In August 2009, Israeli hacker Ehud Tenenbaum, aka "The Analyzer", plead guilty to a single count of bank card fraud for his role in a sophisticated computer-hacking scheme that scored over $10 million from U.S. banks, some reportedly from Texas. Attacks on U.S. banks, such as this example, seem to occur more and more frequently. This increase in attacks coupled with economic strains that cause many banks to cut security budgets have many skeptics predicting 2010 could be a worse year for security breaches. In this article, we will look at the top emerging information security threats banks will face in the next year.
1. Malware (steady threat)
Malware, short for malicious software, includes viruses, worms, spyware, Trojan horse programs, etc. Malware has been a steady contender as a top threat for the past several years, and makes our top list of threats for 2010. While it is not a new threat concept, many banks still do not have adequate controls to reduce the risk to a manageable level, and new types of malware are introduced daily.
- Install antivirus software – Ensure antivirus software is installed on all systems and set to look for updates hourly.
- Install antispyware – In many cases, antispyware is included in the antivirus product.
- Manage patches – Incorporate a process to ensure all software stays up-to-date. Besides installing Microsoft patches, also make sure to patch other software such as Adobe and Java.
- Limit local administrator access – Without local administrator access, many types of malware cannot install or run. Note, in some cases, critical software requires users to run as local administrators, but where possible it is best to remove this level of access.
- Restrict the use of removable media (e.g. USB drives) – When removable media, such as USB drives, are not controlled, employees may plug personal drives with infected files from other systems into your network.
- Filter email – SPAM filters help to keep emails that contain malware or links to websites with malware out of your employee’s inbox.
- Control Internet content – Since a vast majority of malware originates from the Internet, restricting and/or monitoring Internet access can reduce the number of vulnerable sites that are visited.
2. Social Engineering (rising threat)
We train our employees to provide excellent customer service. Most traditional social engineering attacks capitalize on this vulnerability. Below are a few types of social engineering attacks we see in banks today. Note many of these attacks are actually originating from foreign terrorist groups, some of which are funded by foreign governments. So, many of the people attacking us are in a sense just showing up for work each day.
- Phishing – The term "phishing" was originally used to refer to attacks via instant messaging; however, phishing attacks of today are usually done via email. For example, a perpetrator could send an email to bank customers. The email appears to come from the bank and asks them to visit a website and input confidential information (i.e. bank account, credit card, etc.). If a customer responds, then the perpetrator succeeds.
- Spear Phishing – Spear Phishing is a targeted phishing attack in which the perpetrator makes the message appear to come from your employer.
- Whaling – Whaling is similar to phishing, but uses company biographies and online profiles to specifically target executives or Board members. For example, if your bank has a bio of each of your executives, and in the bio of your President, it states he graduated from TTU and enjoys playing golf, then your President might get a fraudulent email asking him to play in a charity golf tournament for TTU and send him to a spoofed website to gather information (e.g. credit card, etc.).
- Vishing (voice phishing) – Vishing is similar to phishing, but solicits confidential information over the phone instead of email.
- SMiShing – SmiShing is similar to phishing, but uses SMS text messages.
- Pharming – Pharming is where the attacker redirects a website’s traffic to another, fraudulent website.
- Dumpster Diving – A perpetrator digs through trash in bank dumpsters to pull confidential or critical information.
- General technical controls such as a firewall, internet content filtering, antivirus software, anti-spam software, and patch management can help reduce or eliminate many phishing attacks.
- Security awareness training – Train employees on how to spot and avoid social engineering attacks.
- Do not trust any site you are not familiar with.
- Do not click on hyperlinks in emails. Instead, type in the address or copy it into your browser.
- Verify websites asking for confidential information are secure (the browser address for a secure website begins with "https://").
- Testing – Regularly conduct social engineering tests to see how your employees will react.
3. Mobile devices (rising threat)
Bank IT departments are feeling an increased pressure to support more mobile devices on the bank network. At first, many banks tried to standardize on one type of phone, typically the Blackberry due to the control they received from the Blackberry Server. However, with the craze of the iPhone and other such smart phones, we see a push (generally from upper management) to expand the types of supported mobile devices. Sometimes a smart phone can seem indispensable and we wonder how it was ever possible to work without it! However, high-risk companies must always maintain a balance between accessibility and security.
- Technical controls:
- Blackberry Server – Blackberry devices can be managed through a central Blackberry Server, and security controls can be pushed through IT policies. The Blackberry server currently provides the most security options, including password controls, remote wipe, and encryption.
- Microsoft Exchange Server via Microsoft Exchange ActiveSync (EAS) - iPhones and Windows Mobile devices can be centrally managed through Microsoft Exchange. Some security controls that can be configured through Security Policy include: remote wipe, enforce password, minimum password length, maximum failed password attempts (before local wipe), password complexity, and lock after inactivity. Note: beginning with Windows Mobile 6, you can control storage card encryption.
- Patch management – Vulnerabilities in smart phones continue to be found, and new patches are released; however, for most smart phones, there is currently not a good way to force patches to the devices. In many cases, updating the software on smart phones turns into a manual process.
- Training – Train employees to treat their smart phones (phones that receive email or store data) similar to a laptop. Keep it safe and secure, and report it immediately if it is lost or stolen.
4. Data Loss (steady threat)
It seems not a day goes by without some news clip about a company losing a laptop, backup tape, or USB drive with confidential customer information on it. The company must then notify their customers of the potential breach. Since most customers hold their bank to a higher standard of security than other companies to which they give their confidential information (like a TJ Maxx credit card), the reputation risk a community bank will sustain due to the notification can be substantial.
- Good incident response plan – Have a good plan in place to help reduce the impact of an incident.
- Encryption – Ensure laptops and appropriate mobile devices or media are encrypted to eliminate the "reasonable belief" that the data on the device is compromised. This will substantially reduces the likelihood of having to notify customers.
- Training – As with many security threats, training employees to use "common sense" when transporting confidential information (whether by laptop or paper report) is one of your biggest defenses.
5. Internet attacks (rising threat)
Banks continue to rely more and more on the Internet as a mechanism for promoting and delivering products and services. By moving to the Internet, we are expanding our threat landscape from local or regional threats to global threats. We must be diligent to take the care needed to protect ourselves and our customers from unwanted attacks.
- Technical controls – Firewall, Intrusion Detection System (IDS), patch management, antivirus software, etc.
- Multifactor authentication – Multifactor authentication is used to authenticate or verify the identity of a person. The three types of authentication that can be used include: something you know (i.e. password), something you have (i.e. debit card), and something you are (i.e. finger print).
- Two-way authentication (also called mutual authentication) – Two-way authentication refers to an end user authenticating themselves to a server, and the server authenticating itself to the user in such a way both parties are assured of the other’s identity. This authentication process is most commonly done by requesting a username from the customer, then displaying a known and preapproved image or statement to the customer (authenticating the server) prior to the customer entering his or her password.
- Secure forms - Use secure forms (rather than email links) for Internet communication with your customers, therefore eliminating the possibility of your customers sending confidential information in clear text over the Internet.
- Secure website – All customer sign-in pages and forms should be secure (encrypted via SSL); however, it is best to secure the entire bank’s information website.
- Training – Train your customers to look for the normal indications of a secure website (a lock at the bottom of an Internet Explorer window or https:// at the beginning of the website’s address).
- Testing – Conduct regular external security tests to see how visible and vulnerable you are from the outside.