By John Klassen
The websites of state and federal regulators are among the online destinations most frequently accessed by compliance managers and anti-money laundering/anti-fraud analysts and researchers. While improving productivity, government online resources often suffer from various IT security weaknesses. BSA/AML specialists who access vulnerable sites become a target — because their browser betrays them.
AML researchers who use a regular browser risk dangerous exposure of their employer’s IT infrastructure. Too many AML teams still lack proper protection against web-borne exploits when they access the internet to conduct KYC, BDD, EDD, negative news research or in-depth investigations.
Switching to “incognito” or “private” browsing mode on a local browser is not sufficient: private mode only discards local history and cookies, while every request still leaves the corporate network from the institution’s own IP address and carries the same browser fingerprint. Adversaries can still identify the originating organization and launch pinpointed malware and spyware attacks against financial institutions.
Another consequence is inaccurate or contaminated research results when, for example, adversaries remove or alter content because they notice FIs looking into their background. This can foil a critical investigation.
“The target is aware that they are being looked at by someone, regardless of the reason,” explains Kevin Sullivan, founder of the Anti-Money Laundering Training Academy and author of Anti-Money Laundering in a Nutshell. “That alone might be enough to spook a bad guy and send him running.”
How can we protect AML researchers?
As an example, consider this case of a malware campaign that hit banking compliance managers using a regulatory website:
In 2016/17, financial institutions in more than 30 countries were targeted by attackers who compromised websites known to be frequently accessed by compliance managers in the financial services sector. In this “watering hole” campaign, they infected those website visitors with previously unknown malicious software. A bank in Poland discovered the malware on its network and informed other institutions, who also confirmed infiltration by the same malware strain. Investigators later identified the source of the attack as the website of the Polish Financial Supervision Authority KNF, Poland’s financial regulator.
Users of the site, including AML/anti-fraud specialists from the U.S. obtaining regulatory updates, had been redirected to an exploit kit that was programmed to install malicious hacking software on selected targets in the financial sector.
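The chain in this case (a page load from a trusted regulator site, followed by a fetch of active content from an unrelated host with the regulator as Referer) is something a review of web proxy logs can surface. The following is an added example, not code from this article or from Authentic8; the hostnames, allow-list, content types and log lines are constructed for illustration.

```python
"""Flag watering-hole style redirect chains in web proxy logs (constructed example)."""
from collections import defaultdict

TRUSTED_SITES = {"regulator.example.gov"}               # assumption: regulator sites the team uses
ALLOWED_THIRD_PARTY = {"static.regulator.example.gov"}  # assumption: expected asset/CDN hosts
ACTIVE_CONTENT = {"application/javascript", "application/x-shockwave-flash",
                  "application/java-archive", "application/octet-stream"}
WINDOW_SECONDS = 30  # how soon after the trusted page load a third-party fetch is suspicious

# Constructed proxy log: client IP, epoch seconds, requested host, referer host, content type
SAMPLE_LOG = """\
10.1.2.3 1000 regulator.example.gov - text/html
10.1.2.3 1001 static.regulator.example.gov regulator.example.gov text/css
10.1.2.3 1002 cdn-metrics.example.net regulator.example.gov application/x-shockwave-flash
10.1.2.3 1003 cdn-metrics.example.net cdn-metrics.example.net application/octet-stream
10.1.2.9 2000 regulator.example.gov - text/html
10.1.2.9 2001 static.regulator.example.gov regulator.example.gov application/javascript
10.1.2.9 2500 news.example.org regulator.example.gov application/javascript
"""


def parse(log_text):
    """Parse the five-column constructed log format into tuples."""
    rows = []
    for line in log_text.splitlines():
        client, ts, host, referer, ctype = line.split()
        rows.append((client, int(ts), host, referer, ctype))
    return rows


def find_suspicious_redirects(rows):
    """Return records where active content came from an unexpected host shortly after a
    trusted-site page load and with the trusted site as Referer."""
    last_trusted_visit = defaultdict(lambda: None)  # client -> time of last trusted page load
    hits = []
    for client, ts, host, referer, ctype in sorted(rows, key=lambda r: (r[0], r[1])):
        if host in TRUSTED_SITES:
            last_trusted_visit[client] = ts
            continue
        last = last_trusted_visit[client]
        recent = last is not None and ts - last <= WINDOW_SECONDS
        if (recent and referer in TRUSTED_SITES
                and host not in ALLOWED_THIRD_PARTY and ctype in ACTIVE_CONTENT):
            hits.append((client, ts, host, referer, ctype))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_redirects(parse(SAMPLE_LOG)):
        print("suspicious chain:", hit)
```

On the sample log only the first client’s Flash fetch from cdn-metrics.example.net is flagged; the second client’s later fetch falls outside the time window and the asset host is allow-listed.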
Get ready to disconnect from the web
This watering hole attack was avoidable. In 2018, more banks prevented such incidents by disconnecting from the “bad parts” of the web. They equipped their BSA/AML teams with a cloud browser that isolates and processes all content offsite in the cloud, in an isolated container with managed security.
Why is this important? Three main factors allowed the watering hole attack to succeed, and all three stem from the use of a regular browser:
- First, when bank employees access the web with a local browser, they risk disclosing their IP address, organization and location. On an infected site, as in the case above, that visitor data is enough for an automated malware dropper to decide whether to deliver its payload, turning an opportunistic infection into a targeted attack.
- Second, exploit kits can take hold in the victims’ IT infrastructure because regular browsers indiscriminately download and process web content, including malicious code, on the local computer.
- Third, local browsers leak data. Unlawful disclosure of suspicious activity reports can result if a regular browser is used on the same platform where reports are compiled and filed.
Security researchers have confirmed that traditional AV software provides little or no protection against sophisticated attacks like this. More likely, it will exacerbate this problem. A better way to protect the compliance managers and researchers is to effectively disconnect them from the internet’s risk zone.
Leading banks, regulators and law enforcement have found a way to do just that: browser isolation in the cloud. To ensure complete anonymity and protection from all web-borne exploits, they provide their compliance teams and FIs with a compliance-ready cloud browser.
A cloud browser, provided as an offsite service with centrally managed security, is built fresh from a clean image at the start of each web session. Because only randomly assigned IP addresses of the cloud browser provider are used, attribution to a specific organization and browser fingerprinting become impossible.
With a secure cloud browser, all web content is isolated and rendered in a secure container in the cloud. No code from the web touches the bank’s local IT. Only visual display information (pixels) reaches the user.
Bonus effects: compliance-friendly auditability, reduced MTTR
Cloud browser customers report significant productivity improvements for their BSA/AML compliance teams. Compliance-ready logs enable banks to reliably monitor and audit each step taken during the AML online research process.
Because the centrally managed cloud browser eliminates the need for web access policy exemptions or improvised security measures that slow down the workflow, SARs are filed faster and mean time to resolution (MTTR) is reduced significantly.
John Klassen is product marketing manager at Authentic8. For more information, visit www.authentic8.com.