I’m pleased to see some professionals with clout advocating a security practice I have often recommended to my clients. Brian Krebs of The Washington Post and SANS Institute are both pushing the use of Linux live CDs for online banking. Krebs’ latest article, “Avoid Windows Malware: Bank on a Live CD,” starts off by recommending people NOT use Microsoft Windows for online banking:
An investigative series I’ve been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.
The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.
Krebs has reported frequently on some of the more prominent online banking fraud incidents, including the hack against Bullitt County, Ky. and two California firms that lost a combined total of more than half a million dollars; both firms were using two-factor authentication with a security token.
The credential-stealing Trojans used in these attacks were designed to avoid detection by normal anti-malware software, so the victims had no clue that they had been infected. With the huge amounts of money involved, it’s likely the cybercriminals have evolved their programming skills to the point where it will be difficult for security firms to keep up.
It’s not surprising, then, that SANS, as a direct result of Krebs’ reporting, issued a challenge to its students to create a white paper to determine the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. The report, “Protecting Your Business from Online Banking Fraud,” addresses the issue. Here’s that report’s Abstract:
Recently, small and medium businesses have lost millions of dollars from fraudulent electronic financial transactions. This paper reviews the threat and provides guidance for mitigating the threat. These crimes typically begin with a phishing email targeted at the comptroller or other staff in the finance department. After the comptroller’s computer is compromised, sophisticated malware is used to eavesdrop on the comptroller’s activity and account credentials for financial systems. Once the attackers have the required information, they begin to steal money with fraudulent transactions in amounts below $10,000. These smaller amounts fly under the laundering detection mechanisms in the US Bank Secrecy Act. In many cases, repeated transactions have added up to hundreds of thousands of dollars lost by individual organizations. The paper provides a number of possible ways to mitigate these types of attacks. A defense in depth approach is used to provide multiple mitigation recommendations. The number one recommended mitigation is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions. [emphasis added] The mitigation steps also include protecting the email address of the comptroller, network protection, endpoint protection, virtual machines, awareness training, policy changes and monitoring financial transactions.
I highly recommend that everyone responsible for security in their organization read this paper.