Federal Reserve Breach: What Happened?
Experts Say Attack Offers Lessons for Institutions
The Federal Reserve confirms it's been breached - an attack that experts say signals to banking institutions and their vendors a heightened urgency to implement security best practices, including the encryption of passwords.
The hacktivist group Anonymous, which is taking credit for the Feb. 3 attack, claims it breached systems connected to the Fed and subsequently exposed sensitive credentials, including logins and passwords, as well as other private details, such as mobile numbers, for more than 4,000 U.S. bankers.
The attack against the Fed is an eye-opening reminder that credentials should never be stored in an online-accessible database, says Edy Almer, vice president of hardware security and encryption provider Wave Systems Corp. Instead, those logins and passwords should be stored on hardware that's not linked to the Web and that can only be accessed through machine-level authentication, he contends.
Tech Challenges
One security executive with a global financial services company, who asked not to be named, says banking institutions are embracing the need for stronger security surrounding online and network credentials. The problem is database redundancies.
"Technology gets in the way," the executive says. "Unless an organization has made strong efforts to centralize credentials, they will be scattered across various systems. And there are no truly standardized ways of protecting and managing credentials. There's a lot of poor advice going around, especially when it comes to best practices for password management."
But it's impossible to keep all attackers out, the executive acknowledges. "My take is that there are ways into practically every system, either through technical flaws or simply by compromising people," the executive says. "Defenses against such attacks need to be much more holistic, understanding motivations, means and opportunities."
From a risk management point of view, organizations have to accept the fact that despite all of their security efforts, the risk of data compromise remains high, says Rodney Joffe, a senior technologist at cybersecurity provider Neustar Inc.
"It is impossible to defend against everything," Joffe says. Regarding the Feb. 3 attack, he adds: "I don't think it points out a weakness in the way the Federal Reserve secures its systems. There's not really anything they can do to stop these attacks in the modern world. And this is the reality that security officers are now embracing."
Temporary Vulnerability?
The Fed acknowledges the attack, but has not confirmed who was behind it. "The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product," a Fed spokesman told BankInfoSecurity on Feb. 7. "The exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve System."
The weakness in the vendor product is likely a zero-day vulnerability, Joffe says. "It's a software design flaw, and until the manufacturer provides a fix, there's really nothing the Fed or any other organization can do. We have these types of issues in software all the time." And it takes time to identify the vulnerabilities and deploy patches in ways that don't create new vulnerabilities and risks, he adds.
Attackers often exploit those vulnerabilities before organizations have time to respond, Joffe says. For example, an organization might take several weeks to install a patch and implement it across systems.
"It's a really, really tough world," Joffe says. "Now the industry is not focused on stopping hacks, because that's not possible, but on trying to get early warning that an attack has occurred. So we are watching the bad guys to see what moves they are making. And that's the approach that's most effective."
Authentication and Encryption
But online security experts say organizations still must adhere to best practices and ensure that they and the vendors with which they work implement strong encryption and authentication to protect sensitive data.
If the Fed database that was attacked was storing passwords in the clear, the compromise could have been prevented with stronger encryption - a well-accepted best practice, Almer says.
Follow Tracy Kitten on Twitter: @FraudBlogger