Michigan Banking September/October 2016

"Everybody, hands in the air! This is a stick-up!"  This traditional well-worn cliché has just about run its course in the bank robbery world.  Now, the would-be robbers are using ones and zeroes to hold bank data hostage and take their money.  What about making this simple – "Ransomware is a hot topic because it works. Criminals are stealing millions of dollars."  Fortunately, there are some strategies institutions can use to mitigate the threats this attack vector poses and help prevent its spread if a machine becomes infected.

Normal Phishing Rules Apply:  While ransomware may have recently gained prominence, it is usually delivered through the tried and true attack method - phishing.  As a result, it is even more important to follow best practice phishing mitigation techniques.

·         Trust but verify every email

·         What are you being asked to do? Were you expecting the email?

·         Use extreme caution with links and attachments (disable macros)

Safe Surfing:  Another popular attack medium uses Trojan horse downloads in websites.  To mitigate this attack style, implement a strict web content filter to block websites or categories of websites that are not necessary to the institution's job functions.  One of the safest best practices is to block all websites by default and whitelist only the sites that are necessary for bank operations.

Restrict Administrator Rights:    One of the first actions of an instance of ransomware is it looks for a way to escalate its privileges.  If the local user has been granted admin rights, it will begin to encrypt the entire hard drive.  Therefore, it is important to limit local admin rights on a machine to the greatest extent possible.  Unfortunately, sometimes software manufacturers write software that requires local administrator privileges. It is important for the institution to work with their software vendor to limit the need for local administrator rights. 

Air Gap Backups:  Backup data is the most effective control for recovering from ransomware.  Once a hard drive has been infected it should be considered useless.  After the piece of ransomware has encrypted the local pc, its next step is to search the network and look for backups to infect.  Air gapping is the process of physically removing your backup data from the network.  Traditionally, this was achieved through the use of tape backups.  Today, institutions have decided to utilize network attached or cloud storage devices.  Air gapping is easiest if the backup is stored on some form of removable media.  If it is a network attached storage, just make sure to unplug the storage device from the network while it is dormant.

While any machine connected to the internet has some inherent risk, it is important to remember that ransomware is delivered by utilizing unsafe web browsing strategies and/or poor security awareness.  These issues can be corrected by user training and strong technical controls.  "Would be" digital robbers look for the easiest targets.  By following a few of these simple guidelines banks foil a robbery before it ever happens.




Dr. Jerrod Pickering, Security +, is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits, security testing, and Tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. To learn more about CoNetrix and their new Tandem Phishing tool, visit www.CoNetrix.com.