systems and data to further distribute malware or impersonate the financial institution to facilitate fraud such as accessing payment processing systems for automated clearing house transactions.
  • Compromised credentials may expose financial institutions to a range of risks that include loss of the confidentiality and integrity of sensitive data, such as customer information and confidential business information.
  • Further, compromised credentials enable cyber attackers to disrupt and degrade systems or process fraudulent financial transactions that may not be recovered by the institutions

Mitigating Controls:

The statement articulates the following controls for credentials:

  •  [referring to the 2005 Guidance on Authentication, and the 2011 supplement] . . . The guidance requires, among other things, security measures to reliably authenticate customers accessing their financial institutions’ Internet-based services.
  • Conduct Ongoing Information Security Risk Assessments (you’ve read this a hundred different ways, we won’t rehash in this article)
  • Perform security monitoring, prevention, and risk mitigation.
  • Ensure protection and detection systems, such as intrusion detection systems and antivirus protection, are up-to-date and firewall rules are configured properly and reviewed periodically.
  • Establish a baseline environment to enable the ability to detect anomalous behavior.
  • Monitor system alerts to identify, prevent, and contain attack attempts from all sources. In addition,
    • Follow software assurance industry practices for internally-developed applications. o Conduct due diligence of third-party software and services.
    • Conduct penetration testing and vulnerability scans, as necessary.
    • Promptly manage vulnerabilities, based on risk, and track mitigation progress, including implementing patches for all applications, services, and systems. o Review reports generated from monitoring systems and third parties for unusual behavior.
  • Protect against unauthorized access (limit elevated privileges, access authorization reviews, expire unused credentials, monitor logs for use of old credentials, establish authentication rules . . . . . this section reads like an audit checklist, and if your auditors did not check for this stuff, they will now!  We confess, we did not check that you’re monitoring logs for use of old credentials.  Quite frankly, we are surprised that this is in the regulations, as we would have used it to point out how our ELM system is helping banks comply with the regulations.  So though this document claims no new expectations, this one will probably cost you money if you are not currently managing logs beyond “checking failed logins.”
  • Implement and test controls around critical systems regularly.  More audit checklist stuff.
  • Enhance information security awareness and training programs (thank you!)
  • Participate in Industry Sharing Form (and a thank you again from FS-ISAC) but also a nod to US-CERT.

03/30/15 Statement #2:
Destructive Malware

Is it worth the read? 

Well . . . . for one, half of it duplicates what’s in the Credentials Statement.  But also, as we were reading it, we were thinking, “shouldn’t this already be in place?”  I mean, we don’t know many banks who have not already gone through a malware incident.

Still, it points out that business continuity plans should address response and recovery from malware incidents.  We have seen most of our banks include this as a separate procedure, and we are motivated to update our procedure in case anybody needs it after an examination.  So, if you can’t say “already addressing that” to the following suggested controls, then you might want to read the statement.  It’s only five pages!

New Regulatory Requirements?

Well again they say no, but we’re adding “test malware response plan” to our checklists.


It does define the following terms:

  • Air Gap:  a security measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically.
  • Data mirroring:  The replication of data to alternate processing sites or storage systems at regular intervals defined by recovery time periods of an organization.

Suggested Mitigating Controls:

  • Securely Configure Systems and Services:  a paragraph form audit checklist that you should have already undergone many times if you’re a financial institution or an organization who has been audited.
  • Review, update, and test incident response and business continuity plans (another example of acting like they always wanted incident response plans tested.)  But this now means they want to see Malware Response as an Attack Scenario if you are using these in your Incident Response Planning.  (Ask for our procedure if you’re a Client!)
  • Conduct ongoing risk assessments.  (duh)
  • Perform Security Monitoring, Prevention, and Risk Mitigation (if you’re reading the credentials statement you can skip this, it’s the same!)
  • Protect against unauthorized access.  (Same as credentials statement.)
  • Implement and test controls around critical systems regularly (Same.)
  • Enhance information security awareness programs (Same.)
  • Participate in information sharing forms (Same.)

So as you can see, this one is almost worth the read because the last four sections have already been read (assuming you read the Credentials Statement!)

Keep an eye out for our upcoming drill-down risk assessment on credentials!

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”



One Response to “Two New Statements, One Read!”

Comment from k
Time 03/31/2015 at 3:30 pm

Well done Dan! Your breakdown is much more entertaining to read than the ‘statements’ themselves. I feel I am now ready to read the statements. Maybe tomorrow….

As for internet/email threats, I take a very simple approach: Dangerous email, and malicious websites (whether or not they were born that way).

My users will not remember the definitions, in my opinion, but it is important for them to know
what to look for – especially the signs that maybe their favorite obits / weather / news or tech site has been hacked. ……So, when did you first notice this….. So you just went to the sites you always go to … which were……? With the under the radar malware out, we will be lucky if a user notices something amiss and calls. But, I digress.

Latest News
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    The joint cybersecurity advisory includes the 15 most exploited vulnerabilities reported in 2021… An article review.  While a lot of attention is focused on previously undisclosed or “zero day” attacks, some of the most likely attack vectors are vulnerabilities that have been widely known for weeks or even months.  That’s according to a new joint […]
    Threats are changing, EDR can help us adapt . . . Today’s advanced persistent threat (APT) understands that the IT landscape has changed. In the post-COVID age, more and more organizations have adopted some form of work from home.  While WFH offers many conveniences, it also imparts increased risks. BitSight conducted a 2021 study of […]
    The Five Precepts of IT Vendor Management Webinar-Movie We’re going back to basics on Vendor Management. This webinar will give you a training tool to help out that new person that is starting to take on the gargantuan task that is Vendor Management.
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]
    You think you’ve finally found stability in your to-do list. Your goals are set, and you’re even making great progress on them all. Audit findings: all addressed. Management requests: Under control. Heck, you might even be able to leave the office five minutes early at least once this year. Then BAM! A press release from […]
    Software Bill of Materials (SBOMs) are becoming more and more important. . . We are all very familiar with one aspect of the software supply chain – updates.  New features, bug fixes, and performance upgrades are a regular occurrence to any device’s lifecycle, however what if these kinds of updates also include deliberately malicious code? […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    According to a new survey, more organizations than ever are reporting problems with cybersecurity staffing… An article review. While pandemic related mandates and restrictions are gradually being lifted across the country, many organizations are still feeling the effects in one important area: staffing.  That’s according to ISACA’s annual State of Cybersecurity survey, which asked over […]
    Understanding Banking Trojans… Another Technical Article by Tanvee Dhir! What are Banking Trojans? A trojan is a malicious program that masquerades as a genuine one. They are often designed to steal sensitive information from users (login passwords, account numbers, financial information, credit card information, etc.). A banking trojan is a malicious computer program designed to […]