Ransomware Defense: A Discussion with the Regulators
by Ray Bolton, CSRB Examiner, Supervision and Regulation, Federal Reserve Bank of Chicago; Chad Siegrist, Assistant Vice President, Supervision and Regulation, and Cybersecurity Analytic Support Team, Federal Reserve Bank of Cleveland; and Jason Tarnowski, Vice President, Supervision and Regulation, and Cybersecurity Analytic Support Team, Federal Reserve Bank of Cleveland
Ransomware is a type of malicious software that encrypts data, making it difficult for the owner of the data to access or recover it. Attackers demand a ransom to decrypt the data. Ransomware is one of the fastest-growing cyber risks faced by banks, and cyberattackers’ methods and tactics are constantly evolving. Community banks need to remain vigilant in understanding how their systems could be compromised and what controls and procedures are needed to effectively protect against and recover from an attack. Community banks should take steps to discuss and prepare for the eventuality of a ransomware attack that both disrupts services and renders critical data unusable.
The following are common industry practices to help banks defend against ransomware attacks. These practices are consistent with Federal Financial Institutions Examination Council (FFIEC) Information Security guidance.[1]
- Risk Management — A bank’s board of directors and management should investigate and assess the bank’s risk exposure to ransomware attacks, regularly assess and test controls against ransomware attack scenarios, and support the prompt remediation of any control issues identified.
- Awareness — All bank personnel should be made aware of the risk that ransomware poses to the bank and be trained on how to identify and report potential ransomware attempts.
- Inventory and Vulnerability Management — A bank should have processes in place to maintain an accurate and timely inventory of hardware, software, connections, and data assets and have programs in place that identify vulnerabilities in its operating environment. Processes should also be in place to track patching of a bank’s various banking systems and applications to address any potential vulnerabilities and to document risk acceptance of unremediated vulnerabilities.[2][3]
- Backup Architecture — Backup operations should be designed to protect backed-up data from threat actors. Options include air-gapped[4] backups, write once, read many (WORM)[5] storage, and other vendor-specific architectures.
- Configuration Management — Information systems should have consistent baseline configurations, including “hardening”[6] requirements, applied throughout their life cycles.[7] Hardening requirements should incorporate vendor documentation and industry best practices for specific technologies. Organizations should consistently manage changes affecting the baseline configuration, which involves a security impact analysis to determine whether any resulting changes to the attack surface put the organization at risk.
- Network Segmentation — To limit threat actor movement in the event that an intruder has established a foothold in a bank’s system, a bank should segment networks by functionality, sensitivity, or another relevant attribute.[8] A zero-trust system, in which data and resources are inaccessible by default and require user identity verification for each connection, is one option.
- Third-Party Risk Management — Banking organizations should identify risks associated with third-party relationships. A bank should communicate to each third party the bank’s expectations for preventing ransomware incidents and for reporting any potential ransomware attacks. Secure architecture should prevent ransomware from spreading into the bank’s environment from a third party.[9]
- Email-Based Protections — A bank’s email filtering process should identify and prevent malicious messages, especially those that may contain ransomware attack tools, from reaching end users.
While not exhaustive, these practices will help prepare for and reduce the impact of a ransomware event. However, no single practice or even set of practices can completely eliminate the risk and impact of a ransomware attack on a bank.
Information Technology (IT) Experts’ Perspectives
Several ransomware experts from the Federal Reserve Bank of Chicago were interviewed for this article — Colin Gavin, lead risk management specialist in System Cyber, Anthony Toins, senior CRSB examiner and IT risk specialist, and Ahmed Hussain, risk management specialist on the Service Provider Team. These experts provided their thoughts on industry practices and additional insight on ransomware from a regulatory perspective.
The industry practices that are outlined earlier are great ways for banks to reduce their risk and better prepare for a ransomware attack. What else can banks do?
Anthony: Despite the efforts of institutions to protect their networks, banks should assume that an attacker will penetrate their defenses. Threat actors are constantly changing their attack vectors and evolving their tactics and tools due to new vulnerabilities. Every institution should have a formal comprehensive incident plan, or a more specific ransomware playbook, to follow when an attacker is able to access its network. This includes steps bank management should follow with a managed security service provider (MSSP) and other third-party service providers (TSPs). Institutions should periodically test the plan and playbook with all relevant parties and share any lessons learned.
Colin: That’s a great point, Anthony, and as with any adverse situation that may negatively affect an organization, the ability to quickly return to normal is paramount. You have to be able to develop a path to normalcy that is proven and fits within the stated service-level agreements with your MSSP or TSP. If a bank does not have that type of mechanism in place, then I would recommend that it close this gap by developing backup or even isolation tactics if a particular endpoint starts transmitting known malicious signatures to other devices. You may adopt a proactive stance to block that system from the network until a proper investigation can be conducted.
