Federal Reserve Breach: What Happened?Experts Say Attack Offers Lessons for Institutions
The Federal Reserve confirms it's been breached - an attack that experts say signals to banking institutions and their vendors a heightened urgency to implement security best practices, including the encryption of passwords.
The hacktivist group Anonymous, which is taking credit for the Feb. 3 attack, claims it breached systems connected to the Fed and subsequently exposed sensitive credentials, including logins and passwords, as well as other private details, such as mobile numbers, for more than 4,000 U.S. bankers.
The attack against the Fed is an eye-opening reminder that credentials should never be stored in an online-accessible database, says Edy Almer, vice president of hardware security and encryption provider Wave Systems Corp. Instead, those logins and passwords should be stored on hardware that's not linked to the Web and that can only be accessed through machine-level authentication, he contends.
One security executive with a global financial services company, who asked not to be named, says banking institutions are embracing the need for stronger security surrounding online and network credentials. The problem is database redundancies.
"Technology gets in the way," the executive says. "Unless an organization has made strong efforts to centralize credentials, they will be scattered across various systems. And there are no truly standardized ways of protecting and managing credentials. There's a lot of poor advice going around, especially when it comes to best practices for password management."
But it's impossible to keep all attackers out, the executive acknowledges. "My take is that there are ways into practically every system, either through technical flaws or simply by compromising people," the executive says. "Defenses against such attacks need to be much more holistic, understanding motivations, means and opportunities."
From a risk management point of view, organizations have to accept the fact that despite all of their security efforts, the risk of data compromise remains high, says Rodney Joffe, a senior technologist at cybersecurity provider Neustar Inc.
"It is impossible to defend against everything," Joffe says. Regarding the Feb. 3 attack, he adds: "I don't think it points out a weakness in the way the way the Federal Reserve secures its systems. There's not really anything they can do to stop these attacks in the modern world. And this is the reality that security officers are now embracing."
The Fed acknowledges the attack, but has not confirmed who was behind it. "The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product," a Fed spokesman told BankInfoSecurity on Feb. 7. "The exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve System."
The weakness in the vendor product is likely a zero-day vulnerability, Joffe says. "It's a software design flaw, and until the manufacturer provides a fix, there's really nothing the Fed or any other organization can do. We have these types of issues in software all the time." And it takes time to identify the vulnerabilities and deploy patches in ways that don't create new vulnerabilities and risks, he adds.
Attackers often exploit those vulnerabilities before organizations have time to respond, Joffe says. For example, an organization might take several weeks to install a patch and implement it across systems.
"It's a really, really tough world," Joffe says. "Now the industry is not focused on stopping hacks, because that's not possible, but on trying to get early warning that an attack has occurred. So we are watching the bad guys to see what moves they are making. And that's the approach that's most effective."
Authentication and Encryption
But online security experts say organizations still must adhere to best practices and ensure that they and the vendors with which they work implement strong encryption and authentication to protect sensitive data.
If the Fed database that was attacked was storing passwords in the clear, the compromise could have been prevented with stronger encryption - a well-accepted best practice, Almer says.
"User/password pairs, if indeed stolen, should never be stored in the clear," he explains. "They should be salted and hashed. An identity scheme that cannot be phished, and does not depend on the user remembering and guarding the password, is a much better option."
As a best practice, credentials and contact lists should be protected by hardware security modules and layers of user authentication, Almer says.
"Conversely, the server or cloud service should recognize platform authentication requests for releasing user credentials as well, closing the proverbial loop and preventing the global hack of the database of identities and contacts," he says.
Lesson for Banks
The compromise of credentials housed at the Fed highlights the reality that organizations, out of necessity, have to prioritize which systems and data require the most protection, says Al Pascual, a financial fraud analyst at Javelin Strategy & Research. They can't seal every gap, so they focus on securing the most sensitive information, he says.
"Given the type of information that was hacked, securing the system on which the data was stored was a relatively low priority," Pascual says. "This is the Federal Reserve, after all, and protecting sensitive policy communications and financial data will garner the greatest effort. The Fed is a high-profile target, and attacking it gives Anonymous street cred and wide media coverage."
Anonymous claims its attacks against federal entities were spurred by the suicide of Aaron Swartz, an Internet activist who co-created the Web-content feed RSS format and helped develop the social media site Reddit. Anonymous blames his suicide on the federal charges he faced for using computers at the Massachusetts Institute of Technology to pilfer more than 4 million journal articles from an online archive and distribution service.
Pascual says the attack on the Fed, and recent distributed-denial-of-service attacks against U.S. banks and credit unions, could help boost support for national cybersecurity legislation.
And support for more cross-border information-sharing is already evident, Joffe says.
"What has gotten better in recent years is international collaboration," he says.
Recent attacks against banks have called for heightened communication, Joffe adds.
"The banking industry is really doing a good job of sharing information, through the [Financial Services] Information Sharing and Analysis Center," he says. "In the security arena, there are groups that are sharing information that weren't sharing before. We are involving law enforcement, and law enforcement has always been really good at understanding who's behind these attacks."