Banking Malware: End Users are 'Achilles Heel'
This is the warning from Rocco Grillo, managing director of Protiviti's technology risk practice. In an exclusive interview, Grillo discusses:
- The most prevalent malware threats today;
- What banking institutions are most overlooking;
- Solutions - which are most and least effective?
Protiviti is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. Grillo leads Protiviti's New York Metro / New England Security & Data Privacy Practice. He is a Certified Information Security Systems Professional and also is a co-founder of the IT Policy Compliance Group. He is a member (I-4) International Information Integrity Institute Research Steering Committee and has served on the Board of Directors of the NY Metro ISSA Chapter.
With over 20 years of technology and information security experience, Grillo has managed and delivered high quality security services to a variety of clients in financial services, healthcare & life sciences, media, and other industries. He provides clients with expertise in Security Assessment, IS Governance / ISO 27001 strategy development, IT Risk Management and data privacy compliance services.
Grillo led the development of Protiviti's Security Metrics and IS Governance methodology in partnership with the I-4 organization and Financial Services firms. He also assisted in the development of the Protiviti Payment Card Industry compliance service offering and manages Protiviti's relationship with the PCI Council enabling Protiviti to serve as a PCI Qualified Security Assessor.
TOM FIELD: Just to get us started, why don't you tell us a little bit about yourself, your role with Protiviti and for people that aren't familiar with the organization a little bit about Protiviti as well?
ROCCO GRILLO: I have been with the firm for roughly seven years. Prior to that I helped build a firm out of Carnegie Mellon University, a managed security services firm, and prior to that I was with Lucent Technologies.
Protiviti is a wholly owned subsidiary of Robert Half International, and we are an independent risk consultant firm focusing on business risk, technology risk, as well as internal audit services. Protiviti is a global firm of over 60 offices around the world with roughly 3,000 employees spread out throughout the world.
FIELD: So, Rocco, let's talk about malware. Answer the question we talked about up front - what are banking institutions most overlooking right now?
GRILLO: I think the biggest thing that the banks are overlooking is that malware is not easily understood. And when I say not easily understood, it's not so much that they don't know what it is, as much as how to combat it and moreso where is the achilles heel? Because while financial institution after financial institution implements controls, it's the end user, whether it's an employee or a banking customer, that really is not aware of the risks that are involved with malware.
The other piece that I think we have seen a lot is the expertise and detecting and mitigating a lot of the risks that are out there. We are in a time where the Internet has evolved to touch everybody in one shape or another, and not just from our business world but even spreading over onto our personal world, and I think what you are starting to see is both worlds are starting to converge.
In the past, we used to have scenarios where companies would try to put directives out there that you wouldn't go to certain sites, whether it was social networking or something along the lines of doing online banking during business hours, or things along those lines. But as the internet has continued to evolve, it is part of our everyday activities, and we work with some companies along the lines of whether or not to permit social networking -- and social networking is an incubator for social engineering, which is one of the tactics that are applied when malware comes into the space.
So in terms of what are they overlooking, I think it's the awareness of both their internal employees as well as customers, coupled with not trying to detect this with a single solution. I think banks need to have layered controls, defense in depth if you will.
Other things that we have seen a lot of: sophisticated attacks with encryption because while the controls are there in place to detect signature based malware, there are a lot of the anomalies that are out there that may be taking place. Encryption is a perfect example where you may think that it is legitimate traffic that is going back and forth, when in reality it is encrypted, and you really don't know what type of traffic is traveling along the Internet.
FIELD: Well, Rocco, we all know about the Zeus botnet. What are some of the prevalent examples of malware we are seeing today beyond Zeus?
GRILLO: I think the drive-by downloads, for example the Mariposa, or signature agnostic types of attacks along the lines of - I'll go back to the end user going out to a lot of these sites where a piece of malware or a link to malware will be on a third-party site. Now whether it's a social networking site or a company-owned site, you are going out to these sites with the intention of thinking you are going to a legitimate site, and a lot of the controls that are out there are able to detect sites that you shouldn't be going to or malware that may be out there, but when the links are embedded into the pages, a lot of times the controls that companies may be using don't detect this.
So I think it goes back to the end user again going to a lot of these sites that appear to be legitimate, but at the end of the day may have a link that takes it to a third party that will lead to some type of malware attack.
FIELD: Now, what do you see as differences between what a banking institution might see internally versus what a banking customer might see? I am thinking of all of the instances we have had of ACH and wire fraud where it has been an error on the customer's end that has lead to the malware coming in and doing its damage.
GRILLO: Well, that's a good question. I think on the banking side, especially the major financial institutions, they have continued to preach security awareness and trying to drive the points home, but to my earlier point that the end user is the achilles heel of any company for that matter or safeguarding any PC. The controls that are in place, whether it is someone in the IT organization or on just a general end user at a company, they are continually being advised of the different risks that are out there. But again, just advising someone of their risks is only one piece of the puzzle.
Being able to educate individuals or end users is one step, but having the controls to help them acknowledge or recognize that just because they are cautious doesn't mean they are 100 percent secure. You can have someone that is downloading something as simple as an Excel spreadsheet on payroll, for example. They can take a look at that, but there can be malware in that Excel download that they have, and while they think they are taking a look at the different salaries, numbers and figures, there is other malicious activity that has been launched that is going on in the background. So while there is all of this education going on and controls being put in place, I think it is staying ahead of the curve of emergent threats that are out there.
