The Financial Services Information Sharing and Analysis Center has raised its
levels to "high" this week after several financial institutions -- including titans Bank of America and JP Morgan Chase -- fell victim to intermittent Web site outages.
"Issues of concern include the recent credible intelligence regarding the potential for [Distributed Denial of Service] and other cyber attacks against financial institutions," the group said on its Web site. "Additionally, is aware of targeted attacks via active exploitation of a zero-day remote code execution vulnerability in Internet Explorer."
Microsoft has issued a quick fix for the IE flaw and plans to issue a full patch on Friday. Meanwhile, Bank of America said its Web site was back up and running normally. Chase.com appeared to be up and running as of the time of this writing.
We turned to Bill Morrow, CEO of Quarri Technologies, to get his take on some of the fallout from the IE zero-day flaw. He told us the latest IE bug is an exploit that allows a Web site -- malicious or compromised -- to download and execute arbitrary code to the end user. He also pointed to the incident as evidence that endpoints today still remain afterthoughts in the landscape.
"While Microsoft works on a patch for this new bug, industry experts are suggesting that users install new and/or reconfigure browser settings," Morrow said. "While the right idea in theory, in reality there is a high probability that many end users wouldn't perform the necessary mitigation or configuration steps to stop the attack."
Beyond the immediate issue with IE, Morrow also noted that the incident is yet another example of Web applications being at the mercy of the end user's skills at being a security administrator.
"To minimize their exposure to malware, it is critical for organizations to provide and enforce the use of a secure, hardened browser session to protect their most sensitive information and prevent unauthorized use and replication of confidential data," Morrow said.
Aggressive Cyber Criminals Rising
We also asked Chris Petersen, CTO of LogRhythm, for his take on the incident. He told us the latest security headline is a reminder of the increasing aggressiveness of cyber criminals.
"This aggressiveness combined with browser-based vulnerabilities like the one recently announced by Microsoft IE pose a real challenge to banks," Petersen said. "Targeted spear-phishing campaigns have a very high success rate and help cyber criminals easily bypass bank firewalls."
From his research, zero-day attacks are increasingly bypassing point security solutions designed to protect online banking Web sites. To defend against these advanced threats coming from multiple vectors, he said, banks should adopt a posture of continuous and automated analysis across all internal network and system activity to recognize abnormal and concerning behavior.
"For banks and most organizations, the unfortunate reality is that if targeted, they will most likely be breached," Petersen said. "The question then becomes how capable and quickly can the breach be detected, contained, and eventually eradicated."