High Risk: What Alert Means to Banks
Cyberattacks Demand Increased Monitoring, Layered Controls
The Financial Services Information Sharing and Analysis Center's decision this week to increase the U.S. banking industry's cyberthreat level from "elevated" to "high" is overdue, experts say.
In light of increasing cyber risks, banking institutions should step up their investments in anomaly detection, be mindful of fraud schemes that a distributed denial of service attack could be used to veil, and regularly scan their systems for signs that zero-day exploits have been used against them.
DDoS attacks and increasing concerns about zero-day exploits likely spurred the FS-ISAC's action this week. Doug Johnson, vice president of risk management policy for the American Bankers Association and a member of FS-ISAC, says the FS-ISAC's decision to raise the threat level was appropriate, given recent changes in the threat environment.
This week's action marks the first time FS-ISAC has categorized the threat level for cyber risks as "high," Johnson says.
Julie McNelley, a financial fraud analyst at the consulting firm Aite, says the cyberthreat level, now at the second-highest ranking, shouldn't drop back to "elevated" anytime soon.
"We've seen the threats against the financial system do nothing but escalate over the last few years, and there is every reason to believe that they will continue to do so," she says. "When you have 111,111 unique new strains of malware being deployed per day, 50 percent of which are Trojans designed to capture online [banking] credentials, and 10,000 malicious new domains being deployed per day, I'd say the threat level has been 'high' for quite some time."
Addressing the Threats
Security experts say banking institutions should take several steps to address emerging risks. Among their recommendations:
- Ensure appropriate layers of security are in place to detect exploitation of zero-day vulnerabilities, for which no patch or anti-virus signature may yet exist;
- When a DDoS attack strikes, look for attempted fraud, such as account takeover schemes, that could be lurking behind the scenes. "Institutions need to know that DDoS attacks may be used simply as a redirection tool - to take an institution's eye off the big fraud," Johnson says.
- Increase anomaly detection to pick up on suspicious site traffic and transaction activity;
- Educate branch staff about emerging threats, such as those posed by phishing;
- Ensure all software and anti-virus updates are applied on a regular basis;
- Communicate with other banking institutions and industry associations to stay abreast of emerging fraud trends and schemes.
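The second and third recommendations above, that a DDoS flood be treated as a possible cover for fraud and that anomaly detection be extended to transaction activity, can be turned into a concrete correlation check. The script below is an added illustration written for this article, not code from FS-ISAC, the FBI or any bank. It runs over constructed sample data: a per-minute request count for an online-banking front end, a handful of funds transfers, and a short per-account history. It first locates the DDoS window from the traffic rate, then scores each transfer on whether it fell inside that window, was initiated from a branch employee's credentials, went to a payee the account has never paid, or was far above the account's typical amount. A final check looks for one employee login sending money from several accounts to the same new payee, the pattern the FBI alert describes. Thresholds, field names and the sample records are all assumptions for the example.

```python
"""Correlate a DDoS traffic window with anomalous funds transfers.

Added example for the article; all data below is constructed, not real.
"""
from statistics import median

# Constructed sample: requests per minute to the online-banking front end.
# Baseline is roughly 1,000/min; a flood runs from 09:40 through 09:44.
TRAFFIC = [
    ("09:30", 1010), ("09:31", 980), ("09:32", 1040), ("09:33", 995),
    ("09:34", 1020), ("09:35", 1005), ("09:36", 990), ("09:37", 1030),
    ("09:38", 1000), ("09:39", 1015),
    ("09:40", 48000), ("09:41", 61000), ("09:42", 59000), ("09:43", 55000),
    ("09:44", 47000),
    ("09:45", 1100), ("09:46", 1020), ("09:47", 1000),
]

# Constructed sample transfers. 'channel' records who scheduled the transfer:
# the customer through online banking, or a branch employee's session.
TRANSFERS = [
    {"time": "09:35", "account": "C-1001", "amount": 250.00, "payee": "P-utility", "channel": "customer", "user": "cust1001"},
    {"time": "09:41", "account": "C-1001", "amount": 9800.00, "payee": "P-new-77", "channel": "branch_employee", "user": "emp042"},
    {"time": "09:42", "account": "C-2002", "amount": 9750.00, "payee": "P-new-77", "channel": "branch_employee", "user": "emp042"},
    {"time": "09:43", "account": "C-3003", "amount": 120.00, "payee": "P-rent", "channel": "customer", "user": "cust3003"},
    {"time": "09:50", "account": "C-4004", "amount": 9900.00, "payee": "P-new-77", "channel": "branch_employee", "user": "emp042"},
]

# Constructed 30-day history per account: known payees and a typical amount.
HISTORY = {
    "C-1001": {"payees": {"P-utility"}, "typical_amount": 300.00},
    "C-2002": {"payees": {"P-payroll"}, "typical_amount": 1500.00},
    "C-3003": {"payees": {"P-rent"}, "typical_amount": 120.00},
    "C-4004": {"payees": {"P-vendor"}, "typical_amount": 800.00},
}


def to_minutes(hhmm):
    """'HH:MM' -> minutes since midnight, for simple ordering."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def ddos_windows(traffic, factor=10.0):
    """Return (start, end) pairs for runs of minutes whose request rate exceeds
    `factor` times the median rate. The median is the baseline because a
    short flood barely moves it, unlike the mean."""
    baseline = median(rate for _, rate in traffic)
    windows, start, prev = [], None, None
    for ts, rate in traffic:
        if rate > factor * baseline:
            if start is None:
                start = ts
            prev = ts
        elif start is not None:
            windows.append((start, prev))
            start = prev = None
    if start is not None:
        windows.append((start, prev))
    return windows


def in_window(ts, windows):
    t = to_minutes(ts)
    return any(to_minutes(s) <= t <= to_minutes(e) for s, e in windows)


def transfer_flags(tx, history, windows):
    """List the indicators that apply to one transfer (assumed thresholds)."""
    hist = history[tx["account"]]
    flags = []
    if in_window(tx["time"], windows):
        flags.append("scheduled during DDoS window")
    if tx["channel"] == "branch_employee":
        flags.append("initiated from employee credentials")
    if tx["payee"] not in hist["payees"]:
        flags.append("new payee")
    if tx["amount"] > 3 * hist["typical_amount"]:
        flags.append("amount >3x typical")
    return flags


def review_transfers(transfers, history, windows, min_flags=2):
    """Transfers carrying at least `min_flags` indicators, oldest first.
    A single indicator (e.g. a normal payment that merely lands inside the
    flood) is not enough to raise an alert on its own."""
    alerts = []
    for tx in transfers:
        flags = transfer_flags(tx, history, windows)
        if len(flags) >= min_flags:
            alerts.append((tx["time"], tx["account"], tx["amount"], flags))
    return alerts


def fan_out_by_employee(transfers, history):
    """(employee, payee) pairs where one employee session moved money from
    more than one account to a payee that is new for each of them."""
    seen = {}
    for tx in transfers:
        if tx["channel"] != "branch_employee":
            continue
        if tx["payee"] not in history[tx["account"]]["payees"]:
            seen.setdefault((tx["user"], tx["payee"]), set()).add(tx["account"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    windows = ddos_windows(TRAFFIC)
    print("DDoS windows:", windows)
    for alert in review_transfers(TRANSFERS, HISTORY, windows):
        print("ALERT", alert)
    print("Fan-out:", fan_out_by_employee(TRANSFERS, HISTORY))
```

On the sample data the flood is detected as 09:40 to 09:44, the two employee-initiated transfers inside it and the third one a few minutes after it are alerted, and the fan-out check ties all three to the same employee login and payee. In practice the traffic feed would come from the load balancer or web logs and the transfer and history records from the core banking or payments system; the point of the example is that the DDoS signal is only useful for fraud detection when it is joined to transaction data rather than handled by the network team alone.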
Bank Employees Targeted
The threat-level change came just two days after the Federal Bureau of Investigation, FS-ISAC and the Internet Crime Complaint Center issued a fraud alert about cyberschemes, including DDoS, being used by cyberfraudsters to initiate fraudulent funds transfers and hijack sensitive information (see Alert: Banks at High Risk of Attack).
Among the concerns noted in the alert were increases in the number of phishing schemes targeting branch staff. The goal: to hijack administrative credentials for access to sensitive financial data and online bank accounts. In recent fraud incidents investigated by the FBI, bank and credit union employee credentials were used to schedule fraudulent funds transfers from customer and member accounts. Rather than targeting end-users, fraudsters have found more reward by aiming their attacks directly at branch employees who have access to numerous accounts, federal investigators noted.
Now, the threat level update the FS-ISAC pushed out to U.S. institutions Sept. 19 adds heightened concerns about DDoS attacks and hacks that exploit zero-day vulnerabilities in Internet Explorer. "Members should maintain a heightened level of awareness, apply all appropriate updates and update AV [anti-virus] and IDS/IPS [intrusion detection/intrusion prevention] signatures, and ensure constant diligence in monitoring and quick response to any malicious events," the threat-level update states.
Online banking outages this week may have played a role in the FS-ISAC's decision to increase the threat level to "high." Outages at Bank of America and Chase Bank raised red flags about DDoS concerns. Although neither institution would confirm what caused the outage each suffered, industry sources suggest the two are likely linked, and hackers are probably behind the glitches.
Avivah Litan, fraud analyst at Gartner, says DDoS attacks aimed at U.S. banks have been rumored in underground hacking forums for quite some time. "This, combined with the actual attacks [on BofA and Chase] led to this unusual high alert issued by FS-ISAC, in my opinion," she says.
McNelley says BofA's site outage was probably linked to the hacktivist group known as Izz ad-Din al-Qassam. The group took credit for the BofA outage, citing displeasure over an American film perceived to cast Islam in a negative light as the catalyst for the attack.
And Chase's outage, following shortly after BofA's, is not likely a coincidence, she adds.
"Unfortunately, this is now the reality for prominent U.S. brands," McNelley says. "They are now at risk of being targeted as a political statement, for activities wholly unrelated to their own business. ... The fact that Chase's site had problems the following day may mean that the hackers re-directed their attempt at another prominent banking brand instead."
But the true purpose behind these attacks is more concerning to the FS-ISAC, Johnson says. "A DDoS attack is not the only thing to look for when they're experiencing unusual site traffic."
Layers of Protection
The FBI's alert and recent releases and posts from Symantec and Microsoft about new IE vulnerabilities and zero-day exploits call attention to the need for banks and credit unions to enhance anomaly detection and continually update anti-virus software.
Joe Rogalski, principal security strategist at Symantec, says the zero-day exploits, which rely on vulnerabilities in IE 7, 8 and 9, are one of the industry's biggest worries, especially because Microsoft has not issued a patch to close the identified security gaps.
"The zero day is a big deal, given the number of machines running IE," he says. Even though no patch has yet been issued, Rogalski says institutions should regularly scan their systems to detect an exploit.
Johnson says zero-day exploits are common to most attacks these days. "Institutions need to know that it's not just about anti-viral software and signatures with those sites," he says. "This is why they have to have layers of security."
For Johnson, the greater worry is DDoS. When a DDoS attack is waged against one institution, subsequent attacks against others likely follow, he says.
"It's important for all institutions to realize, regardless of size, that they could be subject to a threat," he says. "So they always need to review their levels of security and be ready for the high risk of a cyberattack."