Compliance Blog

Apr 14, 2014

FFIEC Implores Financial Institutions to Stop the Bleeding; Free Kick

Written by Ricardo Piñeres, Regulatory Compliance Counsel

On Thursday, April 10, the Federal Financial Institutions Examination Council (FFIEC) released an alert regarding the “Heartbleed” vulnerability.  The alert is intended to make credit unions, and other financial institutions, aware of the seriousness of “Heartbleed” and of how it can let attackers read private information (including keys, passwords, and session data) that would normally be protected by encryption.

“Heartbleed” is a vulnerability in the OpenSSL cryptographic library that puts systems that use this library at risk.  OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols commonly used to protect data in transit, and it is the implementation behind many common network services: web servers, email servers, virtual private networks (VPN), instant messaging, and other applications.  Financial institutions may be using OpenSSL to cryptographically authenticate their servers to customers, and to protect passwords and other sensitive data from eavesdropping.

The vulnerability has existed in OpenSSL versions 1.0.1 through 1.0.1f since December 31, 2011, but it was not publicly disclosed until April 7 of this year; version 1.0.1g, released the same day, fixes it.  Because the leaked memory can include a server’s private key, session keys, and user credentials, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network communications that would otherwise be protected by encryption.  Furthermore, attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks.

FFIEC’s alert urges financial institutions to:

  • Ensure third-party vendors using OpenSSL on their systems are aware of the vulnerability and take appropriate mitigation steps;
  • Monitor the status of their vendors’ efforts;
  • Identify and upgrade vulnerable internal systems and services; and
  • Follow appropriate patch management practices and test to ensure a secure configuration.

FFIEC also suggests replacing private keys and X.509 certificates after applying patches.  Furthermore, the alert says financial institutions should assume current encryption keys for vulnerable servers are no longer viable, and that institutions should also strongly consider having users and administrators change passwords after applying the OpenSSL patch.  The order matters: patching stops further leaks but does not recover a key or password that was already taken, so new keys and passwords should only be put in place on patched systems, and the old certificates should be revoked rather than simply left to expire.
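The first FFIEC step above, identifying vulnerable internal systems, usually starts with an inventory of OpenSSL version banners.  The following Python script is an added example (not part of the FFIEC alert or the original post) that triages such an inventory by the affected version range.  The host names and the inventory records are constructed for illustration; the banners use the format that `openssl version` prints.  It also covers one case the post does not mention, the 1.0.2-beta1 prerelease, which was affected as well.

```python
import re
import ssl

# Heartbleed (CVE-2014-0160) is present in upstream OpenSSL 1.0.1 through 1.0.1f
# and was fixed in 1.0.1g (released 7 Apr 2014). The 1.0.0 and 0.9.8 branches
# never had the bug. The 1.0.2-beta1 prerelease had it; 1.0.2-beta2 did not.
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Matches the leading "OpenSSL 1.0.1e" (also "1.0.1e-fips") of a banner such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_banner(banner):
    """Return (major, minor, fix, letter) from an `openssl version` banner."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def classify(banner, vendor_backport_confirmed=False):
    """Triage one host by its OpenSSL banner.

    Returns one of:
      "not_affected" - branch never had the bug (1.0.0, 0.9.8, 1.0.2 final, ...)
      "fixed"        - 1.0.1g or later, or a vendor-backported fix confirmed
      "vulnerable"   - upstream 1.0.1 .. 1.0.1f (or 1.0.2-beta1), no backport confirmed

    Caveat: distribution packages (Debian, Ubuntu, RHEL) kept the "1.0.1e"
    string and the upstream release date in the banner after backporting the
    fix, so "vulnerable" here means "check the package changelog or probe the
    heartbeat", not proof. The date in the banner is the upstream release date,
    not a build date, so it cannot be used to detect a backport.
    """
    major, minor, fix, letter = parse_banner(banner)
    if (major, minor, fix) == (1, 0, 2):
        return "vulnerable" if "-beta1" in banner else "not_affected"
    if (major, minor, fix) != AFFECTED_BRANCH:
        return "not_affected"
    if letter > LAST_AFFECTED_LETTER or vendor_backport_confirmed:
        return "fixed"
    return "vulnerable"


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    {"host": "www.example-cu.test", "banner": "OpenSSL 1.0.1e 11 Feb 2013"},
    {"host": "vpn.example-cu.test", "banner": "OpenSSL 1.0.1g 7 Apr 2014"},
    {"host": "mail.example-cu.test", "banner": "OpenSSL 1.0.1e-fips 11 Feb 2013",
     "vendor_backport_confirmed": True},
    {"host": "legacy.example-cu.test", "banner": "OpenSSL 0.9.8y 5 Feb 2013"},
    {"host": "lb.example-cu.test", "banner": "OpenSSL 1.0.0k 5 Feb 2013"},
]


def audit(inventory):
    """Map each host name to its triage result."""
    return {
        rec["host"]: classify(rec["banner"], rec.get("vendor_backport_confirmed", False))
        for rec in inventory
    }


def hosts_needing_action(inventory):
    """Sorted list of hosts that must be patched (then re-keyed) or verified."""
    return sorted(h for h, status in audit(inventory).items() if status == "vulnerable")


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print("%-24s %s" % (host, status))
    # The interpreter's own linked OpenSSL is one more entry for the inventory.
    print("this interpreter (%s): %s" % (ssl.OPENSSL_VERSION, classify(ssl.OPENSSL_VERSION)))
```

A "vulnerable" result is the trigger for the rest of the FFIEC sequence: patch, then generate a new private key and certificate, revoke the old certificate, and only then have users change passwords, so that the new credentials are never handled by a leaking server.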

For more information on the “Heartbleed” vulnerability and how it works, visit Codenomicon’s webpage devoted to the vulnerability.  Three security engineers from Codenomicon, along with an individual from Google Security, were the discoverers of the vulnerability.  There is also a simplistic, yet fun, comic strip that explains the basics of “Heartbleed.”  Lastly, the FDIC put out a useful press release last week that lists several helpful resources for improving financial institutions' cyber security.

***

Free Kick.  With under two months left until the start of the World Cup, I thought that I would start my group previews.  Today, I’ll give a brief preview of Groups A and B, and future posts will preview the rest of the groups.

Group A: As the host country, Brasil was placed in Group A, and they received a pretty favorable draw.  Without a doubt, the host nation is the class of the group and I would be shocked if they don’t win all three of their group games.  Luiz Felipe Scolari’s greatest challenge will be keeping a very talented squad loose and ensuring that the pressure does not derail Neymar and Company.

After a bizarrely sluggish final qualifying phase, Miguel Herrera appears to have Mexico going in the right direction.  Croatia have a strong squad, but I think that the one-match suspension to Mario Mandzukic and the ten-game suspension (currently being appealed) to Josip Simunic may be just a little too much for them to overcome.  Cameroon will struggle in this group because of their lack of quality goal scorers beyond Samuel Eto’o.

Key Match: Mexico v. Croatia, June 23 (4:00 pm EDT).  The final group match for both teams will likely decide which team joins Brasil in the knock-out rounds.

Projected Finish: (1) Brasil; (2) Mexico; (3) Croatia; and (4) Cameroon.


Group B: The first of the three “Groups of Death” features both finalists from South Africa (Spain and the Netherlands), Chile, and Australia.  Let’s dispense with the obvious: Australia will struggle to get even a point out of this group.  Even though they are a bit more vulnerable than back in 2010, I still think that Spain is the favorite to top this group.  There is just too much depth and familiarity amongst the players for Spain to not have a positive showing at this tournament.

On paper, the Netherlands has more attacking options and a more solid core in midfield than Chile, but they may have the same problem that plagued them in Euro 2012: a lack of chemistry amongst their younger players.  As Alexis Sanchez goes, so will Chile.  If he is on, they will be a threat to make a run in this tournament.  While Chile caught fire at the end of qualifying, their occasional defensive lapses may end up costing them against the deadly attacking options possessed by Spain and the Netherlands.

Key Matches: Spain v. the Netherlands, June 13 (3:00 pm EDT); and Chile v. the Netherlands, June 23 (12:00 pm EDT)

Projected Finish: (1) Spain; (2) the Netherlands; (3) Chile; and (4) Australia