Whitelisting is an important security control and is considered so effective against targeted attacks that the Australian DSD rated it one of the four most important controls[1]. By allowing only approved processes and DLLs to load, whitelisting can significantly raise the bar for attackers. Additionally, if blocked executions are investigated, they can often provide an early warning of an attack.

Peter Cohen

However, whitelisting does not prevent attack; it just makes it harder for the attacker. Organisations that may be targeted by more advanced actors need to consider whitelisting merely as one component of a mature set of security controls, which together provide much stronger holistic protection than whitelisting would alone.

A number of actors have been observed using strategies that bypass the whitelisting in place, and as whitelisting grows in popularity this will only become more common.

Whitelisting bypasses

Memory-resident exploits

Many attacks exploit web browsers or common document editing software, such as Microsoft Office or Adobe Reader, in order to gain code execution inside the process that was exploited. At this point, more common attacks will use the code execution achieved to download full-feature malware as a binary executable to run on the system. This would be prevented by whitelisting as the downloaded malware would not be allowed to run.

However, more advanced attackers will not download a binary directly and may remain fully memory-resident within the memory space of the exploited process. To avoid losing control when the targeted software is exited, the memory-resident malware may migrate to the memory space of another approved process that is expected to remain running for as long as the system is powered on, such as explorer.exe.

Alternatively, a new approved process may be launched and used specifically to host the memory-resident malware. This technique is known as “process hollowing” and involves launching an approved process permitted by whitelisting and replacing its executable code in memory with malicious code. Recently, “Duqu 2” made use of this technique to make it appear that legitimate security software was running and active, whilst really rendering it inactive and simultaneously using it to host Duqu’s own malicious code.

Whilst these techniques may sound advanced, many common malware families make use of them and even freely available penetration testing frameworks like Metasploit have supported fully memory-resident operation for years.

Privilege escalation and kernel exploits

Whitelists are only strongly enforceable against users who do not have local administrative access to their systems because administrative access can be used to disable the protection, add exceptions or otherwise render it ineffective. An attacker who exploits an administrative user could make configuration changes such that any further malware they wanted to use would be permitted.

However, this technique is not limited to use against administrative users. Privilege escalation attacks could be used as a second stage attack in order to get around whitelisting. For example, our security consultants used a kernel exploit as part of a Chrome browser exploit in Pwn2Own to both gain remote code execution and escalate privileges to break out of the browser sandbox and gain administrative level access. At this point, whitelisting protection could be disabled.

Poorly configured whitelists

Whitelists are a good control but not all whitelists are created equal. Each organisation will set up a whitelist that suits its working habits and in MWR’s experience, there are often holes in the whitelisting that an attacker can exploit to gain persistence. Common flaws include:

  • Validating only the program name – this can easily be circumvented by renaming the binary
  • No validation of DLL loads – common tools such as rundll32.exe can be used to load executable content as DLLs instead
  • Writable paths – path rules are commonly used to allow execution, and if the allowed paths are writable then the whitelist can be bypassed by writing malicious executable content to them

By identifying a flaw such as these, the attacker can compromise a system with whitelisting in place.
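
The three configuration flaws listed above can be checked for mechanically before an attacker finds them. The following script is an added example written for this page, not MWR's tooling or any product's own policy format: it audits a small, constructed rule set (the rule schema and the list of user-writable directories are assumptions) and reports name-only rules, allowed paths that overlap a user-writable directory, and the absence of any rule covering DLL loads.

```python
"""Audit a simple application-whitelist rule set for the common flaws
described above: name-only rules, writable allowed paths, and no DLL
enforcement.

The rule schema here is constructed and vendor-neutral (assumption); it is
not the configuration format of any particular whitelisting product.
"""
import fnmatch
from collections import Counter

# Constructed sample policy. Each rule has a kind (path, name, publisher),
# a value, and the binary collections it applies to ("exe", "dll").
SAMPLE_RULES = [
    {"kind": "path", "value": r"C:\Program Files\*", "collections": ["exe"]},
    {"kind": "path", "value": r"C:\Windows\*", "collections": ["exe"]},
    {"kind": "path", "value": r"C:\Users\*\AppData\Local\Temp\*", "collections": ["exe"]},
    {"kind": "name", "value": "updater.exe", "collections": ["exe"]},
    {"kind": "publisher", "value": "O=CONTOSO LTD", "collections": ["exe"]},
]

# A hardened variant of the same policy (constructed): publisher and path
# rules only, covering DLLs as well as EXEs, with no rule over a
# user-writable location.
HARDENED_RULES = [
    {"kind": "path", "value": r"C:\Program Files\*", "collections": ["exe", "dll"]},
    {"kind": "publisher", "value": "O=MICROSOFT CORPORATION", "collections": ["exe", "dll"]},
    {"kind": "publisher", "value": "O=CONTOSO LTD", "collections": ["exe", "dll"]},
]

# Constructed list of directories a standard (non-admin) user can write to.
# In practice this would come from an ACL sweep of the allowed paths.
SAMPLE_WRITABLE_DIRS = [
    r"C:\Users\alice\AppData\Local\Temp",
    r"C:\Windows\Temp",
    r"C:\Windows\Tasks",
]


def _probe_matches(pattern: str, directory: str) -> bool:
    """True if a file dropped into `directory` would satisfy the path `pattern`."""
    probe = directory.rstrip("\\") + "\\probe.exe"
    return fnmatch.fnmatchcase(probe.lower(), pattern.lower())


def audit_rules(rules, writable_dirs):
    """Return a list of findings, each with a 'flaw' label and a detail string."""
    findings = []
    dll_covered = False
    for rule in rules:
        if "dll" in rule["collections"]:
            dll_covered = True
        if rule["kind"] == "name":
            findings.append({"flaw": "name_only", "rule": rule["value"],
                             "detail": "matches on file name only; a renamed binary satisfies it"})
        elif rule["kind"] == "path":
            for directory in writable_dirs:
                if _probe_matches(rule["value"], directory):
                    findings.append({"flaw": "writable_path", "rule": rule["value"],
                                     "detail": f"allowed path contains user-writable directory {directory}"})
    if not dll_covered:
        findings.append({"flaw": "no_dll_rules", "rule": None,
                         "detail": "no rule enforces DLL loads; DLL-hosted code is unconstrained"})
    return findings


def summarize(findings):
    """Count findings per flaw category."""
    return dict(Counter(f["flaw"] for f in findings))


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, SAMPLE_WRITABLE_DIRS):
        print(f"[{finding['flaw']}] {finding['rule'] or '-'}: {finding['detail']}")
    print("weak policy:", summarize(audit_rules(SAMPLE_RULES, SAMPLE_WRITABLE_DIRS)))
    print("hardened policy:", summarize(audit_rules(HARDENED_RULES, SAMPLE_WRITABLE_DIRS)))
```

The weak policy yields one name-only finding, three writable-path findings (the Temp and Tasks directories sit under the broad C:\Windows rule, and the per-user Temp rule is writable by definition) and one missing-DLL finding; the hardened policy yields none. Real deployments should replace the constructed writable-directory list with the result of an actual permission sweep, since that list is where most surprises live.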

Scripting and bytecode engines

Many whitelisting tools monitor native binary loads but do not appropriately account for other ways of executing arbitrary code. These include common scripting and bytecode engines that are either installed by default or commonly installed by enterprises and can be used to achieve arbitrary code execution. Common examples include:

  • Java
  • PowerShell
  • Office Macros
  • VBScript
  • Batch files
  • InstallUtil bypass[2]

Our security consultants have successfully exploited environments with whitelisting in place using some of these technologies. Many whitelisting solutions cannot directly control these technologies other than to fully disable the entire scripting engine, which is often not viable when the technology is required for business applications.

Attacking hosts not subject to whitelisting

A simple bypass assumes not all hosts in an environment will be using whitelisting. Whilst whitelisting might have been rolled out to the majority of corporate desktops, alternative operating systems such as servers, Linux desktops and OSX hosts may not be whitelisted so aggressively. By targeting these hosts, attackers can gain the foothold on the network they need. For example, by targeting a Linux-hosted web application or a marketing user with a MacBook, whitelisting solutions focused on Windows hosts may be avoided completely.

Similarly, not all user profiles are subjected to whitelisting restrictions. Typically administrators and sometimes developers are able to run arbitrary executable code, and so whitelisting can often be avoided by targeting these users. They also often have the highest privileges on the network and so are particularly attractive targets for an attacker anyway.

Secure configuration

Organisations should ensure that whitelisting is robustly and aggressively configured so that there are not obvious gaps that an attacker can exploit to plant malicious code on a system. This includes ensuring whitelisting is present on all hosts, regardless of operating system, that can be reached by an attacker.

This should include tight control of scripting and bytecode engines so that they do not represent a generic way to bypass the whitelisting controls in place. In many cases, most users will not require technologies like PowerShell, and other configuration controls exist for controlling the execution of VBScript and Office macros. For technologies that may be more problematic to control directly, such as Java, centralised logging of process execution can be used to help detect malicious use of Java specifically.

Other whitelisting policy violations should be logged and exported to SIEM infrastructure so that they can be investigated by security analysts, as they may indicate a compromised system or a failed attack.
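
The logging recommended in the two paragraphs above only pays off if someone triages what arrives at the SIEM. The script below is an added example for this page, not part of the original article or of any SIEM product: it parses a handful of constructed, AppLocker-style process-execution records (the one-line key=value format is an assumption made for the example; the event IDs follow the AppLocker convention of 8002/8005 for allowed, 8003/8006 for audit-only and 8004/8007 for blocked EXE/DLL and script executions, which you should confirm against your own event source) and raises a high-severity alert for every block, plus a medium-severity review item for audit-only hits and for allowed executions of scripting or bytecode engine hosts such as PowerShell and Java.

```python
"""Triage whitelisting events exported to a SIEM: blocks are investigated,
audit-only hits and script/bytecode engine use are reviewed.

The log line format and the sample lines are constructed for this example
(assumption); map your real event source onto parse_line() accordingly.
"""
import re
from collections import Counter

# Executable hosts for the scripting and bytecode engines discussed above.
ENGINE_HOSTS = {
    "powershell.exe", "pwsh.exe", "java.exe", "javaw.exe",
    "wscript.exe", "cscript.exe", "cmd.exe", "installutil.exe",
}
BLOCKED_EVENTS = {"8004", "8007"}      # EXE/DLL or script prevented from running
AUDIT_ONLY_EVENTS = {"8003", "8006"}   # would have been blocked in enforce mode

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)"
    r"\s+event=(?P<event>\d+)\s+file=(?P<file>.+)$"
)

# Constructed sample records, one per line (not real telemetry).
SAMPLE_LINES = r"""
2020-07-01T09:12:03Z host=WS-017 user=CONTOSO\alice event=8002 file=C:\Windows\System32\notepad.exe
2020-07-01T09:12:41Z host=WS-017 user=CONTOSO\alice event=8004 file=C:\Users\alice\Downloads\invoice.exe
2020-07-01T09:13:05Z host=WS-017 user=CONTOSO\alice event=8002 file=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2020-07-01T09:15:22Z host=WS-042 user=CONTOSO\bob event=8007 file=C:\Users\bob\AppData\Local\Temp\run.vbs
2020-07-01T09:16:10Z host=WS-042 user=CONTOSO\bob event=8002 file=C:\Program Files\Java\jre\bin\java.exe
2020-07-01T09:18:33Z host=SRV-003 user=CONTOSO\svc_backup event=8003 file=C:\Windows\Tasks\svc.exe
""".strip().splitlines()


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["basename"] = record["file"].rsplit("\\", 1)[-1].lower()
    return record


def classify(record):
    """Return (severity, reason) for records worth an analyst's attention, else None."""
    if record["event"] in BLOCKED_EVENTS:
        return "high", "blocked_execution"
    if record["event"] in AUDIT_ONLY_EVENTS:
        return "medium", "audit_only_would_block"
    if record["basename"] in ENGINE_HOSTS:
        return "medium", "script_engine_use"
    return None


def triage(lines):
    """Turn raw lines into a list of alert dicts, dropping benign and unparseable lines."""
    alerts = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        verdict = classify(record)
        if verdict:
            alerts.append({**record, "severity": verdict[0], "reason": verdict[1]})
    return alerts


def summarize(alerts):
    """Count alerts per severity, e.g. for a dashboard tile."""
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    for alert in triage(SAMPLE_LINES):
        print(f"{alert['severity']:6} {alert['reason']:24} {alert['host']} "
              f"{alert['user']} {alert['file']}")
    print(summarize(triage(SAMPLE_LINES)))
```

On the sample data the two blocks (the downloaded invoice.exe and the VBScript in Temp) are the high-severity items; the PowerShell and Java executions and the audit-only hit on a binary in C:\Windows\Tasks come back as medium. The engine-host list is deliberately small; extend it with whatever your own environment treats as an execution engine, and baseline which users legitimately run those hosts so that the medium alerts do not become noise.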

Network defences

The vast majority of malware will depend on the use of the network for command and control and data exfiltration. Therefore, robust network monitoring that can detect malicious channels is important, especially in environments that may be targeted by any malware that is above commodity level.

Network monitoring should benefit from, but not rely on, signatures and indicators of compromise (IOCs) as more advanced attackers can typically evade these with ease. A historical investigation capability is important as in many cases organisations only learn about compromise by more advanced actors months or even years after the initial compromise. The ability to investigate the historic activity of compromised hosts to understand the full extent of the compromise is crucial.

Endpoint threat detection and response

Whitelisting is primarily an endpoint-focused preventative control and so it is also important that strong detection controls are in place on endpoints. Standard logging in Windows and Linux provides valuable information to investigators but much more advanced logging and analysis is required to detect more advanced threats.

For example, properly detecting the use of process hollowing or thread injection as a technique to bypass whitelisting will require detailed process execution logging and live memory analysis. Dedicated endpoint threat detection and response software will generally be required to achieve this.

Prevention alone is not enough – attack detection is required

Application whitelisting is a great preventative security control and is arguably the most effective first line of defence against initial endpoint compromise. However, no security control can protect against every attack and so it does not replace the need for good attack detection for when preventative controls fail.

A large enterprise without strong whitelisting controls is likely to have endpoints compromised by generic malware and adware that anti-virus misses regularly. An advanced attack is likely to slip under the radar easily in this situation.

Whitelisting can help reduce the noise of common malware infections, such that if a confirmed compromise is detected on a well patched endpoint with strong application whitelisting in place, then it is immediately cause for a stringent investigation, as it is much more likely to be the result of an advanced, targeted attack. Additionally, due to the low noise from common malware infections there should be much more resource available for investigation.




IDnow: Putting a new face on identity verification

By Charlie Roberts, Head of Business Development UK&I at IDnow

Munich headquartered IDnow is an identity verification provider which uses AI-based technology to check all security features on ID documents. With its Identity Verification-as-a-Service (IVaaS) platform that combines humans and technology, IDnow has set out to make the connected world a safer place, by enabling the identity verification of more than seven billion potential customers from 193 different countries.

IDnow’s expert knowledge of German regulation, which is considered one of the most highly regulated markets globally, has become critical. Indeed, the firm is currently in talks with the UK government about creating “immunity passports” for people who have recovered from Covid-19 to determine how recently someone has been tested and whether they can return to work.

Since launching its solutions in the UK in November last year, IDnow has seen enormous demand from organisations for its AI-based products. Compared to the same period in 2019, the firm has reported a 358% increase in order intakes as Covid-19 accelerates the need for digital processes.

So why the increased demand? We caught up with Charlie Roberts, Head of Business Development UK&I at IDnow, to talk about the AI identity verification market and how AI can help financial services organisations detect and mitigate identity fraud.

So why has IDnow seen such increased demand for its identification products?

While technology is – on the whole – changing the way people do business for the better, it nevertheless carries with it a certain degree of risk to security. In the current climate in particular, with an accelerated move towards buying and selling online, identity fraud is on the rise. In fact, our research estimates this type of fraud has doubled in the last year alone. And, while banking and financial services may be the lowest hanging fruit in terms of targets for attempted identity fraud, the threat is certainly not restricted to this sector.

The problem is the cost to the economy. In June this year, Action Fraud announced that over £6.2m has reportedly been lost in the UK due to coronavirus-related scams, making cyber fraud one of the biggest threats in our economy and the fastest growing crime.

So we have seen an enormous uptick in enquiries about AutoIdent and VideoIdent because of their combined human and machine approach. Any identity verification check that doesn’t look 100% accurate gets automatically passed through to a human for extra security, all on the same platform, in a matter of minutes.

What are the most common fraud methods?

Of all fraud methods, social engineering is the biggest issue for companies. It has become the most common fraud method in 2019, accounting for 73% of all attempted attacks. It lures unsuspecting users into providing or using their confidential data and is increasingly popular with fraudsters, being efficient and difficult to recognise.

Fraudsters trick innocent people into registering for a service using their own valid ID. The account they open is then overtaken by the fraudster and used to generate value by withdrawing money or making online transfers.

They mainly look for their victims on online portals where people search for jobs, buy and sell things, or connect with other people. In most of the cases, the fraudsters use fake job ads, app testing offers, cheap loan offers, or fake IT support to lure their victims. People are even contacted on channels like eBay Classifieds, job search engines and Facebook.

Fraudsters are also creating sophisticated architecture to boost the credibility of these cover stories which includes fake corporate email addresses and fake websites.

In addition, we are seeing more applicants being coached, either by messenger or video call, on what to say during the identity process. Specifically, they are instructed to say that they were not prompted to open the account by a third party but are doing so by choice.

How can we fight social engineering?

The first priority is to ensure people are aware of the problem, and then ensure people have the right technology in place to be able to track fraudulent activity and react quickly.

Crucially, it requires a mix of technical and personal mechanisms. Some methods include:

  • Device binding: To make sure that only the person who can use an app – and the account behind it – is the person who is entitled to do so, the device binding feature is highly effective. From the moment a customer signs up for a service, the specific app binds with their used device (a mobile phone for example) and, as soon as another device is used, the customer needs to verify themselves again.
  • Psychological questions: To detect social engineering, even if it is well disguised, trained staff can be used as an additional safety net both during detection, but also in addition to the standard, automated checks at the start of the verification process. They can ask a customer an additional set of questions once a risk of a social engineering attack has been detected. These questions are constantly updated as new attack patterns emerge.
  • Takedown service: With every attack, organisations can learn. This means constantly checking new methods and tricks to identify websites which fraudsters are using to lure in innocent people. And, by working with an identity verification provider that has good links to the most used web hosts, they are able to take hundreds of these websites offline.

Is social engineering the only type of identity fraud?

No! There is also false identity fraud. Our research indicates fake IDs are available on the dark web for as little as £40 and some of them are so realistic – including the use of holograms – they can often fool human passport agents. The most commonly faked documents are national ID cards, followed by passports in second place. Other documents include residence permits and driving licenses.

Charlie Roberts

Similarity fraud is another method of identity fraud in use, although it’s not as common thanks to the development of easier and more efficient ways (like social engineering). This method involves the use of a genuine, stolen, government-issued ID that belongs to a person with similar facial features.

Can anything be done about this?

Biometric security is extremely effective at fighting this kind of fraud. It can check and detect holograms and other features like optical variable inks just by moving the ID in front of the camera. Machine learning algorithms can also be used for dynamic visual detection.

To fight similarity fraud, biometric checks and liveness checks used together are very effective – and they are much more precise and accurate than a human could ever be without the help of state-of-the-art security technology.

The biometric checks scan all the characteristics in the customer’s face and compare them to the picture on their ID card or passport. If the technology confirms all of the important features in both pictures, it hands over to the liveness check. This is a liveness detection program to verify the customer’s presence. It builds a 3D model of their face by taking different angled photos while the customer moves according to instructions.

The biometric check itself could be tricked with a photo but, in combination with the liveness check, it proves there is a real person in front of the camera.

This all sounds like a significant time investment for companies?

It does but, if you can find a solution that offers both a fully automated system AND a video identification solution on a single platform, then it becomes pretty friction-free and part of the workflow. In fact, customers can be checked in a matter of minutes. Organisations worldwide need to be taking this very seriously. With over 1.9 billion websites and counting, there is a huge potential for fraud, and it’s a serious problem that must be slowed down.

The threat of identity fraud is not going away and, as fraudsters become more and more sophisticated, so too must technology. With the right investment in advanced technology measures, organisations will be in a much stronger position to stop fraudsters in their tracks and protect their customers from the risk of identity fraud.

NextGen Communications – the future of customer experience

By Andrew Beatty, Head of Global Next Generation Banking at FIS

As software development increasingly resembles push updates in services, how can financial institutions best take advantage of their investments? The answer is leveraging today’s technologies to empower institutions to elevate their customer experience with personalised and integrated communications.

Long a staple of the British market, digital banks are expanding worldwide. The pandemic played to the strengths of these organisations. With branches closed or restricted, the accessibility and flexibility of these banks were major assets.

To better understand just why digital banks succeed, we need to look at their operating models. Using Software as a Service (SaaS) and Platform as a Service (PaaS) operating models rather than more traditional and slower alternatives allows them to supercharge development.

These new technologies can elevate customer experience (CX), with a specific focus on customer communications – an area often neglected in favour of purely aesthetic upgrades to flashy-looking front-end systems.

Communicating effectively

Every minute of every day, institutions globally generate 18 million texts, 188 million emails, 511,000 tweets, 232 VoIP calls and use 4.4 million GB of internet data. This colossal amount makes it difficult to provide a consistent experience that meets ever-higher customer expectations across all communication interactions and devices. Banks need to be accessible and provide a seamless experience through any and all of the channels their customers prefer, be that Native App Push, email, SMS, print, social media, Call Centre or bots.

FIs typically lack an integrated experience. What’s needed is enabled by a consistent data schema and workflow foundation that elevates the communications experience. Customers may not know to specifically request these, but they will notice their absence. Fundamental to these capabilities are application programming interfaces (APIs) that enable banks to pick and choose best-of-breed technologies, allowing banks to focus on improving the CX and increasing Operational Efficiency and Governance.

Loyalty matters

Banks succeed on the backs of loyal customers. What inspires loyalty in customers is a banking relationship that includes both listening and speaking. Research shows that 63% of customers would consider switching banking providers if communications don’t meet their expectations. For customers who said that their banks did not proactively offer them personalised services, the customer satisfaction experience rate fell to 39%.

Research shows that more than 70% of CX leaders struggle to design projects that increase customer loyalty. Contrast this number with 75% of enterprises aiming to beat their competitors by offering the best digital consumer experience, and we can gain a sense of just how crucial communications are; a seamless CX is more important than ever to meet these goals.

These last few months have been a testing ground for banks old and new. Every email, every statement about actions taken during the pandemic is a chance to prove (or disprove) that a bank has a robust, customised communication solution. Integration across all interactions is critical.

Questions to ask

Here are six questions executives who want to improve CX at their banks need to ask when evaluating infrastructure improvements:

  1. How will capabilities evolve without requiring extensive development to support new data schemas, workflow, communication types and new channels?
  2. Will the new solution allow accelerated change management (business user-enabled) of all communications to meet internal and external demand, or will we be handcuffed to an internal or external software release for these updates?
  3. Will our middle/back office and call centre benefit from this solution by having the capability to send ad-hoc communications from a previously approved library?
  4. Will we have end-to-end tracking of all our as-delivered communications for all stakeholders (call centre, back office, etc.)?
  5. How is delivery remediation handled? (e.g., failover from a failed email delivery to SMS)
  6. Are all required delivery methods supported in one centralised platform?

Consider these questions before embarking on a major project. This should help ensure the selected solution results in improved Customer Experience, superior Operational Efficiency, and better Governance for your financial institution.

FIs must take advantage of emerging technologies and investment in core technologies by considering service options for all key elements of their CX. A robust data integration and workflow layer along with API integrations allow the different components of technology infrastructure to have seamless real-time integrations with third-party Customer Communication Management technologies. This can accelerate existing digital transformation initiatives and take full advantage of a modern core transformation investment – putting technology to work for FIs and their customers.

The Derry Group launches new employee engagement and communications app

The Derry Group, a one stop shop for the distribution, storage and order picking of chilled and frozen products has today announced the launch of its new employee engagement app, Thrive.App.

Their flagship company Derry Refrigerated Transport is a leading service provider for chilled and frozen distribution throughout Ireland, the UK and Europe. Derry Refrigerated Transport is the first haulage company in Ireland to sign up to the newest self-service, rapid deployment Thrive.App which brings together the key features needed for businesses to power up their internal communications for their frontline teams.

With hundreds of employees working across multiple locations in Ireland, communication, organisational engagement and information sharing is essential for the growing business.

In order to meet the additional challenges presented by the current global pandemic and the fact that the company works out of various locations throughout the country The Derry Group recognises the need to look at new ways in which all employees can more effectively communicate and share information with each other.

Commenting on the deployment of the new Thrive.App, Patrick Derry, Managing Director, said,

“We have worked hard to build and transform our business to what it is today, and our employees are key to our success. It is important to us that we give them everything they need to carry out their roles successfully as well as feeling supported and recognised for what they do. With the Thrive.App our employees can now easily access the information they need to support them in their role, they see important updates as they occur, and they know what is happening across all areas of the business.

The launch of Thrive.App will bring everyone closer together, which is particularly important during the current challenges of Covid19 and the fact that we have teams in various parts of the country.

The Thrive team have provided the best support and guidance in helping us to launch the employee app and we are confident they will continue to support us to make it a success across our organisation.”

James Scott, CEO, Co-Founder of Thrive, adds: “We are delighted to help and welcome The Derry Group as a new client and look forward to working together to ensure their employee communications and engagement app is a success and loved by their teams within the Group structure whether based in Armagh, Dublin or Cork.

Our goal is to help organisations in shifting their communications from traditional methods such as printed newsletters, notice boards and team briefings to instant, modern apps and we have loved helping The Derry Group do this. We look forward to seeing the direct positive impact the app will have on their employee communications and engagement.”
