Banks Take Action After Alert, AttacksInstitutions Say Layered Security Controls are Critical
It's been nearly three weeks since the Financial Services Information Sharing and Analysis Center issued its warning about new online threats facing U.S. banking institutions (see High Risk: What Alert Means to Banks).
See Also: A Guide to Passwordless Anywhere
In the wake of that alert, which came just days before the FS-ISAC for the first time raised its cyberthreat level to "high," and a series of denial of service attacks against five of the nation's leading banks, executives at financial institutions across the country say they are taking action, including:
- Upping technical investments in fraud detection and network and perimeter security;
- Reviewing disaster recovery plans and employee training strategies; and
- Embracing the need for ongoing discussions with vendors, service providers and law enforcement about emerging schemes and cyberthreats.
"The real way to have control over cyberthreats is for us to be prepared and be proactive," says one executive with a $2.5 billion institution, who asked not to be named. "Keep identifying the new threats and finding the right solution to mitigate the risks."
Executives at several institutions - all but one of whom requested anonymity - shared with BankInfoSecurity their actions in the wake of the alert and the attacks. Banks and credit unions, they say, must have layers of security that include technical and administrative components.
FS-ISAC on Sept. 19 raised its threat level from "elevated" to "high," telling institutions they should be on the look out for hacking schemes that rely on spam, phishing, keyloggers and remote-access Trojans to attack and compromise networks and intercept employee login credentials. Just one day before that status elevation, Bank of America's online-banking and website took a hit from a DDoS attack backed by an alleged hacktivist group based in the Middle East. The attack against BofA was the first in a series of attacks aimed at leading U.S. banks (see Alert: Banks at High Risk of Attack).
The FS-ISAC said it raised its threat level because of "credible intelligence" about the potential for DDoS and other attacks against U.S. institutions. In the alert, the FS-ISAC, along with the Federal Bureau of Investigation and the Crime Complaint Center, lists 17 tips banks and credit unions should follow to mitigate their risk of fraud linked to DDoS and other attacks.
Ongoing Risk Assessments
So, how have financial institutions responded to these incidents and the alert?
The executive at the $2.5 billion institution says the primary focus has been on technical solutions. "When we learned that other banks were under attack, we immediately looked at our own protection levels and what we might need to do to prevent it from happening to us."
Over the last several weeks, the emphasis has been on keeping up with evolving cyberthreats, the executive adds.
"We have circulated this alert [from FS-ISAC] internally and reviewed the issues and recommendations mentioned," the executive says. "We tried to identify any gaps between what the agencies recommended and what we have put in place to mitigate the risks related to the issues. I believe we are in good shape."
Pointing to security recommendations outlined in the FFIEC's Updated Authentication Guidance, the executive says, "We frequently review our existing layered defense mechanisms to make sure they are able to take on the new challenges."
A year ago, the executive's institution launched an intrusion protection system from security vendor Corero. After the recent wave of attacks, the institution determined the system had detected and stopped more than 418,000 DDoS attempts or rate-based attacks in the last two months.
"I believe the primary purpose of DDoS is to cripple the targeted Web services ... not to steal the information," the executive adds. "Regardless, the IPS certainly acts as an effective layer, which detects malware and any anomalies in network activities. Of course, we have put in many other layered protections, such as end-point protection and a Web security gateway."
Communication is playing an ever-increasing role in helping banks and credit unions prepare for attacks.
Another financial institution executive, who did not want to be identified, says working with law enforcement and security vendors to analyze fraud trends and attack vectors has become a priority for his institution in recent weeks.
The executive at the $2.5 billion institution agrees that more open communication is needed. "Internet service providers are security information resources for us. ... We are building partnerships with ISPs."
All institutions should have a backup ISP that is on a separate infrastructure, says an executive at a $3.75 billion institution, who also wanted to remain unnamed. This executive points out that ISPs are often targeted in DDoS attacks, so institutional websites could be taken down, even they aren't the target. By having a backup ISP, an institution reduces its risk of having its website knocked out of service.
"Internally, the financial institution should be running IPS software and monitoring and alerting on anomalous activity," the executive says. "Since cybercriminals are constantly finding and exploiting new vulnerabilities, monitoring and alerting [the ISP] is absolutely crucial."
BankWest Inc., a $754 million institution in South Dakota, is using the alert and the attacks as a springboard for more employee training and enhanced disaster-recovery and business-continuity planning, says Patti Broer, the bank's information security administrator and business continuity planning coordinator. Broer was the only bank executive willing to be identified for this story.
Addressing the potential for a DDoS attack - a threat also noted by the FS-ISAC in its fraud alert - is a priority, Broer stresses.
"We do everything we can to prepare ahead of time for disruptions in service - how we would communicate to customers and staff in a worst-case scenario, and how we'd continue to service our customers through other means until services are restored back to business as usual," she says.
BankWest is drafting a DDoS response plan - a fluid reaction strategy that can be modified based on the attack scenario.
Training is another key component in the wake of the FS-ISAC alert and the attacks, Broer says. The focal point of BankWest's training will be the bank's social-engineering and electronic-banking policies, she says.
"I want to make sure our employee awareness is heightened and that they understand what BankWest will do if targeted by such an attack," Broer says.