The financial services industry's need to stay connected in a global economy, together with the increased adoption of cyber insurance, is undermining security efforts.
This is despite the fact that the banking industry is one of the most popular targets for cyber criminals, according to the 2015 Financial Services Drill-Down Report from security firm Websense.
The requirement for businesses in financial services to maintain a real-time connection to the global economy has impaired certain logical security precautions, the Websense report said.
A study cited recently by The Wall Street Journal found that, while 90% of banks encrypt transmitted data, only 38% encrypt data at rest – and 30% of the banks surveyed did not require multifactor authentication for third-party suppliers.
One Fortune 500 bank admitted that several of its servers had not been patched for the Heartbleed vulnerability, because patching these servers would break continuity with several European banks that have not yet upgraded their systems – and this would disrupt operations.
“That shows the struggle and pressure many financial services organisations are facing, to maintain the availability of service while needing to adopt security best practice – but then finding that those are at odds with each other,” said Carl Leonard, principal security analyst at Websense.
“There need to be suitable conversations at the right level to ensure the risks are fully understood by the business, because it always comes down to a risk analysis exercise to decide the best course of action.”
Cyber insurance products short-circuit security efforts
The Websense report said this is compounded by the fact that cyber security insurance may be providing a sense of false security and some banks with such policies are not fixing their security problems, relying on their policies as financial liability risk management.
The report points out this assumption is flawed because cyber security insurance is limited in its coverage, and only partially limits the financial impact of a worst-case cyber attack scenario.
“Addressing the root causes of cyber risks through best practice – rather than relying on insurance – is something financial institutions should address if they fall into this category,” said Leonard.
The Websense report confirmed that financial services is the most-targeted industry sector, experiencing three times as many security incidents as other sectors. Hackers most often seek user credentials, personal data and account information.
“This sector offers cyber criminals rich pickings, because financial services typically hold client information – and they are where the money resides,” said Leonard.
“The Websense data shows that financial services firms are under duress and they have lots to deal with in terms of the volume and complexity of attacks,” he said.
Hackers vary attack methods
The report shows that attack methods vary significantly from month to month, making it difficult and unsettling for defenders.
“While 50% of attacks in March 2015 used obfuscated code, that trend completely disappeared in April, which means that there is no time to adapt before something new comes along, making detection and analysis difficult because of the extreme swings in attack methods,” said Leonard.
Because credential-stealing attacks are among the most common attacks targeting financial services, certain malware families are used disproportionately against this sector. The most common include Asprox, Vawtrak and the Geodo credential-stealing email worm, which is seen four times more often in the banking industry than in any other sector.
“Geodo is spread via emails. First it compromises a financial services firm and then uses the email systems of that business to distribute itself. While this is very common in this sector, other attacks are not seen by financial services firms for months at a time, such as Gatak, which has not been seen in this sector for around seven months,” said Leonard.
The fact that attack types are so highly specific to the financial services industry, he said, highlights the need for organisations to understand their own industry sector and the malware families most commonly used, to be as well prepared as possible for at least some of the attacks they are likely to see over and above the baseline attacks common to all sectors.
Stepped-up lure efforts
The report also shows a third of all lure stage attacks target financial services, meaning hackers are spending a large amount of energy targeting this sector with a disproportionate amount of reconnaissance and lures devised to penetrate the organisation – and then go in search of the big payload.
“Many of the attacks targeting financial services could be stopped very early on in the threat lifecycle, but many organisations are focusing on the artifacts of the attack when it hits their endpoints, which means they are investing in things like sandboxing, while it is actually at the lure stage that most of the attacks could be observed and stopped,” said Leonard.
While all organisations need to maintain focus on the latter stages of attacks, he said they need to make sure the earlier stages of attacks are analysed such that they can gain intelligence and protection capabilities. Intercepting attacks early in the lifecycle can help organisations reduce the volume of baseline attacks hitting their endpoints.
Another top finding of the study is that the financial services industry is among the most heavily targeted by “typo squatting” attacks, ranking third among 20 industries.
“Typically attackers register a domain that is just a character or two different from their target domain, and then use that domain to send email into the target organisation that at first glance appears to come from within the organisation,” said Leonard.
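As an added example (not from the Websense report or this article), one defender-side check for the lookalike-domain pattern Leonard describes: flag inbound mail whose sender domain sits within one or two edits of the organisation's own domains. The domains and From: headers below are constructed placeholders, not real data.

```python
# Added example: detect near-miss sender domains in inbound mail headers.
# OWN_DOMAINS and SAMPLE_FROM_HEADERS are constructed for illustration only.
from email.utils import parseaddr

# Constructed: the domains this organisation legitimately sends from.
OWN_DOMAINS = {"examplebank.com", "examplebank.co.uk"}

# Constructed inbound From: header values (not real messages).
SAMPLE_FROM_HEADERS = [
    "Alice Payments <alice@examplebank.com>",    # genuine internal sender
    "Treasury Desk <treasury@examp1ebank.com>",  # 'l' swapped for '1'
    "IT Helpdesk <helpdesk@examplebank.co>",     # dropped 'm' from .com
    "Newsletter <news@partner-news.example>",    # unrelated domain
    "Payroll <payroll@exampelbank.com>",         # transposed letters
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify(from_header: str, own_domains=OWN_DOMAINS, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header."""
    domain = sender_domain(from_header)
    if domain in own_domains:
        return "internal"
    # A domain one or two edits away from ours is the typo-squatting pattern.
    if any(levenshtein(domain, own) <= max_distance for own in own_domains):
        return "lookalike"
    return "external"

def scan(headers=SAMPLE_FROM_HEADERS) -> dict:
    """Map each header to its classification; 'lookalike' entries need review."""
    return {h: classify(h) for h in headers}
```

Exact matches to a known-good list should be checked before the distance test, otherwise legitimate partner domains that happen to be near-misses will be flagged on every message.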
Financial services attack methods migrate to other sectors
While this report focuses on the attacks affecting the financial services sector, the report is of relevance to all industry sectors due to what researchers call the “trickle-down effect”.
This means that attacks that are currently popular in the financial services sector could easily migrate or trickle down to other sectors in the coming months, said Leonard, as the malware authors gain success.
In the light of the study’s findings, he said financial services and other firms need to understand the lifecycle of a threat and should be able to perform gap analysis on their existing infrastructure, to identify weak points.
“If they find they are focusing heavily on later stages of attacks – such as communications with command and control or payload analysis – but they are not able to intercept attacks early on, that is putting undue pressure on technologies operating at the later stages of defence. They should invest in earlier stages and take a more proactive approach to understanding how payloads get into their environment, so they are better able to plug the holes,” said Leonard.
“If they are not doing so already they should also plug themselves into the available threat intelligence sharing communities at a national computer emergency response team (Cert) level, an industry-specific group such as FS-ISAC or some other means to understand exactly what is relevant in their industry, so they can move to a more proactive stance,” he said.
Another strategy that a growing number of organisations are using to address cyber security skills shortages, and to ensure they are not operating in isolation, is to turn to managed security service providers.
“By outsourcing their security operations centre, organisations can gain knowledge from across multiple companies and multiple industries that can be applied by a managed service provider into their own environment as attacks migrate and change,” said Leonard.