Ahmed: Very true. Another growing ransomware risk area has been the proliferation of bank-owned mobile devices. Community bank executives are often provided with bank-owned mobile devices for various work-related activities and communications in which text-messaging features are employed. Now that users are more educated about email phishing, threat actors are using text-messaging to route ransomware into devices, as people tend to be less cognizant of the dangers on their mobile phones than on their computers. With the sudden rise of the remote work environment, threat actors are targeting mobile devices of bank employees, as these devices are often separated from the corporate network. I suggest managers at community banks employ strict security controls on these bank-issued mobile devices, for example, lists of banned applications, download blocking, and feature controls including remote device lock, erasure, port control, and camera and video access.
How would you say preparing for or mitigating ransomware risk is different for community banks compared with larger institutions?
Colin: I think it really depends on the bank’s strategy. A proactive approach for training and preparing staff for when an attack hits — and not if an attack will take place — will always be the preferential option. The goal remains the same if you are a community banking organization versus a large or foreign banking organization. How quickly can you return to normal? Everyone in the organization should be trained on what to do before and after an attack takes place. Tabletop exercises should be conducted to identify and close any gaps in the incident response plan of a ransomware attack.
Anthony: I agree with Colin. No amount of resources can keep a determined attacker out of your network. Community banks do have the benefit of having a smaller inventory of assets to manage, which reduces attack surfaces; however, the more banks allow employees to use personal devices for business, the more attack surfaces are introduced into the environment. Besides having an effective cyber awareness program, organizations should test and update their response plan. This includes periodically testing the movement of backup data into the production environment. Don’t forget to back up and air-gap the network, hardware, and application configurations. They also should be periodically updated and tested.
Ahmed: Compared with larger banks, community banks are also more reliant on vendor-provided services to run critical functions. Management should consider the cyber hygiene[10] practices of MSSPs and TSPs, as they are certainly an attack vector. Community banks should also proactively review and audit access privileges given to the employees at MSSPs and TSPs and should even consider fourth-party risk management practices when reasonable.
Has any new guidance been issued recently that community banks should know?
Ahmed: As far as guidance, earlier in 2022, the Federal Reserve and the federal banking agencies issued a joint final rule on computer-security incident notification requirements for banking organizations and their bank service providers.[11] This rule is intended to improve the sharing of information about cyber incidents to help promote early awareness of emerging threats and help agencies react to them. Be sure to read through Supervision and Regulation (SR) letter 22-4/Consumer Affairs (CA) letter 22-3 to familiarize yourself with the timing requirements for reporting a security incident to your regulator, as well as the appropriate communication channels.[12] SR letter 21-14 is another recent guidance issuance that reinforces the need for banks to effectively authenticate users and customers to protect information systems, accounts, and data.[13] If you’ve ever wondered about the regulatory view on multifactor authentication (MFA), this is a good place to start. The FFIEC also recently published an updated Architecture, Infrastructure, and Operations (AIO) booklet of its Information Technology Examination Handbook.[14] This new booklet replaces the previous Operations booklet, and, while it does not impose any requirements on banks, it’s a good way for bank management to become familiar with prudent AIO functions.
Colin: While they’re not new nor guidance for that matter, the Ransomware Self-Assessment Tool (RSAT) and the FFIEC Cybersecurity Assessment Tool (CAT) could be a good place for banks to start.[15][16] I would also suggest that a bank set up a process for receiving notifications from organizations such as the Cybersecurity and Infrastructure Security Agency (CISA) or the Financial Services Information Sharing and Analysis Center (FS-ISAC). These organizations can provide banks with information on new and emerging threats and implications for bank security programs. There are multiple organizations, such as the SysAdmin, Audit, Network, and Security (SANS) Institute, that send notifications pertaining to recent threats. Information captured within these missives might help a bank bolster its internal control environment.
Anthony: As Colin mentioned, CISA has many resources available to organizations to help them assess themselves and better prepare for a cyberattack. The New York Department of Financial Services (NYDFS) also recently provided ransomware guidance that lists a number of good practices that a bank can take to prevent and prepare for an incident.[17] Many other third parties also have resources, guidance, and tactics to help organizations better defend against and prepare for a cyberattack. Managers should select the proven tactic or practice that works best for their organization. What’s important is that organizations need to stay informed. They need to track their data and system assets and identify their vulnerabilities, be aware of new cyber threats, and enforce good cyber hygiene practices. Threat actors are always looking for weaknesses in perimeter defenses and new tactics to deploy their attacks.
Do you have any words of warning or some common practices you may have seen that banks should avoid?
Colin: Years ago, I would hear management proclaim that they did not think the bad actors would come after them due to their size. Over the years we now see the flaw in that type of thought process. Everyone is a target. In fact, some bad actors specifically come after smaller institutions based on the belief that their internal controls will not be as robust as those of a larger institution. You have to assume that cyberattackers are knocking on your front door.
Anthony: Absolutely, banks are only as strong as their weakest link, and everyone is a target. There are plenty of improper practices management should avoid to better prepare. Among banks with weak security culture and awareness, I see:
- inadequate patching of vulnerabilities or mitigating risks from technology in a timely manner;
- inconsistent reviews of vulnerabilities and the risks posed to the bank; and
- a lack of resources dedicated to the development and implementation of a strong cyber awareness program.
