The Five Layers of Fraud Prevention and Using Them to Beat Malware

Transcription

1 Research Publication Date: 21 April 2011 ID Number: G The Five Layers of Fraud Prevention and Using Them to Beat Malware Avivah Litan This research proposes five layers for fraud prevention and sets priorities for managing immediate threats, such as malware-based cyberattacks, within a framework of fraud management. Key Findings No single layer of fraud prevention or authentication is enough to keep determined fraudsters out of enterprise systems. Multiple layers must be employed to defend against today's attacks and those that have yet to appear. Banks consider malware their biggest immediate threat, according to a new Gartner survey, and malware-based attacks are spreading to multiple sectors and enterprises. No authentication measure on its own, especially when communicating through a browser, is sufficient to counter today's threats. Additional fraud prevention layers must be utilized. Recommendations Establish an overarching fraud management framework for your organization that includes multiple layers. The layers can be introduced over time, based on priorities and the complexity inherent to various implementations. Deploy both secure browsing and out-of-band or dedicated hardware transaction verification for high-risk transactions as complementary measures to existing authentication methods. These can be implemented relatively quickly and provide a good first layer of defense against malware-based attacks. Recognize that the threat landscape can quickly change, pointing to the need for a layered approach and comprehensive framework. Make sure your business processes and organization are properly structured to effectively manage fraud prevention systems; otherwise, important alarms and alerts will be ignored Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website,

2 TABLE OF CONTENTS Strategic Planning Assumption... 3! Analysis... 3! Five Layers of Fraud Prevention... 3! Layer ! Layer ! Layer ! Layer ! Layer ! Where to Begin When Defending Against Malware-Based Attacks... 5! Layer 1: Endpoint-Centric Solutions for Malware Defense... 7! Layer 2: Navigation-Centric Solutions for Malware Defense... 7! Technology Is Not the Sole Solution... 8! Conclusion... 8! Recommended Reading... 8! LIST OF FIGURES Figure 1. No. 1 Security Threat Concern of U.S. Banks... 5! Figure 2. Top Three Security Threat Concerns of U.S. Banks... 6! Publication Date: 21 April 2011/ID Number: G Page 2 of 10

3 STRATEGIC PLANNING ASSUMPTION By 2014, 15% of enterprises will adopt layered fraud prevention techniques for their internal systems to compensate for weaknesses inherent in using authentication methods only. ANALYSIS Malware-based attacks against bank customers and company employees are levying severe reputational and financial damage on their victims. They are fast becoming a prevalent tool for attacking customer and corporate accounts, and stealing sensitive information or funds. Fighting these and future types of attacks requires a layered fraud prevention approach (see Note 1 for a description of fraud prevention). This approach tries to keep the attackers from getting inside in the first place, but also assumes that they will make it in, and that multiple fraud prevention layers are needed to stop the damage once they do. Progressive and successive layers will significantly increase the likelihood of catching the bad actors before it's too late. Gartner analyzes these fraud management layers and techniques in MarketScopes, Magic Quadrants, Case Studies, and vendor and solution research referenced in the Recommended Reading section. This research describes each discrete layer and then recommends measures that can be taken relatively quickly to defend against today's malware-based and increasingly targeted attacks. These measures complement user authentication measures already in place, which are also being compromised by modern attacks. Five Layers of Fraud Prevention Gartner breaks down fraud prevention into five layers, which are summarized in this section. We then elaborate on Layers 1 and 2 because these can typically be deployed fairly quickly to help beat many of today's malware-based attacks. (For more information on Layers 3, 4 and 5, see "Magic Quadrant for Web Fraud Detection" and "MarketScope for Enterprise Fraud and Misuse Management.") Layer 1 Layer 1 is endpoint-centric, and it involves technologies deployed in the context of users and the endpoints they use. Layer 1 technologies include secure browsing applications or hardware, as well as transaction-signing devices. Transaction-signing devices can be dedicated tokens, telephones, PCs and more. Out-of-band or dedicated hardware-based transaction verification affords stronger security and a higher level of assurance than in-band processes do. The technologies in this layer (which are described more fully later in this report) can be typically deployed faster than those in subsequent layers and go a long way toward defeating malwarebased attacks. Sample vendors include (this partial list is for illustration only): Software-based secure browsing Crealogix, Trusteer and TrustDefender Hardware-based(USB flash drive) secure browsing Crealogix and IronKey Out-of-band authentication and transaction verification Authentify, PhoneFactor and ValidSoft Endpoint (client device) identification 41st Parameter, iovation and ThreatMetrix (see "Magic Quadrant for Web Fraud Detection") Publication Date: 21 April 2011/ID Number: G Page 3 of 10

