“The threat of cybersecurity may very well be the biggest threat to the U.S. financial system.”
So wrote JPMorgan Chase CEO Jamie Dimon in a letter to shareholders earlier this year. He went on to say his company spends $600 million annually and employs 3,000 personnel dedicated to cybersecurity.
JPMorgan Chase isn’t alone. Financial institutions spend an average of 0.3% of revenue and 10% of their IT budget on cybersecurity, according to numbers tallied by the consulting firm Deloitte. That works out to about $2,300 per employee.
There’s good reason for that level of investment, too: by the end of 2018, the finance and insurance sector was “the most-attacked industry for three years in a row,” according to the IBM X-Force Threat Intelligence Index. The same report says the sector accounted for 19% of the total incidents and attacks across all vertical markets that year.
There’s ample evidence to suggest that upward swing hasn’t slowed – but what exactly are the cyber threats facing financial services? We recently pored over several in-depth studies for a review, and here’s what we found.
1) Phishing, stolen creds and privileged misuse.
About 10% of the 2,013 breaches examined in the 2019 Data Breach Investigations Report by Verizon stemmed from the financial services industry. The top methods of attack were a) compromised web applications through a combination of phishing and stolen credentials, and b) privileged misuse. The report spelled out some of the interplay between phishing and stolen creds:
“Adversaries are utilizing social engineering tactics on users and tricking them into providing their web-based email creds. That is followed by the use of those stolen credentials to access the mail account. There are also breaches where the method of mail server compromise was not known, but the account was known to have been used to send phishing emails to colleagues. So, while the specific action of phishing is directed at a human (as, by definition, social attacks are), it often precedes or follows a mail server compromise. And there is no law that states that phishing cannot both precede and follow the access into the mail account (there are laws against phishing, however).”
In terms of adversaries, nearly three quarters (72%) of the threat actors involved in attacks on financial services were external, 36% were internal and about 2% were traced to partners. These categories overlap: the report indicates 10% of the breaches involved “multiple parties.”
The Verizon team emphasized fundamentals in the report as a key step toward mitigating the risks. First, it recommends two-factor authentication (2FA) for “everything,” including customers and partners. Second, while banks and other financial institutions can’t control the actions of customers, “spreading a little security awareness their way can’t hurt.”
With regard to privileged misuse, the report notes “details were light” on the 45 breaches attributed to that threat, “but tried and true controls are still relevant.” More specifically, the report suggests monitoring and logging access to financial data “and make it quite clear to staff that it is being done and just how good you are at recognizing fraudulent transactions.”
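To make the “monitor and log access to financial data” advice concrete, here is an added example (not code from the Verizon report or from Bricata) that runs a few privileged-misuse checks over constructed access-log lines. The log format, role names, business-hours window and bulk threshold are all assumptions chosen for the illustration.

```python
# Added example: flag privileged-misuse signals in constructed access-log lines
# for financial data. Format, field names and thresholds are assumptions, not
# any real product's output or any bank's actual baseline.
from datetime import datetime

# Constructed sample log lines: timestamp, user, role, action, record_count
SAMPLE_LOG = """\
2019-06-03T09:12:44Z alice teller VIEW_ACCOUNT 3
2019-06-03T09:40:10Z alice teller VIEW_ACCOUNT 2
2019-06-03T10:05:31Z bob dba EXPORT_ACCOUNTS 15000
2019-06-03T23:47:02Z carol teller VIEW_ACCOUNT 4
2019-06-03T02:15:09Z bob dba VIEW_ACCOUNT 1
2019-06-03T11:00:00Z dave analyst VIEW_ACCOUNT 40
"""

BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 UTC, assumed baseline
BULK_THRESHOLD = 1000                # records per single event, assumed baseline
PRIVILEGED_ROLES = {"dba", "admin"}  # roles with broad access to financial data

def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, role, action, count = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "action": action, "count": int(count)}

def find_misuse_signals(log_text):
    """Return (user, reason) tuples for events an analyst should review:
    off-hours access, bulk reads, and exports by privileged accounts."""
    signals = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["ts"].hour not in BUSINESS_HOURS:
            signals.append((ev["user"], f"off-hours access at {ev['ts']:%H:%M}Z"))
        if ev["count"] >= BULK_THRESHOLD:
            signals.append((ev["user"], f"bulk {ev['action']} of {ev['count']} records"))
        if ev["role"] in PRIVILEGED_ROLES and ev["action"].startswith("EXPORT"):
            signals.append((ev["user"], "privileged account exporting financial data"))
    return signals
```

Each signal names the account, which is what makes the “staff know it is being monitored” deterrent the report describes credible in practice.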
2) Complex attacks with a combination of threats.
The Microsoft Detection and Response Team (DART) outlined a case study for what it called “one of the more destructive incidents” in the 2018 Microsoft Security and Intelligence Report by Microsoft Security. It detailed a state-sponsored advanced persistent threat (APT) that hit several financial services institutions:
“This APT gained administrative access after infecting a patient zero machine with a highly targeted, obfuscated backdoor implant, possibly delivered via a spear phishing email. Subsequently, the APT executed multiple fraudulent transactions, transferring large sums of cash into foreign bank accounts. In some cases, the attacker remained undetected for more than 100 days. After the attacker realized they were detected, the attacker rapidly deployed a pre-staged attack, delivering destructive malware to more than half of the systems in the environment; these customers’ operations were shut down for several days.”
The case study underscored three lessons from this attack: patching and keeping systems up to date, maintaining a system to back up data for recovery, and avoiding over-reliance on antivirus for detection.
3) Too many tools firing too many alerts.
A 2017 survey of banks conducted by the market research firm Ovum found about 40% of banks get 160,000 duplicate, irrelevant, or erroneous cybersecurity alerts every day. These alerts are generated from an array of tools – about three-quarters (73%) of firms are running 25 or more tools.
Most of these tools are not interoperable – a fact that ranked among the top challenges facing security teams across vertical markets, according to research we conducted a year later.
More recent data from the 2019 IBM X-Force Threat Intelligence Index, focused on financial services institutions, supports the notion that ‘too many tools’ is still a sizable challenge that has yet to be resolved. A piece posted to the IBM Security Intelligence blog, citing the report, highlighted the problem of “disparate tools.”
According to the post:
“Many institutions have numerous, siloed security tools that add complexity rather than providing insight. When these tools don’t integrate or communicate efficiently, they don’t provide the visibility security teams need to establish seamless, holistic protection, which is required to keep up with today’s threats.”
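The Ovum figure above (160,000 duplicate, irrelevant or erroneous alerts a day from 25 or more tools) is largely a normalization problem. As an added example, not code from any of the reports cited or from Bricata, the block below takes alerts from two constructed tool formats (one JSON lines, one CSV), maps them to one schema and collapses alerts that describe the same source, destination and signature within a five-minute window. The formats, field names and window are assumptions for the illustration.

```python
# Added example: normalize alerts from two constructed tool formats into one
# schema and collapse duplicates within a time window. Field names, formats and
# the window size are assumptions, not any vendor's real output.
import json
from datetime import datetime, timedelta

# Constructed sample: tool A emits JSON lines, tool B emits CSV lines.
TOOL_A_JSON = """\
{"time": "2019-06-03T10:00:01Z", "src": "10.1.1.5", "dst": "10.2.2.9", "sig": "SQLi attempt"}
{"time": "2019-06-03T10:00:09Z", "src": "10.1.1.5", "dst": "10.2.2.9", "sig": "SQLi attempt"}
{"time": "2019-06-03T10:20:00Z", "src": "10.1.1.5", "dst": "10.2.2.9", "sig": "SQLi attempt"}
"""
TOOL_B_CSV = """\
2019-06-03T10:00:05Z,10.1.1.5,10.2.2.9,SQLI ATTEMPT
2019-06-03T10:00:30Z,10.1.1.7,10.2.2.9,Cleartext credentials
"""

def parse_tool_a(text):
    """Tool A: one JSON object per line; signature names are case-folded."""
    for line in text.splitlines():
        rec = json.loads(line)
        yield {"ts": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
               "src": rec["src"], "dst": rec["dst"], "sig": rec["sig"].lower(), "tool": "A"}

def parse_tool_b(text):
    """Tool B: comma-separated time,src,dst,signature; same common schema out."""
    for line in text.splitlines():
        ts, src, dst, sig = line.split(",")
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               "src": src, "dst": dst, "sig": sig.lower(), "tool": "B"}

def dedupe(alerts, window=timedelta(minutes=5)):
    """Collapse alerts sharing (src, dst, sig) within `window` of the first one seen.
    Each survivor carries a 'count' and the set of tools that reported it."""
    survivors = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for s in survivors:
            same_key = (s["src"], s["dst"], s["sig"]) == (a["src"], a["dst"], a["sig"])
            if same_key and a["ts"] - s["ts"] <= window:
                s["count"] += 1
                s["tools"].add(a["tool"])
                break
        else:  # no survivor matched: this alert starts a new group
            survivors.append({**a, "count": 1, "tools": {a["tool"]}})
    return survivors

def dedupe_all():
    """Run both parsers over the constructed samples and return the collapsed alerts."""
    alerts = list(parse_tool_a(TOOL_A_JSON)) + list(parse_tool_b(TOOL_B_CSV))
    return dedupe(alerts)
```

Five raw alerts become three, and the surviving SQL-injection alert records that both tools saw it, which is the cross-tool corroboration siloed consoles cannot provide.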
4) Vulnerabilities revealed in pentests of banks.
Positive Technologies, a London-based firm that, among other services, provides penetration testing, published a report on bank attacks in 2018, based on three years of analysis of financial institutions.
The firm sees a wide range of “attacks on interbank transfers, card processing, ATM management, e-banking, and payment gateways.” Further, its testing identified vulnerabilities in web applications, network security and server configuration, as well as password management deficiencies.
While the “network perimeter of banks is much better protected than in other industries,” the firm was able to breach the network perimeter in external pentesting at 22% of the banks it examined. The top vulnerabilities it discovered and reported were:
- 67% of banks tested had outdated software;
- 58% of banks tested stored sensitive data in clear text;
- 58% of banks tested used dictionary passwords;
- 58% of banks tested used insecure data transfer protocols;
- 50% of banks tested showed flaws in “remote access and control interfaces available to any internet user;”
- 33% of banks tested had flaws in anti-DNS pinning; and
- 33% of banks tested were vulnerable to SQL injections.
It wasn’t just the perimeter where the firm found concerns: pentesters found similar vulnerabilities within the internal network security at banks too. On the inside, however, the same vulnerabilities appear to carry much more risk, as Positive Technologies says it was able to gain “full control over infrastructure” at 100% of the banks it tested this way.
5) Evolution of cyber threats of the future.
A report by Accenture didn’t provide a ranking of the top threats per se, but it gives us a glimpse of what its threat intelligence team assesses is on the horizon. In a report titled Future Cyber Threats: Extreme but Plausible Scenarios in Financial Services, the consulting firm cites the present and possible future state of five key threats:
- Credential and identity theft will evolve from payment utility fraud, carding, and account takeover (ATO) and synthetic IDs to become multiparty credential compromises;
- Data theft and manipulation will evolve from strategic collection of material and nonpublic information, to data theft and manipulation to advance fraud and disinformation campaigns;
- Disruptive and destructive malware will evolve from ransomware and wipers to focused destruction and disruption of key financial systems;
- Emerging technologies such as blockchain, cryptocurrency and AI will evolve from use in cryptocurrency fraud and hyper-ledger targeting to adversarial artificial intelligence;
- Disinformation operations will evolve from election interference and hacktivism to large-scale, targeted market manipulation. It’s worth pointing out here that in a separate report, the firm writes that high-frequency trading algorithms are especially vulnerable to disinformation.
The report suggests these future threats should be considered together rather than in isolation because “these five threats are likely to overlap and intersect” which could “create the right conditions for new classes of cyberattacks.”
* * *
Note: Bricata has simplified the four critical capabilities financial services companies need for comprehensive network protection: visibility, threat detection, threat hunting, and post-detection actions. If you’d like to see our solution in action, you are welcome to schedule a live demonstration.