Pub. 7 2012-2013 Issue 4

www.nebankers.org

Protecting Against Cyber Attacks

Russ Horn, CISA, CISSP, CRISC, President, CoNetrix

On Sept. 17, the Federal Bureau of Investigation (FBI), the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3) released a joint fraud alert titled "Cyber Criminals Targeting Financial Institution Employees' Credentials to Conduct Wire Transfer Fraud." In the alert, they suggest that recent reporting indicates a new trend in cyber attacks to compromise financial institution networks and obtain employee login credentials. In many cases, these attacks used spam and phishing emails to install keyloggers and Remote Access Trojans (RATs) to gain access to the employee's computer and subsequently to the bank network. The majority of victims targeted were small to medium-sized banks or credit unions; however, the report adds that a few larger banks also have been affected.

On Oct. 5, researchers at EMC-RSA warned, based on "underground chatter," that a sophisticated, large-scale cyber attack was being planned to raid the bank accounts of customers at a number of banks in the U.S. In a blog post, Mor Ahuvia, the cyber crime communications specialist at RSA's FraudAction Research Labs, wrote, "If the gang's plans do materialize, this campaign could be the largest coordinated attack on American financial institutions to date."

With this increase in actual and predicted cyber criminal activity directed at financial institutions, we must be diligent and prudent in protecting ourselves. But what can we do to protect our employees and customers from these types of attacks? Below are some suggestions you can review to be proactive in reducing the risk of a cyber attack against your institution.
Some of these suggestions are taken directly from the fraud alert issued by the FBI, FS-ISAC, and IC3, while others are included from further guidance or industry best practice.

• Conduct and/or review your information security and Internet banking risk assessments.

• Conduct security awareness training for all employees, including educating employees on the dangers of social engineering (e.g., opening email attachments, clicking on links in unsolicited emails or messages, etc.).

• Educate commercial and retail online banking customers on security awareness and online security best practices.

• Provide enhanced security awareness training to all employees or high-risk customers with access to payment systems.

• Ensure reputable and up-to-date anti-virus and anti-malware defenses are in place and functioning properly.

• Ensure operating system and application security patches are up-to-date and a process is in place to update them regularly.

• Restrict Internet access and/or implement Internet content filtering.

• Restrict and/or limit administrative access to computer systems as much as possible.

Cyber Attacks — continued on page 24
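The following PowerShell script is an added example, not part of the article or of CoNetrix's guidance, showing one way to put the "restrict administrative access" item into practice as a recurring check: it compares the members of a workstation's local Administrators group against an approved list and reports anything unexpected, which is exactly where a RAT or an over-privileged account tends to show up. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module (Get-LocalGroupMember); the approved-list entries are constructed placeholders to be replaced with your institution's own groups.

```powershell
# Added example (not from the article): audit the local Administrators group
# against an approved allow-list so unexpected admin accounts stand out.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember, LocalAccounts module).

# Constructed placeholder allow-list. Local accounts are qualified with the
# computer name because Get-LocalGroupMember reports them that way;
# domain principals use the DOMAIN\Name form.
$ApprovedAdmins = @(
    "$($env:COMPUTERNAME)\Administrator",  # built-in account (disable/rename per policy)
    'CORP\Domain Admins',                  # placeholder domain group
    'CORP\Workstation Admins'              # placeholder domain group
)

# Enumerate current members; each entry carries Name, ObjectClass and PrincipalSource.
$members = Get-LocalGroupMember -Group 'Administrators'

# Keep only members that are not on the approved list (comparison is case-insensitive).
$unexpected = foreach ($m in $members) {
    if ($ApprovedAdmins -notcontains $m.Name) {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name
            ObjectClass = $m.ObjectClass      # User or Group
            Source      = $m.PrincipalSource  # Local, ActiveDirectory, etc.
        }
    }
}

if ($unexpected) {
    Write-Warning "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $unexpected | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled task or monitoring agent can flag the host
}
else {
    Write-Output "Local Administrators group on $($env:COMPUTERNAME) matches the approved list."
    exit 0
}
```

Run it from an elevated prompt on each workstation (or push it through your endpoint management tool) and collect the non-zero exit codes centrally; the same pattern extends to other sensitive local groups such as Remote Desktop Users by changing the group name and allow-list.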
