A vulnerability known as Heartbleed (CVE-2014-0160) has been making the rounds as one of the most deeply concerning threats to information security in recent memory. Heartbleed is a flaw in OpenSSL's TLS heartbeat handling that lets an attacker read chunks of a vulnerable server's memory. That memory can contain private keys, session cookies and passwords, so the bug could give attackers what they need to bypass encryption, steal sensitive information, impersonate a site or tamper with network communications.
Because of the potential severity of Heartbleed, the Federal Financial Institutions Examination Council (FFIEC) has issued an alert to financial institutions. The regulators expect banks and credit unions to take the necessary precautions to protect themselves from the vulnerability. This includes installing patches on systems, services, applications and appliances that use OpenSSL, and upgrading affected systems as soon as possible. It is also a call for financial institutions to make sure their vendors are taking the appropriate steps. The FFIEC recommends banks:
- Ensure third party vendors that use OpenSSL are aware of the vulnerability and are taking the appropriate risk mitigation steps
- Monitor the status of their vendors’ efforts
- Identify and upgrade vulnerable internal systems and services
- Follow appropriate patch management practices and test to ensure a secure configuration
Read the FFIEC’s full alert here (PDF).
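The third FFIEC item, identifying vulnerable internal systems, comes down to checking which OpenSSL build each host runs. The script below is an added example written for this page; it is not code from Safe Systems, the FFIEC or the OpenSSL project. It classifies the first line of `openssl version` output (or a banner that contains the same string) against the upstream facts: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g and 1.0.2-beta2 fixed it, 0.9.8 and 1.0.0 never had the heartbeat extension, and a build compiled with `OPENSSL_NO_HEARTBEATS` is unaffected whatever its version. The tab-separated inventory format and the host names are assumptions made up for the example. The important caveat, carried in the verdict text, is that Linux distributions backported the fix without changing the version letter, so a "1.0.1e" that reports vulnerable here still has to be confirmed against the package changelog.

```python
"""Classify OpenSSL version strings for Heartbleed (CVE-2014-0160) exposure.

Example code for this article, not from Safe Systems, the FFIEC or OpenSSL.
Input is the first line of `openssl version` output or any banner that
contains an "OpenSSL x.y.z<letter>" string.
"""
import re
from dataclasses import dataclass

# "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014", ...
_VERSION_RE = re.compile(
    r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<fix>\d+)"
    r"(?P<patch>[a-z]*)(?:-(?P<pre>beta\d+|dev))?",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    version: str
    status: str   # "vulnerable", "not_vulnerable" or "unknown"
    reason: str


def classify_openssl_version(text: str, no_heartbeats: bool = False) -> Verdict:
    """Return a Verdict for the OpenSSL version named in `text`.

    `no_heartbeats` should be True when `openssl version -a` shows the build
    was compiled with -DOPENSSL_NO_HEARTBEATS (the heartbeat code is absent).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return Verdict(text.strip(), "unknown", "no OpenSSL version string found")
    major, minor, fix = (int(m.group(g)) for g in ("major", "minor", "fix"))
    patch = m.group("patch").lower()
    pre = (m.group("pre") or "").lower()
    version = f"{major}.{minor}.{fix}{patch}" + (f"-{pre}" if pre else "")

    if no_heartbeats:
        return Verdict(version, "not_vulnerable", "built with OPENSSL_NO_HEARTBEATS")
    if (major, minor, fix) < (1, 0, 1):
        # 0.9.8 and 1.0.0 predate the TLS heartbeat extension (added in 1.0.1).
        return Verdict(version, "not_vulnerable", "release predates the heartbeat extension")
    if (major, minor, fix) == (1, 0, 1):
        if patch <= "f":   # "" (plain 1.0.1) and a..f are affected
            return Verdict(
                version, "vulnerable",
                "upstream 1.0.1 through 1.0.1f are affected; a distribution may have "
                "backported the fix without changing the letter, so confirm the "
                "package changelog mentions CVE-2014-0160 before closing the finding",
            )
        return Verdict(version, "not_vulnerable", "1.0.1g and later contain the fix")
    if (major, minor, fix) == (1, 0, 2):
        if pre == "beta1":
            return Verdict(version, "vulnerable", "1.0.2-beta1 is affected; fixed in 1.0.2-beta2")
        if pre == "dev":
            return Verdict(version, "unknown", "development snapshot; check the source tree")
        return Verdict(version, "not_vulnerable", "1.0.2-beta2 and later contain the fix")
    return Verdict(version, "not_vulnerable", "release is newer than the fix")


# Constructed inventory: "host<TAB>first line of `openssl version`" per line.
SAMPLE_INVENTORY = [
    "web01\tOpenSSL 1.0.1e 11 Feb 2013",
    "web02\tOpenSSL 1.0.1g 7 Apr 2014",
    "vpn01\tOpenSSL 1.0.2-beta1 24 Feb 2014",
    "mail01\tOpenSSL 1.0.0l 6 Jan 2014",
    "legacy01\tOpenSSL 0.9.8y 5 Feb 2013",
    "appliance01\tGnuTLS 3.2.12",
]


def scan_inventory(lines):
    """Classify every host in a tab-separated inventory; returns (host, Verdict) pairs."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        results.append((host, classify_openssl_version(banner)))
    return results


def vulnerable_hosts(lines):
    """Hosts whose reported OpenSSL version is an affected upstream release."""
    return [host for host, verdict in scan_inventory(lines) if verdict.status == "vulnerable"]


if __name__ == "__main__":
    for host, verdict in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {verdict.version:14} {verdict.status:15} {verdict.reason}")
```

Run it over a real inventory by replacing SAMPLE_INVENTORY with the collected output of `openssl version` from each host; "unknown" entries (appliances, non-OpenSSL stacks) need a vendor statement rather than a version check.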
“For community banks this is really all about managing their outsourcers,” says Tom Hinkel, Safe Systems’ VP of compliance. “This includes E-banking and website providers, security service providers, technology providers, cloud providers, including email.”
After an in-depth analysis of every system relating to each of Safe Systems’ hosted and managed services (including but not limited to NetComply, SafeSysMail, and all of our websites), we have determined that no system was vulnerable to Heartbleed at any time. For financial institutions that use popular cloud-based providers, such as Dropbox, iCloud, OneDrive (formerly SkyDrive) or Google, it’s worth noting that some were affected and each has taken steps to fix the vulnerability.
Even though Safe Systems was never vulnerable to the bug, Hinkel suggests that those that share passwords among sites should change all passwords as a best practice. One of the most dangerous aspects of the bug is that the flawed code shipped in released versions of OpenSSL from March 2012 onward, and a successful read of server memory leaves nothing in ordinary server logs, so it is impossible to know what data has already been leaked from vulnerable systems.
“This simply reinforces established best practices, such as complex passwords with regular password changes and classifying data in order to understand what data is being stored and where,” Hinkel adds.
Bankers are advised to contact their other providers and establish where each service stands on Heartbleed remediation: whether OpenSSL has been patched, and whether any certificates and private keys that may have been exposed have been replaced, since a password changed on a service that is still vulnerable can simply be leaked again. Financial institutions should also be prepared to answer questions from customers concerned about the Heartbleed vulnerability, as the bug has earned the attention of national news.