8/4/2011
10:48 AM

Banks Face Ongoing Cyber Threats

Love him or hate him, Julian Assange, the infamous director of WikiLeaks, has heightened awareness of the dangers of sensitive information leaking out of an organization. Although financial institutions have to date largely escaped the fate of the U.S. government and other industries, security experts warn that it's only a matter of time until a bank suffers a major breach from a cyber attack.

Indeed, the largest industry targeted by criminals is financial services, according to the "2010 Data Breach Investigations Report" from Verizon Business and the United States Secret Service. Not only did financial services represent 33% of the more than 900 breaches studied over a six-year span, the industry also accounted for a staggering 94% of all compromised records.

Today's cyber attacks are more targeted--and more dangerous--than in the past. "Attacks are 'low and slow' in that criminals are pinpointing specific institutions and patiently and painstakingly infiltrating the organization to remove precise data," explains Jonathan Penn, vice president, Forrester Research.

Advanced Persistent Threats (APTs) illustrate the persistence of today's cyber criminals. RSA, which supplies security systems to some of the world's largest financial services firms, announced in March that data related to its SecurID authentication tokens was stolen via an APT attack. APT has become a euphemism for attacks carried out by sophisticated, well-funded hackers--often linked to the Chinese government--that are executed methodically over long periods of time.

Not only do banks need to protect themselves from criminals outside the organization, they also need to protect against internal information leakage from employees, contractors, partners and vendors. "Someone intentionally taking and sharing information is an incredibly difficult problem to solve," notes Richard Mackey, vice president of consulting, SystemExperts Corp.

The recent media reports of leaked emails from a former Bank of America employee to the online hacker group Anonymous turned into a case of "much ado about nothing," but highlight how easily an information leak can occur.

The internal threat is real: According to Verizon, internal agents caused nearly half (48%) of financial services breaches. However, financial institutions are largely unprepared.

Although 56% of senior security executives are very confident about thwarting external breaches, only 34% display the same confidence about internal threats, according to Deloitte's "2010 Financial Services Global Security Survey."

The pervasiveness of mobile devices complicates security for banks. Employees are clamoring to use their mobile devices of choice at work, but security managers are still struggling to secure new, increasingly powerful devices.

Smartphones in particular are exploding in popularity, presenting the proverbial "good news/bad news" scenario for financial institutions. George Peabody, director of Emerging Technologies Advisory Service at consultancy Mercator Advisory Group, predicts that 60% of mobile phone subscribers will have smartphones by 2012. Since the criminals "move to where the people are," expect malware to proliferate on iPhones, Androids and other mobile devices, says Peabody.

A.N. Ananth, CEO of security solutions provider Prism Microsystems, describes three approaches banks can take to manage mobile device security. The first approach is to lock down the environment. Doing so, however, can make the carrier less efficient and put it at a competitive disadvantage. The opposite strategy of trust without restrictions, which Ananth calls the "kumbaya approach," increases the risk of a data breach. The middle ground is the best, he argues. "We like the trust-and-verify approach."

One-quarter of banks are taking a hard line on devices while about one in 10 have a generous "bring your device to work" policy, estimates Andrew Jaquith, CTO of Perimeter E-Security, a provider of information security services. The remainder, explains Jaquith, make up the "muddled middle" frantically trying to strike a bargain that allows employees to select their own devices as long as the organization can impose security such as device locking and hardware encryption.

Read the rest of this article on Bank Systems & Technology.