Finally, you should never assume your cyber insurance will cover your losses. A bank should be aware of insurance policy provisions that require a bank to adopt certain cyber hygiene practices and to implement adequate controls. Controls such as MFA[18] may be required.
Ahmed: I’ll also add that it’s important to avoid taking a lax approach that allows employees to use their own devices to conduct bank business. The use of personal devices is common among community banks and introduces various risks to the organization, particularly when these practices are not properly managed. Ransomware can easily pass into a bank’s network when an employee logs in to the network with a personal device that is carrying hidden ransomware code. Therefore, I’d suggest management consider restricting personally owned devices on the bank network to reduce this risk. I also encounter many instances in which web access management is taken lightly or not properly configured. Weak management of employees’ web access can allow ransomware to spread by employees unknowingly visiting an infected website. A proper web filtering program can provide protection against this type of ransomware risk, and I’d recommend that community bank IT teams use appropriate security products to block access to known ransomware sites.
Ransomware attacks are growing at an alarming pace. They can jeopardize the safety and soundness of banks and can place extreme emotional stress on the employees of a compromised bank. However, the practices and approaches discussed in this article can help bank management prepare for an attack and regain some peace of mind. For more information on this topic and additional helpful guidance, reference the articles and online resources provided throughout this issue of Community Banking Connections.
- [1] FFIEC IT Handbook InfoBase, available at https://ithandbook.ffiec.gov/.
- [2] FFIEC Information Technology Examination Handbook, Information Security, “II.A.2 Vulnerabilities,” September 2016, available at https://ithandbook.ffiec.gov/it-booklets/information-security/ii-information-security-program-management/iia-risk-identification/iia2-vulnerabilities.aspx.
- [3] FFIEC Information Technology Examination Handbook, Information Security, “IV.A.2(c) Vulnerability Assessments,” September 2016, available at https://ithandbook.ffiec.gov/it-booklets/information-security/iv-information-security-program-effectiveness/iva-assurance-and-testing/iva2-types-of-tests-and-evaluations/iva2(c)-vulnerability-assessments.aspx.
- [4] An air gap is a security measure in which a copy of the backup is stored off the network in a completely separate physical location in order to allow the bank to restore data quickly in the event the network backups are compromised.
- [5] WORM is a data storage technology that allows data to be written to a storage medium only once but read many times. This prevents the data from being erased or modified.
- [6] In computer security, hardening refers to the process of reducing the available ways of attack, or surface of vulnerability. Common examples are changing default passwords and removing unnecessary software.
- [7] FFIEC Information Technology Examination Handbook, Information Security, “II.C.10 Change Management Within the IT Environment,” September 2016, available at https://ithandbook.ffiec.gov/it-booklets/information-security/ii-information-security-program-management/iic-risk-mitigation/iic10-change-management-within-the-it-environment.aspx.
- [8] FFIEC Information Technology Examination Handbook, Information Security, “II.C.9 Network Controls,” September 2016, available at https://ithandbook.ffiec.gov/it-booklets/information-security/ii-information-security-program-management/iic-risk-mitigation/iic9-network-controls.aspx.
- [9] FFIEC Information Technology Examination Handbook, Information Security, “II.C.20 Oversight of Third-Party Service Providers,” September 2016, available at https://ithandbook.ffiec.gov/it-booklets/information-security/ii-information-security-program-management/iic-risk-mitigation/iic20-oversight-of-third-party-service-providers.aspx.
- [10] Cyber hygiene refers to the practices and steps taken to maintain the health and security of computer users, devices, networks, and data.
- [11] The joint final rule, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” is available at www.federalreserve.gov/newsevents/pressreleases/files/bcreg20211118a1.pdf.
- [12] SR letter 22-4/CA letter 22-3, “Contact Information in Relation to Computer-Security Incident Notification Requirements,” is available at www.federalreserve.gov/supervisionreg/srletters/SR2204.htm.
- [13] SR letter 21-14, “Authentication and Access to Financial Institution Services and Systems,” is available at www.federalreserve.gov/supervisionreg/srletters/sr2114.htm.
- [14] The AIO booklet of the FFIEC Information Technology Examination Handbook is available at https://ithandbook.ffiec.gov/media/402799/ffiec_itbooklet_aio.pdf.
- [15] Access the RSAT at www.csbs.org/ransomware-self-assessment-tool.
- [16] The CAT is available at www.ffiec.gov/cyberassessmenttool.htm.
- [17] The NYDFS industry letter on ransomware guidance is available at www.dfs.ny.gov/industry_guidance/industry_letters/il20210630_ransomware_guidance.
- [18] MFA requires the user to present two or more forms of evidence before being granted access. These include something the user knows (such as a password), something the user has (such as a physical token), and something the user is (such as a fingerprint).