Securing the Digital Vault Comprehensively
Cybersecurity is a large and complex problem, and as more banking operations move into a digital environment, the threat will only grow. For banks to securely lock their doors and protect their assets and customers, they must protect their digital perimeters, authenticate legitimate users, respond to external threats and consistently probe systems for vulnerabilities.
Making matters even more complicated, the public nature of recent cyberattacks, including the December 2013 attacks on Target, has raised the profile of cybersecurity among consumers. In addition to actual losses, the reputational loss suffered by cybersecurity breaches can affect a bank’s long-term business prospects.
The threats can range widely in scope, including broad-based attacks on the IT network itself, focused attacks on individual accounts or employees, and the exploitation of vulnerabilities in mobile devices or cloud networks.
At RSA’s annual security conference in February, Art Gilliland, senior vice president and general manager for Enterprise Security Products at Palo Alto, Calif.-based Hewlett-Packard, explained that companies need to beat cybercriminals at their own game and “think like a bad guy.” He further described the lifecycle of a cyberattack, with each phase being conducted by a specialist in that specific area of cybercrime.
First, a criminal will research a target and build a profile. Next, that profile is sold to an infiltration specialist who builds a tool kit for breaching the target. That access point information is then sold to a criminal who breaks in and captures the data or information of interest. That data – often customer information or, for banks, financial data – is then sold on the black market or destroyed, depending on the criminal’s goals.
Understanding the primary tools cybercriminals use to pull off a breach helps financial institutions prioritize and focus their attention on the greatest risks. As cybercrime becomes more sophisticated, advanced persistent threats (APTs), mobile device breaches and Distributed Denial of Service (DDoS) attacks will pose the greatest threat to financial institutions. Let’s look at each in more detail:
The APT is a focused attack that is tailored to exploit a specific target, often a key executive or staff person who has access to valuable data. APTs are often conducted by crime groups with a sophisticated online presence aimed at causing major damage to consumers and institutions alike.
APT attacks are designed to stay quietly under the radar so that they may persist for long periods of time, and they are the most likely to include a variety of specialists to move the attack forward. The attack avenues for APTs can vary based on the sophistication of the bank’s security.
If an Internet browser isn’t patched or a firewall’s configuration is inadequate, these criminals will exploit those weaknesses to gain system access. They also can launch attacks from the inside-out through social engineering tactics or by sending malicious code to users that, when opened, spreads malware throughout the network. Many APTs will use these methods to gain access to your core system, because that’s where the financial data – and money – lives.
While technology can help identify unusual activity and flag suspicious issues, the real key to mitigating risks from APTs is education, for both employees and customers. Banks need to ensure that security training is refreshed regularly and encourage employees and users to incorporate advanced authentication protocols that are both multi-factor and multi-channel.
Turning to mobile device breaches: many organizations have adopted a Bring Your Own Device (BYOD) strategy, which is a convenient and productive approach for both the organization and the employee. However, special attention must be paid to the security risks involved. Most devices store company data of some sort. If a device is lost or stolen, a cybercriminal can compromise the confidential information on it in a variety of ways, including accessing email and customer records. Similarly, many of these devices have direct access into the bank’s corporate network, allowing the attacker to penetrate networks and intranets with little effort.
Another concern comes from the applications users download to their phone or tablet. Malware targeted at mobile devices is increasing, especially in the less-regulated app stores. Organizations must ensure that employee-owned devices meet all compliance requirements to guard against a security breach. This entails developing corporate policies that cover every aspect of BYOD. These should include a mobile device management policy under which the organization supports only specific devices that can be controlled through enforceable rules for complex passwords, encryption, patching and remote wiping.
DDoS attacks occur when an individual or organized group floods a target bank’s online system with a massive volume of traffic, overloading corporate bandwidth and making the service unavailable to legitimate users. The result is an outage of the networks that serve online banking, ATMs and other key online properties.
These attacks, which are not actually hacking, have primarily served to make a political statement or embarrass large institutions. However, there is a rising trend of attackers using a DDoS attack to distract a bank’s information security staff while they penetrate the network somewhere else. In these secondary attacks, the intruders exploit vulnerabilities in the network while employees and resources are deployed toward restoring service availability and addressing customers’ concerns about the DDoS outage.
Preventing a DDoS attack is difficult, but banks can take steps to minimize the success of an attack. First, establish a relationship with your Internet Service Provider (ISP). If the communication lines remain open, a DDoS attack can be identified quickly and headed off by the ISP. Financial institutions also can leverage web traffic trend analyses to determine where traffic is originating, particularly if large amounts are coming from outside the country.
If an attack does occur, banks should ensure that call center and customer-facing staff are informed and educated on how to react to the outages and reassure customers that their data and money are safe.
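The traffic trend analysis recommended above can be made concrete. The Python script below is an added illustration, not code from the article or from any vendor quoted in it: it reads constructed web server access log lines, buckets requests per minute, attributes each source address to a country through a constructed address table that stands in for a real GeoIP database, and flags any window whose request volume jumps well above the preceding baseline while most of the traffic originates outside the home country. The log lines, addresses, country codes and thresholds are all assumptions chosen for the example.

```python
"""
Web traffic trend analysis for DDoS early warning (added example).

Per-minute request volume is compared against the average of earlier
windows, and each window's share of out-of-country traffic is computed.
A window is flagged when volume spikes AND most traffic is foreign.
All inputs below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed CIDR -> country table (stand-in for a GeoIP database).
# TEST-NET ranges are used so no real network is implied.
GEO_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "US"),
    (ipaddress.ip_network("10.2.0.0/16"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "XA"),     # constructed foreign country
    (ipaddress.ip_network("198.51.100.0/24"), "XB"),  # constructed foreign country
]
HOME_COUNTRY = "US"

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def country_of(ip):
    """Map an address to a country code via the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def parse_line(line):
    """Parse one access log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, status = m.groups()
    return {"ip": host, "ts": datetime.strptime(ts, TS_FMT), "status": int(status)}


def bucket_by_minute(events):
    """Group parsed events into one-minute windows keyed by window start."""
    buckets = {}
    for e in events:
        start = e["ts"].replace(second=0, microsecond=0)
        buckets.setdefault(start, []).append(e)
    return dict(sorted(buckets.items()))


def analyse(lines, spike_factor=5.0, foreign_share_limit=0.6):
    """Return one finding per minute window; 'alert' is True on a suspected flood."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    buckets = bucket_by_minute(events)
    keys = list(buckets)
    findings = []
    for i, k in enumerate(keys):
        current = buckets[k]
        prior_counts = [len(buckets[p]) for p in keys[:i]]
        baseline = sum(prior_counts) / len(prior_counts) if prior_counts else None
        countries = Counter(country_of(e["ip"]) for e in current)
        foreign_share = 1 - countries[HOME_COUNTRY] / len(current)
        alert = bool(
            baseline is not None
            and len(current) >= spike_factor * baseline
            and foreign_share >= foreign_share_limit
        )
        findings.append({
            "window": k.isoformat(),
            "requests": len(current),
            "baseline": baseline,
            "foreign_share": foreign_share,
            "top_sources": Counter(e["ip"] for e in current).most_common(3),
            "alert": alert,
        })
    return findings


def make_line(ip, ts, status=200):
    """Build a constructed Common Log Format line."""
    return f'{ip} - - [{ts}] "GET /online-banking/login HTTP/1.1" {status} 512'


# Constructed sample: two quiet minutes of domestic traffic, then a flood
# minute dominated by the two constructed foreign ranges.
SAMPLE_LOG = (
    [make_line(f"10.1.0.{i}", f"04/Mar/2014:09:00:{i*10:02d} +0000") for i in range(1, 6)]
    + [make_line(f"10.2.0.{i}", f"04/Mar/2014:09:01:{i*10:02d} +0000") for i in range(1, 6)]
    + [make_line(f"192.0.2.{i+1}", f"04/Mar/2014:09:02:{i:02d} +0000") for i in range(30)]
    + [make_line(f"198.51.100.{i+1}", f"04/Mar/2014:09:02:{i*2:02d} +0000") for i in range(15)]
    + [make_line(f"10.1.0.{i}", f"04/Mar/2014:09:02:{i*10:02d} +0000") for i in range(1, 4)]
)

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        flag = "ALERT" if f["alert"] else "ok"
        print(f'{f["window"]} {flag:5} requests={f["requests"]} '
              f'foreign={f["foreign_share"]:.0%} top={f["top_sources"]}')
```

The two-condition rule matters: a volume spike alone also occurs on payday or after a marketing campaign, and foreign traffic alone is normal for customers travelling abroad, so only the combination is escalated to the ISP for upstream filtering. In production the constructed table would be replaced by a GeoIP lookup and the baseline by a longer rolling history.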
Comprehensive Security Framework
At the RSA conference, Stephen Trilling, senior vice president of Security Intelligence and Technology for the Atlanta-based Symantec Group, advised companies to quit thinking of security as separate functions and build a comprehensive framework that crosses divisional and operational lines. This way, a perimeter security program could share information on suspicious web traffic with the authentication system to ensure that complex attacks are stopped before they breach the network.
According to the Commerce Department’s National Institute of Standards and Technology February 2014 Cybersecurity Framework, a complete cybersecurity framework develops and implements activities in these five main categories:
- Identify: understand and manage cybersecurity risk to systems, assets, data and capabilities
- Protect: ensure appropriate safeguards for the delivery of critical infrastructure services
- Detect: identify the occurrence of a cybersecurity event
- Respond: take action regarding a detected cybersecurity event
- Recover: maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity event
While no security system is 100% foolproof, taking these initial steps can make your organization more difficult to breach and minimize the risk of loss in the event a criminal does break into your bank’s network.