Fighting Malware: A Team Effort

New BITS Report Stresses Collaboration

Malware is more prevalent than ever before, and if institutions plan on combating it, they'll need to join forces with other entities.

To enhance security and mitigate fraud risks, banking institutions need to collaborate with customers, says Greg Rattray, vice president of security at BITS.

In a recent report from BITS, part of The Financial Services Roundtable, entitled "Malware Risks and Mitigation Report," the agency stresses that malware is evolving and that it's a threat to both financial institutions and their customers.

Institutions can work to mitigate the problem on their own, but it will take collaboration to bring better results, says Greg Rattray, vice president of security at BITS.

"The speed at which malware is evolving, the volume of malware and the increasing sophistication all point to the fact that institutions and individuals ... need to work together to mitigate it," Rattray says in an interview with Tracy Kitten [transcript below].

The report offers steps institutions can take to mitigate risk. The purpose of the report, according to Rattray, is to characterize the nature of the risk, provide practical steps institutions can follow to manage those risks and ask institutions that are part of the Internet ecosystem to engage with one another to stop this problem.

During this interview, Rattray discusses:

  • Why it's critical that financial institutions keep up with evolving malware tools;
  • Why the financial-services industry must be careful about how it positions itself to fight and thwart malware attacks, since no one-size-fits-all solution exists;
  • The role collaboration across the Internet ecosystem is expected to play in the fight against malware.

As senior vice president of security, Rattray leads the BITS Security Program in developing sound practices and successful strategies to secure infrastructures, products and services. Prior to joining the Roundtable in September 2010, Greg was the chief internet security advisor for ICANN, the Internet Corporation for Assigned Names and Numbers, and a founding partner at Delta Risk LLC, a cyber defense, resiliency and risk management consulting firm. While at ICANN, Greg worked with BITS/Roundtable staff and members as the industry developed recommendations for the global domain expansion program. Previously, Rattray served 23 years in the Air Force, where he served as director for cyber security on the National Security Council and the President's Critical Infrastructure Protection Board.

He is a full member of the Council on Foreign Relations; a member of the Cyber Conflict Studies Association Board; and a member of the Armed Forces Communications and Electronics Association. He holds a master's degree in public policy from Harvard University and a post-graduate degree in international affairs from Tufts University, with distinction. He is the author of "Strategic Warfare in Cyberspace."

TRACY KITTEN: The new report from BITS, entitled "Malware Risks and Mitigation Report," aims to serve as a guide or a tutorial for financial institutions when it comes to identifying and fighting malware. Can you provide us with a summary of some of the information contained in the report?

GREG RATTRAY: Sure. As we look at the recent set of high-profile incidents, which certainly reached well beyond financial institutions, and the growing challenges, malware is a fundamental piece of the evolving risk in that area. Certainly prior to the recent set of incidents that have been reported, we think this is a challenge that has been with us that the institutions have responded well to. What we wanted to do is highlight that it was evolving and what institutions could do going forward.

The report has really three main components, which describes malware as a risk to both financial institutions and their customers, and focuses on its evolution. This is something that changes and therefore the response to it from the banks and their customers needs to change. We describe the nature of the risks and how banks can work on ensuring their integrity as institutions and assist their customers. And we suggest that we need to go farther than just the banks themselves and their customers, but work with others throughout the Internet ecosystem in order to remove the malware threat to the extent possible and mitigate these risks.

KITTEN: What entities or agencies did BITS work with to develop the report?

RATTRAY: This report was developed in the fashion that BITS does most of its work. The core of the group was BITS-member institutions, people in financial services institutions, working the problem day to day, knowledgeable of the best practices that the institutions have and how to effectively address these issues. But, as with other sorts of efforts within BITS, we do reach out to others. In this case, we worked with the Financial Services Information Sharing and Analysis Center [FS-ISAC] who also clearly has a role with the industry and understands threats like malware and the responses. We worked closely with them.

They'd also recently done a report in this area, and we wanted to make sure our work was well synchronized with theirs. Then the final partner we'd mentioned is Verisign's iDefense organization. They provided a lot of their research material. It's also probably worth noting that iDefense helps staff the FS-ISAC effort. It's a team effort within the key institutions in the financial services sector working on security risks.

Cybersecurity Challenges

KITTEN: And just the fact that all these different entities have come together to focus on this will probably answer my next question, which is, how serious is the cybersecurity threat facing today's marketplace? And that would include not only financial services, as you've rightly noted, but industries overall.

RATTRAY: I think we've seen a strong up-tick in the kind of concerns related to cybersecurity. It's the acknowledgment that as we become more dependent on IT - both within financial services and more broadly as a society - if not well addressed, we will take on substantial risk because the threat is challenging. The speed at which malware is evolving, the volume of malware and the increasing sophistication all point to the fact that institutions and individuals, having to deal with this growing threat on a technical level, need to work together to mitigate it.

