On January 26, 2010, six employees of a regional community bank received an email purporting to be about a recent wire transfer. Three of the email’s recipients were suspicious of the message and reported it to their IT group. The bank’s IT group verified the email was a phishing attack and deleted it from the six employee email accounts; however, one of the employees had already forwarded it to the bank’s wire person.
The email included an attachment called "detailspdf.zip" containing a file called "detailspdf.scr." This file is a Trojan, malware used to download further files onto the attacked computer. The wire transfer employee tried to open the file (assuming it was legit since it was forwarded to her by a bank officer). Apparently, the trojan then downloaded the additional programs the attacker needed to steal the username/password to login to their wire transfer website. With the login information, the attacker attempted to transfer funds to accounts overseas. In this case, at least part of the attack was prevented by a requirement for different individuals to initiate and approve all wire transfers. The attack appears to have originated from England.
This story is enough to keep many of us up at night, but simply do an Internet search for "bank security breach" or "bank social engineering attack" and you can read many more – and for every one you read on the news, you can bet there are many more attacks or attempted attacks that go unreported. So, what can we do to protect ourselves from these types of attacks? The answer is a layered security approach. Let’s take a look at controls that could have helped block the spear-phishing attack mentioned above.
SPAM filtering, or email filtering, is the process of detecting unsolicited and unwanted emails and preventing those messages from getting to a user’s inbox. While not foolproof, effective filtering can remove many malicious emails before they ever reach your employees. In this case, the bank did have a SPAM filtering solutions, but it was not filtering out zip files, so the email made it through the first layer of protection.
Security Awareness Training
Community banks spend hundreds of thousands of dollars on security technology, but oftentimes the most valuable security control is still neglected: your employees. A well-trained eye and conscious mind can help us avoid most potential attacks. In the Social Engineering attack highlighted earlier, several employees did recognize the email as an attack; however, their response stopped short when they only had IT remove the email from the employee’s inbox. They should have notified all employees (or at least those that received the email) about the attack and used it as an opportunity to educate. In doing so, they may have headed-off or discovered the attack much sooner.
Antivirus Software and Patch Management
Antivirus software and patch management are the fundamentals of a secure defense system. They are common terms and we all know they are required, but somehow they still seem to get neglected. A later test revealed the antivirus software the bank was using should have detected and blocked the malicious software, so why did it get through? It appears the bank did not have the antivirus client configured correctly on the wire transfer system to scan files as they were accessed. This is commonly referred to as "real-time scanning."
Remove Local Administrator Privileges
By providing users with Local Administrator access, you are granting the users the ability to install software on bank systems and are, therefore, increasing the risk of successful spyware, malware, or other malicious attacks. In many cases, there is no business reason for giving users this level of access. In the case above, if the user had not had Local Administrator privilege, the attack would have been stopped.
Multi-Factor Authentication for High Risk Systems
It is no longer acceptable or wise for users to only use passwords for accessing high risk (web-based) systems. Best practices now require at least two factors for authentication: "something you know" (password); "something you have" (token); and "something you are" (fingerprint). In the case above, if the bank had used true two-factor authentication, the attack could not have been so easily conducted from overseas.
Intrusion Detection System / Egress Filtering
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are often used to help identify, and protect against attacks. Traditionally, IDS systems monitored traffic from the outside in. Egress Filtering is the practice of monitoring and/or restricting the flow of traffic from the inside out. Some IDS/IPS systems today include egress filtering. Both of these technologies can help detect and reduce cyber-attacks.