A release issued Thursday by the Federal Deposit Insurance Corporation (FDIC) urged financial institutions to "actively utilize available resources to identify and help mitigate potential cyber-related risks." The timing of the release is particularly germane, considering the recently discovered Heartbleed bug, which affects almost two-thirds of the web, as well as recent cyber-attacks on industry giant Ellie Mae.
"Cyber threats have been widely covered in the national media, and we believe that financial institutions and their technology service providers have been managing system updates to mitigate potential vulnerabilities in an effective manner," said Doreen Eberley, Director of the FDIC Division of Risk Management Supervision.
The FDIC release would appear to reference the recently discovered Heartbleed bug. The bug, according to the appropriately named heartbleed.com, "is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet."
The site continues, "SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."
SSL, or Secure Sockets Layer, is a standard protocol used to encrypt data in transit. A computer using SSL sends a request to another computer and verifies that the other computer is in fact the one it is attempting to reach. If that check succeeds, the second computer responds with data verifying its own identity, and a handshake establishes the keys used to exchange data securely.
Heartbleed exploits a flaw in the software that implements this connection, not the protocol itself.
"Web servers that use the affected versions of the code store some data unprotected in memory. Hackers can grab that data, and reconstruct information about users or keys that would allow them to monitor past or future encrypted traffic," according to a report by the Wall Street Journal.
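As an added illustration (not code from the article or from OpenSSL), the following simplified C handler for a TLS heartbeat record includes the length check that the affected OpenSSL versions omitted. The record layout is reduced from RFC 6520, and the request records are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record (after RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Build a heartbeat response for the record in `in` (`in_len` bytes received).
 * Returns bytes written to `out`, or -1 if the record is malformed.
 * The check that the claimed payload_length fits inside the bytes actually
 * received is what the vulnerable OpenSSL versions lacked: they copied
 * payload_length bytes regardless, so the surplus came from adjacent process
 * memory (session data, keys) and was sent back to the peer. */
int heartbeat_response(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap)
{
    if (in_len < 3 || in[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((in[1] << 8) | in[2]);
    /* Bounds check: header + claimed payload + minimum padding <= received. */
    if ((size_t)payload_len + 3 + HB_MIN_PADDING > in_len)
        return -1;
    size_t resp_len = 3 + (size_t)payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = in[1];
    out[2] = in[2];
    memcpy(out + 3, in + 3, payload_len);          /* echo only what was sent */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING); /* zero padding for determinism */
    return (int)resp_len;
}

/* Constructed request: 3-byte payload "abc" plus 16 bytes of padding,
 * but with the length field set to `claimed_len`. Returns the handler result. */
int demo(uint16_t claimed_len)
{
    uint8_t req[3 + 3 + HB_MIN_PADDING] = {HB_REQUEST, (uint8_t)(claimed_len >> 8),
                                           (uint8_t)claimed_len, 'a', 'b', 'c'};
    uint8_t resp[64];
    return heartbeat_response(req, sizeof req, resp, sizeof resp);
}

int main(void)
{
    printf("honest length 3:  %d\n", demo(3));      /* 22: normal echo */
    printf("claimed 0xFFFF:   %d\n", demo(0xFFFF)); /* -1: rejected */
    return 0;
}
```

A request whose declared length matches its payload is answered normally; one that claims more payload than it carries is dropped instead of being answered from memory the peer never sent.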
The Wall Street Journal article commented on possible actions for consumers: "If you need strong anonymity or privacy," Roger Dingledine, president of the Tor Project, a web service used to obscure Internet users' identity, wrote in a blog post, "you might want to stay away from the Internet entirely for the next few days while things settle."
More recently, cyber security has been in the news with respect to attacks on large institutions. A recent attack against Ellie Mae resulted in slowdowns and overwhelmed servers.
The FDIC urges financial institutions to "ensure that their Information Security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify cyber risks as they emerge."
Specifically, the FDIC recommends the United States Computer Emergency Readiness Team (US-CERT), the U.S. Secret Service Electronic Crimes Task Force (ECTF), FBI InfraGard, Regional Coalitions, and the Information Sharing and Analysis Centers (ISACs).
More detailed technical information about the Heartbleed bug can be found here.