BankInfoSecurity.com

Federal Reserve Breach: What Happened?

Experts Say Attack Offers Lessons for Institutions

By Tracy Kitten, February 7, 2013. Follow Tracy @FraudBlogger

The Federal Reserve confirms it's been breached - an attack that experts say signals to banking institutions and their vendors a heightened urgency to implement security best practices, including the encryption of passwords.

The hacktivist group Anonymous, which is taking credit for the Feb. 3 attack, claims it breached systems connected to the Fed and subsequently exposed sensitive credentials, including logins and passwords, as well as other private details, such as mobile numbers, for more than 4,000 U.S. bankers.

The attack against the Fed is an eye-opening reminder that credentials should never be stored in an online-accessible database, says Edy Almer, vice president of hardware security and encryption provider Wave Systems Corp. Instead, those logins and passwords should be stored on hardware that's not linked to the Web and that can only be accessed through machine-level authentication, he contends.

Tech Challenges

One security executive with a global financial services company, who asked not to be named, says banking institutions are embracing the need for stronger security surrounding online and network credentials. The problem is database redundancies.

"Technology gets in the way," the executive says. "Unless an organization has made strong efforts to centralize credentials, they will be scattered across various systems. And there are no truly standardized ways of protecting and managing credentials. There's a lot of poor advice going around, especially when it comes to best practices for password management."

But it's impossible to keep all attackers out, the executive acknowledges. "My take is that there are ways into practically every system, either through technical flaws or simply by compromising people," the executive says. "Defenses against such attacks need to be much more holistic, understanding motivations, means and opportunities."

From a risk management point of view, organizations have to accept the fact that despite all of their security efforts, the risk of data compromise remains high, says Rodney Joffe, a senior technologist at cybersecurity provider Neustar Inc.

"It is impossible to defend against everything," Joffe says. Regarding the Feb. 3 attack, he adds: "I don't think it points out a weakness in the way the Federal Reserve secures its systems. There's not really anything they can do to stop these attacks in the modern world. And this is the reality that security officers are now embracing."

Temporary Vulnerability?

The Fed acknowledges the attack, but has not confirmed who was behind it. "The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product," a Fed spokesman told BankInfoSecurity on Feb. 7. "The exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve System."

The weakness in the vendor product is likely a zero-day vulnerability, Joffe says. "It's a software design flaw, and until the manufacturer provides a fix, there's really nothing the Fed or any other organization can do. We have these types of issues in software all the time." And it takes time to identify the vulnerabilities and deploy patches in ways that don't create new vulnerabilities and risks, he adds.

Attackers often exploit those vulnerabilities before organizations have time to respond, Joffe says. For example, an organization might take several weeks to install a patch and implement it across systems.

"It's a really, really tough world," Joffe says. "Now the industry is not focused on stopping hacks, because that's not possible, but on trying to get early warning that an attack has occurred. So we are watching the bad guys to see what moves they are making. And that's the approach that's most effective."

Authentication and Encryption

But online security experts say organizations still must adhere to best practices and ensure that they and the vendors with which they work implement strong encryption and authentication to protect sensitive data.

If the Fed database that was attacked was storing passwords in the clear, the compromise could have been prevented with stronger encryption - a well-accepted best practice, Almer says.
