This is the first article in a three-part series which investigates the top five threats to the data held by banks and financial institutions, and offers a fresh perspective on how the industry can make a fundamental shift away from failed perimeter
protection.
____________
The first step in developing a resilient cybersecurity posture is identifying what it is you are trying to protect. For most companies, that most valuable asset is data, and banks, which have always been laboratories of innovation, are on the leading edge
of data-driven enterprise. Whether customer data, information on lending activity, or assets and liabilities, banking relies on it to operate and grow.
In the court of public opinion, banks and financial services firms are a prime target of cyber criminals whose activities are frequently reported in the headlines. Just in the last few months, we have seen hackers access the access the personal information
of more than 100 million credit card customers and applicants at Capital One, and Citigroup experienced breach that compromised the personal information of about 200,000 of their North American Citi-branded credit card customers.
The number is hard to pin down, but a study released last year by
Accenture examined the security posture of 30 major banking applications. Each of them had at least one known security risk, and a quarter of them were revealed to have at least one flaw that is considered “high-risk.”
Insecure data storage topped the list of vulnerabilities, along with exposure to code tampering and insecure authentication. Besides the enormous economic risk and threat of regulatory response, data breaches--or even the perception of vulnerability to in
the court of public opinion, leads directly to loss of reputation and diminished trust.
All of the Worst Threat Scenarios Involve Privileged Access
Whether through intentional malicious acts or simple negligence, the people with access to the data held by banks are the biggest threat to data security and privacy. The so-called “insider threat” is very real.
Major cyber attacks have been traced directly to vulnerabilities in shared banking systems and third-party networks. For example, the well-publicized Scottrade data breach in 2017 was caused by a professional services vendor, while criminals
stole
$81 million from Bangladesh Bank the previous year by exploiting a vulnerability in SWIFT.
Banks, as a result, are the subject of greater scrutiny by regulators according to a
report that points out the convoluted and complex patchwork of testing and mandates that firms need to respond to. Banks have to deal with a growing corpus of reporting and questions
from multiple regulators who are looking for weaknesses in a cybersecurity posture.
As banks expand their internal cybersecurity operations to protect the critical data resources on which they run, the financial system is under unrelenting assault from internal threats. Kaspersky Lab revealed that financial services firms spend $1,436 per
employee on cybersecurity, even as data security threats seem to be everywhere and growing. Even the most hardened, off-the-grid security experts acknowledge that it is impossible to be totally secure. Developing a security strategy that identifies and addresses
the most significant, and most likely, threats to bank-held data is vital in a world where data itself is money.
Threat 1. Guessed and Stolen Credentials
Obtaining user passwords is one of the most common ways cyber criminals breach security defenses. A data breach investigations report by Verizon
found the number of data breaches involving weak or stolen passwords rose to 81 percent, a more than 60 percent increase over a period of two years.
Using brute force or dictionary attacks – or simply peering over someone’s shoulder – hackers essentially “guess” user passwords based on their knowledge of password habits and open-source intelligence. This is especially true for weak passwords which continue
to be used, despite repeated advice to the public, across multiple applications and platforms. In a recent
survey on the subject, more than half admitted using the same password for multiple online logins.
Even strong passwords can be compromised. Cybersecurity expert Troy Hunt, who maintains the Pwned Passwords database,
notes that once a password or passphrase is exposed by a data breach, it is no longer secure. His database includes more than half a billion compromised passwords, some of which are demonstrably “strong”.
Cyber criminals are constantly probing the vulnerabilities of banking infrastructure,
according cybersecurity journalist Brian Krebs, and frequently use massive lists of email addresses and passwords stolen from other websites and then systematically try to see if they’ll work with their bank targets.
Perpetrators are also adept at manipulating credentialed users into giving away passwords through phishing and spear-phishing campaigns. That email from the CEO asking to reschedule the quarterly board meeting? It might not be all it seems. A phishing campaign
in January followed this
template, and is just one way malicious entities attempt to steal credentials in order to gain illicit data-access.
Securing passwords is no easy task. Attackers put a great deal of effort into these campaigns, making the phishing websites look almost identical to legitimate sites. Even after security awareness and phishing identification training programs,
users still click on one out of every four phishing emails that hit their inbox. Security “strength” indicators are also weak tools for measuring actual password strength. In one stunning example shared by system and security administrator Aaron Toponce,
the password geyps5aykj0q71c637n9g14ycg is considered weak, while Password123! is considered strong.
To overcome this threat, banks are increasingly turning to technology that recognizes unusual behavior when it comes to data consumption by users, instead of relying entirely on passwords to secure data. Newer “programmable” tools that embed data security
and governance into the critical path between credentialed users and the data itself provide businesses with the ability to prevent breaches in real-time by slowing down or blocking the flow of data when consumption of that data exceeds set thresholds at the
application or user level.
This Programmable Data Security approach enforces protections at the application layer to protect against scenarios when password protection fails. In addition, as banks look to meet the rising regulatory challenge, they need a completely tamperproof audit
log of all data anomalies, administrative actions, and resolutions. This type of monitoring can also be produced by in-line tools and protected in tamper-resistant data stores.
____________
The next article in this series will examine the weaknesses in protecting private data by controlling access at the application level, and how banks can thwart private data exposure and theft using privileged database access.