
April 2015

Leading Advocate for the Banking Industry in Kansas

PROGRESSIVE MALWARE PROTECTION

By Mark Faske, CoNetrix

The news over the last several years has been filled with data compromises at a number of high-profile American companies, including a few banks. A number of these compromises were due to cyber attackers using malware to gain a foothold on a machine on the internal network, then using that machine as an observation point to further learn about and exploit the systems housing sensitive data. And, as we’ve learned, the malware we don’t know about is the most dangerous kind. This trend puts signature-based antivirus products at a disadvantage, since they are primarily designed to detect known malware.

On March 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released a joint statement titled Destructive Malware to help financial institutions understand the current threats posed by malware; it also provided a list of controls to help reduce the likelihood of a malware infection. While the FFIEC guidance is informative, it is rather broad in its control recommendations. Below is a list of specific controls that can help reduce the threats posed by malware infections.

Endpoint (Host) Controls

1. Deploy Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). EMET is designed to block exploit techniques commonly used by malware authors. It is considered a defense-in-depth control that is complementary to antivirus software, but should not be considered a replacement for it. EMET integrates directly into Active Directory, providing central configuration and management. The tool is freely available from Microsoft.

2. Use antivirus software that has heuristic detection capability. Heuristic analysis techniques give antivirus software the added capability to analyze the characteristics and operating behavior of a flagged file to help determine whether the file is indeed malware. This process helps identify previously unidentified malware that “acts” similar to known malware.

3. Implement an application control or whitelisting software product that can enforce the running of only “whitelisted” applications on specific systems. This process limits the running of programs (including malware) that have not been previously authorized by administrators.

Network Controls

1. Implement a network intrusion prevention system (IPS) that employs not only signatures, but also anomaly or behavior analysis. IPSs are commonly deployed in financial environments, but a number of the systems currently on the market rely solely upon signature-based detection of attacks and malware. A better solution is to utilize a product that provides signature-based detection along with a form of anomaly or behavior-based detection. This additional capability identifies network traffic that does not match the previously baselined profile. For example, one or more workstations suddenly communicating with an unknown system on the Internet would likely trigger an alert.
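As an added illustration of the baselining described above (example code written for this edit, not from the article or any IPS vendor), the script below learns each workstation's set of Internet destinations from a constructed set of flow records and then flags destinations outside that profile, distinguishing a host that is merely new to one workstation from one that no workstation has ever contacted. The internal address ranges, sample IPs and flow format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Internal address space (assumed); any other destination counts as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed flow records (not from the article): "src_ip dst_ip dst_port".
# BASELINE_FLOWS is the learned normal profile; in NEW_FLOWS two workstations
# start talking to 203.0.113.77, a host no workstation has contacted before.
BASELINE_FLOWS = """\
10.1.1.10 93.184.216.34 443
10.1.1.11 93.184.216.34 443
10.1.1.11 198.51.100.20 80
10.1.1.12 93.184.216.34 443
"""
NEW_FLOWS = """\
10.1.1.10 93.184.216.34 443
10.1.1.10 10.1.2.5 445
10.1.1.11 203.0.113.77 8443
10.1.1.12 203.0.113.77 8443
10.1.1.12 198.51.100.20 80
"""

def parse_flows(text):
    """Yield (src, dst, port) from whitespace-separated flow lines."""
    for line in text.strip().splitlines():
        src, dst, port = line.split()
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)

def build_baseline(text):
    """Map each workstation to the external destinations it normally contacts."""
    baseline = defaultdict(set)
    for src, dst, _ in parse_flows(text):
        if is_external(dst):
            baseline[src].add(dst)
    return baseline

def find_anomalies(baseline, text):
    """Flag external destinations outside a workstation's own baseline; new_to_network marks hosts unseen org-wide."""
    known_anywhere = set().union(*baseline.values())
    hits = defaultdict(set)
    for src, dst, _ in parse_flows(text):
        if is_external(dst) and dst not in baseline.get(src, set()):
            hits[dst].add(src)
    return sorted(({"dst": str(dst), "sources": sorted(map(str, srcs)),
                    "new_to_network": dst not in known_anywhere}
                   for dst, srcs in hits.items()), key=lambda a: a["dst"])
```

Internal-to-internal flows are ignored on purpose; the control the article describes is about unexpected Internet-bound traffic, and the two-workstation hit on a never-seen host is the case that should page someone.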

2. Prevent employees from visiting web-based email sites and known malicious websites via web content filtering. Email is a commonly used vector for malware, and these websites likely do not apply the same level of controls on email storage as the company’s internal email system. It is also prudent to block inbound email containing specific attachments, such as executables. Plus, the evolution of smartphones has largely eliminated the need for access to personal email sites. Web content filtering can also be used to limit access to known malicious websites and can block web advertisements and the like, which can harbor malicious code.

3. Limit inbound email from your own internal domain to help prevent spoofed spear phishing. Spear phishing has proven to be very effective, especially when an email appears to originate from an internal email address but is really coming from an unknown external sender. This is email spoofing. Technical controls are available with most email systems or gateways that disallow external email from entering the network when it claims to be from the company’s own domain. It would also be prudent to block inbound email containing specific attachments, such as executables.
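The two inbound mail rules from items 2 and 3 (refusing external mail that claims the company's own domain, and blocking executable attachments), as an added example written for this edit and not code from the article or any mail gateway product. The domain, trusted relay ranges, blocked extensions and sample messages are constructed assumptions.

```python
import ipaddress
import os
from email.utils import parseaddr

# Assumed values (constructed, not from the article): the company's own mail
# domain and the relays allowed to deliver mail claiming that domain.
OWN_DOMAIN = "example-bank.com"
TRUSTED_RELAYS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.25/32")]
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1"}

def sender_domain(addr_field):
    """Domain of the address as the recipient would see it (display name ignored)."""
    _, addr = parseaddr(addr_field)
    return addr.rpartition("@")[2].lower()

def from_trusted_relay(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_RELAYS)

def gateway_decision(msg):
    """Inbound rules: reject mail from an external host that claims the company's
    own domain (envelope or header), then reject executable attachments."""
    claims_own = OWN_DOMAIN in (sender_domain(msg["mail_from"]), sender_domain(msg["from"]))
    if claims_own and not from_trusted_relay(msg["client_ip"]):
        return "REJECT", "external host sending as %s" % OWN_DOMAIN
    for name in msg.get("attachments", []):
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return "REJECT", "blocked attachment type %s" % ext
    return "ACCEPT", ""

# Constructed sample messages as an SMTP gateway would see them.
SAMPLES = [
    # Legitimate internal mail relayed from inside the network.
    {"client_ip": "10.20.0.5", "mail_from": "payroll@example-bank.com",
     "from": "Payroll <payroll@example-bank.com>", "attachments": ["q1.pdf"]},
    # Spoofed spear phish: header From claims an executive, but the host is external.
    {"client_ip": "203.0.113.9", "mail_from": "bounce@mailer.invalid",
     "from": "CEO <ceo@example-bank.com>", "attachments": []},
    # External sender with a disguised executable attachment.
    {"client_ip": "203.0.113.9", "mail_from": "vendor@supplier.invalid",
     "from": "Vendor <vendor@supplier.invalid>", "attachments": ["invoice.pdf.exe"]},
    # Ordinary external mail: accepted.
    {"client_ip": "198.51.100.4", "mail_from": "news@supplier.invalid",
     "from": "News <news@supplier.invalid>", "attachments": ["letter.pdf"]},
]
```

Any third-party service that legitimately sends as the company domain has to be listed in TRUSTED_RELAYS, or this rule will reject its mail.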

4. Implement egress filtering. By default, firewalls allow internal traffic to proceed outbound unless an access control list is applied to allow only specific traffic. Therefore, it is recommended to limit outgoing traffic to only that which is necessary to conduct business. This process can help block communications with unauthorized external entities and potentially prevent data exfiltration.

Human Controls

And lastly, please, please, train your employees to recognize and report social engineering attempts. We (humans) are the weak link that is often taken advantage of by cyber-attackers. Recent attacks have taught us that it only takes one person not doing the right thing to allow cyber-attackers a foothold.

Mark Faske is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com.