Heartbleed Bug: FFIEC Pens Recommendations
Financial institutions should monitor their third-party vendors to ensure they are progressing toward addressing any Heartbleed bug vulnerabilities, the Federal Financial Institutions Examination Council said Thursday.
The group of financial regulators, which includes the NCUA, released background on the bug, which puts websites protected by OpenSSL encryption at risk. OpenSSL is a popular open-source code library for implementing encryption in websites, e-mail servers, and applications and is used in common network services such as web servers, email servers, virtual private networks, instant messaging, and other applications, the FFIEC said.
Heartbleed could be used to access a server’s private cryptographic keys, compromising the security of the server and its users.
“An attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network communications that would otherwise be protected by encryption,” the FFIEC said in a release. “Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Potential attacks are made feasible by the public availability of exploitation tools.”
Although server software vendors are working to incorporate a patched version of OpenSSL into their systems, the FFIEC recommended that financial institutions take four steps, as appropriate.
First, institutions should ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps. Additionally, they should monitor the status of their vendors’ efforts.
Financial institutions should also identify and upgrade vulnerable internal systems and services, and follow appropriate patch management practices and test to ensure a secure configuration.
The regulatory group also said financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses the OpenSSL library.
Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch, the FFIEC also said.