
Holistic Patch Management for Financial Institutions

July 01, 2013

Patch Management is often an overlooked and underappreciated component of an effective IT security strategy. While regulators have begun to increase their focus on Patch Management policy and programs in their IT examinations, the truth is that many community banks adopt a do-it-yourself approach, with coverage that is too narrow and depth that is too shallow to accomplish the purpose for which such a program is intended. Your institution has likely made a significant investment in edge-based security systems and anti-malware solutions to protect the confidentiality, integrity and availability of your information and systems, but the nature of threats has shifted in the past several years. Instead of attacking hardened targets such as firewalls and operating systems, hackers now go after softer targets, such as vulnerabilities in your applications, to gain a beachhead into your organization’s network.

Malware can gain access to your network through many avenues, the most common of which are:

  • A compromised website that a user legitimately goes to for information
  • A malicious website that the user is deceived into going to
  • An infected USB device
  • An infected laptop that is plugged into the network
  • Malicious software masquerading as a legitimate application

When launched, today’s malware can take advantage of unpatched vulnerabilities in applications such as Java, Flash and Adobe Reader to deliver its payload (which is why Windows Server Update Services (WSUS), which by itself distributes only Microsoft updates, often falls short). Depending on the type of malware, it typically takes a few additional steps: scanning the network for additional vulnerabilities, downloading even more nefarious malware or communicating with its point of origin for instructions. Because malware spreads by exploiting vulnerabilities, it can infect a machine even if antivirus software is present and up to date. More sophisticated Advanced Persistent Threat (APT) malware can infect the machine without even triggering an alarm from the antivirus application. This last scenario is the most worrying, because without a solution that alerts and notifies proactively, one can be lulled into a false sense of security.

For the past five years, I have been responding to security breaches at financial institutions across the country, and as a first responder I have seen several patterns emerge when it comes to malware outbreaks:

  • Financial institutions often do not know the patch status of their systems, and as a result, some significant security holes can be created by unpatched or under-patched systems. As an example, I am aware of a financial firm in the Midwest that had a massive virus outbreak that choked its network and infected almost all of its project data. The institution was down for two days for cleanup and had to restore the contents of its file servers from backups because data was altered on its critical documents. The source – a Java exploit.
  • The enterprise needs to take laptops into consideration for Patch Management as well, because they can transmit network-aware malware. An institution was crippled by a network-aware computer worm (a standalone malware computer program that replicates itself in order to spread to other computers or servers) that spread to all of its branches. Over 1,700 machines were infected by an Adobe Reader exploit, even though they had the latest antivirus software. The source was a laptop that was infected and brought to the institution. If the enterprise lacks consistent reporting of all desktops and laptops, or fails to consistently review those reports, there exists the very real possibility that vulnerabilities may be present that can or will be exploited.
  • Mobile users can be a source of infection to the enterprise in multiple ways. If they have a Virtual Private Network (VPN) connection, malware can be transmitted across the VPN tunnel. If the user works from home or a coffee shop on a compromised system, their information can be captured and used by an unauthorized user. Recently, a large firm was tracking errors on its database server that were traced to a user who was on vacation. A forensic investigation determined that her home machine was compromised by a key-logger application, and her domain credentials were compromised as well. The user’s home machine was unpatched and had low-quality antivirus software.
  • Advanced persistent threats (APTs) are real and difficult to detect. It is not uncommon for different types of malware to use the same exploit, which can be of value if a thorough examination is performed on an infected machine. A large trade organization in NYC was complaining that its network was performing slower than normal, and that it had a virus on one machine earlier in the week. The machine was behind on patches, but had current antivirus software. A forensic examination was completed that revealed significant malware on the one machine, and an expanded search later revealed that 80 percent of the machines had malware that not only allowed remote access, but also keystroke logging! Without forensics, the malware would have been undetectable. A timeline traced the initial infection back eleven months.
  • The best defense is an informed user. It is often the user who notices something unusual in the performance of a system, or the appearance of an email, link or attachment. If informed, he or she will know what to do. A small group of individuals from a financial firm in Texas received some very convincing-looking phishing emails. The office manager quickly told everyone not to click any of the links, suspecting that they were malicious. Only one person didn’t get the message, and her machine was immediately infected with some significant malware. However, the manager responded quickly and appropriately and unplugged that machine from the network. Forensics revealed that, within moments, it was infected with 8 different types of network-aware malware, one of which had remote-access capability and another keystroke logging capability.

Your institution’s Patch Management needs to be comprehensive and an integrated component of its information security plan. Your Patch Management program needs to include not only Microsoft Security Updates, but also common third-party application security updates like Java, Adobe Flash and Reader. The Patch Management program needs to be able to generate consistent periodic reporting, and that reporting needs to be reviewed in the same way as the reporting that covers the antivirus software and signature status of your organization’s computers and servers. Finally, the reality exists that the institution will need to consult with a company skilled in forensics investigation should its defenses at one time or another fail.
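As an added example (not from the article or any D+H product), the following Python script shows the kind of periodic patch-status report the program above calls for, and the laptop reporting gap noted earlier: it checks each host's installed Microsoft and third-party versions against a baseline, and treats a host that has not checked in recently as unknown rather than current. Host names, version numbers and dates are constructed placeholders, not real release numbers.

```python
# Added example (not from the article or any D+H product): a fleet patch-status
# report. Hosts, versions and dates are constructed placeholders.
from datetime import date

# Constructed baseline (minimum version counted as patched); WSUS alone never reports on the third-party rows.
BASELINE = {
    "Windows Updates": "2013.6",  # year.month of the last approved update set
    "Java": "7.25",
    "Adobe Flash": "11.7",
    "Adobe Reader": "11.0.3",
}
MAX_REPORT_AGE_DAYS = 7  # a host silent longer than this has unknown status

def version_tuple(v):
    """Compare versions numerically: as strings, '7.9' sorts after '7.25'."""
    return tuple(int(part) for part in v.split("."))

def assess_host(host, report_date):
    """Return (status, findings) for one host's most recent check-in."""
    age_days = (report_date - host["last_report"]).days
    if age_days > MAX_REPORT_AGE_DAYS:
        # A laptop that has been off the network is a gap, not a pass.
        return "unknown", [f"no inventory received for {age_days} days"]
    findings = []
    for product, required in BASELINE.items():
        installed = host["software"].get(product)  # None if not installed
        if installed and version_tuple(installed) < version_tuple(required):
            findings.append(f"{product} {installed} < {required}")
    return ("behind" if findings else "current"), findings

def patch_report(inventory, report_date):
    """Summarise the fleet by status; per-host findings stay for the reviewer."""
    rows = {h["name"]: assess_host(h, report_date) for h in inventory}
    summary = {"current": 0, "behind": 0, "unknown": 0}
    for status, _ in rows.values():
        summary[status] += 1
    return summary, rows

REPORT_DATE = date(2013, 7, 1)
INVENTORY = [  # constructed sample check-ins
    {"name": "DESK-01", "last_report": date(2013, 6, 30), "software": {
        "Windows Updates": "2013.6", "Java": "7.25", "Adobe Reader": "11.0.3"}},
    {"name": "LAPTOP-02", "last_report": date(2013, 6, 29), "software": {
        "Windows Updates": "2013.6", "Java": "7.9", "Adobe Flash": "11.7"}},
    {"name": "LAPTOP-03", "last_report": date(2013, 5, 20), "software": {
        "Windows Updates": "2013.5", "Java": "7.25"}},
]

if __name__ == "__main__":
    print(patch_report(INVENTORY, REPORT_DATE)[0])  # {'current': 1, 'behind': 1, 'unknown': 1}
```

The "unknown" row is the one a reviewer should chase: a laptop that never reports cannot be counted as patched just because no finding was raised against it.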

D+H finds that many clients who perform Patch Management themselves do not have adequate scope or depth to truly protect the bank’s networks and the bank’s information assets. Just as security needs to be evaluated for all avenues of access to your protected data and systems, Patch Management needs to cover desktop and laptop applications and systems connected to your corporate network. Community banks need to ensure that they have a good patching program not only to meet regulatory guidelines, but also to mitigate the very real vulnerabilities and threats that are present in the financial arena and targeting the desktop, laptop, and network. D+H takes pride in the very positive results of its Total Desktop Management (TDM) and Critical Systems Management (CSM) solutions (which provide protection and management of your network devices, servers and desktops), as well as its professional forensics teams, in helping its clients meet and defend against these very real threats and challenges. The nature of the vulnerabilities and threats is changing over time, and financial institutions and service providers to the banking industry need to keep pace with this ever-evolving persistent threat.


Bob Gaines
Risk and Compliance Engagement Manager

As a risk and compliance engagement manager, Bob Gaines ensures that the services delivered to financial institutions are of the highest caliber and that client security controls are evaluated in alignment with the most current best practices. Bob brings almost twenty years of experience working in the information technology field, and a deep understanding of how security can protect the confidentiality, integrity and availability of data and information systems in a regulated environment.