Mind the Cyber Gap! Challenges for the Financial Services Industry
2019 is not looking great so far in terms of cybersecurity – a report identified that, for the first half of the year, there were 54% more data breaches than in the same period last year. With little time left, there is hardly an expectation that the trend will reverse, and in response businesses and governments around the world are preparing to weather new storms by increasing cybersecurity spending by an estimated 8.7% this year across the entire industry. However, the real “growth” is in the annual financial losses caused by cybercrime – they are well on track to reach the token figure of $2 trillion in 2019 and are expected to surge to the eye-watering sum of $6 trillion in 2021, all of this against the decidedly gloomy backdrop of a severe skilled-worker shortage. Welcome to the Cyber Gap.
Security experts in the financial services sector are hardly strangers to these facts and statistics – pressure on the sector has been steadily rising for quite some time now. It feels as if companies have been plunged into navigating the strait between Scylla and Charybdis. On one side, attackers have clearly demonstrated an escalating degree of sophistication, proficiency and cost-efficiency in their malicious campaigns, demanding increased security spending; on the other, non-banking Fintech companies lead the innovation “arms race”, spearheading the adoption and deployment of untested technologies and business models while often avoiding the weight of the anchor – legal and standards compliance.
The battle for securing the IT of the financial world rages on (at least) three fronts: protecting the end-user, preventing large-scale instances of “CEO fraud” and, of course, defending its own IT footprint, be it in terms of internal or customer-facing systems. Let’s take a look at these battlefronts:
The end-user is truly at the bottom of the food chain of the digital security world – preyed upon by all malicious actors and unequipped to respond. Often less interested in their own cybersecurity than the providers they share their data with, and severely limited in their attempts to improve it by an under-developed market, the user finds solace mostly in the knowledge that their data is “not alone” – any competent malicious campaign will harvest the data of thousands, if not millions, of victims with regrettable certainty. The targets of such attacks are usually either large data stores containing monetizable information – credit card numbers (e.g. the MoviePass breach), wire transfer records, pictures of driver’s licenses (e.g. the Capital One and First American Corp breaches) – or the personal devices used to access e-banking or m-banking services.
While financial services providers cannot directly address third-party breaches, thorough and robust authentication requirements are necessary to prevent stolen data from being turned into successful account takeover. A typical negative example is the preference for SMS as the second authentication factor, even though the underlying SS7 signalling protocol has publicly documented vulnerabilities that were observed being exploited in the wild in exactly this context as early as 2017.
The other major target – end-user devices – is also under constant threat, as demonstrated by the resurgence of the Emotet botnet/dropper, which uses Word macros in spoofed email messages as the delivery mechanism for other, even more sinister malicious code. Again, without any direct means of control over the device, the financial service provider is forced into the position of trying to detect outlier transactions, which are usually attempted long before the user is aware of the compromise.
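As an added example (not from the article), here is a minimal version of the outlier check a provider might run before releasing a transfer, in Python. It compares the amount against the customer's own history using a median/MAD rule, which a single earlier fraudulent payment cannot skew the way a mean/standard-deviation rule can, and it flags beneficiaries and countries the customer has never paid before. The history and transactions are constructed sample data; field names and rule labels are the example's own.

```python
import statistics
from typing import Dict, List

# Constructed payment history for one hypothetical customer (not real data).
HISTORY = [
    {"amount": 45.0,  "beneficiary": "DE-VENDOR-01", "country": "DE"},
    {"amount": 60.0,  "beneficiary": "DE-VENDOR-02", "country": "DE"},
    {"amount": 52.0,  "beneficiary": "DE-VENDOR-01", "country": "DE"},
    {"amount": 110.0, "beneficiary": "AT-VENDOR-03", "country": "AT"},
    {"amount": 75.0,  "beneficiary": "DE-VENDOR-02", "country": "DE"},
    {"amount": 80.0,  "beneficiary": "DE-VENDOR-01", "country": "DE"},
    {"amount": 95.0,  "beneficiary": "DE-VENDOR-02", "country": "DE"},
    {"amount": 66.0,  "beneficiary": "DE-VENDOR-01", "country": "DE"},
    {"amount": 58.0,  "beneficiary": "AT-VENDOR-03", "country": "AT"},
    {"amount": 120.0, "beneficiary": "DE-VENDOR-02", "country": "DE"},
]
# Constructed incoming transactions: one that should be held, one that should pass.
OUTLIER_TXN = {"amount": 9500.0, "beneficiary": "LT-NEW-77", "country": "LT"}
NORMAL_TXN = {"amount": 90.0, "beneficiary": "DE-VENDOR-01", "country": "DE"}


def robust_amount_threshold(amounts: List[float], k: float = 3.0) -> float:
    """median + k * scaled MAD. The 1.4826 factor makes the MAD comparable to a
    standard deviation for normally distributed data; unlike the mean/stdev,
    one huge historical outlier barely moves the median or the MAD."""
    med = statistics.median(amounts)
    mad = statistics.median(abs(a - med) for a in amounts)
    if mad == 0:
        mad = 0.1 * abs(med)  # constant history: fall back to 10% of the median
    return med + k * 1.4826 * mad


def score_transaction(history: List[Dict], txn: Dict, min_history: int = 5) -> List[str]:
    """Return the list of rules the transaction trips; an empty list means
    nothing about it is unusual relative to this customer's history."""
    reasons = []
    # Too little history makes any statistical threshold meaningless, so the
    # amount rule is only applied once min_history payments are known.
    if len(history) >= min_history:
        if txn["amount"] > robust_amount_threshold([h["amount"] for h in history]):
            reasons.append("amount_outlier")
    if txn["beneficiary"] not in {h["beneficiary"] for h in history}:
        reasons.append("new_beneficiary")
    if txn["country"] not in {h["country"] for h in history}:
        reasons.append("new_country")
    return reasons


if __name__ == "__main__":
    print("threshold:", round(robust_amount_threshold([h["amount"] for h in HISTORY]), 2))
    print("outlier:", score_transaction(HISTORY, OUTLIER_TXN))  # all three rules
    print("normal:", score_transaction(HISTORY, NORMAL_TXN))    # []
```

In practice the per-customer baseline would be kept in a feature store and the rule output fed into a step-up authentication or manual review queue rather than a hard block, since most customers occasionally pay a new beneficiary legitimately.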
Large-scale “CEO fraud” attacks also remain immensely popular, at least in part because of their relatively high efficiency and their ‘blitz’ format. The attackers’ MO follows a tight script: the victims are businesses with a pre-established level of trust (usually a direct customer/vendor relationship) and a history of settling payments by large wire transfers. The attackers gain access to previous email communications and are thus able to impersonate the vendor convincingly, reproducing the established tone of communication (formal, friendly, …); email spoofing techniques then give them the opportunity to forge a spear-phishing letter demanding or requesting the redirection of a due invoice, often in the name of a person of authority such as a CEO (hence the name). This attack type was leveraged very successfully by the group APT38 over the last few years, resulting in the theft of an estimated $100 million.
Of course, a company’s own IT security is always paramount when cybersecurity posture is measured, and with good reason – handing over the keys to the kingdom is never a good security recipe. In practice, data breaches often originate from configuration management failures (missing critical security patches, outright absent access control, untracked vulnerable dependencies, etc.) or, more rarely, from insider threats. While “knowing who to trust” has been an essential question since the dawn of finance, IT operations configuration management at scale is a decidedly newer problem. To address it, experts agree in recommending a strong focus on monitoring and detection – after all, most breaches are detected more than 6 months later. A modern enterprise cybersecurity setup includes a Security Information and Event Management (SIEM) product, collecting and analyzing logs in real time, as well as a Security Operations Center (SOC) team, whether outsourced or in-house, able to defuse brewing crises and prevent the privilege escalation of an already active attacker.
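An added illustration (not part of the original text) of the kind of correlation rule a SIEM runs over authentication logs: the Python below parses constructed sshd-style log lines (source addresses from the RFC 5737 documentation ranges, not real hosts) and raises an alert when one source address produces a burst of failed logins followed by a successful one within a short window, the pattern that typically precedes an attacker's first foothold and later privilege escalation. The log format, the threshold and the function names are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines (not from any real system); 203.0.113.0/24 and
# 198.51.100.0/24 are the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-10-02T08:00:01Z auth-gw sshd[1201]: Failed password for svc_backup from 203.0.113.45 port 51022
2019-10-02T08:00:03Z auth-gw sshd[1201]: Failed password for svc_backup from 203.0.113.45 port 51023
2019-10-02T08:00:04Z auth-gw sshd[1201]: Failed password for svc_backup from 203.0.113.45 port 51024
2019-10-02T08:00:06Z auth-gw sshd[1201]: Failed password for svc_backup from 203.0.113.45 port 51025
2019-10-02T08:00:07Z auth-gw sshd[1201]: Failed password for svc_backup from 203.0.113.45 port 51026
2019-10-02T08:00:09Z auth-gw sshd[1201]: Accepted password for svc_backup from 203.0.113.45 port 51027
2019-10-02T08:05:00Z auth-gw sshd[1202]: Failed password for jdoe from 198.51.100.7 port 40001
2019-10-02T08:05:20Z auth-gw sshd[1202]: Accepted password for jdoe from 198.51.100.7 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(text: str) -> List[Dict]:
    """Turn raw log lines into structured events; lines that do not match the
    expected format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "success": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce_success(events: List[Dict], threshold: int = 5,
                              window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert when a source address logs in successfully after at least
    `threshold` failures within `window`. Failures older than the window are
    dropped from the per-source queue so a slow trickle of typos does not
    accumulate into a false positive."""
    recent_failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["success"]:
            if len(q) >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()  # a success ends the current burst for this source
        else:
            q.append(ev["ts"])
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(parse_events(SAMPLE_LOG)):
        print("ALERT:", alert)  # one alert, for 203.0.113.45 / svc_backup
```

A real SIEM rule would also enrich the alert (is the source address known, is the account a service account that should never log in interactively) and hand it to the SOC for containment before the session is used for anything further.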
So how does a financial services company survive the jump over the cyber gap? Advice is hardly uniform, but most experts agree on several points: address cyber at the strategic level; invest in experts and culture as well as in tools; and finally, test, test, test – internal QA and security, third-party pentests and even bug bounty programs. As to your cyber strategy – in a word, the current paradigm is resilience, but that, as they say, is a story for another time.
CyResLab ESI CEE