Rogue Actors Archives - Safe Systems

16 May 2019

Don’t be the Next Victim of a Data Breach: Evaluate Your Security Layers and Add the Extra Protection You Need

Banks, Credit Unions, Security Jamie Davis 0 comment

Major Antimalware Companies are Being Compromised: Now is the Time to Evaluate Your Security Layers

Antivirus and Antimalware solutions are designed to protect computer and servers from becoming victims of bad actors (aka hackers). The entire purpose of these solutions is to provide protection, security, and assurance that your machines are safe. Antimalware solutions are considered an essential or basic part of every person’s and business’s computer security. Other than security experts who have their own ideas on protecting their own machines, it is recommended by just about everyone to have antimalware solutions on computers as a rule.

Think about it, antimalware tools might be the ultimate applications. They are installed on a large percentage of computers across the world, they require access to all files to work, and they are trusted. But they can also be used as a backdoor into computers and workstations.

In the news this week, three major US players in the antimalware software game may have all fallen victim to being compromised. Symantec Antivirus, Trend Micro, and McAfee all have been rumored to have been compromised. As of the posting of this article, Symantec has denied any breach, McAfee has said they are investigating the situation, and Trend Micro admits some non-critical data has likely been compromised.

Whether these companies were breached, or critical data was taken, we may or may not find out in the near future. What we do know is no company nor data is safe. RSA which was and may still be considered one of the leaders in digital risk management and cybersecurity solutions including dual factor authentication tools was compromised a few years ago.

Is the answer to switch antimalware solutions? Or, stop using them anyway since they offer backdoors into your systems? No, not at all. These incidents simply reinforce the need for layers of security protection. Many businesses and people on personal computers say, “well I have antimalware software installed, what else can I do?” The reality is this comparable to asking, “I put a door on my house, what else can I do.?” On your house, you don’t stop at the door; you add door locks, deadbolts, security systems, cameras, etc. You must do the same with cybersecurity. There isn’t a buy one fits all option.

It’s time to look for solutions that augment your standard antimalware solution. This can include solutions that look at behavioral characteristics of your network above and beyond antimalware’s traditional signature method. Another great solution is to add honeypots to your infrastructure with appropriate alerting built in. In one of the articles sourced for this blog, the publication captured dialog between the bad actors in a chat log. Within that dialog, the few lines below reveal the bad actors are using products that are used by employees:

“their network defense does not see us b/c TeamViewer and AnyDesk are legit software, and admins also use it there. That is why no questions (about their remotely moving around the network).”

“no, you can only move laterally via credentialed net shares or RDP”

Please note, these logs are translated from Russian and the English translation might sound awkward. Basically, the bad actors will use things like RDP, which almost all institutions utilize, plus some other applications that may be more specific to each individual business. To make a long story short, these guys are smart and navigate your network with the same tools your employees use. This is known as living off the land.

On average, it takes organizations 200 days or more to learn that they have been breached. The longer a bad actor has access to a network, the more damage they can inflict.

However, what if there were folders, servers, and databases on your network that were accessible via RDP or other technologies, but they served no business purpose? These assets would serve as bait for the bad actors. Suddenly, you can identify the traffic as likely snooping and not normal activities. This is the beauty of honeypots. It helps isolate suspicious traffic from normal activity based on the interest in the material, not the method of accessing it.

It is always important to keep up with the latest news about cybersecurity. If you use one of these solutions, be sure to keep up with the latest news from the company. If you don’t use one of these companies, you could be next. Stay vigilant as every company is one nightmare away from having a breach, including yours. In the meantime, evaluate the layers you have in place. Heavily consider some type of honeypot solution, as it might be one of the few solutions that can catch true covert snooping. As always, Safe Systems is here to help evaluate the layers you have in place to help ensure you have the extra protection.

24 Jan 2019

Banks, Credit Unions, Technology Jamie Davis 0 comment

What Community Financial Institutions Should Look for in a Managed Services Provider

The majority of banks and credit unions rely on managed services providers to help them improve efficiencies in their organization, meet mounting regulatory compliance requirements, and provide the competitive products and services their customers and members expect.

However, selecting the right managed services provider can be challenging. We have highlighted some key qualities that community banks and credit unions should look for when choosing trusted partners.

A managed services provider should have a true understanding of the following areas:

The community banking and credit union industries

Automating Your Compliance Processes with Technology Get a Copy

A managed services provider must truly understand the “ins and outs” of operating a community bank or credit union. This includes recognizing the industry trends, realizing the importance of priorities, such as customer- and/or member-service related touch points, and understanding regulatory and compliance issues. Not knowing how a community financial institution operates is a hindrance that can prohibit the provider from effectively meeting the demands of the institution and makes it unlikely that it will be in a position to offer informed recommendations on improvements and solutions to existing issues.

