“Hey Josh, where’ve you been?”, I hear you all asking. Over the last several months, you might have noticed a suspicious absence of security folks from the wider blogging world. The reason for this is pretty much “Sorry, been busy”, which I know isn’t much of an excuse. So here’s the deal. Security is hard. Its always been technically complex, but recent events have combined to create something of a perfect storm. We like to divide the world into “good guys” and “bad guys”. In the past, it’s been a fairly even fight. However, with the global economic recession resulting in staff cuts, there are fewer good guys. Of course, with small budgets, there have been cuts on the technology side as well. At the same time, advances in malware technology have given the attackers some extremely impressive tools. These advances have been made possible due to unprecedented cooperation within multiple groups of organized crime.
So here we are, a reduced set of security practitioners trying to help businesses maximize security benefit for the dollar against a massive global network of highly skilled and highly paid criminals who are writing highly complex malware that goes far, far beyond your old school phishing attack with key logger. This post is going to focus on a specific type of financial attack. Odds are, if you’re reading this, you’re more interested in protection than the technical stuff, so we’ll break tradition and leap straight into that.
If you’re interested in hearing more about what this particular malware can do, there are technical links at the bottom of this post. For now, know that it’s a highly complex piece of financial malware which exists to steal money in any way it can. It runs on all versions of Windows and most common browsers. It’ll come in via email, web, PDF files, USB or any way that the attackers come up with. Small businesses and nonprofits are being targeted because they tend to have weak controls, but CEOs and CFOs are also being targeted as they tend to have to more to lose.
Within the industry, we often talk of security tradeoffs. Basically, there are costs to reducing risk… and these often go beyond mere dollars. My ultimate goal as a security consultant is to help a business make the appropriate decisions and balance security expenditure against the possible benefits. The following advice is what I believe to be true for most businesses, but please keep in mind that your particular business may have different requirements. To keep things simple, here are five technical and five financial recommendations.
T1) Use a dedicated system for financial transactions. Yes, it’s expensive, but a lot less expensive than having your money stolen. If you use the same computer to transfer money that you use to play Mafia Wars on Facebook, you’re just asking for trouble. If you’re using a shared system that’s not locked down, you might as well just cut the attacker a check… it’d save time.
T2) Use a dedicated firewall. Put a firewall between the dedicated financial workstation and both the Internet and internal network. Set it to use NAT and allow no traffic to flow from the Internet to the workstation. Allow the workstation to connect to your bank and the Microsoft and Adobe updates sites. Depending on your financial processing software, you may need more sites allowed… but keep it as minimal as possible. Only allow connections that it needs. The firewall should be a physical device as malware often disables local firewalls.
T3) Keep the workstation hardened and updated. Make it useless for anything other than financial processing. Don’t install Office. If you need to view docs or spreadsheets, install the free viewers from Microsoft. If you don’t need to view PDFs, keep Adobe as far away as possible. Update as soon as the updates are available. Forget about testing the MS patches, the vulnerability window is already negative, delaying patching is just stupid. Build your business processes to have a manual failover in case a patch breaks your financial transfer workstation. That’s a much better use of time than testing patches on a one-off system.
T4) Take away admin rights. I know it’s a pain to figure out what privileges you actually need to run that one app that is used every January to do taxes, but it’s a less than the pain to recovering half a million dollars because someone had admin access and didn’t need it. If you can use Linux and Firefox, by all means, do so… it’s a lesser target. If you cannot, go with Windows 7. The UAC security controls in Windows 7 are excellent.
T5) Use a real antimalware program. The one that comes loaded on your workstation when you buy it from Dell/Best Buy isn’t going to cut it. Freebies aren’t going to cut it. Real programs cost real money. For specific recommendations, I like Sophos because of the enterprise control features. Being able to use device-based controls and lock down applications is very important here. If you really want to go light and accept the risks that come from reduced control, Kaspersky is a good second runner. In any case, if you detect malware running on your dedicated system, notify your financial institution immediately.
F1) Set your account to use dual controls. This means that one person in your organization has the ability to initiate payments but a second person must approve them. This makes the attackers’ job much more complicated, as they have to control two systems and synchronize data in order to steal money. If your financial institution does not offer this ability, we strongly recommend finding another institution.
F2) Some institutions allow you to create a list of companies and individuals who are authorized to receive payments (called Positive Pay or Whitelisting). This list should be created outside of the Internet banking system so that an attacker cannot simply add and authorize a new account. If you have this available to you, by all means use it! This can go a long way towards preventing your money from being transferred to money mules.
F3) Almost all institutions allow you to sign up for alerts. With these systems, you get emails (or, in some cases, text messages) whenever a transaction occurs. The faster you can respond to a suspicious transfer the more likely you will be to reverse it. Bank-to-bank transfers are nearly immediate and require the cooperation of the receiving bank to get the money back. The longer you wait the more likely that the money has moved on and more institutions will need to be involved, which makes recovery much less likely.