In terms of financial services institutions - because of these technological tools, malware can be used by criminals to conduct fraud and affect both the institutions themselves and their customers. We have to address it. As I mentioned toward the top, this isn't new within financial services. We've been doing a number of banking functions online, using the Internet and cyberspace for a long time as a broad metric. And institutions have been managing this risk for that period. Again, I think as a society we understand it better. As customers become more aware of it and ask questions of the institutions, we need to continue to evolve that risk management which involves being aware, the ability by the institutions to adapt with how they're doing business in order to protect themselves from this growing concern.

KITTEN: This report delves into malware generally, but what's the purpose of the report? Does it actually offer solutions or steps that financial institutions can take to help mitigate their risks?

RATTRAY: It does offer steps to mitigate risk, and I'm glad you kind of put it in those terms. I would be cautious about the notion of solutions. Yes, it's nice when a technological tool takes a certain technological threat off the table. But in general, this is a risk management challenge, and the purpose of the report is both to characterize the nature of the risk right now and provide practical steps in order to allow financial institutions to manage that risk. There's a strong section that describes how financial institutions need to set up their malware detection systems and their response programs in order to recognize and remove malware, if that becomes a problem for a given institution. Then, in a very interesting portion of the report, there's a call to engage with others in what we call the ecosystem - the full set of people that actually operate the Internet and connect customers and suppliers to institutions: Internet service providers, domain name system and web hosts. In collaboration with those operating organizations, we need to help remove the malware and mitigate these risks.

Customer Awareness

KITTEN: That's something we've talked about quite a bit in the industry over the course of the last several months, as we've seen a number of these incidents strike not only consumers but also financial institutions and other businesses. When it comes to customer and member education, how much can institutions really do to ensure that their customers and members are doing a better job of protecting themselves when it comes to ensuring that their accounts are safe and that their identities are safe?

RATTRAY: I think this is a major aspect of what financial institutions are focused on in terms of protecting themselves as they protect their customers. Most of the financial institutions work hard at providing information and even tools to their customers to protect their personal information and the transactions that occur when they're doing online banking. There are limits to this, in the sense that engaging to use the Internet to do transactions is complicated and the average user can be educated but is not perfect. Therefore we have to make sure that we've got more layers of defense than education for our customers. But the institutions work hard on that. It's a big aspect of the BITS program. Within the security program, we have a security, education, and awareness subgroup that brings together the people in the financial institutions responsible for education programs, both their own employees but also for their customers. We make sure that we disseminate lessons and best practices. Going forward, we're looking at the risks posed by social media use by banks and their customers, and trying to make sure that the education best practices are out there.

KITTEN: And does the report actually go into tips that financial institutions can use when it comes to consumer education?

RATTRAY: No, not as much as it focuses on other areas, largely because it's a BITS report and because we have a strong education and awareness program. This report wasn't really focused on that. It does address end user responsibilities related to maintaining and updating software and protecting key information like their PIN numbers. There are some recommendations that are focused on consumer education, but what I'd like to point out to people is we work with a number of organizations. The National Cyber Security Alliance, being the leader nationally, is very much focused on the right things. They have a stay safe online campaign, Stop. Think. Connect. We like that message. It works for the types of risks that we address with our institutions and the customers of those institutions. This is an area where I think partnership and getting the right message out to people in general is important, and we're working with NCSA and others to do so.

KITTEN: Going from the report to cybersecurity generally, can you tell us what you deem to be the top three to five takeaways all financial institutions and organizations generally should be considering when it comes to malware threats?

RATTRAY: Because this is a threat that's evolving quickly, effort needs to go into staying aware of how the threat is working, how different techniques and tools are evolving and making sure that you have the right information in order to protect yourself, your users and customers appropriately.

Secondly, I would focus on that this is a risk management issue. It's not an issue where a single solution is going to work easily. It's one that's probably on us for a considerable period of time, at least in the current Internet environment. So we need to make sure we are able to adapt the institution's information technology and security practices as the threat evolves. And it's going to mean constantly working with customers as new risks emerge and making sure that customers are provided the right information to help manage that risk.

And finally, I want to return to the theme of working with others and collaborating with the operators in the Internet ecosystem. Financial institutions can do a lot on their own and with their customers, but we need ISPs to keep infected machines off the network, domain name system operators to take offline domain names that are being used for phishing and web hosts to take malware off of hosted sites. It's a team effort and I think we want to work as a financial services sector with others to reduce the overall risk to cybersecurity, with certainly a strong benefit to the financial services sector.

KITTEN: And finally, can you tell our audience how they can obtain a copy of the report?

RATTRAY: That should be pretty easy, Tracy. You can simply go to, and in the upper left-hand portion of that initial web page is a link to publications. If you click on publications, on the top of the publications list right now is a link to the malware report.

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
