financial services Archives - Cyber Secure Forum | Forum Events Ltd

Government and Financial Services best equipped to defeat cyber attacks

Stuart O'Brien

Government and Financial Services sectors globally are the most hardened against cyberattacks in 2020.

That’s according to the third edition of the Synack Trust Report, a data-driven analysis of cybersecurity preparedness across all sectors and industries, which found that Government and Financial Services scored 15 percent and 11 percent higher, respectively, than all other industries in 2020.

Government agencies earned the top spot in part due to reducing the time it takes to remediate exploitable vulnerabilities by 73 percent.

Throughout the year, both sectors faced unprecedented challenges due to the global COVID-19 pandemic, but still maintained a commitment to thorough and continuous security testing that lessened the risk from cyberattacks.

“It’s a tremendously tough time for all organizations amidst today’s uncertainties. Data breaches are the last thing they need right now. That’s why it’s more crucial than ever to quickly find and fix potentially devastating vulnerabilities before they cause irreparable harm,” said Jay Kaplan, CEO and Co-Founder of Synack. “If security isn’t a priority, trust can evaporate in an instant.”

The 2020 Trust Report is grounded in data from the patented Attacker Resistance Score (ARS) Metric, which drew information directly from tests conducted on the Synack Crowdsourced Security Platform from 2019 through July 2020 — right through the COVID-19 response period. Synack calculates a unique ARS metric between 0 and 100 for every asset, assessment and organization it tests. The calculation takes into account attacker cost, severity of findings and remediation efficiency. The higher the ARS, the more hardened assets are against attack.

“The 2020 Synack Trust Report is a must-read for anyone who has ever been asked by their C-Suite, CEO, or Board: ‘Can I trust our digital systems? And how do we compare to other companies?’” wrote Michael Coden, Global Leader Cybersecurity Practice, BCG Platinion, Boston Consulting Group, in his foreword to the 2020 Trust Report. “The report makes it clear that companies surviving the continuous barrage of cyberattacks are the ones that frequently test as many of their digital assets as possible with the appropriate depth and breadth to the criticality of that asset.”

Key 2020 Trust Report findings include:

The Government sector earned 61 — the highest rating

The chaos of 2020 added new hardship to many Government bodies, but security hasn’t necessarily suffered as many agencies have become more innovative and agile. Their ability to quickly remediate vulnerabilities drove this year’s top ranking. 

Financial Services scored 59 amidst massive COVID-19 disruptions

Financial Services adapted quickly through the pandemic to help employees adjust to their new remote work realities and ensure customers could continue doing business. Continuous security testing played a significant role in the sector’s ARS.

Healthcare and Life Sciences scored 56 despite pandemic challenges

The rush to deploy apps to help with the COVID-19 recovery led to serious cybersecurity challenges for Healthcare and Life Sciences. Despite those issues, the sector had the third highest average score as research and manufacturing organizations stayed vigilant and continuously tested digital assets.

Severity of vulnerabilities found on the Synack platform increases

Twenty-eight percent of the vulnerabilities discovered by the Synack Red Team, the community of ethical hackers working on the Synack platform, were considered high, very high or critical. Synack leads the industry in finding the most critical and dangerous vulnerabilities in customers’ digital assets and apps, giving them the insight necessary to prevent attacks.

ARS scores increase 23 percent from continuous testing

For organizations that regularly release updated code or deploy new apps, point-in-time security analysis will not pick up potentially catastrophic vulnerabilities. A continuous approach to testing helps ensure vulnerabilities are found and fixed quickly, resulting in a higher ARS metric.

Visit www.synack.com to download the report for free.

Financial services head to the cloud to escape security concerns

Stuart O'Brien

The financial services industry is accelerating its shift to the cloud, as it presses forward with digital transformation in the face of security concerns. 

That’s according to the Financial Services edition of F5’s 2020 State of Application Services (SOAS) report, which says 60% of surveyed organisations in the industry believe public cloud platforms will be strategically important for them in the next two to five years, up sharply from 49% in 2019.

It comes as 84% of financial services organisations execute on digital transformation plans, with three quarters saying the key driver is to increase the speed of new product and service deployment.

Cloud adoption is increasing even as security concerns remain widespread. While two-thirds of organisations are confident in their ability to withstand an application attack on premises, only 40% said the same when it comes to the public cloud. 

“The idea that financial services applications would be the slowest to move into the cloud has been clearly disproven,” said Lori MacVittie, Principal Technical Evangelist, Office of the CTO at F5.

“Instead we are seeing the industry go ‘all in’ on multi-cloud adoption as organisations seek to increase the pace of their digital transformation and more quickly deploy the applications that will deliver a high-quality customer experience. Ultimately, financial services organisations that face growing competition from digital challengers are turning to the cloud to meet the needs of customers who now expect a seamless fintech service.” 

As cloud adoption increases, the F5 research says financial services organisations are seeking to balance the innovation imperative with security needs.

Many are looking to open banking, which 47% of surveyed organisations (among the two-thirds of respondents who provide banking services) have either implemented or plan to do so. Within this subset, 68% are deploying API gateways to deliver innovation, allowing them to securely share data with partners and open APIs to public developer networks.

82% of organisations with open banking initiatives have published APIs to third parties, compared to 62% of those not engaged in open banking.

The report says that in this context security remains a pressing concern, especially with 87% of organisations embracing multi-cloud environments, and 41% determining the type of cloud to support an application on a case-by-case basis.

Asked about the biggest challenges of managing applications in a multi-cloud environment, 59% of respondents highlighted the need to apply consistent security policies across all company applications, well ahead of migrating apps among clouds/data centers (32%), gaining visibility into application health, or optimising the performance of the application (both 26%).

Security clearly resonates as a priority for the entire industry. Over half of respondents named it as the most important characteristic of an application service, while financial services leaders ranked real-time threat analytics as their number two strategic trend, compared to number six across all industries. Three quarters of respondents said it is important to enforce the same security policies on premises and in the cloud.

Nevertheless, the industry fears that it lacks the capacity to effectively respond to threats, with 72% of respondents reporting that they face a security skills gap.

The importance of security is further underlined by the applications financial services organisations choose to prioritise. Among the industry’s top five app services deployed today, four are security-focused: common security services and SSL VPN (both deployed by 86%), WAF (81%, up from 77% in 2019) and DDoS protection (80%).

That is balanced by a focus on application services that underpin the effort to drive high-quality customer experiences: 80% of financial services respondents said they are deploying services such as load balancing, global server load balancing and DNS, compared to 75% globally. 

Looking forward, the industry is planning to deploy application services that will support greater adoption of public cloud and modern (cloud- or container-native) architectures. 42% expect to deploy SDN gateways or SDN WAN in 2020 (up from 34% in 2019) while 39% will deploy API gateways (up from 27%) and 35% Ingress control (up from 21%).

46% of financial services respondents identified Software-defined networking (SDN) as a strategically important trend for them in the next 2-5 years, up from 42% last year.

Financial services organisations ‘increasingly prone to authentication and DDoS attacks’

Stuart O'Brien

Financial services organisations have experienced a significant increase in the number of authentication and distributed denial of service (DDoS) attacks over the past three years.

That’s according to research from F5 Labs, which says the opposite was true of web attacks, which were notably down during the same period.

The analysis, which examined customer security incident response (SIRT) data from 2017-2019, covered banks, credit unions, brokers, insurance, and the wide range of organisations that serve them, such as payment processors and financial Software as a Service (SaaS).

On average, brute force and credential stuffing constituted 41% of all attacks on financial services organisations over the full three-year period. The percentage of attacks grew from 37% in 2017 to a high point of 42% in 2019.

Brute force attacks involve a bad actor attempting large volumes of usernames and passwords against an authentication endpoint. Other forms of brute force attacks simply use common lists of default credential pairs (for example, admin/admin), commonly used passwords, or even randomly generated password strings.

Occasionally, brute force attacks leverage credentials that have been obtained from other breaches. These are then used to target the service in an attack known as “credential stuffing.” 

Delving deeper, F5’s SIRT team found that there were clear regional variations in attack trends. In EMEA, brute force and credential stuffing attacks only amounted to 20% of the total, which is higher than the 15% observed in Asia Pacific but significantly lower than North America’s 64%. The latter is likely driven by a large volume of existing breached credentials.

“The first indications of an authentication attack are often customer complaints about account lockouts, rather than any sort of automated detection,” said Raymond Pompon, Director at F5 Labs.

“Early detection is key. If defenders can identify an increase in failed login attempts over a short period of time, it gives them a window of opportunity to act before customers are affected.”
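The early-detection idea in the quote above, as an added example that is not from F5 Labs or the original article: a sliding-window count of failed logins that separates brute force (many failures against one account) from a credential-stuffing pattern (one source failing against many accounts). The event format, thresholds and function name are assumptions, and the log events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds are assumptions chosen for the constructed sample below.
WINDOW = timedelta(minutes=5)   # the "short period of time" to look back over
ACCOUNT_FAILS = 5               # failures against one account -> brute force
SOURCE_ACCOUNTS = 4             # distinct accounts failed from one source -> stuffing

# Constructed events: (ISO timestamp, source IP, username, outcome).
SAMPLE_EVENTS = [
    # One source hammering a single account.
    ("2020-03-02T09:00:00", "203.0.113.7", "alice", "FAIL"),
    ("2020-03-02T09:00:20", "203.0.113.7", "alice", "FAIL"),
    ("2020-03-02T09:00:40", "203.0.113.7", "alice", "FAIL"),
    ("2020-03-02T09:01:00", "203.0.113.7", "alice", "FAIL"),
    ("2020-03-02T09:01:20", "203.0.113.7", "alice", "FAIL"),
    # A customer who mistypes once, then logs in.
    ("2020-03-02T09:02:00", "192.0.2.10", "frank", "FAIL"),
    ("2020-03-02T09:02:10", "192.0.2.10", "frank", "OK"),
    # One source trying a single credential pair per account.
    ("2020-03-02T09:10:00", "198.51.100.23", "bob", "FAIL"),
    ("2020-03-02T09:10:05", "198.51.100.23", "carol", "FAIL"),
    ("2020-03-02T09:10:10", "198.51.100.23", "dave", "FAIL"),
    ("2020-03-02T09:10:15", "198.51.100.23", "erin", "FAIL"),
    # Five failures spread over 40 minutes: never five inside one window.
    ("2020-03-02T09:00:00", "192.0.2.44", "grace", "FAIL"),
    ("2020-03-02T09:10:00", "192.0.2.44", "grace", "FAIL"),
    ("2020-03-02T09:20:00", "192.0.2.44", "grace", "FAIL"),
    ("2020-03-02T09:30:00", "192.0.2.44", "grace", "FAIL"),
    ("2020-03-02T09:40:00", "192.0.2.44", "grace", "FAIL"),
]


def detect_auth_attacks(events, window=WINDOW):
    """Return [(timestamp, kind, key)] alerts, raised once per account or source."""
    by_account = defaultdict(deque)   # username -> failure timestamps in window
    by_source = defaultdict(deque)    # source IP -> (timestamp, username) in window
    alerted, alerts = set(), []

    def raise_once(ts_str, kind, key):
        if (kind, key) not in alerted:
            alerted.add((kind, key))
            alerts.append((ts_str, kind, key))

    for ts_str, src, user, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_str)

        acc = by_account[user]
        acc.append(ts)
        while ts - acc[0] > window:        # expire failures older than the window
            acc.popleft()
        if len(acc) >= ACCOUNT_FAILS:
            raise_once(ts_str, "brute_force", user)

        seen = by_source[src]
        seen.append((ts, user))
        while ts - seen[0][0] > window:
            seen.popleft()
        if len({u for _, u in seen}) >= SOURCE_ACCOUNTS:
            raise_once(ts_str, "credential_stuffing", src)
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_attacks(SAMPLE_EVENTS):
        print(alert)
```

Counting per account as well as per source means failures spread across many source addresses still trip the account threshold, while the per-source count catches the low-and-slow-per-account pattern that never locks any single customer out.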

DDoS attacks were the second biggest threat to financial services organisations, accounting for 32% of all reported incidents between 2017 and 2019. It is also the fastest growing threat. In 2017, 26% of attacks on financial services organisations focused on DDoS.  The figure soared to 42% in 2019.

Yet again there were distinct regional variations. 50% of all attacks reported in EMEA over the three-year period were DDoS-related. Asia Pacific was similarly affected with 55%, but the volume dropped to 22% in North America.

According to F5 Labs, denial-of-service attacks against financial service providers usually target either the core services used by customers (such as DNS) or the applications that allow users to access online services (i.e. viewing bills or applying for loans). Attacks are often sourced from all over the world, likely via the use of large botnets that are either rented out by attackers, or purpose-built from compromised machines.

“The ability to quickly identify the characteristics of traffic when under attack conditions is critically important. It is also vital to quickly enable in-depth logging for application services in order to identify unusual queries,” Pompon explained.

While authentication and DDoS attacks continue to spread, there was also a concurrent drop in web attacks against financial services organisations. In 2017 and 2018, they accounted for 11% of all incidents. In 2019, it was just 4%.

“While it is difficult to determine causality, one likely factor driving this trend is the growing sophistication of properly implemented technical controls such as web application firewalls (WAFs),” said Pompon.

F5 Labs’ 2018 Application Protection Report found that a greater proportion of financial organisations tend to deploy WAFs (31%) than the average across all industries (26%).

Most of the web attacks recorded by the F5 SIRT centred on APIs, including those related to mobile authentication portals and Open Financial Exchange (OFX). Web scraping – copying content for the purpose of creating realistic phishing pages – was also in evidence.

F5 Labs suggests that web attacks against financial services targets tend to be more persistent compared to other sectors – partly due to the cybercriminals’ precise targeting and the potential high value of success.

F5 Labs’ analysis concludes that, although the financial services industry tends to require less convincing about the merits of substantive security programs, there is no room for complacency.

“Despite the valuable assets at stake, it can still be a challenge to convince some organisations of the need for multifactor authentication, which probably represents the most impactful way to prevent nearly all access-style attacks like brute force, credential stuffing, and phishing,” said Pompon.

“Having said that, there is still a lot that can be done. On the preventative side this includes hardening APIs and implementing a vulnerability management program that features external scanning and regular patching. On the detective side, it is critical to continually monitor traffic for traces of brute force and credential stuffing. As ever, it is essential to develop, and regularly practice, procedures for incident response that address all risks.”

Ramnit Trojan resumes attacks on European financial institutions

Stuart O'Brien

The Ramnit banking Trojan has returned to its old hunting ground after recent forays into the e-commerce space.

The discovery follows analysis by F5 Labs and F5’s EMEA-based F5 Security Operations Center (SOC) examining active Ramnit banking Trojan Malware configurations in February and March 2019.

All signs indicate that Ramnit’s authors are, once again, largely targeting financial services websites to coincide with tax return activity, primarily in Italy.

Ramnit previously hit the headlines during the 2018 holiday season for shifting its attack focus to US e-commerce sites.

In the most recently studied Ramnit sample, active in March this year, the Trojan’s authors were primarily focused on financial services and financial tech sites in Italy (40% of all attacks). 9% of attacks were aimed at the UK and 8% at France. Overall, 70% of all Ramnit targets in March were European, 27% American and 3% were located across the rest of the world.

Interestingly, while social networking sites made up a smaller portion of targets observed in February and March, some of the biggest social networking platforms in the world were still under fire, including Twitter, Facebook, Tumblr, and YouTube. 

In other notable developments, F5 Labs was able to discover how this March’s Ramnit configurations are continually adapting, including scaling web injection tactics to attack websites. An interesting innovation in this respect entailed going after targets with no link to a specific company or website.

Instead, several words in French, Italian, and English were added to the mix in the hope of catching random websites. Along with the simple word targets, Ramnit also included the name of an Italian opera and a few misspelled domain names.

“Ramnit is a persistent banking Trojan that first emerged in 2010 as a less sophisticated form of a self-replicating worm. Today, both its tactics and targets have evolved to include many other industries. It is highly adaptable, as we can see with this recent shift back to the financial sector, as well as its authors’ new attempt to expand the attack surface,” said Roy Moshailov, head of security and malware research, F5 Networks.

“It is critical for banks and financial institutions to implement web fraud protection solutions to protect their customers and to help ease the burden of fraud expenses—especially banks that are actively being targeted. Other industries also need to be aware of attackers’ increasingly clever techniques so they can take similar precautions. The main thing is not to be complacent. Because Trojan malware is typically installed through phishing or malicious advertising, it’s also vital that all organisations provide security awareness training to employees and clients.”

Cybersecurity and Financial Services – How Can Organisations Combat the Threat?

Guest Post

By Genevra Champion, Sector Marketing Manager, IT Governance

The financial services industry is naturally a lucrative target for cyber criminals. Financial organisations trade and control vast amounts of money, as well as collect and store customers’ personal information, so a data breach could clearly be disastrous for an industry that is built on trust with its customers.

The financial services industry is second only to retail in terms of the industries most affected by cyber crime – the number of breaches reported by UK financial services firms to the FCA increased 480 per cent in 2018, compared to the previous year. While financial services organisations are heavily regulated and cybersecurity is becoming more of a business priority, there is still much more to be accomplished when it comes to businesses understanding what measures must be taken – from the C-suite down – to effectively protect organisations against inevitable breaches.

So how can financial services firms proactively equip themselves to respond to increased regulatory scrutiny and mitigate the impact from the growing number of threats they will face? 

Mitigating the threat

Financial institutions were able to defend against two-thirds of unauthorised fraud attempts in 2018, but the scale of attacks significantly increased. Significant market players including Tesco Bank, Metro Bank and HSBC all reported breaches in the last year. Clearly, the banks’ cybersecurity defences have not developed at a fast enough pace. Cyber criminals can and will dramatically outspend their targets with increasingly sophisticated attack methods. In addition, many of the traditional banks struggle with large, cumbersome legacy systems, which pose significant reliability issues, as well as flaws in security. 

Last year’s IT banking disaster led to thousands of TSB customers being locked out of their accounts, leading to fraudsters exploiting the situation by posing as bank staff on calls to customers in order to steal significant sums of money from customers. The breach occurred while the company was conducting an upgrade on its IT systems to migrate customer data to a new platform. This wasn’t just bad luck for TSB, but a failure to adequately plan and assess the risks that come with such a huge project. The bank has since pledged to refund all customers that are victims of fraud, a move which will likely see other banks reviewing their approach to the rise of this particular type of cyber crime. 

The industry must understand that security incidents are an ever-present risk. However, organisations can be prepared – scoping a defence strategy specific to the firm, with processes for implementation, will mean an attack can be quickly identified, isolated and resolved, minimising business impact.

Appropriate defence strategy

The FCA has set out various cybersecurity insights that show how cybersecurity practices of UK financial services firms are under the regulatory microscope, as the cyber threat continues to grow. The approach from the FCA includes practices for organisations to put into action such as those that promote governance and put cyber risk on the board agenda. The advice also covers areas such as identifying and protecting information assets, being alert to emerging threats and being ready to respond, as well as testing and refining defences. With cyber crime tools and techniques advancing at a rapid pace, and increasing regulations, it’s no wonder that many organisations struggle to keep up to ensure their defences stay ahead of the game.

In order for in-house security teams to keep up to date with current and evolving threats and data protection issues, firms must invest in regular training. Specialist skills are required to mitigate cyber risk, which for some could be cost-prohibitive.  As an alternative, an insourced model allows you to leverage a dedicated and skilled team on an ‘as you need’ basis to deliver an appropriate strategy. With a Cyber Security as a Service (CSaaS) model in place, organisations can rapidly access a dedicated team with the knowledge and skills to deliver a relevant and risk appropriate cyber security strategy. 

Crucially, in addition to completing a gap analysis and a multi-layered defence strategy, the model will also apply to people and processes. Attackers will generally aim at the weakest point of an organisation – often its staff. Human nature means passwords are forgotten, malware isn’t noticed, or phishing emails are opened, for example. Therefore, a blended approach of technology, processes and shared behaviour is required that promotes the need for staff awareness and education of the risks, in order to effectively combat the threat.

Conclusion

With increased regulatory attention across security and privacy, firms must take steps to improve their defences, or risk severe financial and reputational damage. The issue of cybersecurity risk must become as embedded within business thinking as operational risk. Anyone within an organisation can be a weak link, so the importance of cybersecurity defences must be promoted at all levels – from the board all the way through to the admin departments. It’s everyone’s responsibility to keep the organisation protected against threats. 

While the threat of cyber attack is real, financial services firms do not have to take on the battle alone. With a CSaaS model in place, organisations can start to take back control of their cybersecurity strategy and embed it as a trusted, cost-effective and workable core part of the business’ process. 
