Financial institutions should monitor their third-party vendors to ensure they are progressing toward addressing any Heartbleed bug vulnerabilities, the Federal Financial Institutions Examination Council said Thursday.

The group of financial regulators, which includes the NCUA, released background on the bug, which puts websites protected by OpenSSL encryption at risk. OpenSSL is a popular open-source code library for implementing encryption in websites, e-mail servers, and applications, and it is used in common network services such as web servers, e-mail servers, virtual private networks, instant messaging, and other applications, the FFIEC said.

Heartbleed could be used to access a server's private cryptographic keys, compromising the security of the server and its users.

“An attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network communications that would otherwise be protected by encryption,” the FFIEC said in a release. “Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Potential attacks are made feasible by the public availability of exploitation tools.”

Although server software vendors are working to incorporate a patched version of OpenSSL into their systems, the FFIEC recommended that financial institutions take four steps, as appropriate.

First, institutions should ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps. Additionally, they should monitor the status of their vendors' efforts.

Financial institutions should also identify and upgrade vulnerable internal systems and services, and follow appropriate patch management practices and test to ensure a secure configuration.

The regulatory group also said financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses the OpenSSL library.

Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch, the FFIEC also said.
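As an added illustration of the four steps above (example code, not the FFIEC's or the article's), the Python script below triages a constructed service inventory against them. It assumes each inventory row records the OpenSSL version found in the initial sweep, the NotBefore date of the certificate being served, the date a fixed build went live, and whether passwords have been rotated; the affected version range (1.0.1 through 1.0.1f, and 1.0.2-beta1) is the one OpenSSL published, and the version check is only a triage signal because distributions often backport the fix while keeping the old upstream version string.

```python
"""
Triage an OpenSSL service inventory against the four FFIEC Heartbleed steps:
vendor follow-up, upgrade, key/certificate replacement, password rotation.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Publicly documented affected range: OpenSSL 1.0.1 through 1.0.1f, plus
# 1.0.2-beta1. 1.0.1g is the first fixed 1.0.1 release; the 1.0.0 and 0.9.8
# branches never contained the heartbeat code.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def is_heartbleed_vulnerable(version: str) -> bool:
    """Return True if an upstream OpenSSL version string is in the affected range.

    Caveat: distributions often backport the fix while keeping the old upstream
    version string, so treat a True result as a prompt to confirm against the
    vendor's patch notes, not as proof of exposure.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"   # "" (plain 1.0.1) through "f" affected, "g" and later fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"     # 1.0.2-beta1 affected, beta2 fixed
    return False


@dataclass
class Service:
    name: str
    owner: str                  # "internal" or the third-party vendor's name
    version_found: str          # OpenSSL version seen in the initial inventory sweep
    cert_not_before: date       # NotBefore of the certificate currently served
    patched_on: Optional[date]  # date a fixed build went live, None if still pending
    passwords_rotated: bool     # have users and administrators changed passwords?


# One action per FFIEC step; an empty list means nothing is outstanding.
VENDOR_FOLLOWUP = "confirm vendor is aware and track its remediation status"
UPGRADE = "upgrade to a fixed OpenSSL build, then test the configuration"
REISSUE_CERT = "replace the private key and reissue the X.509 certificate"
ROTATE_PASSWORDS = "require users and administrators to change passwords"


def remediation_actions(svc: Service) -> List[str]:
    """Map one inventory row to the FFIEC steps that still apply to it."""
    if not is_heartbleed_vulnerable(svc.version_found):
        return []
    if svc.patched_on is None:
        # Steps 1 and 2: rotating keys or passwords before a fixed build is
        # running is pointless, since the new secrets could leak the same way.
        return [VENDOR_FOLLOWUP if svc.owner != "internal" else UPGRADE]
    actions = []
    # Step 3: a certificate issued on or before the patch date was served by a
    # vulnerable process, so its private key must be assumed compromised.
    if svc.cert_not_before <= svc.patched_on:
        actions.append(REISSUE_CERT)
    # Step 4: credentials presented to the vulnerable server are likewise suspect.
    if not svc.passwords_rotated:
        actions.append(ROTATE_PASSWORDS)
    return actions


def triage(inventory: List[Service]) -> Dict[str, List[str]]:
    """Return {service name: [outstanding actions]} for the whole inventory."""
    return {svc.name: remediation_actions(svc) for svc in inventory}


# Constructed sample inventory (not real systems or vendors); the dates assume
# fixes were applied in the days after the April 2014 disclosure.
SAMPLE_INVENTORY = [
    Service("online-banking-web", "internal", "1.0.1e", date(2013, 11, 2), date(2014, 4, 9), False),
    Service("vpn-gateway", "internal", "1.0.1f", date(2014, 1, 15), None, False),
    Service("legacy-mail-relay", "internal", "1.0.0l", date(2013, 6, 1), None, False),
    Service("core-processor-api", "Example Vendor Corp", "1.0.1c", date(2012, 8, 20), None, False),
    Service("statement-portal", "Example Vendor Corp", "1.0.1f", date(2014, 4, 12), date(2014, 4, 10), True),
]

if __name__ == "__main__":
    for name, actions in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(actions) or 'no outstanding action'}")
```

The ordering matters: certificate and password rotation are only reported once `patched_on` is set, which mirrors the FFIEC's sequencing of key replacement and password changes after the patch. The `statement-portal` row shows the end state, where a certificate reissued after the patch date and completed password rotation leave nothing outstanding.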


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.