Vulnerabilities / Threats
8/4/2011
10:48 AM
Banks Face Ongoing Cyber Threats

Although financial institutions have to date largely escaped the fate of the U.S. government and other industries, security experts warn that it's only a matter of time until a bank suffers a major breach from a cyber attack.

Love him or hate him, Julian Assange, the infamous director of WikiLeaks, has heightened awareness of the dangers of sensitive information leaking out of an organization.

Indeed, the largest industry targeted by criminals is financial services, according to the "2010 Data Breach Investigations Report" from Verizon Business and the United States Secret Service. Not only did financial services represent 33% of the more than 900 breaches studied over a six-year span, the industry also accounted for a staggering 94% of all compromised records.

Today's cyber attacks are more targeted--and more dangerous--than in the past. "Attacks are 'low and slow' in that criminals are pinpointing specific institutions and patiently and painstakingly infiltrating the organization to remove precise data," explains Jonathan Penn, vice president, Forrester Research.

Advanced Persistent Threats (APTs) illustrate the persistence of today's cyber criminals. RSA, which supplies security systems to some of the world's largest financial services firms, announced in March that data related to its SecurID authentication tokens was stolen via an APT attack. APT has become shorthand for attacks carried out by sophisticated, well-funded hackers--often linked to the Chinese government--that are executed methodically over long periods of time.

Not only do banks need to protect themselves from criminals outside the organization, they also need to protect against internal information leakage from employees, contractors, partners and vendors. "Someone intentionally taking and sharing information is an incredibly difficult problem to solve," notes Richard Mackey, vice president of consulting, SystemExperts Corp.

The recent media reports of leaked emails from a former Bank of America employee to the online hacker group Anonymous turned into a case of "much ado about nothing," but highlight how easily an information leak can occur.

The internal threat is real: According to Verizon, internal agents caused nearly half (48%) of financial services breaches. However, financial institutions are largely unprepared.

Although 56% of senior security executives are very confident about thwarting external breaches, only 34% display the same confidence about internal threats, according to Deloitte's "2010 Financial Services Global Security Survey."

The pervasiveness of mobile devices complicates security for banks. Employees are clamoring to use their mobile devices of choice at work, but security managers are still struggling to secure new, increasingly powerful devices.

Smartphones in particular are exploding in popularity, presenting the proverbial "good news/bad news" scenario for financial institutions. George Peabody, director of Emerging Technologies Advisory Service at consultancy Mercator Advisory Group, predicts that 60% of mobile phone subscribers will have smartphones by 2012. Since the criminals "move to where the people are," expect malware to proliferate on iPhones, Androids and other mobile devices, says Peabody.

A.N. Ananth, CEO of security solutions provider Prism Microsystems, describes three approaches banks can take to manage mobile device security. The first approach is to lock down the environment. Doing so, however, can make the carrier less efficient and put it at a competitive disadvantage. The opposite strategy of trust without restrictions, which Ananth calls the "kumbaya approach," increases the risk of a data breach. The middle ground is the best, he argues. "We like the trust-and-verify approach."

One-quarter of banks are taking a hard line on devices while about one in 10 have a generous "bring your device to work" policy, estimates Andrew Jaquith, CTO of Perimeter E-Security, a provider of information security services. The remainder, explains Jaquith, make up the "muddled middle" frantically trying to strike a bargain that allows employees to select their own devices as long as the organization can impose security such as device locking and hardware encryption.

Read the rest of this article on Bank Systems & Technology.
