Tag: employee training

20 Sep 2012

New cyber attack targeting small to medium-sized financial institutions

The FBI, in association with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3), recently issued a fraud alert warning that criminals are using a multi-vector attack to compromise financial institution networks and initiate fraudulent wire transfers.  The first thing that struck me about this attack is that although all the recent focus has been on strengthening controls on the merchant side, this is targeted not at the merchant, but directly at the financial institution itself.

Simply put, the attack uses a combination of spam and phishing emails (#1 below), keystroke loggers, and remote access software (#2 below) to capture employee authentication credentials.  A successful attack leaves the employee’s PC under the control of the criminal, who then uses the employee’s authority to initiate wires, approve them, and even override built-in transaction limits. The following graphic describes how the attack occurs, with the exception that in #5 the victim is the financial institution, not the online banking customer:


It is important to understand that this is not a “proof-of-concept” attack; it is actually occurring, and has resulted in attempted transfers ranging from $400,000 to $900,000.

One of the distinctive indicators of this attack is that, either just before or just after it, the institution’s website is hit with a denial-of-service attack designed to slow or deny access to the FI’s website, distracting institution employees and preventing or delaying detection of the fraudulent transactions.  The alert recommends that institutions monitor for spikes in website traffic that may indicate the beginning of an attack.
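As an added illustration of the monitoring the alert recommends (this is example code written for this post, not part of the alert or the original article), the script below buckets web server access-log lines by minute and flags any minute whose request count jumps well above the trailing baseline, reporting how many distinct source addresses contributed. The log format (Common Log Format), the spike threshold (5× the three-minute baseline, at least 20 requests) and the sample log lines are all constructed assumptions; tune the thresholds to your own site’s normal traffic.

```python
"""Added example (not from the FBI/FS-ISAC alert or the original post):
flag sudden per-minute spikes in website traffic from access-log lines.

Assumptions: lines are in Common Log Format, a spike is a one-minute
request count above `factor` times the mean of the previous
`baseline_window` minutes, and the sample log below is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the source address and the minute bucket of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return {"ip": m.group("ip"), "minute": ts.replace(second=0, microsecond=0)}


def bucket_by_minute(lines):
    """Count requests and distinct source addresses per minute, skipping unparsable lines."""
    counts, sources = Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["minute"]] += 1
        sources[rec["minute"]].add(rec["ip"])
    return counts, sources


def detect_spikes(counts, sources, baseline_window=3, factor=5.0, min_requests=20):
    """Return the minutes whose request count exceeds factor x the trailing baseline."""
    minutes = sorted(counts)
    spikes = []
    for i, minute in enumerate(minutes):
        if i < baseline_window:
            continue  # not enough history yet to establish a baseline
        prior = minutes[i - baseline_window:i]
        baseline = sum(counts[m] for m in prior) / baseline_window
        if counts[minute] >= min_requests and counts[minute] > factor * baseline:
            spikes.append({
                "minute": minute.isoformat(),
                "requests": counts[minute],
                "baseline": baseline,
                "distinct_sources": len(sources[minute]),
            })
    return spikes


def build_sample_log():
    """Constructed sample: three quiet minutes (3 requests each), then a flood from 40 addresses."""
    fmt = '{ip} - - [20/Sep/2012:10:{minute:02d}:{second:02d} -0500] "GET /login HTTP/1.1" 200 512'
    lines = []
    for minute in range(3):
        for n in range(3):
            lines.append(fmt.format(ip=f"198.51.100.{n + 1}", minute=minute, second=n * 10))
    for n in range(40):
        lines.append(fmt.format(ip=f"203.0.113.{n + 1}", minute=3, second=n))
    lines.append("garbage line that does not parse")  # exercises the skip path
    return lines


def find_spikes_in_sample():
    counts, sources = bucket_by_minute(build_sample_log())
    return detect_spikes(counts, sources)


if __name__ == "__main__":
    for spike in find_spikes_in_sample():
        print(f"{spike['minute']}: {spike['requests']} requests "
              f"(baseline {spike['baseline']:.1f}) from {spike['distinct_sources']} sources")
```

A spike with many distinct sources is the pattern to escalate: pair the alert with a review of wire activity in the same window, since the alert’s point is that the flood is a distraction rather than the main event.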

The alert also lists 17 best practice recommendations for financial institutions designed to prevent and detect this (and similar) attacks.  It is not surprising that the first 5 recommendations address the weakest link: the employee.  I previously identified the employee as the biggest single risk to information security, and employee training as a trend for 2012.  Many of the other recommendations should be familiar to most FIs: restrict user access rights and login times, review anti-malware and anti-virus defenses, implement anomaly detection, and utilize IPS and “white-lists” to prevent connections to suspicious sites.  They also recommend that institutions strongly consider (their words, my emphasis) implementing out-of-band authentication for wire authorization.  This is where the final authentication approval is sent back to the originator via a communication channel other than the one used to initiate the transaction.  This was also one of the recommendations from the FFIEC in their authentication supplement released last year.

In my opinion there are 2 controls financial institutions can implement now that will do more than any other to significantly reduce the incidence of fraudulent transactions.  The first is out-of-band authentication, and the other is utilizing a secure DNS service, similar to this.
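To make the out-of-band control concrete, here is an added example (my own illustration, not code from the alert, the FFIEC or any vendor) of a minimal wire authorization flow: the wire is initiated over the online session, the approval code is delivered over a second channel registered for the employee, and the transaction limit lives on the server. The employee name, phone number, limit, code lifetime and attempt cap are all constructed assumptions; the second channel is simulated by an outbox dictionary standing in for an SMS or voice call.

```python
"""Added example (not from the FBI/FS-ISAC alert or the original post):
out-of-band wire authorization. Assumptions: each employee has a second-
channel contact on file, the code is delivered only over that channel
(simulated by `oob_outbox`), and the per-transfer limit is enforced on the
server, so a compromised workstation cannot raise or bypass it.
"""
import hashlib
import hmac
import secrets
import time

WIRE_LIMIT = 250_000        # hypothetical server-side per-transfer limit
CODE_TTL_SECONDS = 300      # hypothetical code lifetime
MAX_ATTEMPTS = 3            # hypothetical guess cap before the transfer is cancelled


class WireAuthorizationService:
    def __init__(self, oob_contacts, secret_key=None):
        self.oob_contacts = oob_contacts           # employee -> registered phone number
        self.key = secret_key or secrets.token_bytes(32)
        self.pending = {}                           # transfer_id -> transfer record
        self.oob_outbox = {}                        # phone number -> delivered messages
        self.approved = []

    def _digest(self, transfer_id, code):
        # Only a keyed digest of the code is stored; the code itself leaves via the second channel.
        return hmac.new(self.key, f"{transfer_id}:{code}".encode(), hashlib.sha256).digest()

    def initiate(self, employee, amount, destination):
        """Online channel: anyone holding the employee's session can call this."""
        if amount > WIRE_LIMIT:
            return None, "amount exceeds server-side limit; the originator cannot override it"
        if employee not in self.oob_contacts:
            return None, "no out-of-band contact on file"
        transfer_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[transfer_id] = {
            "employee": employee, "amount": amount, "destination": destination,
            "digest": self._digest(transfer_id, code),
            "expires": time.time() + CODE_TTL_SECONDS, "attempts": 0,
        }
        # Deliver the code over the second channel, never back to the online session.
        self.oob_outbox.setdefault(self.oob_contacts[employee], []).append(
            f"Approve wire {transfer_id} for {amount} to {destination}? Code: {code}")
        return transfer_id, "code sent out of band"

    def approve(self, transfer_id, code):
        """Approval requires the code that only the second channel received."""
        rec = self.pending.get(transfer_id)
        if rec is None:
            return False, "unknown or already-closed transfer"
        if time.time() > rec["expires"]:
            del self.pending[transfer_id]
            return False, "code expired"
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], self._digest(transfer_id, code)):
            self.approved.append(self.pending.pop(transfer_id))
            return True, "approved"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[transfer_id]
            return False, "too many attempts; transfer cancelled"
        return False, "code mismatch"


def extract_code(message):
    """What the employee reads off the phone (simulated)."""
    return message.rsplit("Code: ", 1)[1]


def demo():
    svc = WireAuthorizationService({"alice": "+1-555-0100"})   # constructed employee record
    # Legitimate path: Alice reads the code on her phone and approves.
    tid, _ = svc.initiate("alice", 90_000, "ACME Supply")
    ok, _ = svc.approve(tid, extract_code(svc.oob_outbox["+1-555-0100"][-1]))
    # Compromised-session path: the session is controlled, the phone is not,
    # so the approver can only guess (guesses here can never match a 6-digit code).
    tid2, _ = svc.initiate("alice", 90_000, "mule account")
    guesses = [svc.approve(tid2, f"guess{n}")[0] for n in range(MAX_ATTEMPTS)]
    # Over-limit path: the limit is enforced server-side regardless of who asks.
    tid3, _ = svc.initiate("alice", 900_000, "mule account")
    return {"legit_approved": ok, "attacker_approved": any(guesses),
            "attacker_cancelled": tid2 not in svc.pending,
            "over_limit_rejected": tid3 is None, "approved_count": len(svc.approved)}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the code never passes through the channel the criminal controls, and that the limit check happens before a code is even issued, so an employee’s captured credentials alone cannot approve a wire or raise the ceiling.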

12 Mar 2012

Risk Managing BYOD (bring your own device)

Thanks in part to social media, users today often don’t differentiate between work and non-work activities, and they certainly don’t want to carry separate work and non-work devices to stay connected.  As a result, new multi-function mobile devices are constantly being added to your secure financial institution network…and often in violation of your policies.

Most institutions have an IT Acquisition Policy, or something similar, that defines exactly how (and why) new technology is requested, acquired, implemented and maintained.  The scope of the policy extends to all personnel who are approved to use network resources within the institution, and the IT Committee (or equivalent) is usually tasked with making the final purchasing decision.  And although older policies may use language like “microcomputers” and “PCs”, the policy effectively covers all network-connected devices, including the new generation of devices like smartphones and iPads.  And managing risk always begins with the acquisition policy…before the devices are acquired.

Your policy may differ in the specific language, but it should contain the following basic elements required of all requests for new technology:

  • Description of the specific hardware and software requested, along with an estimate of costs (note what type of vendor support is available).
  • Description of the intended use or need for the item(s).
  • Description of the cost vs. benefits of acquiring the requested item(s).
  • Analysis of information security ramifications of requested item(s).
  • Time frame required for purchase.

Most of these are pretty straightforward to answer, but what about bullet #4?  Are you able to apply the same information security standards to these multifunctional devices as you do to your PCs and laptops?  Or does convenience trump security?  This is where the provisions of your information security policy take over.

The usefulness of these always-on mobile devices is undeniable, and they have really bent the cost/benefit curve, but they have also redrawn the security profile in many cases.  The old adage is that a chain is only as strong as its weakest link, and in today’s IT infrastructure environment these devices are often the weak links in the security chain.  So while your users have their feet on the accelerator of new technology adoption, the ISO (and the committee managing information security) needs to have both feet firmly on the brake unless they are willing to declare these devices an exception to their security policy…which is definitely not recommended.

So how can you effectively manage these devices within the provisions of your existing information security program, without compromising your overall security profile?  It might be worth reviewing what the FFIEC has to say about security strategy:

Security strategies include prevention, detection, and response, and all three are needed for a comprehensive and robust security framework. Typically, security strategies focus most resources on prevention. Prevention addresses the likelihood of harm. Detection and response are generally used to limit damage once a security breach has occurred. Weaknesses in prevention may be offset by strengths in detection and response.

Regulators expect you to treat all network devices the same, and clearly preventive risk management controls are preferred, but the fact is that many of the well-established tools and techniques used for servers, PCs and laptops are either not available, or not as mature, in the smartphone/iPad world.  Traditional tools such as patch management, anti-virus and remote access event log monitoring, and techniques such as multi-factor authentication and least permissions, are difficult if not impossible to apply to these devices.  However, there are still preventive controls you can, and should, implement.

First of all, only deploy remote devices to approved users (as required by your remote access policy), and require connectivity via approved, secure connections (e.g. 3G/4G, SSL, secure WiFi, etc.).  Require both power-on and wake pass codes.  Require approval for all applications and utilize some form of patch management (manual or automated) for the operating system and the applications.  Encrypt all sensitive data in storage, and utilize anti-virus/anti-spyware if available.

Because of the unavailability of preventive controls, maintaining your information security profile will likely rest on your compensating detective and corrective controls.  Controls are somewhat limited in these areas as well, but include maintaining an up-to-date device inventory, and having tracking and remote wipe capabilities to limit damage if a security breach does occur.

But there is one more very important preventive control you can use, and this one is widely available, mature, and highly effective…employee training.  Require your remote device users to undergo initial, and periodic, training on what your policies say they are (and aren’t) allowed to do with their devices.  You should still conduct testing of the remote wipe capability, and spot check for unencrypted data and unauthorized applications, but most of all train (and retrain) your employees.
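The spot checks described above can be scripted against whatever device inventory you maintain. The example below is added here as an illustration (it is not code from the original post or from any MDM product): it runs each inventory record through the preventive controls listed in this post (approved user, power-on and wake passcodes, storage encryption, approved applications, patch age, remote-wipe enrolment) and returns the findings per device. The inventory fields, the approved-user and approved-app lists, the 30-day patch-age threshold and the two sample devices are all constructed for the example.

```python
"""Added example (not from the original post): spot-check a mobile device
inventory against the preventive controls listed above. Assumptions: the
inventory is a list of records with the fields shown in SAMPLE_INVENTORY,
and the policy values (approved users, approved apps, patch-age limit) are
constructed stand-ins for the institution's own.
"""
from datetime import date

APPROVED_USERS = {"alice", "bob"}                        # hypothetical remote access approvals
APPROVED_APPS = {"mail", "vpn", "core-banking-mobile"}   # hypothetical approved application list
MAX_PATCH_AGE_DAYS = 30                                  # hypothetical patch-currency threshold


def check_device(dev, today):
    """Return the list of policy findings for one device record (empty means compliant)."""
    findings = []
    if dev["user"] not in APPROVED_USERS:
        findings.append("user not approved for remote access")
    if not (dev["passcode_on_power_on"] and dev["passcode_on_wake"]):
        findings.append("both power-on and wake passcodes are required")
    if not dev["storage_encrypted"]:
        findings.append("sensitive data in storage is not encrypted")
    unapproved = sorted(set(dev["apps"]) - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved applications: " + ", ".join(unapproved))
    patch_age = (today - date.fromisoformat(dev["last_os_patch"])).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"OS patch is {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if not dev["remote_wipe_enrolled"]:
        findings.append("not enrolled for tracking/remote wipe")
    return findings


def audit(inventory, today):
    """Map every device id to its findings."""
    return {dev["device_id"]: check_device(dev, today) for dev in inventory}


def noncompliant_devices(results):
    """Device ids with at least one finding, sorted so the report is stable."""
    return sorted(dev_id for dev_id, findings in results.items() if findings)


# Constructed sample inventory: one compliant phone, one tablet with several gaps.
SAMPLE_INVENTORY = [
    {"device_id": "phone-01", "user": "alice", "passcode_on_power_on": True,
     "passcode_on_wake": True, "storage_encrypted": True, "apps": ["mail", "vpn"],
     "last_os_patch": "2012-03-01", "remote_wipe_enrolled": True},
    {"device_id": "tablet-07", "user": "carol", "passcode_on_power_on": True,
     "passcode_on_wake": False, "storage_encrypted": False,
     "apps": ["mail", "game-of-the-week"], "last_os_patch": "2011-12-15",
     "remote_wipe_enrolled": False},
]


def run_sample():
    return audit(SAMPLE_INVENTORY, date(2012, 3, 12))


if __name__ == "__main__":
    results = run_sample()
    for dev_id in noncompliant_devices(results):
        print(dev_id)
        for finding in results[dev_id]:
            print("  -", finding)
```

Run it against the real export on a schedule and the output doubles as the evidence that the spot checks actually happened, which is what an examiner will ask for.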

16 Feb 2012

FDIC changing annual IT report to Board?

Based on recent examination findings, it would appear that the FDIC is changing what they expect to see in the annual information security report to the Board of Directors.  The requirement for the report is established in the FFIEC Information Security Handbook where it states that a written report to the board should describe the overall status of the information security program, and that at a minimum, the report should address:

  • The results of the risk assessment process
  • Risk management and control decisions
  • Service provider arrangements
  • Results of security monitoring and testing
  • Security breaches or violations, and management’s responses
  • Recommendations for changes to the information security program

However, in a recent examination, the institution was written up because the FDIC did not believe the report contained enough detail.  They stated that “Board reporting should be expanded and include detail at a minimum for the following areas:

  • The information security risk assessment
  • Service provider agreements
  • Results of testing, audits, examinations or other reviews of the program
  • Any security breaches, violations, or other incidents since the previous report and management responses
  • A summary of information security training provided to employees since the last report
  • Status of the patch management program
  • Status of the Business Continuity Plan and testing results
  • Customer Awareness Program efforts and plans
  • Any recommendations for changes to the information security program”

I’ve highlighted the changes between the original guidance and the examination finding.  I’m not surprised at the training findings, as I have previously identified both employee and customer training as likely 2012 trends.  Nor am I particularly surprised by the inclusion of the status of the BCP and testing results.  This has been a requirement and an area of increased regulatory focus for a couple of years.  However, it would appear that examiners may now prefer the BCP status update to be a part of the information security update report to the Board.

The inclusion of a patch management status report was a bit surprising though, as in the past this was not reported separately but simply included as one of your many risk management controls.  Perhaps they are looking for more control detail now?  (I plan to address patch management in a future post.)

I was also a bit baffled by the exclusion of “Risk management and control decisions” from the list of findings.  I had also identified the “Management” element as a probable area of increased regulatory scrutiny in 2012, so I’ll keep an eye on future examination findings to see if this actually represents a shift in focus or simply an oversight by the examiners this time.  (Of course a third possibility is that the examiner felt that the “risk management and control decisions” were present and properly documented, but given the other findings I doubt that was the case.)

15 Nov 2011

2012 Compliance Trends, Part 1 – Training

This post will begin a series of 5 topics that I consider to be good candidates for increased regulatory scrutiny in the coming year.  For each topic, I will make the case for increased scrutiny based on 3 criteria:

  1. Recent audit and examination experience,
  2. Regulatory changes, and
  3. Recent events.

In keeping with my policy of trying to provide clear actionable solutions to each challenge, I will also provide suggestions to keep you ahead of the trend.

The first topic is actually making its debut appearance this year, and although training has always been important for financial institutions, it only recently crept into the top 5.  And this is really a two-part trend: employee training and customer training.

First, the case for employee training.  I have always placed the importance of this in the top 10, but a recent event and examination experience have moved this into my top 5.  The recent event is the RSA breach, which I first wrote about here right after the news broke in March, and again here a couple of months ago.  This turned out to be a rather standard social engineering attack conducted over a long period of time exploiting the trust of a single employee.  The FFIEC defines social engineering this way:

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset or as a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Additionally, we continue to see employee security policy and awareness training questions in every pre-examination questionnaire, regardless of whether the examiners are Federal or State.  With the increased use of social media by financial institutions, and the understanding that the employee is still the weak link in the security chain*, I predict increased need for, and emphasis on, employee training.

Customer training has always been a best practice, but it’s now a requirement.  Also referred to as customer awareness and education, the case for customer training as a trend is two-fold.  The first is the recent updated FFIEC guidance on Internet authentication.  Customer training is listed as one of the effective controls that may be included in a layered security program for both retail and commercial account holders with Internet access capability (in other words, almost all account holders), and compliance starts in January.  According to the FFIEC, customer training should contain, at a minimum:

  • An explanation of what is, and what isn’t, covered under Reg E.
  • Under what circumstances the institution may contact the customer and request log on credentials.  This one is the most important, and even though the answer is probably “never”, it can’t be repeated enough.
  • A strong suggestion that the customer perform their own risk assessment.  (The verbiage in the guidance actually leaves out the word “strong”…I added it.)
  • To go with the previous risk assessment, a list of possible controls that the customer may consider, including where they may get additional assistance.  (Institutions may be tempted to offer their own assistance, but I recommend against it.  Not only may this prove to be a resource drain, it may also inadvertently set you up for a liability claim if a customer does experience a breach.)
  • A list of institution names and contact numbers for the customer to use in the event they notice suspicious account activity.  Make sure to include off-hour contact information if applicable, as most recent exploits have occurred on weekends and other non-business hours.

The second reason for the importance of customer training is the realization by the fraudsters that customers are an easy target.  As one recent example of this trend, Trusteer just issued a warning that fraudsters are actually setting up call centers to facilitate ID theft by targeting merchants.  This goes way beyond simply installing malware and grabbing login credentials; this attacks the most secure elements in the transaction chain: controls such as one-time passwords, IP blocks (black lists) and positive pay (white lists).  Although the actual details of the attack are fascinating…and frightening…at its core this is really nothing more than an extremely sophisticated social engineering attack, and as such the standard social engineering controls apply.

In summary, re-examine your employee AND customer training and awareness programs, and plan on increasing your training in both areas in 2012.  Make sure your customer training contains at least the minimum elements, and that you periodically repeat the training.  Finally, conduct testing on both groups to validate comprehension where you can (easier for employees than customers), and document everything!


*Additional reading:

http://www.csoonline.com/article/print/691910


14 Sep 2011

The current single biggest security threat to financial institutions – UPDATE

(UPDATE – Hord Tipton, executive director of (ISC)2, posted recently on the biggest data breaches of the past year.  His analysis confirms that “…humans are still at the heart of great security successes – and, unfortunately, great security breaches…The lesson we learn from this year’s breaches is that most of them were avoidable – even preventable – if humans had exercised best practices at the proper times.”)

What was the nature of the attack on the security company RSA that they described as “extremely sophisticated” and an “advanced persistent threat”?  Simply put, it was a fairly ordinary phishing email that was sent to RSA employees that contained an Excel spreadsheet with an embedded Adobe Flash exploit.  At least one employee opened the attachment.  The exploit allowed the attacker to install a backdoor and subsequently gain access to the information they were after.

I wrote about this here, discussing how password tokens (like RSA) were just one factor in one layer of a multi-factor, multi-layered security process.  At the time the post was written (shortly after the attack became public) we weren’t sure about either the nature of the attack, or exactly what was taken, but at this point it is pretty clear that the real weakness that was exploited at RSA is still out there, and it can’t be fixed by a patch or an update.  In fact according to recent IT audits this particular vulnerability is still present at most financial institutions…the employee.  Or more specifically, the under-trained-and-tested employee.

How do you address this threat?  Sure, regular critical patch updates and anti-virus/anti-malware software are important, but the only way to mitigate the employee risk is through repeated testing and training.  As far back as 2004 the FFIEC recognized social engineering as a threat, stating in their Operations booklet:

Social engineering is a growing concern for all personnel, and in some organizations personnel may be easy targets for hackers trying to obtain information through trickery or deception.

And as recently as this year, social engineering is mentioned again in the FFIEC Internet Authentication guidance:

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset or as a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Most financial institutions already include some form of social engineering testing in their IT controls audits, typically as part of a penetration test (pen test).  Auditors assessing social engineering control effectiveness will use various techniques to entice an employee to enter their network authentication credentials.  Posing as a customer, an employee, a trusted vendor, or even going to the extreme of constructing a website with the same look and feel as the institution’s actual website, auditors have been extremely effective in getting employees to disclose information.  In fact, in all of the social engineering tests I’ve seen, the vast majority resulted in at least one employee disclosing confidential information, and in many cases 50% or more of employees handed over information.  Although I believe this number is slowly declining, if the RSA breach taught us anything it was that all it takes is one set of disclosed credentials from one employee to compromise the organization.

So if neither social engineering nor the need for training and testing is a new concept to financial institutions, then why is this such a persistent problem?  After all, most institutions have been conducting information security training for years.  In fact, as part of their IT examinations, examiners have been required to “…review security guidance and training provided to ensure awareness among employees and contractors, including annual certification that personnel understand their responsibilities.”

I think a big part of the challenge is that financial institution employees are specifically hired for their customer service skills; their willingness to want to help each other and the customer.  These are exactly the personality traits that you want in a customer-facing employee.  But this helpful attitude is exactly why financial institution employees are notoriously difficult to train on information security.  (An excellent summary of this is found in a technical overview paper published by Predictive Index).  The same personality traits that make employees want to help are also correlated with a general lack of suspicion.  And a little suspicion can be more useful in preventing social engineering attacks than all the formal training in the world.

Suspicion can’t be taught, but adherence to policies and procedures can.  And fortunately one personality trait that is correlated with a helpful attitude is a willingness and ability to follow the rules.  Perhaps the answer is to spend more training time making sure your employees know what is expected of them (as defined in your policies) and how they are expected to respond to requests for information, and spend less time discussing why (i.e. the current threat environment).  Make sure you include social engineering testing as part of your annual IT audits, because this is the only way to measure the success of your training efforts.  And if the testing results indicate that more training is necessary, repeat training and testing not just annually but as frequently as you have to until the test response rate is zero.  Also, use the news of recent cyber-incidents as an opportunity to stage “what would you do in this circumstance” training exercises with your employees.  In the end this is one risk you’ll never completely eliminate…the best you can hope for is that you don’t become a training exercise for someone else!