Blog: FFIEC

Multifactor authentication (MFA) is considered a staple in the world of security. For many, the use of MFA may seem straightforward, but as with many things in life, complexities abound. In this article, we will discuss five current challenges associated with MFA and ways to mitigate those risks. 

Before going further, read the companion article What is Multifactor Authentication?, which provides an overview of MFA, the regulatory guidance sources that apply to financial institutions, and tips for incorporating MFA into your information security program. 

Challenge #1. Misapplication of MFA may negate your cyber insurance. 

It is no secret that cyber insurers are facing an uphill battle. Some sources state that in 2020 cyber insurers had a loss ratio of 500%, meaning that for every $1 earned in premiums, they paid out $5 responding to incidents. 

Due to the rising costs associated with cyber incident response, many insurance companies are beefing up their coverage requirements and now expect MFA to be enabled for the following types of services: 

  • All admin access (both internal and remote) to directory services, network backup environments, network infrastructure, endpoints, and servers. 
  • All remote access to the network, including employees and third parties. 
  • All email systems which can be accessed through a cloud service (e.g., Office 365). 

While this may seem like a reasonable request up-front, it can also become the reason a claim is denied: if an incident reveals that MFA was not deployed on one of the listed services as represented in the application, the insurer may treat the policy as void for that loss. 

Facing the Challenge: Review your cyber insurance policies and application questionnaires. Determine whether they require MFA, check each listed category (admin access, remote access, cloud email) against what your current implementation actually covers, and keep evidence of that coverage so it can be produced in the event of an incident. 

Challenge #2. Financial institution guidance about MFA is not very descriptive. 

Various financial institution regulatory agencies and industry leaders also now expect multifactor authentication to be implemented, as discussed in the article What is Multifactor Authentication? For example: 

  • FFIEC Authentication Guidance (August 2021) 
    According to the guidance, MFA is encouraged for "high-risk users," which are defined as users who have "access to critical systems and data; privileged users, including security administrators; remote access to information systems; and key positions such as senior management" (page 5). For additional information, read the full guidance.
     
  • FFIEC Cybersecurity Assessment Tool 
    The following maturity declarative statements from the tool's "Access and Data Management" component refer to multifactor authentication:
     
    • Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. 
    • Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution's network and/or systems and applications. 
    • Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s).
     
    For additional information, download the PDF or sign up for Tandem's free automated version of the tool. 
  • CSBS Ransomware Self-Assessment Tool (R-SAT) 
    R-SAT Question 10 asks users to confirm that MFA is used for various circumstances, including access to cloud-based services, cloud email services, VPN remote access, and administrative access. For additional information, check out our R-SAT blog.
     
  • NIST Cybersecurity Framework v1.1 
    While not specific to financial institutions, the framework references MFA in subcategory PR.AC-7, which states "users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction." For additional information, download the framework.

While these references prescribe that MFA be used, they say little about how it is to be accomplished: which systems, which factors, and how to verify that the control is actually in force. 

Facing the Challenge: Implementing a control such as MFA needs to focus on protecting the likely entry points (remote access, cloud email, third-party connections) as well as the systems that would cause the most damage if compromised (directory services, backups, network infrastructure). Start by considering how MFA could most effectively be implemented to mitigate the specific risks facing your organization. 

Challenge #3. It is unfeasible to implement MFA everywhere. 

Perhaps the greatest challenge with MFA, especially in consideration of increasing requirements, is that it is currently unfeasible to implement everywhere. 

For example: 

  • Active Directory's own authentication protocols (Kerberos and NTLM) and SQL Server logins do not natively prompt for a second factor. MFA can be required at the systems administrators use to reach these services (a jump host, RDP gateway or VPN), and AD supports smart-card logon, but the protocol-level authentication itself carries no MFA challenge. 
  • Service accounts cannot use MFA either. They run unattended, often with elevated privilege, and are not tied to a person who could answer a prompt. Compensating controls include long random secrets (or group Managed Service Accounts), only the logon rights the service needs, and alerting on any interactive logon by a service account. 
  • To complicate matters further, a Windows domain administrator can authenticate or elevate privileges through many paths besides an interactive logon: PowerShell remoting, Windows management protocols such as WMI and WinRM, command-line tools that use network logons, or a User Account Control (UAC) elevation. MFA enforced only at the console or RDP gateway never sees these network logons.  

While applying MFA everywhere may sound like a dream come true, technological limitations currently prevent that dream from becoming a reality. 

Facing the Challenge: Determine what you can secure with MFA and apply compensating controls for what you cannot. Based on your organization's long-term technology strategy, it may be beneficial to consider moving certain systems to the cloud (e.g., Azure or AWS). That said, while many cloud solutions support MFA for access, they present an entirely different set of risks and are not a wholesale security solution in and of themselves. 

Challenge #4. MFA is not infallible. 

While MFA is an appealing control to consider, it is certainly not infallible and should not be implemented lightly. For example: 

  1. It is important to recognize that anybody who has administrator access also has the ability to turn MFA off. If you are depending on MFA as a security control for administrators, there must be validation that it has not been disabled: limit who can change the MFA policy, and monitor or periodically re-check the MFA status of every privileged account. 

  2. MFA is a preventive control. When MFA methods are incorrectly configured or fail to work (a dead authenticator service, a lost token), administrators can be locked out of their own systems, which could cause significant damage to the organization. Plan for this with a documented recovery path, such as a tightly controlled emergency-access account whose use is monitored. 

  3. When controls, like MFA, cannot be implemented universally, it leaves the entire environment vulnerable by proxy. While applying MFA in certain areas or to certain users can limit exposure, the more security gaps you can close, the better. 
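Two of the points above (the network logon paths in Challenge #3 and item 1 here, validating that MFA was not disabled) are detective checks a practitioner can script. The following is an added example, not code from the original article: it reads a constructed account export (format assumed) and a handful of constructed Windows Security logon records shaped like event 4624, and reports privileged accounts with MFA off plus privileged-account logons whose logon type never passes through the MFA gateway. Which logon types the gateway fronts is an assumption stated in the code.

```python
"""Added example: detective checks backing up MFA for privileged accounts.

1. mfa_gaps(): privileged accounts whose MFA has been turned off, so a
   disabled-MFA change by an administrator does not go unnoticed.
2. uncovered_admin_logons(): successful privileged-account logons (Windows
   Security event 4624) via a logon type the MFA gateway does not front,
   e.g. SMB, WMI/WinRM or service logons that never see an MFA prompt.

The account export format and the event fields are assumptions for this
example; all data below is constructed, not real.
"""
import csv
import io

# Windows 4624 logon type values (documented by Microsoft).
LOGON_TYPE = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Assumption: MFA is enforced at the console and the RDP gateway only,
# so only these logon types pass through an MFA prompt.
MFA_COVERED_LOGON_TYPES = {2, 10}

# Constructed account export (CSV format assumed).
ACCOUNT_EXPORT = """\
account,privileged,mfa_enabled
alice.admin,true,true
bob.admin,true,false
carol,false,false
svc-backup,true,false
"""

# Constructed 4624/4625-style records reduced to the fields the check needs.
LOGON_EVENTS = [
    {"event_id": 4624, "account": "alice.admin", "logon_type": 10, "host": "JUMP01"},
    {"event_id": 4624, "account": "alice.admin", "logon_type": 3,  "host": "FS01"},
    {"event_id": 4624, "account": "bob.admin",   "logon_type": 2,  "host": "DC01"},
    {"event_id": 4624, "account": "svc-backup",  "logon_type": 5,  "host": "BK01"},
    {"event_id": 4624, "account": "carol",       "logon_type": 3,  "host": "FS01"},
    {"event_id": 4625, "account": "bob.admin",   "logon_type": 3,  "host": "FS01"},
]


def parse_accounts(export_text):
    """Parse the CSV export into {account: (privileged, mfa_enabled)}."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {
        r["account"]: (r["privileged"].strip().lower() == "true",
                       r["mfa_enabled"].strip().lower() == "true")
        for r in rows
    }


def mfa_gaps(accounts):
    """Privileged accounts whose MFA is off (the 'was it disabled?' check).
    Service accounts land here too; they need a compensating control
    rather than an MFA prompt."""
    return sorted(a for a, (priv, mfa) in accounts.items() if priv and not mfa)


def uncovered_admin_logons(accounts, events, covered=MFA_COVERED_LOGON_TYPES):
    """Successful logons by privileged accounts through a logon type the
    MFA gateway does not front. Each hit is (account, logon type, host)."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4624:
            continue  # 4625 is a failed logon; only successes matter here
        priv, _ = accounts.get(ev["account"], (False, False))
        if priv and ev["logon_type"] not in covered:
            hits.append((ev["account"],
                         LOGON_TYPE.get(ev["logon_type"], "Unknown"),
                         ev["host"]))
    return hits


def run_checks(export_text=ACCOUNT_EXPORT, events=LOGON_EVENTS):
    """Run both checks and return the findings as a dict."""
    accounts = parse_accounts(export_text)
    return {"mfa_disabled": mfa_gaps(accounts),
            "uncovered_logons": uncovered_admin_logons(accounts, events)}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

On the constructed data the first check flags bob.admin and svc-backup, and the second flags alice.admin reaching FS01 over a network logon and svc-backup's service logon on BK01; bob.admin's console logon on DC01 is covered by the assumed policy and carol is not privileged. In practice the export would come from the directory or cloud tenant and the events from the SIEM, and the findings would feed a ticket or alert rather than a print.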

Facing the Challenge: Implementation of MFA is not only a technical decision. It is an enterprise-wide strategy. Start the conversation by including relevant personnel in the decision-making process. Assess the impact of MFA on operations and make sure plans are in place to limit negative consequences. 

Challenge #5. MFA can be expensive to implement. 

While MFA is becoming more widely available, implementing it can still require a significant investment of time and money, as "one MFA to rule them all" does not exist. Every system has its own form of MFA. For example, some systems support: 

  • Proprietary MFA solutions, such as Duo MFA, Palo Alto GlobalProtect, RSA SecurID, Symantec VIP, etc. 
  • Solutions built on the Time-Based One-Time Password (TOTP) standard (RFC 6238), such as Google Authenticator, Microsoft Authenticator, Twilio Authy, etc. 
  • Native MFA solutions, built into the application, such as how the Tandem Mobile App can be used as an MFA option for Tandem access. 

Since systems use a variety of MFA options, it is up to each organization to ensure they select the right solution for them and ensure adequate coverage. 
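Because the TOTP family above is an open standard, it is worth seeing what the apps actually compute. The following is an added example, not code from the original article or from any of the products named: a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238), the base32 seed decoding that otpauth:// enrollment uses, and a verifier that tolerates one step of clock skew and compares codes in constant time. The demo key is the RFC 6238 test key, not a real credential.

```python
"""Added example: TOTP (RFC 6238) on top of HOTP (RFC 4226), as implemented
by Google Authenticator, Microsoft Authenticator and Authy. Standard
library only. RFC_SECRET is the published RFC test key, not a credential."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> N digits."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algorithm="sha1", t0=0):
    """RFC 6238: HOTP with counter = floor((now - T0) / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int((at - t0) // step), digits, algorithm)


def verify_totp(secret, code, at=None, window=1, step=30, digits=6,
                algorithm="sha1"):
    """Accept the current step and +/- window neighbouring steps (clock
    skew). hmac.compare_digest keeps the comparison constant-time so a
    timing side channel cannot reveal how many digits matched."""
    at = time.time() if at is None else at
    for skew in range(-window, window + 1):
        expected = totp(secret, at + skew * step, step, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_from_base32(b32):
    """Authenticator apps exchange the seed as base32 in otpauth:// URIs,
    usually without the '=' padding that base64.b32decode insists on."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 6238 Appendix B test key: ASCII "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 vectors use 8 digits and SHA-1; T=59 gives 94287082.
    print(totp(RFC_SECRET, at=59, digits=8))
    print(totp(RFC_SECRET, at=1111111109, digits=8))
    # A code from T=59 presented one step later is still accepted...
    print(verify_totp(RFC_SECRET, "94287082", at=89, digits=8))
    # ...but not two steps later.
    print(verify_totp(RFC_SECRET, "94287082", at=119, digits=8))
```

Two design points matter for anyone wiring this into a real login: the verification window should stay small (one step either side is typical) because each extra step multiplies an attacker's guessing odds, and a code that has already been accepted should be remembered for the life of its window so it cannot be replayed.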

Facing the Challenge: If you do not currently have MFA implemented, begin planning for it now. If you need assistance, there are managed security service providers (MSSPs) with expertise in this area, such as CoNetrix Technology. If you would like assistance with selecting and implementing the right MFA solution, contact us.

Conclusion 

MFA is a highly effective control when it comes to reducing the risk of various threats, but it comes with its own set of challenges and risks. As you consider your current and future MFA plans, take a step back and answer the question: Are you trying to check a box or are you trying to mitigate a risk? 

A layered security program is always going to be the most effective way to face the cyber challenges of our time. While MFA is a helpful component of this program and should be used when feasible, it is not the only control you need. You have to use many controls to create a layered security program. For additional information about how you can secure your systems or to learn more about IT managed services, visit CoNetrix.com/Technology.


 

This article was updated on August 28, 2019. See below for the updates.

What is the FSSCC Cybersecurity Profile?

The FSSCC Cybersecurity Profile was published on October 25, 2018 by the Financial Services Sector Coordinating Council (FSSCC). The FSSCC is a private entity comprised of 70 members from financial services organizations. Their cybersecurity profile has multiple tiers, which allow users to answer a scalable set of questions. This scaling is designed to provide an expedited assessment of the user's organization's cybersecurity preparedness.

Beyond the tool's claims of efficiency, its development is credited largely to organizations well known in the financial services industry. The Press Release includes names such as the American Bankers Association, Bank Policy Institute, the Institute of International Bankers, and more.

Beyond this, the FSSCC has made multiple appeals to the Cybersecurity Profile's usefulness in regulatory examinations, going so far as to claim, "The numerous and substantial benefits [of using the FSSCC Cybersecurity Profile] to the financial services sector are: […] Supports tailored supervision, examinations, and collaboration among state, federal, and international supervisors," per the FSSCC Overview and Users Guide.

What is the FFIEC Cybersecurity Assessment Tool?

The FFIEC Cybersecurity Assessment Tool (CAT) was initially published on June 30, 2015, and updated May 31, 2017. The CAT was designed by the Federal Financial Institutions Examination Council (FFIEC), a formal interagency body, comprised of members from the FRB, FDIC, NCUA, OCC, CFPB, and SLC. The CAT is standardized, which allows users to answer a specific set of questions, designed to provide a thorough assessment of their organization's cybersecurity preparedness.

The FFIEC CAT includes 494 cybersecurity maturity statements, which has resulted in some complaints. However, it is not only designed to provide a detailed assessment of a financial institution's current state of cybersecurity preparedness, it also enables targeted and long-term planning for growth and improvement.

With regard to examinations:

• The FDIC continues to heavily rely on the InTREx Work Program. While InTREx does state financial institutions are not required to use the FFIEC CAT to assess cybersecurity preparedness, the program also states FDIC examiners will reference the CAT's Appendix A when performing examinations.

• The NCUA is currently implementing the Automated Cybersecurity Examination Tool (ACET). The ACET is based on the FFIEC CAT, with a document request list to help credit unions understand, gather, and organize the documents needed for the examination. Read our blog on FAQs about the ACET.

• In their Spring 2018 Semiannual Risk Perspective, the OCC announced they had "implemented the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) into its examination process." In addition, an OCC representative at the 2019 CoNetrix KEYS Conference Examiner Panel indicated the OCC is piloting their own segmented version of the FFIEC CAT, to be fully completed on a three-year cycle.

August 2019 Update: In July 2019, the OCC replied to a comment from the FSSCC in the Federal Register. The FSSCC asked the agencies to "make a clear statement that other methodologies, such as NIST Cybersecurity Framework and the FSSCC Cybersecurity Profile, are acceptable inputs into the examination process." The OCC replied that financial institutions "may choose to use the [FFIEC CAT], the NIST Cybersecurity Framework, or any other risk assessment process or tool to assess cybersecurity risk."

• The FRB's supervisory letter about the tool, SR 15-9, indicated the CAT's planned use in examinations, and the FRB was a contributor in the May 2017 update of the tool, per their 2017 Annual Report. Additionally, a list of Information Technology Guidance was published, including the FFIEC CAT as a "Policy Letter."

Will the FSSCC Cybersecurity Profile Replace the FFIEC Cybersecurity Assessment Tool?

While the FSSCC Cybersecurity profile has fewer questions, and the FSSCC has expressed interest in seeing the tool used during regulatory examinations, the federal banking agencies have not yet expressed the same interest.

In addition, while completing the FFIEC CAT is not required, four years into the CAT's implementation, examiners are now familiar with the tool and the agencies continue to supplement and reference the CAT in their own examination programs. In light of this, using the CAT to assess cybersecurity preparedness could help expedite the examination process, as the tool may be used during an exam.

At this point in time, it is not clear what the future holds for the FSSCC Cybersecurity Profile. Due to the thorough nature and widespread adoption of the FFIEC CAT, it is difficult to imagine the CAT will be replaced by any tool in the foreseeable future.

August 2019 Update: In August 2019, the FFIEC published a press release encouraging a standardized approach to assessing cybersecurity preparedness. While the press release lists the FFIEC CAT, NIST Cybersecurity Framework, Center for Internet Security Controls, and FSSCC Cybersecurity Profile as references to "support institutions in their self-assessment activities," the press release reiterates that "the FFIEC does not endorse any particular tool" and the "tools are not examination programs."

Does CoNetrix have anything that can help with assessing cybersecurity preparedness?

Yes. The Tandem Cybersecurity module took the FFIEC CAT PDF content and streamlined it into an easy-to-use web-based application. With email reminders, charts and graphs, presentation documents, optional peer comparison, and tools for the NCUA's ACET, you can put the FFIEC CAT to work for you. Get started for free with Tandem Cybersecurity.


 

On September 9th, 2016, the Federal Financial Institutions Examination Council (FFIEC) released a revised Information Security booklet.  This booklet is one of eleven booklets that make up the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The IT Handbook is designed to provide information and reference to financial institutions and examiners.  The Information Security booklet specifically “provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s information systems.”

To learn more about the new FFIEC Information Security Booklet, join us for a webinar on October 11th at 2:00pm CDT. Register now.

To see other webinars offered by CoNetrix, visit our webinars page.

About the FFIEC: The FFIEC was established in 1979 per Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978.  The FFIEC is comprised of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).

 


 

Today the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC IT Handbook, BCP Booklet.  The update included a new appendix entitled Strengthening the Resilience of Outsourced Technology Services.  The appendix highlights and expands on the BCP Booklet in four specific areas: third-party management, third-party capacity, testing with third-party technology service providers, and cyber resilience.  To learn more, visit https://www.ffiec.gov/press/pr020615.htm  

 

The Federal Financial Institutions Examination Council (FFIEC) today launched a web page dedicated to cybersecurity (http://www.ffiec.gov/cybersecurity.htm). The website is designed to be "a central repository for current and future FFIEC-related materials on cybersecurity."

As a part of the Press Release announcing the launch of the cybersecurity web page, the FFIEC also noted the launch of the website "coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators, which will be completed during regularly scheduled examinations."  According to the press release, the focus of the pilot program will be on:

  1. Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. Service Provider and Vendor Risk Management
  5. Cyber Incident Management and Resilience
The pilot program is expected to last about 4 weeks and include regulators from the FDIC, OCC, Federal Reserve, NCUA, and the States.

 

This month, the New York State Department of Financial Services ("the Department") released results from a survey conducted in 2013 on cyber security.  154 institutions completed the survey, representing 60 community and regional banks, 12 credit unions, and 82 foreign branches and agencies.  The survey asked questions regarding information security framework; corporate governance around cyber security; use and frequency of penetration testing and results; budget and costs associated with cyber security; the frequency, nature, cost of, and response to cyber security breaches; and future plans on cyber security.

In conclusion, the Department states:

"As part of its continuing efforts in this area, the Department plans to expand its IT examination procedures to focus more fully on cyber security.  The revised examination procedures will include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery.  The revised procedures are intended to take a holistic view of an institution's cyber readiness and will be tailored to reflect each institution's unique risk profile.  The Department believes this approach will foster smarter, stronger cyber security programs that reflect the diversity of New York's financial services industry."

This report comes on the heels of the FFIEC webinar, Executive Leadership of Cybersecurity: What Today's CEO Needs to Know About the Threats They Don't See, in which the FFIEC introduced expectations of new examination procedures.

The full Report on Cyber Security in the Banking Sector by the New York State Department of Financial Services can be found here: http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf


 

The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machine (ATM) and card authorization systems and of continued distributed denial-of-service (DDoS) attacks.

To read the Press Release, visit http://www.ffiec.gov/press/pr040214.htm

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf


 
 

The Federal Financial Institutions Examination Council (FFIEC) issued an updated Retail Payment Systems Booklet.  The booklet is part of the IT Examination Handbook series and provides guidance to examiners, financial institutions, and technology service providers (TSPs) on identifying and controlling risks associated with retail payment systems and related banking activities.  To download the booklet and associated workprogram, visit http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html


 

The FFIEC released the new Business Continuity Planning (BCP) IT Examination Handbook this month.  The prior BCP IT Examination Handbook was released in March 2003.  A few new key areas include:

  • Pandemic Planning
  • More emphasis on:
    • Business Impact Analysis (BIA)
    • Risk Assessment
    • Testing

The new BCP IT Examination Handbook has been greatly expanded - to give you an idea, the old BCP booklet (March 2003) was only 57 pages, and the new booklet (March 2008) is 132 pages - more than twice the size - this should also give us an indication of the new importance & emphasis placed on Business Continuity.  

To view the new BCP IT Examination Handbook, go to http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx.  You can also check out our BCP Software offering.