FFIEC Checklist – Destructive Malware and Cyber Attacks

The FFIEC (Federal Financial Institutions Examination Council) released two statements on two critical threats: destructive malware, and cyber attacks that compromise credentials. The statements do not establish new guidance or regulatory expectations; they do, however, identify specific controls that mitigate the risks posed by malware and credential-stealing attacks.

The risk mitigation recommendations are nearly identical in the two documents; the destructive malware statement includes two additional bullet points.

I highly recommend reading the risk mitigation recommendations in full: the documents are a quick read and packed with useful information. For this discussion I will focus on the recommendations themselves, which I have converted from the two statements into the following checklist.

1. Securely configure systems and services

  1. ___ Segment your network logically (to contain malware that gets in)
  2. ___ Segment your primary network physically from unsecured LANs and the public Internet
  3. ___ Back up data to a separate physical form of media
  4. ___ Maintain an inventory of hardware and software (you can’t manage what you don’t know)
  5. ___ Implement consistent system hardening procedures to all systems (remove unnecessary services, user accounts, applications, etc.)

2. Review, update and test incident response and business continuity plans

  1. ___ Conduct business continuity and incident response plan testing (e.g., cyber attack simulation)
  2. ___ Include your third-party processors in your testing
  3. ___ Train employees on their responsibilities

3. Conduct ongoing information security risk assessments

  1. ___ Perform regular risk assessments on systems that your customers can access and adjust authentication techniques and controls as needed
  2. ___ Perform regular risk assessments on your internal network, systems and applications
  3. ___ Verify that your third-party processors are conducting risk assessments, applying appropriate controls and testing those controls
  4. ___ Confirm that your third-party processors are contractually obligated to notify you of security incidents

4. Perform security monitoring, prevention and risk mitigation

  1. ___ Ensure that your firewall and IDS are configured properly and are monitored appropriately 24×7
  2. ___ Monitor your servers, workstations, devices and network activity and configure reporting systems to alert for anomalies
  3. ___ Review security controls for all applications developed internally
  4. ___ Perform thorough due diligence reviews of third-party processors
  5. ___ Conduct vulnerability scans and penetration tests on your internal and external network
  6. ___ Resolve any vulnerabilities identified during the scans in a timely manner
  7. ___ Regularly review all reports from monitoring systems
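Item 2 above asks for monitoring that alerts on anomalies, and item 7 for regular review of what the monitors produce. The following is an added example, not code from the FFIEC statements or from the original post, of one such detection run over a handful of constructed log lines: a burst of failed logons for one account from one source address, with a note of whether a successful logon followed the burst. The log format, the five-failures-in-five-minutes threshold and the sample entries are all assumptions chosen for illustration.

```python
"""Added example (not from the FFIEC statements or the original post):
flag a burst of failed logons for one (user, source) pair and note whether a
later successful logon followed it. Log format and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines (not real data). jsmith: five failures in six
# seconds followed by a success; mlee: two failures 25 minutes apart.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:00:03 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:00:04 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:00:06 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:00:07 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:00:09 OK user=jsmith src=203.0.113.7
2024-05-01T09:15:00 FAIL user=mlee src=198.51.100.5
2024-05-01T09:40:00 FAIL user=mlee src=198.51.100.5
2024-05-01T10:00:00 OK user=alopez src=192.0.2.10
"""


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the assumed format (they are skipped rather than miscounted)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (user, src) pair that has at least `threshold`
    FAIL events inside any sliding window of length `window`. Each alert
    records whether a successful logon from the same pair followed the
    burst, which is the case a responder most wants to see first."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    fails = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        key = (e["user"], e["src"])
        (fails if e["result"] == "FAIL" else successes)[key].append(e["ts"])

    alerts = []
    for key, times in fails.items():
        # Sliding window: for each failure, count failures within [t, t+window].
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                followed = any(s > burst_end for s in successes.get(key, []))
                alerts.append({
                    "user": key[0],
                    "src": key[1],
                    "failures": j - i,
                    "start": start,
                    "success_after_burst": followed,
                })
                break  # one alert per (user, src) is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Only the jsmith burst trips the threshold; mlee's two failures are too far apart. In production the same logic would read from the authentication log of the system in question and feed the alert into whatever the checklist's "reporting systems" are, but the decision it makes is the one shown here.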

5. Protect against unauthorized access

  1. ___ Users with administrative access to your network and other systems and applications should only be employees specifically requiring that type of elevated access
  2. ___ User lists and access rights should be reviewed periodically to ensure all users require access and that access rights are appropriate for each user’s job function
  3. ___ Implement authentication controls such as time-of-day and geolocation restrictions and multifactor authentication (especially on web-based applications)
  4. ___ Review access periodically for your vendors and contractors
  5. ___ Ensure users do not have local administrative rights on workstations
  6. ___ Change default passwords for system accounts
  7. ___ Prevent systems you do not control (personal computers and mobile devices) from connecting to your internal network
  8. ___ Implement monitoring controls to detect unauthorized devices on your internal network
  9. ___ Utilize secure connections when connecting to the internal network, systems or applications via remote access
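Item 8 above (detect unauthorized devices) only works if you have item 4 of the first section (a hardware inventory) to compare against. The following is an added example, not code from the FFIEC statements or from the original post, that reconciles a constructed authorized inventory against a constructed snapshot of the hosts actually seen on a segment, in the shape of Linux `ip neigh` output. The inventory layout, the sample addresses and the asset names are assumptions for illustration.

```python
"""Added example (not from the FFIEC statements or the original post):
reconcile an authorized hardware inventory against the devices actually
observed on the network so that unknown devices raise an alert. The
inventory layout and the neighbour-table sample are constructed."""
import re

# Constructed inventory: MAC -> (asset name, owner). Assumed to be maintained
# by whatever asset-management process the checklist's item 1.4 refers to.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": ("wks-teller-01", "branch ops"),
    "00:1a:2b:3c:4d:5f": ("wks-teller-02", "branch ops"),
    "00:50:56:ab:cd:ef": ("srv-core-db", "IT"),
}

# Constructed observation in the shape of `ip neigh` output. The second entry
# uses upper-case hex on purpose; the last has no MAC at all.
OBSERVED = """\
10.10.1.21 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.10.1.22 dev eth0 lladdr 00:1A:2B:3C:4D:5F STALE
10.10.1.50 dev eth0 lladdr 00:50:56:ab:cd:ef REACHABLE
10.10.1.77 dev eth0 lladdr a4:5e:60:11:22:33 REACHABLE
10.10.1.1 dev eth0 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<iface>\S+) lladdr (?P<mac>[0-9A-Fa-f:]{17})"
)


def normalize_mac(mac):
    """Canonical form (lower-case, colon separated) so that 00:1A:... and
    00-1a-... compare equal to the inventory entry."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_neighbors(text):
    """Map each observed MAC to the IP it was seen with. Entries with no
    lladdr (FAILED / INCOMPLETE) carry nothing to check and are skipped."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            seen[normalize_mac(m.group("mac"))] = m.group("ip")
    return seen


def reconcile(inventory, observed_text):
    """Return (unauthorized, missing):
    unauthorized -- MACs seen on the wire that are not in the inventory
    missing      -- inventory MACs not seen in this snapshot (stale inventory,
                    or an asset that has been removed without being recorded)"""
    inv = {normalize_mac(mac): asset for mac, asset in inventory.items()}
    seen = parse_neighbors(observed_text)
    unauthorized = {mac: ip for mac, ip in seen.items() if mac not in inv}
    missing = {mac: inv[mac] for mac in inv if mac not in seen}
    return unauthorized, missing


if __name__ == "__main__":
    unknown, absent = reconcile(INVENTORY, OBSERVED)
    for mac, ip in unknown.items():
        print(f"ALERT unauthorized device {mac} at {ip}")
    for mac, (name, owner) in absent.items():
        print(f"NOTE inventory asset {name} ({owner}, {mac}) not seen")
```

A MAC address is trivially spoofed, so this is a detective control: it catches the casual personal laptop and the forgotten test box, and it tells you when the inventory itself has drifted. The preventive counterpart for item 7 is port-based network access control (802.1X), which refuses the connection rather than reporting it afterwards.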

6. Implement and test controls around critical systems regularly

  1. ___ Implement appropriate account lockout settings on all systems so that users are locked out after a certain number of invalid password attempts
  2. ___ Implement alerts to notify appropriate personnel of changes on critical systems
  3. ___ Test the effectiveness and adequacy of controls (e.g., access control, segregation of duties, audit, monitoring systems and fraud detection) periodically and report results to upper management
  4. ___ Encrypt data in transit and, where appropriate, at rest
  5. ___ Apply password parameters controls to all systems (e.g., maximum password age, complexity, password history and minimum length)
  6. ___ Assess the process of password recovery
  7. ___ Regularly test web application firewalls
  8. ___ Ensure appropriate destruction and disposal procedures exist for media containing sensitive information
  9. ___ Use web content filtering to block access to a list of predefined web sites (or categories) and, where appropriate, use whitelisting so that only a list of predefined web sites (or categories) is reachable
  10. ___ Ensure critical data is backed up and stored offline

7. Enhance information security awareness and training programs

  1. ___ Train your employees and board members
  2. ___ Training should be ongoing and NOT a one-time event

8. Participate in industry information-sharing forums

  1. ___ Share information with other financial institutions (FIs) and third-party processors
  2. ___ Use the information received to improve current cybersecurity strategies
  3. ___ Consider information sharing resources such as FS-ISAC and US-CERT