3 Security Tips for Small Banks and Credit Unions
February 22, 2019
The financial sector is bombarded with malicious files designed to infiltrate networks at a rate far higher than the average across all industries, according to a report by the cybersecurity firm Lastline.
One in every 340 web or email transactions contained malicious files, higher than the average of one in 500, according to Lastline, citing their 2017 “Malscape Monitor Report.”
“While this may appear in relative terms like a very small number,” states the report, “when one considers the total volume of email attachments received and webpages visited in any given day by financial institutions and finance departments, the volume of malicious samples escaping detection can become quite large.”
In addition, one in 10 malware samples found in the financial sector displayed advanced behaviors, meaning that they were able to better stay hidden, steal credentials and avoid both static and dynamic analysis, the report states. This compares to one in 12 across all industries.
Malware's Benign Appearance Can Make User Protection Difficult
“These behaviors are able to appear benign to security scanning and avoid the submission checks in the security process,” the report states.
Frank Dickson, research vice president with IDC’s security products research practice, says that it’s clear that smaller banks as well as larger ones must have good messaging security, given the scope of the email threat.
“We have to stop blaming the user and saying that too many of them click on bad links,” Dickson says. “The bad guys are so crafty today that trained security people click on bad links. We have to provide users with the tools to eliminate the problem. It’s our job to make sure that a bad file never gets to their inboxes.”
Keyloggers, Trojans Create the Biggest Threats
Keyloggers are among the primary threats found in analysis of the top threats, according to the report. Keyloggers typically send victim credentials via Simple Message Transfer Protocol or FTP to a server under the keylogger operator’s control.
“As banks improve their security, the bad guys have to raise their game,” says Andy Norton, Lastline’s director of threat intelligence. “The keyloggers appear as valid system files that run in memory and look to steal credentials and sniff traffic in an internal network.”
Other threats include trojans attached to Microsoft Office files and the specific iSpy keylogger tool.
“It’s clear that the bad guys are looking to steal credentials to gain access to networks,” Dickson says. “Malware today has become stealthier. The bad guys are more apt to use legitimate applications to embed a macro in a Word document than spread a file with malware.”
Security Tips for Small Banks
Here’s a list of security tips from Norton and Dickson that small banks should consider:
1. Raise security awareness. Norton says small banks need to understand that breaking into financial institutions has become a prevailing strategy for nation-states, criminal groups and hacktivists. Small banks are under the same type of attacks, but typically have fewer resources to combat the threat. Dickson says small banks need to stop thinking that because they are small enterprises in less-populated areas that they are not targets for attack.
2. Deploy more targeted technology. Small banks can start by using filtering technology, says Norton; there’s no reason a document should reach a user if it hasn’t gone through a web filter first. While Norton also advocates that small banks consider artificial intelligence and behavioral analysis tools, Dickson says banks can solve a lot of issues by using two-factor authentication both internally and for consumers.
3. Get lawmakers, standards groups and think tanks more involved. Norton says the broader financial community needs to prevail upon lawmakers, standards groups and think tanks to offer better guidance on security. Dickson says that the National Institute of Standards and Technology had a tremendous impact with guidance that SMS-based texting was not good enough for two-factor authentication. Organizations are deploying “push-to-accept” authentication as well as thumbprints and other forms of biometrics.