F4) Set limits wherever you can. Many systems allow you to limit the amount of money a particular person may transfer, the amount that may be transferred per day/week/month and the times at which transfers can occur. Of course, you run the risk of being prevented from transferring money when you really need to, but in most cases you can work around this with a phone call to your institution. The protections you get from limiting transfers are usually worth the occasional irritation when you have to work outside the norms.
F5) Utilize emerging technologies. Not all banks have these options, but if your bank can provide you with a two-factor authentication token, security software to facilitate secure transfers, out of band approval systems (phone, fax, text message, etc.) or analysis of payment patterns, take advantage of them. They’re usually free to inexpensive and will give you a much deeper level of financial protection than you would get otherwise.
F6) Bonus suggestion! Some accounts have overdraft protection in place. This sounds good if you are worried about occasionally spending more than you have. However, the flipside is that it could allow an attacker to steal more money than exists in the account. If you can get by without overdrafts, turn this protection off or, if you have to, at least set the protection level as low as you can.
In the end, a combination of technical and financial controls will go a long way towards protecting you, but implementing them will require you to change your business processes. If you’re a CEO, CFO or owner you’re lucky. If you’re not, you may need to set up a meeting with your C-level people. They need to understand that they are being targeted personally because of their role. They need to know that the online systems are being manipulated. The balance reported on an infected system will be altered to hide the malware’s activities. They also need to understand that there is no 100% solution. What I recommend here is a good start, but they could still have problems if the attacker is persistent.
Microsoft recently released their Security Essentials product. This is a free anti-malware product, and analysts seem to think that it does a pretty good job at what it does.
However, I want to point out one thing that you probably already know: You get what you pay for.
Security Essentials is intended to be a lightweight anti-malware solution that competes against other free AV solutions. It does a decent job at protecting against the average threat and is certainly better than using nothing at all. However, it is a mistake to compare it to a professional anti-malware system. As SANS says, “Think of this as the AV as it used to be in 2000 or so.”
In short, if you are a home user and don’t care enough about your system to spent $50 a year to protect it, go ahead and use Security Essentials. However, if you are in a business environment, you need something that includes firewall, behavioral detection, network access control, data loss prevention and central management (and more). Security Essentials won’t cut it.
Lastly, if you do decide that you want to try it out, be sure you download the right thing. There are search engine optimization attempts going on to make malicious software (fake antivirus) appear on the search results instead of the link you really want. The right link is http://www.microsoft.com/security_essentials/.
I’ve posted about the current run of banking malware before. For a quick review, this is malware that sits on your computer and waits for you to access your online banking site. Once you’re logged in, it watches what you do and then surreptitiously transfers money out of your account to the attacker. I’m posting about it again because of the new wrinkle:
It will now alter what your browser shows to you, so that you don’t see the unauthorized transfers.
Essentially, the malware knows what you expect to see and shows you that, while it is simultaneously lurking under the radar of banks and avoiding their anti-fraud systems. For those that want more details, read this, this, this and this.
For everyone else, try the following:
1) Check your banking statements very carefully. Most home users have at least 30 days to challenge a transfer, but business users only get 2.
2) Work with your bank to implement a call-back mechanism so that you can approve transfers.
3) See if you can use a dedicated system for only doing banking. Leave it unplugged and turned off unless you’re using it or patching it.
4) Keep all of your other systems patched and run a decent anti-malware system.
This week, ComputerWorld released a review of free anti-malware systems. The conclusions were much as one would expect, mostly that the free stuff works OK but the pay stuff is probably better. The free systems are ranked here, if you are so inclined.
So, really, there’s nothing new here. However, I do want to point out a few things:
- Only one system has phone support, and that costs $50 per instance.
- Many of them fund themselves with advertisements.
- Heuristic detection was pretty poor across the board.
- None of them update very frequently.
- Most of these companies have a for-pay version available as well.
I know that most of us are always looking to cut costs, but the sheer number of times that I have removed expired or non-functional anti-malware systems indicates to me that this is very important. Do not scrimp when it comes to security software. The good stuff costs real money for a reason.
If there is a problem, a reliable company will take care of you. The goal of a business in this space should be to help you maximize your profits. Sure, they have to cover their costs and make a bit of profit themselves, but attitude is extremely important. If they approach the problem of “people don’t want to pay for anti-malware” with “let’s constantly distract the users with popup ads”, do you think that they have your interests at heart? If they charge as much for one support instance as it does to buy a license with unlimited support, do they really want to help you? (And, do you think that they have an incentive to have you not experience problems?) If they make no distinction between “I am unable to login to World of Warcraft” and “I am unable to make payroll”, do you really want to work with them?
I mean no disrespect to ComputerWorld here. I know that they serve both the consumer and business markets. I know that there is a place for free anti-malware systems in the consumer space (though I think it’s quite small). However, to answer the question “Can You Trust Free Antivirus Software?”, I’d have to answer unequivocally “no”. If you are in business, you should use a business-quality anti-malware suite. Even if you’re at home, if your business requires you to use your home system, it should also be protected by a business-class anti-malware suite.
