You may think that the threat of an electronic attack on your business is receding; you’d be wrong. Attackers are just getting smarter. But organizations in the finance and insurance industry face some unique challenges with regard to information protection.
My previous article flagged the key three threat patterns that covered 75 percent of security incidents experienced by financial services organizations – findings resulting from the Verizon 2014 Data Breach Investigations Report. These were – Web Applications (web app), Denial of service (DOS) and skimming.
Now let’s take a look at these separately and go into the finer details of how this information can assist financial organizations in the ongoing fight against cybercrime.
Attack #1 – web app
Financial companies increasingly rely on web-based tools to deliver their services. From personal and corporate banking to insurance, payments and trading, most banking services are now accessible through the browser. This makes them extremely vulnerable to web-based attacks.
In the wake of the financial crisis, there is still a lot of ill-will toward banks and other financial institutions and this can explain why, in our 2014 dataset, just under two out of every three web app attacks were attributable to activist groups driven by ideology. These attacks have more to do with causing disruption and damage than with stealing payment card data.
What can you do?
- Use multi-factor authentication. This should not just be applied to customers but for all administrative access.
- Consider switching to a static CMS. Instead of executing code to generate the content for every request, pre-generate pages to reduce the opportunity for exploits.
- Enforce lockout policies. Locking accounts after repeated failed login attempts will help to thwart brute-force attacks.
- Monitor outbound connections. Unless a company’s server has a good reason to send millions of packets to a foreign government’s systems, lock down the server’s ability to do so.
Attack #2 - DOS
The scale of DOS attacks has gone up 115% since 2011, as attackers have refined their methods. In the past, malware was often used to co-opt the PCs of unwitting home users into the criminal’s botnet. Now, attackers are targeting servers. These are more powerful and have high-bandwidth connections, allowing the attacker to mount much bigger attacks.
While DOS attacks are rarely connected to attempts to steal data, they can still be extremely damaging to a company’s reputation and business operations. DOS attacks can take down online banking, quoting and policy management trading platforms, even internal systems that might be exposed to the Internet. The impact of these systems going down for an hour, let alone a day, the costs of lost productivity and time spent on remediation can be enormous.
What can you do?
- Segregate key assets. Keep the most important systems on separate network circuits so they won’t be compromised by an attack targeting other servers.
- Test anti-DOS services. Don’t install-and-forget about them.
- Have a plan. Key operations teams need to know how to react if there is an attack. Organizations should also have a backup plan in case their primary anti-DOS service doesn’t work.
Attack #3 - Skimming
The organized criminal groups responsible for skimming attacks are getting extremely sophisticated in their tactics — some use 3D-printing technology to create replicas of ATM fascias that are incredibly difficult to tell from the real thing. These can be installed in seconds, and wirelessly send card details back to the criminals. As a result, most breaches are only detected after customers notice fraudulent activity on their accounts. But there are still actions organizations can take to defend against these attacks.
What can you do?
- Use tamper-resistant terminals. ATMs are increasingly designed with this in mind and most can be retrofitted.
- Use tamper-evident controls. Automated video monitoring can detect visual anomalies.
- Encourage users to be vigilant. Have them report their concerns immediately.
- Inspect ATMs frequently. Have staff inspect ATMs as often as possible to reduce the window in which a skimmer could be in place.
Remember -- No one is immune from a data breach.
The battle against cybercrime is one that is still in progress, and attackers have their eyes firmly on the prize of the rich data that financial institutions hold. Combine this with the longer time it is taking organizations to identify compromises– often weeks or months, compared with the minutes or hours it takes to be infiltrated – then more targeted action needs to be taken.
In a nutshell, be on the offensive and not the defensive as cybercrime certainly exists. Don’t believe for an instant that it will go away.
For more information on Verizon’s security leadership, click here.
If you have any non-media related inquiries our experts are available to help you discuss your organization’s security needs. To speak with a security expert at Verizon, contact SecuritySolutionsContact@verizon.com.