Financial services must change mindset to contain cyberattacks
Article by CyberArk EMEA VP Rich Turner
147 million. 150 million. 57 million. Big numbers, in any context. But when you consider that together, this 345 million represents the number of consumers affected by just three recent cyberattacks - on globally renowned names Equifax, Under Armour and Uber respectively - the widespread impact of cyber threats is potentially breathtaking.
Make no mistake, cybersecurity is now big business. Analysts predict that global spending on enterprise security will top $96 billion this year, an 8% rise from 2017. This is in no small part thanks to a turbulent 12 months which saw hacks on organisations of all shapes and sizes, and three global cyberattacks that were unprecedented in scale: WannaCry, Triton and NotPetya. With the impact of these attacks fresh in the memory, cyber security is finally on almost every company’s agenda.
Yet there is still a perception in many quarters that hacks are an exception to the rule. In fact, they now are the rule. Hackers’ skills are advancing at such a rate that it’s become impossible to completely prevent them from infiltrating a company’s networks. And given Verizon’s 2017 Data Breach Investigations Report reveals 90% of data breaches are motivated by financial gain or espionage, it’s no surprise that the financial services industry is a popular target for cyberattacks, as it handles more currency and transactions than any other sector.
With that in mind, it’s critical that organisations do everything they can to understand the new techniques that are evolving, and how they should react in the event of a successful attack. The bottom line: organisations must think like an attacker if attackers are to be kept at bay.
The Bangladesh Bank SWIFT hack in 2016 was the first to really demonstrate, on a global scale, the importance of surveillance. In that incident, a group of unknown hackers was able to use SWIFT credentials to infiltrate the bank’s trading operations completely undetected, sending dozens of fraudulent money transfer requests.
But they couldn’t siphon off money from the bank’s transactions straight away: they needed to sit undetected within the network and learn how transactions were conducted before they could start filling their pockets. Only a simple printer error and a typo prevented the theft of nearly $1 billion, as was their intention. They still got away with $81 million.
The incident demonstrated to hackers across the world that it was possible to steal data and money on a grand scale without an organisation noticing. In recent years financial services firms across the globe have therefore shifted their focus away from how to prevent attacks from penetrating the perimeter, and instead towards how to defeat hackers roaming within networks and protect their ‘crown jewels’. There is an increasing and realistic recognition that attackers can and will get in, with the emphasis now on how to contain them.
Essential to see red
Traditionally, many financial services firms have relied on penetration testing (PT) to discover potentially exploitable vulnerabilities. The theory goes that, by testing particular networks, systems or applications, organisations will be able to identify as many vulnerabilities as possible and ‘patch’ them to prevent attackers penetrating their network.
This practice alone is simply not sufficient to prevent hackers from gaining access to company servers; new techniques are constantly evolving which can discover previously hidden network vulnerabilities. It also presumes that, provided organisations react to the latest threats, attackers won’t be able to infiltrate their internal servers.
This is where ‘Red Teaming’ terminology – borrowed from the military – comes in. Put simply, in a cybersecurity context, red teaming means employing a team of ‘ethical hackers’ to simulate cyberattacks. The idea is for these hackers to act like an external attacker, penetrate company networks and remain undetected for as long as possible, while stealing valuable data and learning how to exploit company systems for monetary or intellectual gain.
By regularly undertaking this process themselves, organisations not only learn how vulnerable they are to an attack, but also establish how they would react in the event of one: locking down privileged accounts and preventing the loss of critical intellectual property (IP), as well as large sums of capital and precious consumer data. This is an exercise that helps organisations think as attackers do, and allows defence strategies to address the threat better and more effectively.
Negating the threat within
According to our Global Advanced Threat Landscape Report, financial services firms’ own employees still represent the greatest threat to companies’ IP, as many already possess the credentials to access confidential information. Rather than infiltrating company systems directly, many hackers are also targeting traders with methods such as ransomware and phishing, with a view to stealing their credentials and using them to navigate internal networks undetected.
One of the tools being used to help identify these hidden intruders is user behaviour analytics. These systems are designed to analyse the historical data logs of each individual user, including network and authentication logs collected and stored in log and information management systems, and to identify potentially malicious activity. The insights generated help organisations to regularly review the special privileges for each type of user and ensure, using privileged access security platforms, that each individual is only able to access the information required to perform their role, and no more.
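As an added illustration of the per-user baselining described above (example code written for this article, not part of the original text or any CyberArk product; the log lines, host names and role table are constructed), the script below builds a baseline of each user’s usual hosts and login hours from historical authentication logs, then scores new events against that baseline and against the user’s role entitlement:

```python
"""Toy user-behaviour-analytics pass over constructed authentication logs.
Builds a per-user baseline (hosts seen, login hours) and flags events that
deviate from it or touch systems outside the user's role entitlement."""
from collections import defaultdict
from datetime import datetime

# Constructed historical authentication logs: "timestamp user host"
HISTORY = """\
2018-03-01T08:55:00 alice trade-ws-01
2018-03-01T17:30:00 alice trade-ws-01
2018-03-02T09:05:00 alice trade-ws-02
2018-03-01T09:10:00 bob hr-app
2018-03-02T09:20:00 bob hr-app
""".splitlines()

# Constructed entitlement table: hosts each user's role is allowed to reach
ROLE_HOSTS = {
    "alice": {"trade-ws-01", "trade-ws-02", "trade-ws-03"},
    "bob": {"hr-app"},
}

def parse(line):
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host

def build_baseline(lines):
    """Per-user record of hosts logged into and hours of day seen."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in map(parse, lines):
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(ts.hour)
    return baseline

def score_event(line, baseline, role_hosts):
    """Return the reasons an event looks anomalous (empty list = normal)."""
    ts, user, host = parse(line)
    reasons = []
    b = baseline.get(user)
    if b is None:
        reasons.append("unknown user")
    else:
        if host not in b["hosts"]:
            reasons.append("new host")
        # Hours seen so far define the user's working window
        if not (min(b["hours"]) <= ts.hour <= max(b["hours"])):
            reasons.append("unusual hour")
    # Entitlement check is independent of history: the least-privilege review
    if host not in role_hosts.get(user, set()):
        reasons.append("outside role entitlement")
    return reasons
```

A real deployment would replace the hour window and host set with statistical models over far more signals, but the two checks shown are the ones the paragraph names: deviation from the user’s own history, and access beyond what the role requires.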
Machine identities are changing the game
With the introduction of the new Second Payment Services Directive (PSD2) this January, banks are required to open up their payments infrastructures and APIs to third parties, allowing major retailers and service providers such as Amazon or John Lewis to liaise directly with them and take payment from consumers’ accounts. Bypassing payment platforms like PayPal, or even the major credit card providers, through machine-to-machine authentication does, however, present a new attack surface for organisations.
Many have therefore adopted either a two-factor authentication or a token model to grant permissions to retail players offering goods and services, which gives them access to a customer’s background and allows them to manage the transaction themselves. However, there are concerns that authenticator apps requesting payments could be compromised, prompting calls for prospective suppliers to have a privileged access security strategy in place that is at least equivalent to the banks’ own, in order to prevent compromise.
The threat landscape is always evolving, and it moves faster for financial services than for almost any other sector. It’s critical that organisations are attuned to the latest developments in cyber security and understand the new techniques hackers are using to steal IP. Firms must adopt a ‘think like an attacker’ mindset, as failure to do so can not only prove immediately costly, but also cause irrevocable long-term damage to trusted relationships with customers, which is far more damaging than any one-off theft.