4 For a comprehensive listing and analysis of authentication and transaction verification vendors, see "MarketScope for Enterprise Broad-Portfolio Authentication Vendors." Layer 2 Layer 2 is navigation-centric; this monitors and analyzes session navigation behavior and compares it with navigation patterns that are expected on that site, or uses rules that identify abnormal and suspect navigation patterns. It's useful for spotting individual suspect transactions as well as fraud rings. This layer (which is described more fully later in this report) can also generally be deployed faster than those in Layers 3, 4 and 5, and it can be effective in identifying and defeating malware-based attacks. Sample vendors include (this partial list for the Web channel is for illustration only): Layer 3 Silver Tail Systems and Entrust (see "Magic Quadrant for Web Fraud Detection") Layer 3 is user- and account-centric for a specific channel (for example, online sales); it monitors and analyzes user or account behavior and associated transactions and identifies anomalous behavior, using rules or statistical models. It may also (optimally) use continuously updated profiles of users and accounts, as well as peer groups for comparing transactions and identifying the suspect ones. Sample vendors include (this partial list for the Web channel is for illustration only): Layer 4 Guardian Analytics; RSA, the Security Division of EMC; 41st Parameter; Accertify; Nice Actimize; Oracle; Symantec; Trusteer; Arcot Systems; and Entrust (see "Magic Quadrant for Web Fraud Detection") Layer 4 is user- and account-centric across multiple channels and products (for example, online sales and in-store sales). As with Layer 3, it looks for suspect user or account behavior, but it also offers the benefit of looking across channels and products and correlating alerts and activities for each user, account or entity. Sample vendors include (this partial list is for illustration only): Layer 5 Nice Actimize, Norkom Technologies, Memento, Intellinx and SAS (see "MarketScope for Enterprise Fraud and Misuse Management," and "Enterprise Fraud and Misuse Management Solutions: 2010 Critical Capabilities") Layer 5 is entity link analysis. It enables the analysis of relationships among internal and/or external entities and their attributes (for example, users, accounts, account attributes, machines and machine attributes) to detect organized or collusive criminal activities or misuse (see "Enterprise Fraud and Misuse Management Solutions: 2010 Critical Capabilities"). Sample vendors include (this partial list is for illustration only): Detica-BAE Systems, Palantir Technologies and SAS Publication Date: 21 April 2011/ID Number: G Page 4 of 10

5 Where to Begin When Defending Against Malware-Based Attacks Gartner conducted a survey of 76 U.S. banks in February 2011 and found that malware is their No. 1 concern when it comes to the threat landscape. About 37% of banks reported this as the No. 1 threat in the 2011 survey, compared with 4% who said the same in Gartner's 2008 bank survey (see the Evidence section for a description of the survey methodology). Similarly, 79% of banks surveyed in 2011 said malware was a top three concern, while only 39% said the same in 2008 (see Figure 1 and Figure 2). Figure 1. No. 1 Security Threat Concern of U.S. Banks This is based on Gartner's 2011 survey of 76 U.S. banks and 2008 survey of 50 U.S. banks. Source: Gartner (April 2011) Publication Date: 21 April 2011/ID Number: G Page 5 of 10

6 Figure 2. Top Three Security Threat Concerns of U.S. Banks This is based on Gartner's 2011 survey of 76 U.S. banks and 2008 survey of 50 U.S. banks. It aggregates the first, second and third concerns. Source: Gartner (April 2011) Aside from banks, malware-based attacks have been responsible for targeted attacks in many types of companies and vertical industries. They are becoming a major concern and are increasingly delivered through targeted spear-phishing s and through malware-infected objects like advertisements that unknowing users click on. For example, these methods were used to infect multiple organizations, including Google, in what was known as Operation Aurora, and to infect several security companies, including RSA, the Security Division of EMC, when RSA's SecurID authentication system used by more than 40 million users was compromised. As we noted before, fighting these attacks and those that have yet to appear requires a comprehensive layered fraud management framework. However, depending on the size and complexity of the end-user institution, implementing the systems that support it can take at least three to five years, especially when it comes to the upper layers Layers 3, 4 and 5. The efforts are continuous, because fraud prevention rules and models require ongoing maintenance, tuning and care. Publication Date: 21 April 2011/ID Number: G Page 6 of 10

