FFIEC warns banks to address Heartbleed Bug

The Heartbleed Bug has made sensitive information vulnerable since December 2011.

As another testament to the need for prevention, response and notification measures related to information security and cyberattacks, the Federal Financial Institutions Examination Council released an alert to financial institutions to respond to vulnerabilities caused by the Heartbleed Bug.

Information security is currently a hot-button issue, as the breaches of customer information at Target Corp., Neiman Marcus Group and other retailers have sparked discussion about how these breaches should be handled. The Heartbleed Bug appears as the newest concern, with website administrators for services across many industries working to respond to the vulnerability.

What is the Heartbleed Bug?
According to the FFIEC alert, Heartbleed is "a security vulnerability in the OpenSSL cryptographic library that may put systems that use this encryption method at risk."

"OpenSSL is a popular open-source code library for implementing encryption in websites, e-mail servers, and applications and is used in common network services such as web servers, email servers, virtual private networks (VPN), instant messaging, and other applications," the alert said. "Financial institutions may use OpenSSL to cryptographically authenticate their servers to customers, and to protect passwords and other sensitive data from eavesdropping."

Many websites utilize OpenSSL for encryption, including social networking sites like Facebook and Twitter as well as email service providers such as Google and Yahoo. Through this vulnerability, attackers can gain access to a wide array of information. Customer account information such as passwords, login credentials and credit card numbers may all have been accessed by unauthorized users.

A report from Mashable noted that many sites that use OpenSSL have already begun to patch the vulnerability, although significant breaches may have already occurred, as Heartbleed has existed since December 31, 2011. The British news website even included a list of popular sites to update consumers on whether their information may have been compromised. Numerous major financial institutions were listed, though Mashable reported that none issued alerts for customers to change their account information.

The extensive risks of Heartbleed
The FFIEC detailed the risk associated with Heartbleed in depth.

"The vulnerability could allow an attacker to potentially access a server's private cryptographic keys compromising the security of the server and its users," the alert said. "An attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network communications that would otherwise be protected by encryption."

As a result, cyber criminals have the means to commit fraud by impersonating users and bank services. The FFIEC noted that exploiting the vulnerability would not be complicated due to "the public availability of exploitation tools."

Responding to the threat
Given the length of time that Heartbleed has gone unchecked - having only been discovered April 7 - financial institutions have been warned to address the vulnerability immediately. The FFIEC said that server software vendors are currently working to patch OpenSSL. However, financial institutions should take the recommended steps to ensure that their own information, as well as their customers' data, is secure.

If a third-party vendor uses OpenSSL, it should be contacted to ascertain whether the vulnerability has been identified and what steps the vendor is taking to patch Heartbleed. Additionally, financial institutions should check often on the progress of those patch efforts and upgrade their own internal systems and services to safeguard against cyberattacks. The latter includes appropriate patch management practices, as outlined in the FFIEC IT Examination Handbooks, such as Development and Acquisition; Information Security; and Operations.

The regulatory council also suggested that financial institutions replace private keys and X.509 encryption certificates after patching the OpenSSL vulnerability. These keys may no longer be sufficient for protecting sensitive information. For this reason, both users and administrators should change their passwords after the patch is applied.
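One way to track the steps the alert lists (vendor contact, patching, then key/certificate and password rotation after the patch) across a server inventory, as an added example that is not part of the FFIEC alert or this article. The host record schema and the inventory are constructed for illustration; the affected OpenSSL range (1.0.1 through 1.0.1f, fixed in 1.0.1g) comes from the OpenSSL advisory, not from this page.

```python
import re
from datetime import date

# Affected OpenSSL releases are 1.0.1 through 1.0.1f; 1.0.1g carried the fix,
# and the 1.0.0 / 0.9.8 branches never contained the Heartbeat bug.
_AFFECTED = re.compile(r"^1\.0\.1[a-f]?$")

def openssl_affected(version: str) -> bool:
    """True if an OpenSSL version string falls in the affected 1.0.1..1.0.1f range."""
    return _AFFECTED.match(version.strip()) is not None

def outstanding_actions(host: dict) -> list:
    """Remediation steps still open for one host record (constructed schema:
    openssl_version, vendor, vendor_confirmed, patched_on, cert_issued, passwords_reset)."""
    actions = []
    if host.get("vendor") and not host.get("vendor_confirmed"):
        actions.append("contact vendor for patch status")
    if openssl_affected(host["openssl_version"]):
        actions.append("patch OpenSSL to 1.0.1g or later")
        return actions            # rotation only counts once the server is patched
    patched_on = host.get("patched_on")
    if patched_on is None:
        return actions            # never ran an affected build: nothing to rotate
    # Keys, certificates and passwords rotated before (or on) the patch date were
    # handled while the server could still leak memory, so they do not clear the step.
    if not (host.get("cert_issued") and host["cert_issued"] > patched_on):
        actions.append("replace private key and X.509 certificate after patching")
    if not (host.get("passwords_reset") and host["passwords_reset"] > patched_on):
        actions.append("reset user and administrator passwords after patching")
    return actions

# Constructed inventory: an unpatched in-house host, a vendor host that rotated its
# certificate a day before it was patched, and a host on an unaffected branch.
INVENTORY = {
    "web-1": {"openssl_version": "1.0.1e", "vendor": None, "patched_on": None,
              "cert_issued": date(2013, 6, 1), "passwords_reset": None},
    "vpn-1": {"openssl_version": "1.0.1g", "vendor": "ExampleVendor", "vendor_confirmed": False,
              "patched_on": date(2014, 4, 9), "cert_issued": date(2014, 4, 8),
              "passwords_reset": date(2014, 4, 10)},
    "mail-1": {"openssl_version": "1.0.0l", "vendor": None, "patched_on": None,
               "cert_issued": date(2013, 1, 1), "passwords_reset": None},
}

def report(inventory=INVENTORY) -> dict:
    """Map each host name to its outstanding remediation steps."""
    return {name: outstanding_actions(rec) for name, rec in inventory.items()}

if __name__ == "__main__":
    for name, steps in report().items():
        print(name, "->", steps or ["no action outstanding"])
```

Note that vpn-1 still shows the certificate step open even though it has a new certificate: the replacement was issued before the patch, so its key may have been generated on a server that could still leak memory.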