Financial services technology

Technology is ever-changing and it is nearly impossible for any one person to successfully keep up with all of the advancements. To provide the technological solutions and services that a community bank or credit union requires, a managed services provider should understand the technical requirements of all banking technology solutions, starting with the core platform. Since many applications have to work with — and integrate into — the core platform, it is impossible to design an efficient and comprehensive network without first an understanding of core platforms and banking technology.

Regulatory compliance requirements

The evolving world of financial regulatory compliance governs every aspect of your IT network and that includes what hardware and software you choose to deploy. In today’s banking environment, vendors must be able to make recommendations on how to manage hardware and software to meet regulatory expectations, meet regulatory expectations such as, verifying all patches, ensuring security measures are up to date, and maintaining access to critical services during a disaster.

Working with the wrong managed services provider can be time-consuming, cumbersome, and even stressful. However, working with a provider who offers the desired services and who truly understands your industry can help guide the institution in today’s challenging financial environment. A good partnership is key to ensuring your organization remains competitive and profitable for years to come.

06 Jun 2018

How 4 Security Truths Can Improve Your Security Program

Banks, Credit Unions, Security Brian Brannon 0 comment

How 4 Security Truths Can Improve Your Institution’s Security Program

How 4 Security Truths Can Improve Your Security Program

Security has become increasingly complex. In addition to the ordinary computer, today’s world is full of tiny computers or smart devices that have complete, functional operating systems and are connected to the internet. These Internet of Things (IoT) devices include our phones, refrigerators, thermostats, TVs, light bulbs, and even cars. While this level of connectivity provides the benefit of greater convenience in our daily lives, it has also increased the number of ways we can be compromised by attackers.

“The denial-of-service attacks that forced popular websites like Reddit and Twitter off the internet last October were enabled by vulnerabilities in devices like webcams and digital video recorders. In August, two security researchers demonstrated a ransomware attack on a smart thermostat,” said Bruce Schneier.

As institutions continue to connect more devices to the internet, the number of potential security weaknesses on their network will increase. So how can banks and credit unions use this knowledge to improve their security programs?

According to Schneier, an internationally renowned security technologist and author, there are four truths related to the current world of computer security:

Ransomware and the Evolving Security Landscape Free White Paper

“Attack is Easier Than Defense”

According to Schneier, “Computer-security experts like to speak about the attack surface of a system: all the possible points an attacker might target and that must be secured. A complex system means a large attack surface. The defender has to secure the entire attack surface.”

Attackers work to find ways to use software and solutions in malicious ways that developers never intended. They can find the smallest security flaw or vulnerability in any system and use that to their advantage. This means financial institutions have to plug and patch each and every hole and vulnerability in all systems in order to be secure, whereas an attacker only has to find a single vulnerability in a device to be successful.

“There are New Vulnerabilities in the Interconnections”

“The more we network things together, the more vulnerabilities on one thing will affect other things,” said Schneier. For example, attackers can penetrate a network through a DVR system, bypassing the more robust level of security of a computer. The hard truth is that the more devices you connect to your environment, the more attack surface you have due to the growing number of vulnerabilities.

“The Internet Empowers Attackers”

“One of the most powerful properties of the internet is that it allows things to scale. This is true for our ability to access data or control systems or do any of the cool things we use the internet for, but it's also true for attacks,” according to Schneier. The internet is a powerful tool that improves efficiency for everyone, including attackers, which is why they use it to scale an attack. An attacker can connect to a network through any number of different connected devices, some as benign as a thermostat, refrigerator or light bulb. Attackers often function as a part of a community, readily sharing knowledge and experience with each other. It’s no surprise that the source code for the Mirai botnet, which was able to infect IoT devices such as DVRs, home routers, printers and IP cameras, is now available on the internet for anyone to use.

“The Economics Don’t Trickle Down”

“Our computers and smartphones are as secure as they are because companies like Microsoft, Apple, and Google spend a lot of time testing their code before it's released, and quickly patch vulnerabilities when they're discovered,” said Schneier. Whereas vendors of DVR’s, IP cameras, printers, and consumer devices do not allocate enough resources and money to effectively secure their devices. Additionally, these devices typically have less expensive and less secure components, as well as low-end operating systems with no focus on security or patching, all of which make it is easier for attackers to use them to penetrate a network. Financial institutions must keep this in mind when adding new devices to their environments and should implement additional security layers to guard against attacks.

