About Us | Contact Us
View Cart

Two New Statements, One Read!

By Dan Hadaway | Tuesday, March 31, 2015 - One Comment

Are they worth the read?

Yes, but you only have to read the first one!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

Note:  If you haven’t figured it out, on 03/30/15 the FFIEC posted two new “statements.”  While we do not announce new FFIEC Guidelines (as we believe most of our readership that WANTS this information is already getting it directly from their regulators) we will, from time-to-time, try to post a quick analysis, so that you can know what’s coming up, in our opinion!

Real quick summary:  Read the Credentials statement first.  If you aren’t implementing the controls at the bottom of this article, then read the Malware statement as well.

03/30/15 Statement #1:
Cyber Attacks Compromising Credentials

Is it worth the read? 

Heck yes!  It’s about four pages of reading material and though there’s not a lot new, it rephrases some important control information related to credentials.


Does it have any new requirements?  Well . . .   while it says, “No new regulatory expectations,” we have noticed a couple of items in the statement that we will be quoting as we try to sell our Managed Security Services.  For example, event log management will need to be used to do some of the stated log monitoring requirements, and establishing the baseline is what we do during the tuning period for our IPS/IDS systems!


One thing we found interesting:  In an attempt to delineate examples of attack vectors, the FFIEC defines Phishing, Spear-Phishing, Malvertising, Watering Holes, and Web-based Attacks

  • Phishing and Spear-Phishing:  Conducting attacks using social engineering by sending e-mails disguised as legitimate messages; tricking users into disclosing names and passwords, payment card information; or clicking on links or attachments that deliver malware to their computers.
  • Malvertising:  Injecting malware into legitimate online advertising and downloading the malware to the computer of any person who visits the Web site containing the advertisement.
  • Watering Holes:  Injecting malware into a vulnerable Web site frequented or commonly visited by targeted victims. The compromised site facilitates the downloading of malware to the computer of any person who visits the Web site.

infotex Notes about these definitions: 

  •  In infotex lore, Spear-phishing is phishing that targets specific groups, like “employees of First Bank Nowhere,” or “all email addresses in the xyz department” whereas phishing is more of a “generic” attack.   
  • Malvertising:  While some would argue this is a “watering hole tactic,” rather than a different vector altogether, who cares.  But it is also important to add that “bloatware” and other “unwanted applications” also carry associated risks.
  • Many organizations refer to Watering Holes as Drive-by Attack Sites. 

Later in the document, it lists the following additional attack vectors:

  •  It also cites weak passwords as an exacerbating risk factor.
  • System credentials may be targeted directly through vulnerabilities in authentication systems (e.g., OpenSSL “Heartbleed”)6 or indirectly by compromising the credentials of trusted third parties (e.g., fraudulent certificates).

We will be turning these into a “drill-down risk assessment” on Credentials soon!

Impact Factors:

The guidance also includes these impacts of stolen credentials, which we will be alluding to in our drill-down risk assessment:

  • Stolen customer credentials may give an attacker access to customers’ account information to commit fraud and identity theft.
  • Stolen employee and third-party credentials may provide initial access to trusted internal systems that may be used to leverage system administrator level access to obtain confidential business and customer information, modify and disrupt information systems, and destroy or corrupt data.
  • Stolen system credentials may also be used to gain access to internal systems and data to further distribute malware or impersonate the financial institution to facilitate fraud such as accessing payment processing systems for automated clearing house transactions.
  • Compromised credentials may expose financial institutions to a range of risks that include loss of the confidentiality and integrity of sensitive data, such as customer information and confidential business information.
  • Further, compromised credentials enable cyber attackers to disrupt and degrade systems or process fraudulent financial transactions that may not be recovered by the institutions

Mitigating Controls:

The statement articulates the following controls for credentials:

  •  [referring to the 2005 Guidance on Authentication, and the 2011 supplement] . . . The guidance requires, among other things, security measures to reliably authenticate customers accessing their financial institutions’ Internet-based services.
  • Conduct Ongoing Information Security Risk Assessments (you’ve read this a hundred different ways, we won’t rehash in this article)
  • Perform security monitoring, prevention, and risk mitigation.
  • Ensure protection and detection systems, such as intrusion detection systems and antivirus protection, are up-to-date and firewall rules are configured properly and reviewed periodically.
  • Establish a baseline environment to enable the ability to detect anomalous behavior.
  • Monitor system alerts to identify, prevent, and contain attack attempts from all sources. In addition,
    • Follow software assurance industry practices for internally-developed applications. o Conduct due diligence of third-party software and services.
    • Conduct penetration testing and vulnerability scans, as necessary.
    • Promptly manage vulnerabilities, based on risk, and track mitigation progress, including implementing patches for all applications, services, and systems. o Review reports generated from monitoring systems and third parties for unusual behavior.
  • Protect against unauthorized access (limit elevated privileges, access authorization reviews, expire unused credentials, monitor logs for use of old credentials, establish authentication rules . . . . . this section reads like an audit checklist, and if your auditors did not check for this stuff, they will now!  We confess, we did not check that you’re monitoring logs for use of old credentials.  Quite frankly, we are surprised that this is in the regulations, as we would have used it to point out how our ELM system is helping banks comply with the regulations.  So though this document claims no new expectations, this one will probably cost you money if you are not currently managing logs beyond “checking failed logins.”
  • Implement and test controls around critical systems regularly.  More audit checklist stuff.
  • Enhance information security awareness and training programs (thank you!)
  • Participate in Industry Sharing Form (and a thank you again from FS-ISAC) but also a nod to US-CERT.