7 There are additional considerations that are not addressed in this research that are sectorspecific, such as the integration of systems that support compliance with those that support fraud prevention. For example, financial institutions' compliance with anti-money-laundering rules, or healthcare institutions' compliance with various rules such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), often serves as key considerations in organizational architectures for enterprise fraud management. (For a discussion on financial institution architectures, see the work of Michael Gallias, a South Africa-based banker and fraud professional at Unfortunately, organizations don't have years to wait to introduce fraud prevention, while malware-based attacks proliferate. We, therefore, recommend starting with the first layer of this fraud prevention framework, as well as the second layer, resource-permitting. The first one can typically be deployed very quickly. The second one will take more time, and the ease and time spent on implementation depend largely on the complexity of an organization's Web and application server infrastructures. Layer 1: Endpoint-Centric Solutions for Malware Defense Implementing Layer 1 of the fraud prevention stack can mitigate malware-based threats (and others) to a large extent, and we recommend both secure browsing and out-of-band or dedicated hardware transaction verification for high-risk transactions as complementary measures to authentication mechanisms. As we noted before, these can be deployed relatively quickly, or within a few weeks or months. The time to implement for most Layer 1 measures depends more on preparing system rollout logistics, management processes and user education activities than it does on technical system integration tasks. The main exception to this ease of implementation concerns transaction verification, in situations where high-risk transactions are not already defined or where they are not able to easily call a transaction verification routine. This can happen, for example, if transaction analysis is not in line with transaction requests or if it is not conducted in real time. Secure browsing can be accomplished with locked-down browsers, preferably loaded on external USB flash drives and sitting on their own operating systems. It can also be achieved with downloadable desktop browser plug-ins that protect user browsers against code injection into memory and against unauthorized access to data. (Secure browsing techniques for mobile devices have yet to mature). So far, Gartner clients report that these secure browsing techniques have prevented malware-based attacks from successfully executing, when implemented. They should be considered as one effective, but by no means, fail-safe fraud prevention layer (as should all other methods outlined in this research). Out-of-band or dedicated hardware-based transaction verification uses a different communication channel to verify the authenticity of a transaction request. It is a valuable fraud prevention tool as long as only the specific transaction verified or signed by the requesting user is executed (as opposed to a transaction that a criminal has overwritten with his or her own values). Criminals have been known to successfully use social-engineering techniques to trick users into verifying the "wrong" transactions, so this method has already been beaten (see "Where Strong Authentication Fails and What You Can Do About It" for more information). Other factors can go awry as well, such as when fraudsters forward victim phone calls to their own phone numbers. Still, out-of-band or dedicated hardware-based transaction verification has proven to be a very effective, albeit not fail-safe, fraud prevention method. Layer 2: Navigation-Centric Solutions for Malware Defense Web-based navigation-centric solutions view the HTTP stream of a website and analyze in real time the traffic and Web sessions by user and IP addresses. This approach can identify Publication Date: 21 April 2011/ID Number: G Page 7 of 10

