End point security software misses malware, proof that defense-in-depth is a must

25. September 2009 · Comments Off on End point security software misses malware, proof that defense-in-depth is a must · Categories: Malware, Security Information and Event Management (SIEM), Web 2.0 Network Firewalls, Web Application Firewalls · Tags: , , , , , ,

NSS Labs the well-respected UK-based security product research and testing service, just published the results of its consumer anti-malware test. The most popular products, Symantec and McAfee, both came it at only 82%. Therefore you cannot rely on this single security control to protect you against malware. A layered, defense-in-depth strategy is a must.

While all organizations are different, complementary technologies include Secure Web Gateways, Intrusion Prevention, Data Leak Prevention, or an advanced firewall that performs all of these functions,  and possibly a Security Information and Event Management System. If you are running web applications, you will also need a Web Application Firewall. I wrote about this in my post about the 20 Top Security Controls.

The top vendor was Trend Micro with a 96% success rate when you combine the 91% caught at download time and the 5.5% caught at execution time. I also read about this report in an article at Dark Reading written by Tim Wilson. However, Tim said Trend Micro only blocked 70% of the malware. I am not sure where he got his number.

Funds transfer fraud against midsize U.S. businesses on the rise

25. August 2009 · Comments Off on Funds transfer fraud against midsize U.S. businesses on the rise · Categories: Breaches, Funds Transfer Fraud, Malware, Network Security, Risk Management, Security Management · Tags: , , , , , , , , ,

The Washington Post reported yesterday that there is an increase in "funds transfer fraud" being perpetrated by organized crime groups from Eastern Europe against small and medium U.S. businesses. 

It's hard to know the extent of this type of crime because there is no breach notification requirement since no customer information is disclosed. However, many companies are reporting these crimes to the FBI and of course to their banks.

The risk of funds transfer fraud to businesses is much higher than to consumers for the following reasons:

  • Dollar amounts are higher.
  • Under the Uniform Commercial Code, businesses only have two days to dispute charges they feel are unauthorized. Consumers have 60 days from the time they receive their statements.
  • Because banks are liable for the consumer losses and less so for the business losses, they invest more resources in protecting consumers.

The complete article in the Washington Post is well worth reading.

In a previous post, I highlighted one of the techniques used by cyber criminals where they surreptitiously install the Clampi trojan on a PC in order to get the login credentials needed for online banking.

Recommended actions:

  • Install anti-virus/anti-malware agents on all workstations and keep them up-to-date
  • Use an end-point configuration management system to discover all workstations, to assure the above mentioned agents are installed and up-to-date, and to assure that unauthorized software is not installed
  • Implement firewall policies to (1) assure that only authorized people (i.e. people in authorized roles) using only authorized workstations can connect to financial institutions to perform funds transfer transactions, (2) assure that people not authorized cannot connect to financial institutions, (3) generate alerts when there are attempts to violate these policies
  • Implement a process where funds transfer transactions are reviewed on a daily basis by someone other than the person or people who perform the transactions