Improving Your Security Program

The first step to having a truly secure network is to be aware of all devices that are connected to your network. A solid asset management program enables financial institutions to know what systems they have in place, what devices they have, where they are located, and what is connected. When connecting a new device to the network, make sure passwords are secure, the device is operating with up-to-date software, and it is protected by the security layers in place.

In addition, financial institutions should have controls in place to continually scan for vulnerabilities. Firewalls and anti-malware software alone are no longer enough to protect against cybercrime. Additional security layers enable financial institutions to identify when an intruder is present, identify curious internal employees, identify rogue internal employees, and uncover suspicious activity before any damage is done. Combined with Safe Systems’ V-Scan, a powerful network scanning tool that scans the entire network for vulnerabilities and produces an exhaustive list of all vulnerabilities that exist on each device, financial institutions can have greater visibility into their networks, giving them the confidence their organization is truly secure.

43% of cyber attacks target small community businesses Tweet
smallbiztrends.com

Financial institutions are 4 times more likely to be attacked than other industries Tweet
Websense Security Labs Report (now Forcepoint)

47% of the time, companies are unaware that they've been breached until a 3rd party tells them Tweet
Mandiant M-Trend Report

27 Apr 2018

2018 04 27 Former Employee at the Center of SunTrust Data Breach

Banks, Credit Unions, Security Brian Brannon 0 comment

Now-Former Employee at the Center of SunTrust Data Breach

Former Employee at the Center of SunTrust Data Breach

Atlanta-based regional bank SunTrust issued a formal statement on Friday, April 20th notifying 1.5 Million customers that their personal data may have been compromised in a data breach orchestrated by a now-former employee.

The announcement came during an earnings call when CEO William Rogers said the employee had worked with an outside third party to steal client contact lists. The data included customer names, addresses, phone numbers and account balances. The data did not include social security numbers, account numbers, user IDs, passwords or associated driver’s license information.

Initially, the bank became aware of an attempted data breach by the employee in late February when the employee attempted to download client information. This triggered an internal investigation, which eventually lead to last week’s public announcement. They believe the employee may have printed the information with the intention of sharing it outside the bank.

At this time, SunTrust is working with law enforcement and is declining to provide any additional detail or make any further comments about the ongoing investigation. The bank has begun to notify individual customers whose data may have been stolen; as well as, offering free identity protection service to all of their customers.

Mr. Rogers said in a statement, “Ensuring personal information security is fundamental to our purpose as a company of advancing financial well-being. We apologize to clients who may have been affected by this.”

If you are a SunTrust banking customer, SunTrust if offering Experian’s IDnotify service free of charge. Visit https://www.suntrust.com/identity-protection to sign up.

Cyber Crime Terms Every Financial Institution Should Know

Defending yourself and your bank against cybercrime requires a mutli-layered, proactive approach. Threats come in many forms and with many malicious intentions. Safe Systems provides community banks and credit unions with innovative security solutions and tactics to help you stay a step ahead of cybercriminals.

Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program

Learn why a single layer of security, such as antivirus, is no longer enough in the current risk environment.

07 Mar 2018

Banks, Credit Unions, Security Brian Brannon 0 comment

Three Reasons Why Cybercriminals Attack Financial Institutions

Three Reasons Why Cybercriminals Attack

Cybercrime and threats continue to be at an all-time high. An attack on a financial institution resulting in the loss of data can have a devastating effect on the organization’s revenue and reputation. In addition, the amount of time and money needed to resolve these attacks can be significant.

While we hear about cybercriminals and the effects of cybercrime, we’re left wondering, why do these criminals attack? In years past people would say cybercriminals attacked for the fun of it. However, now people turn to hacking for a variety of financial, political, and ideological reasons.

Three of the top reasons cybercriminals attack include:

Bragging Rights or Power

Some attackers, be it individuals or members of a larger group, will target large, well known organizations with the hope that the resulting recognition or publicity will give them bragging rights within the hacker community. This was best illustrated by attacks perpetrated by a teenager named Michael Calce (aka MafiaBoy) in early 2000. These attacks brought down large websites such as Yahoo, eBay, and Dell. Calce was later arrested after bragging about his attacks on the internet via IRC.

Political or Personal Agendas

Some attackers target particular companies, websites or governments as a way of drawing attention to their own political beliefs or personal grudges. In many cases, the attackers are disgruntled employees (or former employees) of an organization looking for revenge. Other attacks in this category can be attributed to nation states who are acting on political agendas.

An example is Blue Security and its anti-spam product, Blue Frog. Attackers did not like that the organization was blocking spam so they launched a distributed denial of service (DDoS) attack on the company and the organization shut down.

