Published on April 18, 2016
As data breaches target all sectors of society, cyber threats to financial institutions continue to garner especially close scrutiny due to the potential damages suffered by both the institution itself as well as its customers.
According to a 2014 news article, the Federal Bureau of Investigation estimated that more than 500 million financial records were hacked over the previous 12 months. Major publicized incidents reveal that financial institutions, particularly those in the United States, are a highly sought after target by criminal actors seeking to reap financial rewards.
Of note, from 2012 to 2015, one gang of cyber criminals successfully gained access to several high profile financial targets to include JP Morgan, as well as Scottrade, a Boston-based mutual fund, and online stock brokerages in Nebraska, New York, and North Carolina. This is just a microcosm of the bigger reality: there are more cyber attacks directed against financial institutions globally, than any other sector, at least according to one information security company.
Financial data is very appealing to criminals as it can be quickly monetized especially in an array of regional underground criminal marketplaces. These venues offer platforms to sell stolen merchandise to customers that in some cases have been vetted. Given that cyber crime is projected to cost the global economy an astounding $445 billion, the ability to quickly acquire and turnover stolen data can maximize profits substantially.
The threat actor list targeting financial institutions is varied. Cyber criminals and criminal gangs are the primary adversaries for these organizations, but they are not the only ones. Nation states have their own reasons to target financial institutions that do not include stealing money or customer data. Even nation state actors can “moonlight” in the criminal world as evidenced in the five Chinese People’s Liberation Army officers arrested by the Chinese government for hacking into U.S. companies.
Insiders can work with criminals or on their own to steal data or financial information. For example, a 2015 incident revealed how U.S.-based stock traders and Ukrainian hackers collaborated to make $100 million in illegal profits by stealing corporate press releases before they were released publicly. Even cyber activists have been known to target financial institutions for political/ideological reasons. From 2012-2013, hacktivists launched distributed denial-of-service attacks against several U.S. banks to protest an anti-Islam video posted on YouTube.
Being high-profile targets puts financial institutions at a distinct disadvantage as they must marry security with keeping business operations efficient, expeditious, and reliable. Hostile cyber actors have demonstrated keen insight into developing tactics, techniques, and procedures (TTPs) in order to increase the success rate of their operations. The adage, while cliché, remains true: attackers only have to gain entry once; organizations need to be vigilant and robust defensively all the time, a nearly impossible undertaking in this interconnected reality.
While there are myriad of threats that organizations need to be aware of, it is inconceivable that they will be able to address all security concerns with the same amount of dedicated financial, material, and personnel resources. A tailored risk management approach helps prioritize these concerns. Nevertheless, there are specific threats applicable to all financial institutions that should be addressed:
- Unencrypted Data: Financial institutions should have encryption policies in place that are manageable for the organization but also meet protection needs of its customers. As security technology will change and evolve over time, ensuring that an encryption policy adjusts accordingly is essential to maintaining a resilient security posture. Encryption should apply to e-mail transmissions but also for that sensitive data stored on financial institution systems. As mobile banking is increasingly adopted by consumers, encryption will play an even more prominent role in handling sensitive data particularly as mobile malware becomes more common. Encrypting data “at-rest” ensures that even if a device is stolen or compromised that data’s integrity is assured.
- Third Party Connections: Many financial institutions likely have connectivity with third-party partners. Indeed, a 2015 survey revealed that more than 40 percent of banking Chief Executive Officers saw joint ventures, strategic alliances, and informal collaborations as opportunities for growth. Managing third-party risk is essential for financial institutions via established compliance measures, regular testing, frequent auditing, and limiting network access are ways to narrow the threat aperture.
- Distributed Denial of Service (DDoS) Attacks: A 2015 report by Verizon found that DDoS attacks were the most common form of attack against financial services businesses, accounting for 32% of all attacks analyzed. These findings were consistent with an Arbor Networks report that found that 57% of financial institutions have experienced a DDoS attack – the highest of any sector. These attacks are used for extortion purposes, to impede business operations, or in some instances, as diversions to divert attention from more subtle exploitation operations occurring under the radar. Financial institutions need to develop a response plan to DDoS attacks that includes assesses DDoS risks, training individuals, and develop and test mitigation strategies.
- Spoofing/Phishing Attacks: Attackers have demonstrated their abilities to engage in spoofing attacks in which they hijacked financial institutions’ websites in order to steal login information. Typically, these two go hand in hand as the most polished phishing attacks seeking to compromise a user’s information will be a near-flawless e-mail rendition of that institution’s email message template, corporate logo, and seemingly legitimate URL that will direct the user to a spoofed institution site. Financial institutions can mitigate these types of attacks by 1) employing multi-factor authentication to bolster the security of user accounts, and 2) ensure that customers know the institutions business practices, customer notification process, and contact information to report suspicious e-mail messages.
A common question that keeps coming up is, should we already assume that networks are compromised? It’s not that networks are already compromised as much as they could be compromised whenever a cyber attacker has decided to make a victim of your organization. They have the luxury of time on their sides that can be used to learn about the organization and develop innovative and advanced TTPs against it.
The cost of breaches extends far beyond strictly financial considerations. Reputational loss and reduction in customer confidence can severely impact the long-term well-being of a financial institution ill prepared for the threats that they face. Each organization must develop a strategy that finds the right balance of security and business operational tempo. Knowing what those threats are, prioritizing them, and implementing mitigation strategies are essential for helping strike that balance.
This article was originally posted on CSO. Click here to view the original posting.