Malware and viruses are a huge threat to information and data owned by financial organizations, such as your trusted bank. Tens of billions of dollars are spent by these financial companies annually to protect their invaluable data from corruption and theft by cyber attackers (or simply to recover from attacks), but still, banks around the world are robbed of millions of dollars every day by hackers. There are also high administrative costs to implement policies that combat these issues. However, it is a tough decision for financial companies that are monetarily challenged to invest in malware detection and prevention. This is truer when it comes to the low information security budgets of financial institutions and banks that are located in the struggling economies of the third world. Even so, it is extremely ironic that banks and other financial institutions have very poorly maintained cyber security standards in such countries due to insufficient funds and a lack of up-to-date technical knowledge and expertise in the top management of the corporate sector in these poor countries.
A keen understanding of the importance of cyber security for such institutions was revealed to me when I found a unique opportunity to work for an IT consulting company on a project with a financially challenged South Asian bank, which was in the midst of being acquired by a bank from a rich foreign country. The poorer bank had a computer network based on a Microsoft workgroup, which was a decentralized environment. The bank that was taking over required that this decentralized system be migrated to a centralized, more scalable Microsoft Active Directory Domain infrastructure. This project was assigned to a local IT consultancy firm where I was employed. When we initiated the project, a team of IT consultants was sent over to the bank sites to conduct a survey, establish a survey report, and submit it to the top management of the IT consulting firm.
Auditing the bank
The datacenter of the bank was situated at its head office. The situation inside the bank was nowhere close to ideal. After testing the computers, we started to detect anomalous behaviors in the client computers, such as slow processing and lack of response of the operating systems on the machines. After further inspection and running anti-malware software, it became clear that most of the PCs were infected with malware.
What? Yes, you read that right. At a bank. (Fortunately, not your bank.)
On the bank’s network, the users were free to download anything from the Internet. They were also able to copy any type of information from different types of media, such as flash drives, CDs, and DVDs, to the hard disks of their office workstations. There was no system in place to guard the network against these risky behaviors of the users in the bank. It was this freedom that was the reason behind the heavy malware infection of the banking network.
The lack of basic security practices left the computer network open to threats from internal and external malware. The technical support team had an insufficient number of workers and they were not properly trained or motivated due to the financial status of the bank--despite people entrusting the bank with their money. The network administration was also of poor quality, as there was no central control to address security issues.
There was anti-malware software already in place at the bank--it must have been a problem in the past for them to take slight measures--but it simply was not sufficient to fully protect the network. When the devices at the datacenter of the bank were examined, it was found that the network had a firewall, but the devices that are considered extremely essential for the security of a financial institution like a bank were missing. The absence of these vital devices, such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), exposed the banking network to internal and external security threats. Certainly, this bank had a very serious security situation and the complete severity of the threat still had to be properly assessed.
On the server side, a domain controller was running on Windows 2003 and was deployed specifically for the Microsoft Exchange 2007 server. This email server was running on Windows 2003. The users of the bank’s network had two separate sets of credentials. The users used one set of credentials to log in to their workgroup workstations and they used another set of credentials to log in to Outlook to process their emails.
When we used specific updated anti-malware software, we found malware of the worst kind on the Microsoft Exchange 2007 server during our rigorous scans. It was obvious that the servers on the network were under an alarming level of malware threat. The Oracle database was also installed on Windows Server 2003 but was luckily free of infections.
The users in the bank were also complaining of spam emails hitting their mailboxes. The Microsoft ISA 2004 was found to be infected and spreading malware to the network.
There was no second guessing that the malware threats to Microsoft Exchange Server 2007 and Microsoft ISA 2004 had to be neutralized in order to cut the infection of viruses to the rest of the network. The security of servers had to be taken care of before the client machines.
As consultants, we prepared an audit report that was based on the security problems of the network at the bank and it was submitted to the upper management of our consulting firm. A meeting with the top IT officials of the bank and other stakeholders was arranged. The severity of the security threats to the computer network at the bank was on the front agenda. It was made clear by my consulting firm that before taking any step regarding the bank’s network migration from the workgroup to the centralized Microsoft Active Directory domain, the bank’s network had to be secured.
My consulting company proposed that the work at the bank should be split into two different projects.
The first project was to focus on enhancing the security of the bank’s network.
The second project was to migrate the distinct workgroup model to the Microsoft Active Directory Domain model and the client machines were to be joined to the new domain after resolving all the technical hurdles that were to be incurred.
It was the emphasis of my consulting company that the banking network should be stabilized by malware and virus removal and the security of the network should be hardened before starting any other project regarding the bank’s network. Therefore, the workgroup to Microsoft Active Directory Domain migration project had to be put aside for the time being.
The consulting team was given clearance to start the first project to secure the banking network. This project was focused on the hardening of the network security, starting with the servers at the bank. The main objective was to take fresh backups of the servers, install more sophisticated anti-malware software, and run rigorous scans to detect and eliminate dangerous malware, in order to clean the bank servers and enhance their security. This process went smoothly for the ISA server, but the email server, Microsoft Exchange 2007, started to show errors with high severity that required stabilization through a multitude of software repairs along with the neutralization of the malware threat.
To resolve these Exchange errors, it was suggested that off-peak evening hours would be designated to avoid email delivery issues during work hours. The server was rebooted in safe mode and the Microsoft Exchange 2007 server software was repaired. After this, it was thoroughly scanned for malware with GFI MailEssentials, an anti-malware and anti-spam software specifically designed for Microsoft Exchange Server.
The bank had a huge network of approximately 400-500 computers on different sites. The security of these computers was also to be dealt with in this project. The hardening of the client computers accelerated after all the servers were secured. To carry out this phase, more manpower was needed as each individual machine needed to be cleaned manually, so the consulting company hired young IT professionals on a contract basis through an internship to help out with malware removal tasks at the client machines. After these interns were appropriately trained, more progress was made on malware eradication on the client side of the bank’s network. We also deployed EMCO network malware on the banking network to remotely address the security issues in the event that we were needed after our time on-site had passed. This way, the bank got rid of its most lethal security threats. At the end of this project, recommendations were made to acquire resources such as trained manpower, security hardware, and software for the protection of the bank’s IT infrastructure against future threats to the banking network.
It was an interesting experience that can be summed up in a nutshell: information security is extremely important, and ignoring its importance can lead organizations to formidable losses and even bankruptcy. This is even more true for financial institutions. I can personally speculate that the bank was acquired because much of what could be automated was handled manually, and humans will never be able to recognize the vast variety of security threats. This in turn led the bank to a lag in productivity that resulted in the loss of its market share in a highly competitive business environment. Apparently, that resulted in monetary losses that also contributed to the lack of proper information security of the computer network. All of these factors resulted in the failure of the bank and its ultimate acquisition.