Leading Advocate for the Banking Industry (Kansas)
By Mark Faske, CoNetrix
The news over the last several years has been filled with
data compromises at a number of high-profile American
companies, including a few banks. A number of these
compromises were due to cyber attackers using malware
to gain a foothold on a machine on the internal network,
then using that machine as an observation point to further learn about
and exploit the systems housing sensitive data. And, as we’ve learned,
the malware we don’t know about is the most dangerous kind. This
trend puts signature-based antivirus products at a disadvantage, since
they are primarily designed to detect known malware.
On March 30, 2015, the Federal Financial Institutions Examination
Council (FFIEC) released a joint statement titled "Destructive Malware"
to help financial institutions understand the current threats posed
by malware, and they also provided a list of controls to help reduce
the likelihood of a malware infection. While the FFIEC guidance is
informative, it is rather broad in its control recommendations. Below
is a list of specific controls that can help reduce the threats posed by
Endpoint (Host) Controls
1. Deploy Microsoft’s Enhanced Mitigation Experience Toolkit
(EMET). EMET is designed to block exploit techniques commonly
used by malware authors. It is considered a defense in depth
control that is complementary to antivirus software, but should
not be considered a replacement for such. EMET integrates
directly into Active Directory, providing central configuration and
management. The tool is freely available from Microsoft.
2. Use antivirus software that has heuristic detection capability.
Heuristic analysis techniques provide antivirus software the added
capability to analyze the characteristics and operating behavior
of a flagged file to help determine if the file is indeed malware.
This process helps identify previously unidentified malware that
“acts” similar to known malware.
3. Implement an application control or whitelisting software product
that can enforce the running of only “whitelisted” applications
on specific systems. This process limits the running of programs
(including malware) that have not been previously authorized by
1. Implement a network intrusion prevention system (IPS) that employs
not only signatures, but also anomaly or behavior analysis.
IPSs are commonly deployed in financial environments, but a
number of the systems currently on the market rely solely upon
signature-based detection of attacks and malware. A better solution
is to utilize a product that provides signature-based detection
along with a form of anomaly- or behavior-based detection. This additional
capability identifies network traffic that does not match the previously
baselined profile. For example, one or more workstations suddenly
communicating with an unknown system on the Internet would
likely trigger an alert.
2. Prevent employees from visiting web-based email sites and
known malicious websites via web content filtering. Email is a
commonly used vector for malware, and these websites likely do
not apply the same level of controls on email storage as the company's
internal email system. It is also prudent to block inbound
email containing specific attachments, such as executables. Plus,
the evolution of smartphones has largely eliminated the need for
access to personal email sites. Web content filtering can also be
used to limit access to known malicious websites and can block
web advertisements and similar content that can harbor malicious code.
3. Limit inbound email from your own internal domain to help prevent
spoofed spear phishing. Spear phishing has proven to be very
effective, especially when an email looks to be originating from
an internal email address, but is really coming from an unknown
external sender. This is email spoofing. Technical controls are
available with most email systems or gateways that disallow external
email from entering the network that is from the company's
own domain. It would also be prudent to block inbound email
containing specific attachments, such as executables.
4. Implement egress filtering. By default, firewalls allow internal
traffic to proceed outbound unless an access control list is applied
to allow only specific traffic. Therefore, it is recommended
to limit outgoing traffic to only that which is necessary to conduct
business. This process can help block communications with unauthorized
external entities and potentially prevent data exfiltration.
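As an added illustration of items 1 and 4 above (example code, not part of the article or any vendor product), the following Python sketch learns a per-workstation profile from a window of constructed flow records, then classifies new flows first against a default-deny egress policy and then against the learned profile. The internal address range, the resolver address and the egress policy are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records, "<src_ip> <dst_ip> <dst_port>", captured during a
# learning window in which the network was believed to be clean.
BASELINE_FLOWS = """\
10.0.1.21 10.0.0.5 53
10.0.1.21 198.51.100.20 443
10.0.1.22 10.0.0.5 53
10.0.1.22 10.0.0.12 445
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
RESOLVER = "10.0.0.5"                           # assumed internal DNS server
EGRESS_ALLOW_PORTS = {443}                      # assumed: only HTTPS leaves

def parse_flows(text):
    """Turn the space-separated records into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split()
            flows.append((src, dst, int(port)))
    return flows

def build_profile(flows):
    """Per-host profile: the set of (dst, port) pairs seen while learning."""
    profile = defaultdict(set)
    for src, dst, port in flows:
        profile[src].add((dst, port))
    return profile

def egress_permitted(src, dst, port):
    """Item 4: default-deny outbound, allow only what the policy names."""
    if ipaddress.ip_address(dst) in INTERNAL:
        return True                      # traffic never crosses the perimeter
    if port == 53:
        return src == RESOLVER           # only the resolver may do external DNS
    return port in EGRESS_ALLOW_PORTS

def classify(flow, profile):
    """'blocked' (egress policy), 'anomaly' (off-profile) or 'normal'."""
    src, dst, port = flow
    if not egress_permitted(src, dst, port):
        return "blocked"
    # Item 1: a destination this host has never used deviates from its
    # profile and deserves an alert, whether it is internal or on the Internet.
    if (dst, port) not in profile.get(src, set()):
        return "anomaly"
    return "normal"
```

A flow that is off-profile but permitted by the egress policy (a workstation reaching a never-seen Internet host on 443) is exactly the case the IPS's anomaly engine has to catch, since the firewall lets it through.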
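To make item 3 concrete, here is an added Python example (not from the article, and not any mail gateway's real configuration) of the two inbound-gateway rules it describes: refuse mail that carries the bank's own domain unless it arrives from the bank's own relay, and refuse executable attachments from anyone. The domain, relay address and both sample messages are constructed for the example.

```python
import os
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "examplebank.test"      # assumed placeholder for the bank's domain
INTERNAL_RELAYS = {"10.0.0.25"}           # assumed: the bank's own mail server
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}

# Constructed sample 1: claims an internal sender but arrives from the Internet.
SPOOFED = """\
From: "IT Helpdesk" <helpdesk@examplebank.test>
Subject: Password reset required

Please log in at the link below to keep your account active.
"""

# Constructed sample 2: external sender with an executable attachment.
WITH_EXE = """\
From: billing@partner.test
Subject: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Disposition: attachment; filename="invoice.exe"

MZ
--b1--
"""

def gateway_verdict(raw, connecting_ip):
    """Return 'accept' or 'reject: <reason>' for one inbound message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Item 3: our own domain is legitimate only from our own relay; from any
    # other source it is spoofed, however convincing the display name looks.
    if from_domain == COMPANY_DOMAIN and connecting_ip not in INTERNAL_RELAYS:
        return "reject: internal domain from external source"
    # Executable attachments are refused regardless of who sent them.
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            return f"reject: blocked attachment {name}"
    return "accept"
```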
And lastly, please, please, train your employees to recognize and
report social engineering attempts. We (humans) are the weak link
that is often taken advantage of by cyber-attackers. Recent attacks
have taught us that it only takes one person not doing the right thing to
allow cyber-attackers a foothold.
Mark Faske is a Security and Compliance Consultant for CoNetrix. CoNetrix is a
provider of information security consulting, IT/GLBA audits and security testing,
and tandem – a security and compliance software suite designed to help financial
institutions create and maintain their Information Security Program. Visit our