Case Study
Death to Phishing
What happens after a phishing attack? Here's one midsize bank's phishing incident response plan.
By Sarah D. Scalet
Denouement
By whatever means, the phishing site eventually comes down. Then all that's left is the reporting.
Brandimensions burns a compact disc with information about the phish, including screen shots, and gives it to Bank XYZ. The bank then passes the information on to the FBI, which looks for patterns or anomalies in the attacks. (Through Miller, the FBI agent assigned to Bank XYZ declined to comment for this story.)
Technically, national banks are also supposed to report incidents involving spoofed websites to the Treasury Department's Office of the Comptroller of the Currency, in the form of a suspicious activity report, or SAR. Miller won't publicly comment on SARs at all, even anonymously. She'll only say that the bank reports phishing attacks to appropriate regulatory agencies.
Within the bank, Miller reports to business lines about monthly fraud losses. Meanwhile, a cross-departmental team helps educate customer-facing employees and works with public affairs on customer education. It's a many-fronted battle in a war that's far from won.
Now that the ATMs have been hardened, phishers are going after online banking log-ons instead, and using the account access to do fraudulent fund transfers. There are also mounting concerns that if customers stop giving up information voluntarily, the phishers will start taking it instead, with technical approaches such as pharming. Fraudsters are an opportunistic lot. Banks are just trying to stay no more than a few steps behind.
But for now, at least, when a new attack targets Bank XYZ, the CISO is surprised for entirely different reasons than on that first chaotic day. "Today I came in and had a voice mail that we had a phish," says Williams, 367 days after that first ugly scene. "I was like, Oh, we haven't had one of those in a while." There's not much he has to do about it, either. There are no tense conference calls where people are asking for basic definitions. Everyone knows his or her job.
"We have confidence in the incident response process," Williams says. "We defined how it should go, and it started working. And once you have a way to manage it, it no longer requires the CISO's involvement." The death of a phish doesn't need to be extraordinary. It's just in a day's work.