B.2.2.1 Internet Surveillance for Abuses Targeting Financial Industry
Tools or services for surveying information gleaned from actual Internet usage patterns to identify phishing activities or any suspicious behavior that indicates potential attacks targeting financial institutions or their customers.
B.2.2.2 Brand/Trademark/Copyright Infringement Detection/Reporting
Services that search the Internet and related databases (e.g., registries) for any activities or postings that might indicate infringement of brands, trademarks or copyrights, as such abuses are often elements of a phishing attack.
B.2.2.3 Real-time Detection/Reporting of Phishing Attacks
Tools or services that can detect in real time the actual deployment of phishing machinery or flag new attacks the moment they are launched.
B.2.2.4 Monitoring/Surveillance of Cyber-Criminal Activities
Investigation services that provide surveillance of the larger criminal enterprise or marketplace in which phishers operate, including communications between providers of various services used to launch phishing attacks (e.g., spammers), fence stolen credentials, or launder stolen money.
B.2.2.5 Industry-wide Shared Monitoring/Surveillance Services
Facilities that allow broad industry sharing of common monitoring/surveillance services in ways that distribute costs, improve effectiveness, expand scope, or extend across jurisdictional boundaries.
B.2.3 Category VIII: Proactive Measures
Since proactive measures can be considerably more cost-effective than reactive measures, there are opportunities for the financial industry to leverage its collective resources in ways that could improve the overall cost-effectiveness of phishing countermeasures.
B.2.3.1 Proactive Threat Modeling
Modeling techniques that can be used to project how phishing schemes are likely to evolve and what new targets will likely be attacked.
B.2.3.2 Future-Threat Prediction & Analysis
Proactive measures to anticipate what new techniques might be used by phishers, and analysis of how to counter such threats before they emerge.
B.2.3.3 Industry Self-Testing and Audit
Industry audits or tests that can be used to detect vulnerabilities to certain phishing attacks or poor practices that may result in unnecessary risks.
B.3 Non-Technical Measures to Address Phishing
Some options available to the Financial Industry involve non-technical measures. Both tactical and strategic options are included in this set of categories. In many cases, effective strategies will incorporate combinations of technical and non-technical measures to counteract the phishing threats.
B.3.1 Category IX: Hardening the User
An uneducated, inexperienced user will always be a source of vulnerabilities in any system that they participate in—i.e., users are potential marks for phishers. As long as users remain susceptible to “social engineering” attacks, they will be likely victims and also sources of vulnerabilities that can compromise even the most secure systems. It is also worth noting that concern about user vulnerabilities extends to employees of merchants, infrastructure providers and financial services firms. Phishing attacks can target a system administrator in much the same manner that individual consumers are targeted.
B.3.1.1 End-User Education to Reduce Susceptibility to Exploits/Attacks
Any information campaigns or educational materials that can inform end users of the risks of being phished, including measures that communicate effective messages to users as they conduct their business online.
B.3.1.2 Redefining the Trust Relationships
Any means by which financial institutions and other responsible parties can strengthen their trust relationships with end users (e.g., customers, consumers) can help reduce the susceptibility of users to social engineering attacks.
B.3.1.3 Engaging End-Users in Countering Phishing
Programs that harness the eyes, ears, and fingers of users in detecting and reporting new phishing attacks, or whole new phishing schemes.
B.3.1.4 White-Hat Operations Involving End-Users
Any approaches that engage “good guys” in roles that mimic phishers to ascertain end-user susceptibility to phishing attacks, or to thwart actual phishing activities.
B.3.2 Category X: Hardening the Institution
Phishing, by its very nature, exploits the trust that customers have for their financial institutions and other organizations they conduct business with. In many cases, phishers mimic the behaviors of legitimate enterprises, or they take advantage of ineffective responses from enterprises confronting phishing threats. Consequently, many firms and organizations will have to change their behaviors or learn how to respond to these new assaults on their reputations.
B.3.2.1 Training Customer Service Staff
Programs designed to enhance the effectiveness of customer service organizations in responding to customers who have been targeted by phishers.