In
late May, online security firm Trusteer, an IBM company, raised alarms about a
new online banking Trojan it calls Zberp. According to Trusteer, more than 450
global banking institutions in the U.S., the United Kingdom and Australia have
been targeted by this malware strain, which combines features from Zeus and
Carberp, two well-documented banking Trojans.
Just
days earlier, global
cyber-intelligence firm IntelCrawler warned of new point-of-sale malware
known as Nemanja, which had reportedly infected retailers in nearly 40
countries.
And
news about recent evolutions in the mobile malware strain known as Svpeng also
has caused concern. In May, Svpeng was found to have evolved from merely a
banking Trojan to a malware strain equipped with a dual ransomware feature (see
New Ransomware Targets Mobile).
But
with so many alerts about new and emerging malware strains and attacks, how
should banking institutions respond? It's a growing challenge for information
and security risk officers because one of the keys to mitigating cyber-risks is
differentiating new threats from older ones.
What's Real?
While
banking institutions have to take all emerging threats seriously, they should
take most alerts issued by security vendors in stride, says financial fraud
expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on
payments innovations.
"It's
mostly hype," he says. "Every time a new threat shows up in the
media, this is the first filter I run. More often than not, there's a vendor or
two behind all the excitement."
The
influx of warnings from security firms about new malware strains has bred
unnecessary concern for some banking institutions, says Andreas Baumhof, chief
technology officer at malware research firm ThreatMetrix. In most cases,
existing detection systems will raise flags, even when new variants of malware
are detected on a network or believed to have infected an end-user's device, he
says.
Pointing
to the most recent announcement about Zberp, Baumhof says banks and credit
unions should not rush out to invest in new detection and defensive
technologies.
"There
is nothing new for this Trojan," he says. Most banks' and credit unions'
existing online defenses are equipped to detect Zberp and other Zeus variants,
he contends.
Advice for Banking Institutions
Analysts
recommend banking institutions maintain ongoing dialogues with their core
service providers and vendors about the latest threats, and ensure they adequately
vet new providers and vendors before signing on for service.
Among their other top recommendations:
Understand
how existing detection and threat-mitigation solutions are equipped to defend
the network. "There is no 100 percent solution, but banks need to
understand their exposure and current capabilities before they rush to
react," to alerts about new attacks, says Al Pascual, who heads up the
fraud and security practice for consultancy Javelin Strategy & Research.
Put
the onus on service providers and security vendors to send out notifications of
possible risks, says Shirley Inscoe, a financial fraud expert and analyst for
consultancy Aite.
Always
get second and third opinions before revamping a system or solution.
"Always get multiple bids, research the suppliers with independent
parties, such as industry analysts and vendor-neutral consultants, and check
with peers," Ontrack's Wills says.
Ensure
the IT and security teams have strategies in place for comprehensive risk
assessments. "Refresh it [the risk assessment] at least once or twice a
year to keep it current - the more often, the better," Wills says.
"That way, you can make sure that any solution you buy makes sense in the
context of your own company's unique threat and vulnerability landscape, and
not some generic landscape. It's quite easy to buy security products that you
don't really need."
No comments:
Post a Comment