03/30/15 Statement #2:
Destructive Malware

Is it worth the read? 

Well . . . . for one, half of it duplicates what’s in the Credentials Statement.  But also, as we were reading it, we were thinking, “shouldn’t this already be in place?”  I mean, we don’t know many banks who have not already gone through a malware incident.

Still, it points out that business continuity plans should address response and recovery from malware incidents.  We have seen most of our banks include this as a separate procedure, and we are motivated to update our procedure in case anybody needs it after an examination.  So, if you can’t say “already addressing that” to the following suggested controls, then you might want to read the statement.  It’s only five pages!

New Regulatory Requirements?

Well again they say no, but we’re adding “test malware response plan” to our checklists.


It does define the following terms:

  • Air Gap:  a security measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically.
  • Data mirroring:  The replication of data to alternate processing sites or storage systems at regular intervals defined by recovery time periods of an organization.

Suggested Mitigating Controls:

  • Securely Configure Systems and Services:  a paragraph form audit checklist that you should have already undergone many times if you’re a financial institution or an organization who has been audited.
  • Review, update, and test incident response and business continuity plans (another example of acting like they always wanted incident response plans tested.)  But this now means they want to see Malware Response as an Attack Scenario if you are using these in your Incident Response Planning.  (Ask for our procedure if you’re a Client!)
  • Conduct ongoing risk assessments.  (duh)
  • Perform Security Monitoring, Prevention, and Risk Mitigation (if you’re reading the credentials statement you can skip this, it’s the same!)
  • Protect against unauthorized access.  (Same as credentials statement.)
  • Implement and test controls around critical systems regularly (Same.)
  • Enhance information security awareness programs (Same.)
  • Participate in information sharing forms (Same.)

So as you can see, this one is almost worth the read because the last four sections have already been read (assuming you read the Credentials Statement!)

Keep an eye out for our upcoming drill-down risk assessment on credentials!

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”



One Response to “Two New Statements, One Read!”

Comment from k
Time 03/31/2015 at 3:30 pm

Well done Dan! Your breakdown is much more entertaining to read than the ‘statements’ themselves. I feel I am now ready to read the statements. Maybe tomorrow….

As for internet/email threats, I take a very simple approach: Dangerous email, and malicious websites (whether or not they were born that way).

My users will not remember the definitions, in my opinion, but it is important for them to know
what to look for – especially the signs that maybe their favorite obits / weather / news or tech site has been hacked. ……So, when did you first notice this….. So you just went to the sites you always go to … which were……? With the under the radar malware out, we will be lucky if a user notices something amiss and calls. But, I digress.

Latest News
    Community Banking and their layers of security. . . Michael Hartke’s first post as Executive Vice President! Thinking back to my first talk to security professionals in community banking almost 10 years ago, the question continues to this day. First some background… infotex was moderating the Indiana Bankers Association Security Conference when one of the […]
    Reasons why we should be considered! infotex provides a number of services that can be checked out if you click over to offerings.infotex.com! We even made a movie with all the reasons why infotex should be your next MSOC!  
    infotex and GoTo To all infotex managed security service Clients: As recently reported by major news outlets there was a data breach affecting GoTo (formerly LogMeIn) wherein attackers stole encrypted backups containing customer information in November 2022.  Based on the advisory from GoTo the products they offer that are affected include LogMeIn Pro, LogMeIn Central, […]
    An option for increasing security for ALL organizations. . . The threat landscape is evolving daily, and it is becoming increasingly difficult for even large organizations providing cyber defense services to keep up. As Brandao (2021) notes, it is important for organizations to adapt holistic technologies that can correlate all attack events. Therefore, developing XDR […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    A relic of the internet’s less secure past, many small firms struggle to secure their email systems… An article review. With a great deal of cybersecurity related news focused on new threats and similarly new techniques aimed at combating them, it can be easy to forget some of the older threats that have never gone […]
    Seven Trends . . . …that small bank Information Security Officers face in 2023 Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Welcome to the Magnificent Seven, my annual predictive article about the seven trends in technology that will impact the Information Security Officers of […]
    System Security and Cybersecurity are not the same thing. . . Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Regarding “information security,” the last thirty years have seen an evolution of frameworks, laws, and assessment approaches which intimidate the management team with their complexity.  […]
    The cryptographic algorithm is vulnerable to attack and is no longer considered secure… An article review. NIST has announced that it plans to retire the SHA-1 cryptographic algorithm by the end of 2030, citing multiple vulnerabilities in the standard, effectively ending its use after nearly 30 years.  Introduced in 1995, SHA-1 used a 160-bit hash […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]