8 anomalous session navigations and behaviors by comparing individual sessions to the "normal" baseline, which can be established and continually updated by profiling the monitored sites after installation. A complementary but less robust approach is using rules to detect known abnormal navigation, such as a session that is moving too quickly (this infers an automated attack), or the detection of injected fields into HTTP user agent streams. This solution can be deployed relatively quickly in cases where website operations are straightforward (for example, not complicated by single signon across various properties), because system integration consists of inserting a listener on the right port. Following installation, more time is needed for the system to learn what constitutes abnormal behavior, or for enterprises to implement the right rules to detect abnormal behavior or sessions. It should be noted that this method can be used for non-http-based systems as well by feeding in other traffic streams that can be parsed and analyzed. HTTPS traffic is also accommodated, as long as the service or software has access to decryption keys. This method has been successfully used by Gartner clients to spot malware-based activity that shows up as abnormally quick navigation or navigation that doesn't follow normal human patterns and behavior. It has also been used successfully to identify fraud rings and to gain visibility into attacker patterns and behavior. Technology Is Not the Sole Solution It should be emphasized that putting the right technology in place is only one key ingredient in effectively fighting fraud. It's equally important to recruit and organize staff who are knowledgeable in fraud to manage these systems, the alerts that they generate, and the rules and models that they rely on. In addition, organizations must establish the right policies and processes that balance security, usability and convenience factors, and that account for the interests of various constituents. Processes can also extend out to customers and facilitate user participation in fraud prevention systems for example, by enabling users to set thresholds or parameters for their account activity whereby they must sign off on certain transactions before they are executed. Conclusion A layered fraud prevention approach provides defense in depth, and it is the best policy for preventing and containing losses that result from today's and tomorrow's threats. Enterprises should define a framework to which they can build, and which provides the rationalization needed to implement different moving parts that belong to a cohesive whole. Enterprises can start by deploying lower levels of the layered stack to help stave off immediate threats, with the assurance that these layers are part of an overall strategy that relies on basic fraud prevention principles, such as user and account profiling, that have generally stood the test of time. RECOMMENDED READING Some documents may not be available as part of your current Gartner subscription. "Magic Quadrant for Web Fraud Detection" "MarketScope for Enterprise Fraud and Misuse Management" "Enterprise Fraud and Misuse Management Solutions: 2010 Critical Capabilities" "Tompkins Financial Distributes IronKey Locked-Down Secure Computing Devices to Banking Customers" Publication Date: 21 April 2011/ID Number: G Page 8 of 10

9 "Where Strong Authentication Fails and What You Can Do About It" "Taxonomy of Authentication Methods" Evidence From December 2010 to February 2011, Gartner conducted a study of the financial industry in the U.S. with 76 in-depth telephone interviews. The primary objective was to fully understand how banks assess security threats across channels and how they deal with fraud. Qualifying organizations were banks with at least $2 billion in total value of deposits. The data was gathered directly from management-level IT professionals (CIOs, CISOs, VPs and directors/managers). Qualifying respondents were those knowledgeable about their organizations' customer authentication and fraud detection systems. Only an English version of the questionnaire was used. The 2011 survey included 76 banks, and a similar survey conducted in 2008 included 50 U.S. banks. For the 2011 survey tables that are based on the 76 sample cases, the potential margin of error for the reported results is 10%, at a 95% level of confidence. However, because the sample of our 2008 survey was relatively small, the data is useful for noting trends, but not for making absolute numerical conclusions. In addition, because the larger banks are overrepresented in our sample, results are intended to represent the respondent base and not the market as a whole. Note 1 Description of Fraud Prevention Fraud prevention works at the application layer. Enterprise applications are integrated with a fraud detection engine that assesses the fraud risk of a transaction, from user navigation and application access, to any type of activity, such as a change of address, payment or retrieval of sensitive information. Fraud detection can and should profile various entities, such as users, accounts, households, PCs, mobile handsets and kiosks, to spot abnormal transaction behavior from that entity (for example, "too many" transactions from a kiosk in a rural area in the middle of the night). Fraud detection uses rule-based policies that are based on human judgment and knowledge and/or predictive mathematical models to score the likelihood of fraud for a given transaction. The severity of transaction risk is ascertained through various methods for example: "Printing" the user access device (if there is one) and comparing it with other attributes of the transaction or groups of transactions Analyzing user or account behavior, and comparing it with the user's and account's profiles Using peer group analysis, which compares an individual entity or group of individual entities with their peers to spot suspected deviations Using entity link analysis, which helps detect criminal rings or linked entities engaged in fraudulent behavior This research is part of a set of related research pieces. See "Security and Risk Management Lessons, Courtesy of WikiLeaks" for an overview. Publication Date: 21 April 2011/ID Number: G Page 9 of 10

10 REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT U.S.A European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo JAPAN Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, andar World Trade Center São Paulo SP BRAZIL Publication Date: 21 April 2011/ID Number: G Page 10 of 10