One of the largest DDoS attacks was launched against KrebsOnSecurity.com in retaliation for a series the site produced on the takedown of the DDoS-for-hire service, which coincided with the arrests of two men.

Financial Gain

In today’s market, cybercriminals have found it lucrative to readily sell stolen data on the black market. Or, attackers will penetrate organizations as a form of extortion, demanding payment with a deadline with the threat of an ensuing DDoS attack. Recent FBI statistics indicate that hackers were able to successfully extort more than $209 million in ransomware payments from businesses and financial institutions in Q1 2016 alone. While we hear about attacks on larger well-known organizations, it can actually be more profitable for an attacker to target smaller, lesser known organizations since their security measures might not be as tight.

Community banks and credit unions cannot be complacent when it comes to protecting themselves and the sensitive information they hold. It is critical to defend your institution with a variety of security layers, not only firewalls and anti-malware, but additional security layers designed to guard against cybercrime.

28 Feb 2018

Banks, Credit Unions, Security Brian Brannon 0 comment

To Fight Cybercrime, Financial Institutions Must Identify Rogue Actors

To Fight Cybercrime, Financial Institutions Must Identify Rogue Actors Featured Blog Image

Cybercrime continues to be a growing problem for community banks and credit unions. Today’s criminals continue to develop increasingly sophisticated tactics to exploit systems. The goal of an attacker is to gain access to an organization, locate and extract valuables, and avoid being discovered. These intruders are referred to as rogue actors.

What is a Rogue Actor?

There are two types of rogue actors. The first type of rogue actor is an external individual or group who enters an organization’s systems without prior authorization. This unauthorized access could come from an external attack, or through a physical presence. This physical presence could be accomplished using social engineering techniques. In this scenario, the adversary poses as a printer repair tech, or any potential vendor, and gains unauthorized physical access to your systems. The second type of rogue actor is an adversarial insider attempting to obtain unauthorized access to valuable data for personal gain or malicious intent.

How to identify a Rogue Actor?

One effective strategy to identify a rogue actor is for organizations to place decoys throughout their environment. Since there are no legitimate reasons for the decoys to be accessed, an alert will notify the appropriate groups on the anomalous activity. If the organization’s other security layers are bypassed, these alerts enable the organization to quickly remediate the issue. There have been several major breaches over the last few years that likely would have benefitted from these types of decoys within their organization. It is important to be aware of any suspicious activity so you can successfully mitigate risks and prevent data loss.

What is the impact of a Rogue Actor?

The impact of having a rogue actor on a network can be devastating to a financial organization, with the main risk being theft or unauthorized access of data. Financial institutions are prime targets due to the amount of sensitive data they house. A data breach at a bank or credit union not only affects that organization but also all customers or members whose personal information may be compromised or stolen. Rogue actors can then hold the compromised data for ransom or sell it on the black market.

14 Feb 2018

Banks, Credit Unions, Security Brian Brannon 0 comment

Rogue Actor Detection: Monitoring for Internal Threats to Your Institution’s Network

Rogue Actor Detection Monitoring for Internal Threats

While financial institutions are aware of the importance of protecting their network from adversaries and possible outside attacks, many are not investing in protecting themselves against breaches coming from internal threats. These rogue actors could be an employee, an outside attacker, or another unauthorized user trying to access valuable data.

Within the last few years, several major breaches have been perpetrated by attackers exploiting a weak point within an organization and then scanning the network to gather information. While cybercriminals have certainly realized the benefits of targeting financial institutions, community banks and credit unions have been slower to realize the importance of monitoring for rogue actors and reacting to this danger.

Costly Invasions

As an example, a previously undetected hacker group, now known as the MoneyTaker group, has netted approximately $10 million in ATM network heists from at least 20 companies, including U.S. banks and credit unions, by targeting the networks banks use to transfer money. According to Group-IB, a global leader in preventing and investigating high-tech crimes and online fraud, the attackers used a form of malware that is stored in the memory of the computer, which makes them extremely hard to detect by traditional antivirus defenses. This also makes it very difficult for organizations to know they have even been hacked since all traces of the invasion are destroyed each time the machine is rebooted. On average, it can take an organization more than 200 days to discover that their network has been compromised.

Setting Out Bait

Security experts agree that a missing piece in many institutions’ security strategy is identifying unusual activity and having solid reconnaissance protection in place. One of the few ways to do this is to deploy what is known as decoy data and services onto the network. This technology serves as a trap for someone who is looking to gain illegal access to the network. Remediation processes can begin immediately once an attacker accesses the “bait” or “decoy.” Any unusual activity on these areas will trigger an alarm, since no there are no legitimate reasons to access the decoys.

