Antivirus software has long been accepted as the cornerstone of any healthy security program. As online security threats continue to rise and pose a significant risk to the financial industry, you have, no doubt, implemented many technical controls. Perhaps, in the back of your mind, you've thought if these controls failed, well, at least you have antivirus. Now, however, the discovery of the Flame virus earlier this summer has everyone wondering if their trust was poorly placed.
Flame is a highly complex (arguably the most complex) piece of malware that has been recording audio, keystrokes, network traffic, screenshots, Skype conversations, and documents from infected computers for at least two years. That's two years of antivirus definition updates and two years of potentially weekly or daily virus scans that never detected this very large, very complex, very nosy virus. Flame's sophistication along with its targets supports the widely accepted notion that a government or group of governments is responsible for its creation and distribution. A large majority of the infected machines were discovered in Iran, but infected machines were also found in several other locations, including Europe and North America.
It would be naïve for us to trust that perhaps our own government or an ally was the creator of such a complexity, and thus, we are immune to its danger. A malware program designed for a particular purpose is still a program that is capable of spreading to unintended targets as well as landing in the hands of someone who is no ally of yours. Also, the most direct implication to you was what Flame did to blow the antivirus industry's cover. Until recently, antivirus leaders and malware creators were engaged in a cat-and-mouse game of sorts where malware creators introduced new viruses, and shortly thereafter, antivirus companies discovered these and updated their virus definitions, so that your computer would not fall victim. This routine has more or less worked for years until the late Flame discovery that has left the antivirus industry scratching their heads. Industry talk suggests simplistic signature-based antivirus software is not adequate and puts an emphasis on more expansion into behavior or anomaly-based products.
What does this mean for you as a consumer of antivirus products and as a highly targeted industry? Well, you have little (or no) control over the ability of the antivirus industry to catch all, especially targeted, attacks. The answer to this security issue, and the answer to most security issues, is that you have to implement a layered security program:
- Keep software (including Adobe and Java) and browsers patched.
- Remove local administrator privileges on workstations.
- Implement technical controls on the use of USB storage devices where possible.
- Implement and monitor an intrusion detection/prevention system.
- Expand Internet content filtering such that only sites needed for banking are allowed.
- Regularly review security logs, so that changes in the norm will stand out.
- Train, train, train – including teaching users not to click on email links, teaching them the difference between secured and unsecured websites, and teaching them to verify an unexpected call/email/visitor's authorization before giving them information or helping them with a project. Creating a culture of security-minded employees, where everyone in the bank sees security as their responsibility, will really provide some of the greatest protection you have available to you.
Unfortunately, security and convenience vary inversely. The more security measures you put in place at your institution, the less convenient things are for you and your employees, but that also makes things less convenient for any would-be attackers. Most of them will look for the low-hanging fruit. Implementing several security layers on your network and your institution will send most attackers on to an easier target.