8/4/2011
10:48 AM

Banks Face Ongoing Cyber Threats


Love him or hate him, Julian Assange, the infamous director of WikiLeaks, has heightened awareness of the dangers of sensitive information leaking out of an organization. Although financial institutions have to date largely escaped the fate of the U.S. government and other industries, security experts warn that it's only a matter of time until a bank suffers a major breach from a cyber attack.

Indeed, the largest industry targeted by criminals is financial services, according to the "2010 Data Breach Investigations Report" from Verizon Business and the United States Secret Service. Not only did financial services represent 33% of the more than 900 breaches studied over a six-year span, the industry also accounted for a staggering 94% of all compromised records.

Today's cyber attacks are more targeted--and more dangerous--than in the past. "Attacks are 'low and slow' in that criminals are pinpointing specific institutions and patiently and painstakingly infiltrating the organization to remove precise data," explains Jonathan Penn, vice president, Forrester Research.

Advanced Persistent Threats (APTs) illustrate the persistence of today's cyber criminals. RSA, which supplies security systems to some of the world's largest financial services firms, announced in March that data related to its SecurID authentication tokens was stolen via an APT attack. APT has become a euphemism for attacks carried out by sophisticated, well-funded hackers--often linked to the Chinese government--that are executed methodically over long periods of time.

Not only do banks need to protect themselves from criminals outside the organization, they also need to protect against internal information leakage from employees, contractors, partners and vendors. "Someone intentionally taking and sharing information is an incredibly difficult problem to solve," notes Richard Mackey, vice president of consulting, SystemExperts Corp.

The recent media reports of leaked emails from a former Bank of America employee to the online hacker group Anonymous turned into a case of "much ado about nothing," but highlight how easily an information leak can occur.

The internal threat is real: According to Verizon, internal agents caused nearly half (48%) of financial services breaches. However, financial institutions are largely unprepared.

Although 56% of senior security executives are very confident about thwarting external breaches, only 34% display the same confidence about internal threats, according to Deloitte's "2010 Financial Services Global Security Survey."

The pervasiveness of mobile devices complicates security for banks. Employees are clamoring to use their mobile devices of choice at work, but security managers are still struggling to secure new, increasingly powerful devices.

Smartphones in particular are exploding in popularity, presenting the proverbial "good news/bad news" scenario for financial institutions. George Peabody, director of Emerging Technologies Advisory Service at consultancy Mercator Advisory Group, predicts that 60% of mobile phone subscribers will have smartphones by 2012. Since the criminals "move to where the people are," expect malware to proliferate on iPhones, Androids and other mobile devices, says Peabody.

A.N. Ananth, CEO of security solutions provider Prism Microsystems, describes three approaches banks can take to manage mobile device security. The first approach is to lock down the environment. Doing so, however, can make the carrier less efficient and put it at a competitive disadvantage. The opposite strategy of trust without restrictions, which Ananth calls the "kumbaya approach," increases the risk of a data breach. The middle ground is the best, he argues. "We like the trust-and-verify approach."

One-quarter of banks are taking a hard line on devices while about one in 10 have a generous "bring your device to work" policy, estimates Andrew Jaquith, CTO of Perimeter E-Security, a provider of information security services. The remainder, explains Jaquith, make up the "muddled middle" frantically trying to strike a bargain that allows employees to select their own devices as long as the organization can impose security such as device locking and hardware encryption.

Read the rest of this article on Bank Systems & Technology.
