“…the financial services industry continually has the highest cost of cybercrime,”– Chris Thompson, Global Security and Resilience Lead – Financial Services, Accenture Security
Cybersecurity has become everyone’s problem because no one is immune to attacks, and just like a line of dominos, when one person or organization falls, it can compromise the security of everything it’s connected to. That said, some organizations are far more interesting and lucrative than others as cyberattack targets. Over the last few years, bad guys have increased their assaults on large businesses in general and financial institutions in particular. Why? The reason is the same as when Willie Sutton, a bank robber in the 1920s and 1930s, was asked why he robbed banks; he replied, “because that’s where the money is.”
Since attacking consumers directly, compared to big businesses and financial organizations, is a lot more work with a much smaller payoff, we’ve seen a steady decline, for example, in the use of banking malware to steal user credentials. According to Kaspersky, an anti-malware security vendor, the number of banking malware detections has declined from 773,943 in 2019 to 625,364 in 2020 – almost a 20 percent drop.
Another factor has been the changing opportunities for cyberattacks: the combination of 2020’s explosion of remote working and the consequent chaos that went with it as businesses adapted to the new environment meant that scammers and hackers had a whole host of new attack vectors. Many of the previously regional or national hacking collaboratives went international and commercial and, as a result, a whole new catalog of tools and techniques that simplified launching malware attacks became available to a worldwide audience of bad actors.
Boston Consulting Group’s 2020 study found that banking and financial institutions are 300 times more at risk of a cyberattack than other companies while an Accenture study found that “the average annualized cost of cybercrime for financial services companies globally has increased to US$18.5 million — the highest of all industries included in the study and more than 40 percent higher than the average cost of US$13 million per firm across all industries.”
Recent Cybersecurity Attacks
Recent examples of how extensive and disruptive malware attacks have become include cyberattacks carried out against Colonial Pipeline, a fuel pipeline operator that supplies roughly 45 percent of the fuel consumed on the U.S. east coast, and JBS, the world’s largest meat processor which supplies over 20 percent of U.S. beef. Both companies were recently shut down by ransomware using what amounts to low cost, shrink-wrapped malware available from black markets on the Dark Web.
While cyberattacks on infrastructure businesses such as fuel distribution and food products are a big concern, the financial sector is an even bigger threat to our economy due to amplification factor where the breach of a single vendor or service provider impacts many customers. Consider the 2017 Equifax breach that affected 143 million consumers. The hackers got into Equifax’s system through a consumer complaint portal via a known software vulnerability that hadn’t been patched.
The attack would have ended there except that Equifax internal systems weren’t isolated from one another, so the attackers were able to jump from their entry point to other, more valuable servers. Finally, because Equifax had failed to renew an encryption certificate on one of its internal security tools, the attackers were able to exfiltrate data out of the network in an encrypted form which went undetected for several months.
While the Equifax attack was successful due to poor network management and design, malware and ransomware attacks are becoming far more commonplace due to other systemic weaknesses. Bluevoyant, a cybersecurity company, commissioned a global survey of cyber risk from 253 CIOs, CISOs and CPOs in the financial services industry and found that:
- 85% have suffered a breach because of weaknesses in their supply chain in the last 12 months
- 38% use supplier risk data and analytics in their third-party cyber risk management program
- 38% audit and report third-party cyber risk every six months or less frequently
- 89% have seen increases in their cyber risk management budget in the past 12 months.
Risks of the Future
Although “traditional” methods for compromising the security of targets are still used – this includes brute force attacks, exploits based on known weaknesses, etc. – the majority of incursions are now mediated by phishing and, most critically, targeted phishing attacks (also called “spear-phishing”) along with the introduction of increasingly sophisticated malware.
For example, recently, we’ve witnessed the next evolutionary stage of the Necro Python bot, a Python-based self-replicating, polymorphic bot that was discovered earlier this year and is designed to defeat conventional malware protection systems. Analysis of the bot by the Cisco Talos Intelligence Group revealed:
… the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code.
… The bot hides its presence on the system by installing a user-mode rootkit designed to hide the malicious process and malicious registry entries created to ensure that the bot runs every time a user logs into the infected system.
A significant part of the code is dedicated to downloading and running a Monero miner XMRig program. The bot also injects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems. If the user opens the infected application, a JavaScript-based Monero miner will run within their browser’s process space.
The scope and capabilities of this bot should concern every CIO, CISO, and security professional because this level of sophistication means that it’s not only hard to detect the bot when it gets into your network, it’s also extremely difficult to get rid of. This is an example of the future of malware cyberattacks and protecting your organization from these assaults and providing robust malware protection require a far more disciplined approach than most organizations have implemented to date.
What Can Financial Service Companies Do to Protect Themselves?
“The threat of cyber security may very well be the biggest threat to the U.S. financial system.” Jamie Dimon, CEO of JP Morgan Chase, speaking at the Business Roundtable CEO Innovation Summit in Washington, D.C. on Dec. 6th, 2018.
The European Central Bank’s 2020 edition of its ECB Banking Supervision: Risk assessment for 2020 report identified the main risk factors that the eurozone banking system is expected to face over the next three years. Driving these risks are:
- The continued digitization of financial services
- The obsolescence of certain banking information systems
- The interconnection with third-party information systems and, by extension, migration to the cloud
Given the complexity of computer systems and networks in financial services, there is only one strategy that will provide the level of in-depth defense required to future-proof malware protection and that is to implement the Zero Trust Model.
The Zero Trust Model
Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan. – NIST Special Publication 800-207
A Zero Trust Model, as defined by NIST, is based upon the following principles:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
The last principle is the key to making a Zero Trust Model actually work in the real world. By inspecting all traffic including secured communications using TLS/SSL decryption and inspection (SSLi), financial organizations can track what’s coming into their networks and what’s trying to get out. Correctly implemented and deployed, SSLi can efficiently and cost-effectively prevent the entry of malware and the exfiltration of sensitive data making the Zero Trust Model robust and complete.