A New Way to Fight Phishing
BITS, FS-ISAC Partner for New e-Mail Registry Solution
Registering and monitoring e-mail accounts and messages is the first step toward improving online security.
BITS, the technology division of The Financial Services Roundtable, and the Financial Services Information Sharing and Analysis Center say stronger e-mail authentication is the answer to phishing, and the foundation of heightened online security. So what are these organizations doing to help banking institutions fight online attacks?
Together, BITS and FS-ISAC have launched the Trusted Email Registry, a service that aims to provide standardized reporting and information collection about e-mail traffic seen by Internet service providers. Andrew Kennedy, who oversees e-mail security, malware, social media and cloud-computing risks for BITS, says the registry will provide banking institutions with domain-specific lists and reports that detail trusted and non-trusted international domains.
"The information comes as an aggregate report focusing on one domain, which provides insight into what large ISPs are seeing from e-mail purporting to originate from financial institutions," Kennedy says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
The information categorizes senders as good, bad and unknown.
"Using this information, financial institutions can continue to secure their e-mail channel," Kennedy says.
During this interview, Kennedy discusses:
- How institutions can explore business cases for e-mail authentication;
- The importance of layered security;
- How the new e-mail registry can enhance internal and external security.
Kennedy leads BITS' security initiatives, including work on e-mail security, malware, social media and cloud computing. Before BITS, Kennedy worked as an IT professional and security consultant with more than a decade of experience working in the biotech and software industries in California.
TRACY KITTEN: We all know that phishing attacks waged via e-mail fraud are increasing risks for financial fraud on the retail and commercial sides of the business, but could you give our audience a little background about why BITS and the Financial Services Information Sharing and Analysis Center thought this was an area they needed to tackle in early 2012?
ANDREW KENNEDY: We're really excited to be able to talk about the launch of the Trusted Email Registry and really excited to have worked here with the FS-ISAC to do this launch.
BITS has actually been working on e-mail authentication and e-mail security for a number of years, so we kind of see this as a logical continuation of those efforts. In 2007, we published the BITS e-mail security tool kit, which is a position paper that talks about what can be done to secure the e-mail channel, and in 2009 we published the e-mail sender authentication best practices guidelines, which is kind of the how-to document for deploying e-mail authentication technology.
One of the biggest drivers from our perspective is that phishing attacks have become more sophisticated over the last few years. The attacks are becoming more sustained. There are sustained campaigns going after end users. The phishing attacks appear to be legitimate using company logos and appearing to come from known senders. Often these phishing attacks have knowledge about the recipient which leads the end-user to believe that it may be somebody that they know.
We're also really excited about the launch of this registry because financial services and ISPs have come together to strengthen the e-mail security for all end-users and really increase the collaboration between entities within the Internet ecosystem.
Tackling E-mail Security
KITTEN: How have BITS and FS-ISAC partnered to help banks and credit unions improve online security, specifically e-mail security?
KENNEDY: Broadly, FS-ISAC is really a critical industry partner for sharing intelligence and threat information. BITS and the FS-ISAC have worked together the last few years to co-sponsor an annual industry meeting on security and risk. Specific to e-mail, we have differing memberships which really will help present this no-cost service to a broader variety of financial institutions so we get critical mass, and then working together with the FS-ISAC we've helped develop the set of parameters for this service to be run.
Trusted Email Registry
KITTEN: Now the Trusted Email Registry, which was launched in mid-January, collects information about e-mail traffic from Internet service providers. It also provides domain-specific reports for financial institutions to review. But how will this information provide banking institutions with deeper insights into e-mail fraud attempts and phishing attacks?
KENNEDY: One of the key new items that this service brings to bear is standardized reporting. The ISPs will provide information in a variety of different formats and this service will present them in a digestible format for financial institutions to consume. The information comes as an aggregate report focusing on one domain which provides insight into what large ISPs are seeing from e-mail purporting to originate from financial institutions. The information is presented in a way that you can see the aggregate information from known good senders, known bad senders and uncategorized senders. Using this information, financial institutions can begin to continue to secure their e-mail channel.
KITTEN: What can institutions do to learn more about the registry? How can they get more involved with the registry?
KENNEDY: BITS members can visit BITS.org to sign up and FS-ISAC members can visit the FS-ISAC website to learn more.
KITTEN: What kinds of information do banks and credit unions need to provide to ensure that they get as much from the registry service as possible? Are there privacy concerns?
KENNEDY: Financial institutions should bring a domain list. I think that's the most important thing to have. There are often thousands of domains that need to be monitored, but in some cases financial institutions will need to sign a release so that richer information can be captured from the Internet service providers and passed through the service to the financial institutions. At no time is sensitive information about retail or commercial customers exposed in this process. The aggregate reporting focuses on overall statistics such as how many e-mails are seen, how those e-mails passed differing forms of authentication checks, and what region of the world the e-mail originated from. All that helps the financial institutions understand how their domain is being perceived by downstream mailbox providers. I don't think there are any privacy concerns here. The aggregate information that we receive from the ISPs has no personally identifiable information associated with it. All the information is really high-level, aggregate information that focuses on how many e-mails are being received and where they're coming from.
Steps to Improve Online Security
KITTEN: What recommendations could you offer to institutions for 2012 as they work to improve online e-mail security, whether that security be internal or security for their external customers and members?
KENNEDY: I really recommend that financial institutions examine the business case for deploying e-mail authentication. BITS has worked hard in the past few years to provide tools and white papers to help understand this issue, and this service is another tool to be used. But this technology isn't just one way; it doesn't have to be focused just on the customers, the commercial customers or the retail customers and their downstream mailbox providers. Financial institutions can also turn this technology on themselves, thus getting better insight into what e-mail they're receiving and learning more about those messages entering their network.
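The kind of domain-level report Kennedy describes (known good, known bad and uncategorized senders; how many messages passed which authentication checks; volume by region) can be illustrated with a small aggregator. This is an added example, not the registry's own code or format: the ISP observations, the sender lists and the field names are all constructed here for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of what one ISP might observe for mail claiming to come
# from a bank's domain: (sending host, region, messages seen, SPF pass, DKIM pass).
# Hosts and addresses are reserved documentation values, not real senders.
RECORDS = [
    ("mta1.bank.example", "US",   120_000, True,  True),
    ("esp-bulk.example",  "US",    30_000, True,  False),  # vendor not yet DKIM-signing
    ("192.0.2.77",        "EU",     9_500, False, False),
    ("203.0.113.9",       "APAC",   4_200, False, False),
    ("198.51.100.4",      "US",        50, True,  False),
]
# Hypothetical lists an institution would bring to the service.
KNOWN_GOOD = {"mta1.bank.example", "esp-bulk.example"}
KNOWN_BAD = {"203.0.113.9"}


def classify(sender, known_good, known_bad):
    """Bucket a sender exactly as the report does: good, bad or unknown."""
    if sender in known_good:
        return "good"
    if sender in known_bad:
        return "bad"
    return "unknown"


def aggregate_report(records, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Roll per-sender observations into one domain report: message totals per
    category, authentication pass rates per category, volume by region, and
    findings the domain owner should act on (defensive view only)."""
    totals, region = Counter(), Counter()
    auth = defaultdict(Counter)
    findings = []
    for sender, reg, n, spf, dkim in records:
        cat = classify(sender, known_good, known_bad)
        totals[cat] += n
        auth[cat]["spf"] += n if spf else 0
        auth[cat]["dkim"] += n if dkim else 0
        region[reg] += n
        # A sanctioned sender failing a check is a configuration gap on our side.
        if cat == "good" and not (spf and dkim):
            findings.append(f"{sender}: sanctioned sender failing a check (fix config)")
        # Unknown senders pushing unauthenticated volume under our domain need review.
        if cat == "unknown" and not spf and not dkim and n >= 1000:
            findings.append(f"{sender}: high-volume unauthenticated mail using the domain")
    rates = {c: {k: round(v / totals[c], 3) for k, v in auth[c].items()} for c in totals}
    return {"totals": dict(totals), "auth_pass_rate": rates,
            "by_region": dict(region), "findings": findings}
```

Feeding the same function the institution's own inbound mail log, with the sender lists swapped for the domains it expects to receive from, gives the "turn this technology on themselves" view Kennedy mentions.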