Banks and financial institutions are increasingly the target of cyber attack and it is becoming more and more apparent that those out to stop such attacks have accepted that you can’t stop them getting in. You have to stop them getting out.
Dana Tamir, director of enterprise security at Trusteer, one of the largest IT security companies working with financial institutions, says: “Do whatever you like inside but with our service you won’t get out”. Is this a valid attitude for the security industry to have - that stopping the bad guys getting in to your network is impossible?
It is a viewpoint which we will be examining in the weeks to come. It is now becoming rather a trite saying that any system is only a secure as its weakest link and the weakest link is humans. Endless work over the years has gone into stopping malware attacks from entering the network but as devices and applications multiply and social media becomes the norm, controlling this has become increasingly hazardous.
“Blacklisting and detection have been by-passed” says Tamir, “…what you need now is application control”.
The malware is now exploiting the applications such as the web browser, Adobe Acrobat, Flash, Java and Microsoft Office among many others and, since they are difficult to remove they need to be controlled.
There are so many potential attack surfaces (the security industry likes to call them attack vectors) that the security industry says one piece of software alone will never stop all of them.
So how do the banks protect their and their customers, main attack vectors?
Trusteer’s approach is to monitor the actions at the endpoint, the way out of your network, and by applying its deep application knowledge it associates what the application is doing with why it is doing it. If approved then it white lists the application state. Anything which is not white listed gets blocked.
A recent attack on a UK bank is a classic example. The bank customer logged onto his online account using his two stage log-in security procedure and then found what appeared to be a message from the bank asking him to configure his one-time password service. He completed the secure sign-in and thought he was with his trusted banking provider and naturally assumed that the message was from the bank.
It wasn’t. The malware stays silent inside until the customer believes he is secure. By entering the one time password the customer enables the malware to complete the transfer of his money out of the system.
Stopping this at the endpoint is now deemed, by many, to be the key action rather than plumbing the labyrinthine data vaults and processes within a system. (We’ll look at the problems associated with this in subsequent articles).
A network manager for one of the UK’s leading banks told us: “Security vendors have no strategy any more - all they have are tactics to avoid the next attack. I am getting increasingly frustrated about the fragmentation and increasing retreat of many security vendors from protecting the enterprise. On the plus side it’s good that they have stopped exaggerating how much of our attack surfaces they can defend. We need more companies suggesting intelligent protection such as automation of security certificates to mention just one.”
“Build anything inside, open anything and exploit whatever attachment we don’t care, we will stop it coming out,” says Tamir. Her company has specialised in what are called endpoint applications and its new product Apex is being heavily targeted at financial institutions many of whom have long used Trusteer products.
Would such a process have stopped the recent exploitation of the US and UK stock exchanges when a fake Twitter feed on the Associated Press website told of explosions in the White House? The Dow Jones plunged, albeit briefly, 144 points and Treasury bonds and gold prices rose markedly.
There is more than a suspicion that the criminals will have bought at the bottom of that brief plunge and sold successfully when the prices returned to normal once it was realised that the stories were fake.
“Malware can hack into the users endpoint Twitter account, post malicious Tweets and see the benefits,” says Tamir. And, more recently, we have seen the Dutch financial market exploited in a similar way and The Guardian attacked via its Twitter account, allegedly by the Syrian army.
Clearly with social media being a growing commercial tool it is difficult enough to stop your own staff sending inappropriate messages never mind being exploited by malware. The endpoint control – stopping anything that has been delivered – is becoming a major security focus.
It seems that the banks need as much help as the rest of us.