Odds are that you know the cost of your time, and if you are unable to work because you get sick, you know what it’s worth to protect against that, that’s why we have health insurance (however it winds up being paid for in the U.S.). Similarly, if your computer gets sick, how will that impact you? Does your computer need health insurance too?
First of all, you are more likely to get hit with a virus if you don’t have antivirus than if you do, so it’s not exactly useless. Second, you can get antivirus systems for free (Windows version here) so there’s no economic reason not to run one. However, if you go into the process thinking that if you install an antivirus system, you’re done, then you’re making a mistake. Antivirus may not be dead, but your system will be.
See, the way that antivirus works is by maintaining a set of signatures, or unique identifiers for a piece of malware. This worked well enough twenty years ago, but these days, the people that write malware are pretty good at making each one have a unique signature. So, these things can change and morph faster than you can keep up. However, you’ve got to do something, right? What are your options?
Ignore The Problem
My mother used to tell me that if I ignored the mean kids, they’d stop teasing me. She was wrong. In the same way, ignoring this problem will not make it go away. Instead, it will likely create a situation where your systems get infected and then spread that infection to your customers and partners. I hope that we can agree that this is no solution.
Host-Based Intrusion Prevention
Many of the traditional antivirus vendors have started rolling host-based intrusion prevention systems (HIPS) into their products. These systems shift the problem from scanning the entire system to looking at what actually runs. These systems can detect common security flaws and prevent malware from accessing them. With some vendors, they are combined with application blacklisting, so you can use the same system to prevent employees from running games or installing browser plugins.
In the past, we’ve used a firewall to prevent access to internal systems. Some people are trying to extend this idea and pushing extra capabilities onto these network devices. The logic is that if you control where your people can go (web filtering) and what can come to them (email filtering), you can block malware at the edge of your network. It’s a nice theory, but given that you also would have to deal with USB drives, MP3 players, CD/DVDs, wireless networks, etc etc, I have my doubts that this technique will be effective.
As many people do, once they’re told that something’s not working, they go to the opposite extreme. In this case, instead of building a blacklist of “bad” applications, they try to identify some known “good” applications and only allow those to run. While I’m not a fan of extremism, it seems to be working in this case. Bit9 seems to be the current leader in this space, but it’s only a matter of time before there are others. The one caution here is in relying on only this technique, as if anyone uncovers a flaw in the technology that prevents the non-whitelisted applications from launching, they can then launch anything they want. Also note that, depending on your organization, it might take a long time to define the “good” applications.
One thing I recommend is to recognize that your system will probably get compromised eventually, no matter what you do. If you implement a system that can identify your important data and let you know when it detects it somewhere where it’s not supposed to be, you can at least know that there’s a problem. Small comfort, I know, but it’s better than not knowing, right?
Every organization will have a different set of needs and will need a different solution. However, there are a large number of businesses out there that would likely benefit from the following type of solution:
- Application Identification – Take the time to identify which applications are required for business.
- System Imaging – Build a standard “image” of all applications that a system should have and deploy to all computers.
- Application Whitelisting – Install a product like Bit9 (there are others) to prevent anything non-approved from running.
- Antivirus – Install a product like ClamAV (free) or Sophos (pay) to serve as an additional layer of defense… especially if you have laptops.
- Document Repository – Use a centralized document repository to keep all of your documents and log who accesses them when.
- Operations: Applications – On a regular basis (monthly is good) patch all applications in your image, update the application whitelist and push the changes out to all systems.
- Operations: Data – On a regular basis (monthly is good, quarterly is acceptable, yearly is not), review the access logs on your repository and make sure that things are reasonable.
There is a lot more that you can do, and if you have servers, a lot more that you should do, but as you’re likely not doing the above yet, hopefully this gives you a good place to start.
It’s interesting how business awareness lags actual security threats. I was having a conversation recently with someone who said something like “yeah, we get by a virus about once a month, but we clean it up and keep going”. This took me aback as I realized that there are a significant number of people out there that don’t view malware seriously.
This is our fault. For years, we’ve been classifying threats and discussing their differences instead of focusing on their similarities. If you’ve touched any IT in the last decade, you’ll recognize the following list of words: virus, worm, trojan, spyware, adware, malware. You’ve probably been told that your antivirus application will take care of it, so you run it and get on with your life. Well, I’m sorry to break it to you, but you’ve been lied to.
We’re at the end of what antivirus can do. We’ve also reached the point where malware (malicious programs) have moved from being annoying to being evil.
Back in the day, malware would spread from system to system and slow things down. Sometimes, they’d delete files. That was then.
Today, people are using these systems to create what are known as bot armies. Once they take over your computer and add it to their armies, they can do anything they like to your computer. Like what?
- Conduct attacks on other networks
- Store illegal materials (often child pornography) on your computer
- Crack passwords
- Banking data
- Harvest all proprietary data (trade secrets, tax information, business plans, source code) from your network
- Harvest client data (credit card numbers, social security numbers) from your network
Basically, if you get infected with malware, the attackers can get anything they want from you. Any file you have, any site you browse to, any email you send or receive. It’s all theirs.
It’s more than a nuisance. What are you doing about it?