Examples of decoy information placed on networks typically include items like port scan sensors, remote desktop protocols, SMB shares, FTP and/or SQL.

Protection for Community Financial Institutions

Many organizations that recently experienced breaches would have benefitted from implementing a solution to effectively monitor and detect unusual activity on its internal network. For community banks and credit unions, perimeter defenses can only do so much to protect their institution and customer information. Cybercriminals will continue to develop sophisticated forms of malware and carry out targeted attacks to compromise their networks. To be truly protected, it is important for financial organizations to monitor for internal threats and stop unauthorized network users before they strike.

2018 Community Bank IT Outlook

Primary Research and Analysis of Your IT Priorities in 2018

06 Dec 2017

Banks, Compliance, Credit Unions Jamie Davis 0 comment

What Community Banks and Credit Unions Should Budget for in 2018

2017 Dec What Community Banks and Credit Unions Should Budget for in 2018

Many financial institutions are entering (or are already within) their 2018 budget season. While creating a budget is essential in helping you execute your strategy and plan for the future, any shortcomings, such as the ability to respond to changes in regulation or things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, security and compliance budget items that are often overlooked. Since we work with more than 600 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints and offer some points for consideration in your budgeting for 2018.

2017 started with several ransomware incidents and culminated mid-year with one of the largest breaches ever – directly impacting more than half of the adults in the United States– with the Equifax breach. Expect “Cybersecurity” and “Information Security” to be buzz words going forward for the next few years. No business wants to have a breach and no regulatory agency wants to sign off on a business’ processes only to have them be breached. Look for the regulatory agencies to start looking out for number one by putting pressure on you, the financial institution, to step up your cybersecurity efforts.

Per some studies, up to 90% of cybersecurity spending is directed towards securing the network, yet 72% of all breaches happen from the application level. This disconnect indicates that, while the money spent may prove effective on stopping perimeter exposure, it has likely left an unexpected weakness in overall protection.

Expect cybersecurity and added layers to be a focus over the next few years. The layers are often moving from the perimeter to the device level. Considering most breaches go unnoticed for 100-200 days, expect an emphasis on forensics and monitoring in the coming year(s) as well.

As you are setting budgets for 2018, here are some key line items for consideration:

Malware/Ransomware Layers: $1,500 – $5,000

Remember that 2016 and early 2017 were very heavy in malware, especially ransomware. While this seemed to cool off toward the end of 2017, experts expect this to be a major issue for the foreseeable future. The price will depend on the layers you select and how many you choose to add. You should really consider taking a more aggressive step in your fight against malware this year. If 2016 and 2017 taught us anything, it is that malware, and specifically ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past.

Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers, but is now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.

Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their cybersecurity posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.

Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

Cybersecurity preparedness does not start or end with the Cybersecurity Assessment Tool (CAT), but it does play a role. Examiners will be looking at this for at least acknowledgement that you understand cybersecurity is a real issue and you are working on addressing it. We still speak with institutions who have done little to nothing with the CAT. With the current risk environment constantly escalating, regulators are unlikely to continue to let this slide.

Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program

Learn why a single layer of security, such as antivirus, is no longer enough in the current risk environment.

Honey Pots: $2,500+

A security professional at a major security conference earlier this year referenced baiting and monitoring for criminal activity as one of the most effective measures to know if you have been compromised. Often referred to as “honey pots,” this refers to decoys set up to look interesting to anyone “snooping” around. With a solid solution in place, your institution could know of an intruder within minutes instead of the estimated 100-200 days noted above. If Target or Equifax had used similar solutions, they would likely have not been compromised or damaged to the extent that they were.

Robust Vendor Management Solution: $2,500 – $5,000

With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost effective way to address this. This also ties into the cybersecurity preparedness. As data has moved outside the institution, it’s more important than ever to make sure your vendors are keeping your data safe.

New and Replacement Technology: $500 – $10,000

Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:

Expired in 2017 and should be replaced or upgraded

Windows Vista
Symantec Endpoint 10.x
Microsoft Office and Exchange 2007
Backup Exec 2015
Adobe Acrobat XI

Expires in 2018 and should be replaced or upgraded

ESXi/vCenter 5.5 expires 9/19/2018

Training: $500 – $1,500

Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. This is an area where many institutions could make a lot of improvement for the fewest dollars. Employees, via intent or mistake, are often the starting points for the breaches many institutions face. A single employee has been blamed for much of what happened in the Equifax breach. Make sure your employees and customers have access to the appropriate training commiserate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.

Vendor and User Conferences: $1,000 – $1,800

It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.