Risk
11/9/2010
11:45 PM
50%
50%

Taking Cybersecurity Lessons To The Bank

Lessons learned from frequent attacks make banks good role models in defending against bad guys

Banks are under attack -- not so much from gun-toting bank robbers, but from sophisticated cybercriminals.

Using programs such as Zeus to compromise customers' PCs and siphon money from their bank accounts, cybercriminals stole or attempted to steal nearly $100 million in the first three quarters of 2009, according to the Internet Crime Complaint Center. Traditional bank robbers on average stole $4,029, and all the U.S. bank robberies in 2009 totalled about $35 million, according to the FBI's Uniform Crime Reporting (UCR) project.

"Criminals are out there right now harming both the commercial account holders and financial institutions," Sari Stern Greene, president of Sage Data Security, told attendees last week at the Cybercrime Symposium 2010 in Portsmouth, N.H. "And every time this happens, it harms the whole community."

Banks have the money, so they are today's targets. But they aren't the only ones. Zeus and other malicious programs can easily be used to provide access to corporate PCs in other industries as well. For that reason, security managers should look to what's working -- and what's not working -- for the banking industry, say security experts.

Even the most educated customer may not have a defense against a targeted Zeus attack. For that reason, James Woodhill, founder of Authentify and a cybercrime policy expert, argues that education is not the answer.

In his presentation, Woodhill pointed out that it took a noncontroversial medical practice -- the use of penicillin -- nearly 30 years to spread out to general medical practitioners. Innovative defenses against cybercrime could take just as long, he says.

"Education won't help a bit -- not at this scale," Woodhill says. "It takes a long time to get information through to a large group of people."

But being aware of the problem can at least help consumers know their options, argues Sage's Greene. "The challenge is how to inform customers without scaring them away," she says.

Any company that allows users to access corporate data from laptops or home computers is importing risk, says Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham.

"Work from home equals risk at home," Warner says. "If one of your employees has Zeus on their computer and they work from home, then so do their friends in the Ukraine."

Companies should have quarantine zones for home computers and laptops that have left the company premises until their security can be verified, Warner advises.

In the online world, attributing attacks is difficult, which makes online theft an attractive crime.

In the physical world, bank robberies are a low-percentage crime. They account for only about 2 percent of all robberies -- and arrests are made in 60 percent of the cases, according to the FBI's Uniform Crime Reporting (UCR) program. In the virtual world, criminals conduct attacks from safe havens where laws are vague or law enforcement agencies don't often pursue online criminals.

To prosecute cybercriminals, there must be attribution, experts say. But many companies want to clean up the crime scene -- their computers -- and sweep the incidents under a virtual rug. Companies should stop hiding these incidents and pursue investigations of attacks that use Zeus and other malware, experts say.

"If you go in and delete malware off a computer, you don't know why they got the malware, you don't know where the malware came from, you don't know what it might have stolen while it was there, you don't know what data left your company because of the infection, and you don't know if the user understands how he got infected so he won't go do it again," UAB's Warner says.

The current attacks on banks also show the limitations of both application whitelisting and intrusion detection that depends on blacklists, such as antivirus tools, observers say. Blacklisting cannot keep up with the changing threat, and whitelists are too hard to maintain in general-use computing environments, says James Lyne, a senior technologist for Sophos.

"Any one control fails to deal with the threat," Lyne says.

Rather than make binary decisions, organizations should use blacklists and whitelists -- plus reputation and other information -- to help decide whether to allow access to a user, Lyne says. In addition, companies and banks need to use policies and controls to make security a foundation of their corporate culture, he says.

Banks are good at building process controls that help protect them against fraud, says Rick Simonds, CTO of Sage Data Security. "You need controls," he says. "You have a lot of controls on bank employees, and that helps them with security."

But while some banks have a lot of controls to detect fraud committed by insiders, they don't always monitor outside transactions in as much detail, Lyne says. A good defense should account for both the external threat and the internal threat.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4467
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3, does not properly determine scrollbar boundaries during the rendering of FRAME elements, which allows remote attackers to spoof the UI via a crafted web site.

CVE-2014-4476
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4477
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4479
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4480
Published: 2015-01-30
Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.