On the individual, the banking customer, the banks are really struggling with trying to educate customers. Again, whether you are an employee and you know what the policies are and you have been told or educated on the risks that are out there, as an individual, banks and other financial institutions are trying to educate the end user, but ultimately that end user that is doing their online banking is the same person that is doing eBay transactions or just going out to some of the social networking sites.
I don't want to harp on the social networking aspect of it, but it's moreso those are areas of the unknown where the identity of the sites or the individuals that you are communicating with are not validated, and it is readily available for a cyber criminal to exploit someone's vulnerabilities or identity for that matter.
I think some of the areas that grow concerns when you start mixing the Main Street user with the corporate user are a lot of these PDF exploits that are out there, or a lot of the Java script attacks that are out there, anything with a flash reader, any of these sites that you can go out to whether to download a video, music or whatever the case may be, there are all breeding grounds for malware. End users that are exposed to those types of areas can very easily bring it into their online transactions with the financial institutions.
FIELD: Well let's talk about solutions, and when I say "solutions" I would like to include education in that as well. What do you find to be effective and what do you find to be ineffective?
GRILLO: Well, I think education is one of the biggest pieces, but again, while you can have all of the education in the world, if you don't have your standard people/process/technologies approach to it, education is only going to get you so far.
A lot of times we hear from companies that have been either compromised, exploited or whatever the case may be and they will come back with, "Well, we have antivirus software or we have firewalls in place." The biggest piece is that one of those is not going to solve this. The way to take this on is with layered controls, and not necessarily just from one specific vendor, or software manufacturer. You can go out to any of the analysts that have ratings on all of these different solutions, and it is not to implement the same solution, but it is moreso a layered approach, having multiple types of controls in place that address different pieces.
We talked about third parties. A lot of times employees will reach out to third party sites and things along those lines, and it doesn't necessarily need to be social networking; it could be just part of their business, having multiple controls along different parts of the network, whether it is the network side, the server side, firewalls and so forth, as well as anti-malware software and so forth for applications.
Realistically, having that defense in-depth approach is the way to take this on. Monitoring and logging is another big one that companies should be implementing. All too often we are putting controls in place to capture signature attacks. In reality, you should be looking for anomaly detection as well. There are a lot of technologies out there that do a pretty good job at addressing that.
I think one of the other pieces, and easier said than done, but limiting access to the Internet. If you are a company, there are a handful of reasons why an individual user needs to get out to the Internet. Again, I am not saying shut it down by any means altogether, but allow it where appropriate, whether it is external web mail, social networking is one that we continue to struggle with as an industry, downloads, email monitoring and so forth, secure remote access, VPN work from home type scenarios, the telecommuter and into a virtual desktop environment rather than the internal network.
FIELD: So from your perspective Rocco, what do we need to do to prepare for the next generation of malware? What's coming down the pike?
GRILLO: I think the biggest piece is not so much what's the next vulnerability coming down the site -- because attacks are happening as we speak -- but it is moreso on an individual corporate basis and communicating those types of exploits from an organization.
As a standalone organization, you need to take a look at your current environment, assess your vulnerabilities, review all of the ingress and egress points, what's coming in and what's coming out, include vendor connections, assess how much visibility you have and to what users are doing on the network and what kind of traffic is in on the wire.
We talked about the end user; one of the biggest things from a corporate standpoint that is out there is not just focusing on the infrastructure, but also really focusing on your patch level for both OS level as well as the network level. All too often we are focused on the perimeter and the infrastructure itself, but having controls in place for desktops as well as servers is key to making this happen.
Log monitoring -- more and more companies have been implementing solutions. A lot of companies have come to us asking for guidance and advice on the right solution. I don't want to say that one solution fits all, but at the same time there are a lot of industry leading solutions. The key though is to make sure you have some type of log monitoring going on. Things like how are things being monitored from the web, from email, internal traffic as well as external traffic?
Ultimately, I think companies need to take a step back and take a look at the state of affairs. Don't assume that "We haven't been exposed to an attack in a while, so we must be secure." Always try to stay one step ahead of the exploits, and the way to do that is with the layered approach, but again, continuing to educate the end user.
FIELD: Rocco one last question for you: If you could boil it down to just a couple of points, what do banking institutions need to be doing now to, one, access their current vulnerability and two, and most importantly, to protect their customers, their consumers, and the business customers both?
GRILLO: Be aware of emerging threats. I think we go back to the point that I said earlier: multiple layers, as well as identifying particular anomalies that may be in place. I think one of the things that are really critical is that most financial institutions have state of the art incident response programs. A lot of that, from a regulatory standpoint and so forth, you should be able to respond to an attack and not just a sophisticated attack, but also pretty much any type of attack that comes your way.
When you get into malware, we get into real sophisticated attacks, and a lot of the attacks that are out there we are not that familiar with. So, from a malware standpoint we know that they are prevalent, they are effective and most of all they are damaging, so realistically companies need to define their response strategies should they identify vulnerability, and it should be core to the objectives of the overall response plan.
The plan should address malware incidents based on a proven framework and methodology. It should be flexible enough as well to address the IT as well as business operations, but at the same time flexible in the sense that as these new exploits come out, the organization is ready to respond to it rather than being caught in a reactive mode.
I think on the banking side I am going to drill the point home one more time: education. There is the control internally; externally continue to educate the online banking customer. There are some banks and financial institutions out there that have been offering free antivirus software to ensure that not only to educate their customers, but at the same time drive the point home that "We are serious about security ... we want to make sure you are secure as well and serious about it," and they are providing courtesy antivirus software.