News & Commentary

11:46 AM
Tom Hinkel, Safe Systems
Tom Hinkel, Safe Systems

New Threats, New Solutions: Combating Cyber Attacks

Small to medium-sized financial institutions need to reevaluate their own security controls.

Financial institutions of all sizes have found themselves the victim of advanced cyber attacks, with the most recent threats targeting small to mid-sized financial institutions. The FBI, in conjunction with Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3), has issued a fraud alert warning that criminals are using a multi-vector attack to compromise financial institution networks and initiate fraudulent wire transfers. What is striking about these attacks is that unlike the recent focus on strengthening merchant controls, in this case, the cyber attackers have targeted the financial institutions directly.

Institutions need to understand this attack, and use this opportunity to conduct “what if” training. This is also a good opportunity to reevaluate their own security controls, particularly employee security awareness training, and other emerging technical controls such as out-of-band authentication and secure DNS.

How Cyber Attacks Happen

Simply put, the attack uses a combination of SPAM and phishing emails, keystroke loggers, and remote access software to capture a financial institution employee’s authentication credentials. A successful attack results in an employee’s PC being taken control of by the criminal. The criminal then uses the employee’s authority to initiate and approve wires, potentially even overriding built-in transaction limits and other administrative controls.

It is important to understand these are not “proof-of-concept” attacks, but are actually occurring, and have resulted in attempted transfers ranging from $400,000 to $900,000.

How to Prevent Cyber Attacks

Preventing an attack in the first place is far better than having to detect and respond to one, and one of the best ways to prevent an attack is early recognition. A unique indicator of these cyber attacks is a denial of service assault just prior to or directly following the cyber attack itself. The financial institution’s website is targeted by a denial of service attack designed to slow or deny access to the institution’s website, distracting institution employees and preventing or delaying them from detecting fraudulent transactions. Financial institutions are advised to monitor for spikes in website traffic that may indicate the beginning of an attack.

Along with website traffic monitoring, the FBI alert lists 17 best practice recommendations for financial institutions to prevent and detect these and similar attacks. It is not surprising that the first five recommendations address the weakest link—the employee. Institutions have long known that the employee represents the single biggest threat to information security, and it is important to keep up the employee training effort even as emphasis has shifted recently to customer awareness training.

Many of the other recommendations should be familiar to financial institutions as well, including: restricting user access rights and login times, reviewing anti-malware and anti-virus defenses, implementing anomaly detection and utilizing IPS and “white-lists” to prevent connections to suspicious sites. Along with the best practice recommendations, the FBI alert also strongly recommends institutions implement out-of-band authentication for wire authorization. This is where the final authentication approval for an electronic transaction is sent back to the originator via a communication channel other than the one used to initiate the transaction.

For example, if a PC is used to originate the transaction, the final authentication code might be returned via a mobile phone or even a fax machine. Additionally, consider using a secure DNS service (at both the institution and the customer). This service only allows Internet traffic between trusted sites, greatly reducing new malware infections and shutting down channels of infected systems. These two controls can be implemented by financial institutions now, and will do more than any other layered controls to significantly reduce the incidence of fraudulent transactions.

Tom Hinkel is the director of compliance for Safe Systems

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.