By Robert Kluba, CISM, MCSE and Kevin Tsuei, CISA, CISSP, AuditOne LLC
According to a 2014 Verizon data breach investigation report, 17 percent of all data breach incidents against the financial services industry fall under either insider misuse, miscellaneous error, crimeware (malware) or cyber espionage. The remaining 83 percent includes web application attacks, denial of service, payment card skimmer, theft/loss, point of sales intrusion and everything else. While web app attacks, payment card skimmer and denial of service make up the top three data breach incident sources, these topics will not be our focus today since most community banks outsource their informational website and online banking platforms to third-party service providers. Our focus will be on the first four categories – the 17 percent – since they directly impact smaller banks’ internal IT infrastructure.
There are a number of steps community banks can take to limit the inherent risk of these incidents. A layered approach is one of the most effective ways to protect your institution. Such an approach includes not only malware protection on the end-point workstations, servers and web gateways but also, with user training, security measures and access controls.
Web Security Gateway
To block malware from reaching servers and workstations, the first layer should be a web security gateway. An effective gateway can scan for malicious URLs and malware before it reaches the internal network. According to a 2014 report published by Osterman Research, nearly three in four organizations have experienced malware infiltration through web surfing in the past year. A bank can configure a web security gateway to scan Internet requests and stop employees from downloading malware or accessing potentially dangerous websites. A proactive web security gateway provider can also scan web traffic to identify legitimate websites that may have been infected with malicious links.
The second most common type of malware infiltration is through email. According to Osterman Research, this is where 64 percent of malware infiltration occurs. Banks should ensure that mail is scanned for malware at the gateway level before reaching the mail server. The mail server should also have an antivirus client installed to scan for malicious attachments. In addition, management should consider restricting employees from accessing their personal webmail. Personal webmail is not scanned as rigorously as the bank’s inbound emails, so the chance of opening an infected attachment or an email with malicious links is greater.
Reduce the Attack Surface
In order to reduce the attack surface, or targets available for malware to exploit, management can take a number of steps. A bank should conduct a vulnerability assessment periodically in addition to its annual penetration test. This can help management identify the attack surface and reduce potential vulnerabilities. The IT department should also periodically review firewalls, security appliances, network devices and its server to ensure these devices are configured properly and updated periodically. We have conducted a number of penetration tests where we observed that unnecessary inbound firewall rules exposed critical server resources to the public Internet. In addition to reviewing device configurations, management should employ a hardening checklist to ensure all devices are configured with the same standards. The complexity of the checklist can be based on the institution’s risk profile. Lastly, a proper change management system can help detect unauthorized changes and misconfiguration done by IT personnel.
Ensure All OSs, Applications and Browsers are Patched
Banks should ensure they have a patch management program in place which is audited on a regular basis. Operating system and application vendors release hotfixes, service packs and security patches to correct known defects. These defects are known not only to the vendors but also to malicious hackers who design malware to exploit these vulnerabilities. Your managed service provider or internal IT personnel need to have a plan to test and apply patches when they are released. According to Trustwave’s 2013 Global Security Report, the top three client vulnerabilities are from Microsoft Internet Explorer, Adobe Flash and Oracle Java. Since many malware attacks occur with web browsing activities, it is critical that attackers are not able to exploit weaknesses with these web-based software programs. This can be done by keeping the browsers and plug-ins up-to-date or better yet by disabling unnecessary plug-ins when possible. In addition, application whitelisting can also help reduce the number of attack vectors. We observed from many of our clients that some of the vulnerabilities are a result of unapproved third-party browsers and software installations.
Restrict User Accounts
According to an article published by Avecto, a company specializing in Windows privilege management, removing local administrative rights on users’ workstations can mitigate 92 percent of critical Microsoft vulnerabilities. The research is based on Avecto’s analysis of all of the security bulletins issued by Microsoft in 2013. In fact, the most frequent online attack vector is Internet Explorer, and based on Avecto’s assessment, 100 percent of all vulnerabilities within Internet Explorer could have been stopped by removing access rights.
Data Loss Protection and Autorun
Another solution to stop common malware attacks is to disable autorun within Microsoft Directory Services and limit the use of portable storage devices. Disabling autorun stops malware from executing when a USB drive or CD/DVD media is accessed on the workstation. Malware can easily spread from these portable devices because they bypass the layered security that you have in place for Internet based malware. To limit the exposure of critical data, management should also enforce security group permissions and data classification so they can restrict who can access each type of data at the bank. In addition, periodic reviews of user accounts can help limit attack vectors. This includes reviewing for terminated users and vendor accounts; eliminating any generic, shared and default accounts; reviewing user and group access; and enacting unique and complex password policies across different applications.
Centralized Log Collection and Analysis
Management should also consider employing a SIEM device. A SIEM (Security Information Event Management) system can collect logs from firewalls, intrusion prevention systems, network devices, servers and workstations. The log collection is analyzed against a set of rules to help identify unusual activities and security events. In addition to implementing a SIEM system to monitor real-time security events, management should review the setting periodically to ensure data is being captured and the system is fine-tuned to eliminate noise and identify critical security events.
Many current malware attacks use social engineering. Management should provide information security training on a regular basis which explains the various social engineering threats and steps that can be taken to prevent a malware attack at the bank. Creating a security-aware culture at a bank requires time and involvement by senior management.
Often, a bank invests in door locks and security guards to deter the security threats it faces. Similarly, a bank can implement the methods highlighted above in order to deter malware security threats. Creating a multi-layered approach, reducing the number of attack vectors, maintaining your systems, restricting user access and administrative capabilities, blocking portable devices, and providing effective education are key steps to securing your bank from potential malware attacks.
Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 22 – June 2014.