Banking on defence to beat the bad guys
Banks and financial services are the number one target for hackers and nation-states, but as Doug Drinkwater reports, the industry is fighting to stay ahead of the threats with new tools, training, and increasing collaboration
Banks are a prime target for hackers
Banks will always be a target for the bad guys, who will often win. In the last two years alone there have been huge breaches at JP Morgan Chase, Barclays, Halifax and Lloyds, while Kaspersky Lab reported on the activities of a prolific Russian-speaking group, ‘Carbanak', which siphoned up to US$1 billion from more than 100 banks across 30 countries.
Such attacks are unlikely to stop so long as banks hold money and vulnerabilities in both software and humans persist, but that's not to say there is no light at the end of the tunnel.
The industry is responding through industry and government initiatives to share skills, information and other resources, while forward-thinking banks have strong C-suite support, are proactively recruiting and are even part of cyber-security accelerators.
The UK's Bank of England has been particularly active, running the Waking Shark red teaming exercises and launching the CBEST initiative, while the British Bankers' Association recently partnered with the European Union to collaborate on transatlantic threats. The FS-ISAC and Soltra are examples of information sharing between global financial institutions, while a number of banks have signed up to CERT-UK's CiSP and the government's Cyber Essentials scheme.
Money is being pumped in too; PwC estimates that US financial services will spend an additional £1.3 billion on cyber-security by 2017, while JP Morgan publicly committed to spending £310 million after its breach last year.
Are cyber-criminals scheming differently?
Independent adviser Neira Jones, a former head of payments at Barclays, thinks that financial services is more forward-thinking than other sectors but admits that hackers will always stay ahead.
“What they are doing now is targeting the supply chain and their customers. For me, this proves that security is less of a technical issue, and more of an awareness issue,” she said, keen to stress that most Advanced Persistent Threats (APTs) start with phishing emails.
This last point was key, said Jones, as such attacks mean that traditional perimeter network security “goes out the window.”
On threats, she says: “I think that the threats are getting more sophisticated across the board as the evolution of malware is so dramatic.”
Citi Group SVP Marco Morana, also managing director at start-up Minded Security, agrees with Jones that malware is a “big problem” for the industry given the speed and spread of new variants. Mike Jolley, head of information security and risk at Yorkshire Building Society, agrees that malware is a continuous battle, but suggests there are bigger threats for organisations to consider, including supply chains and human error.
Others, meanwhile, say that hackers are using distributed-denial-of-service (DDoS) attacks to disrupt businesses or to distract the firm from more stealthy attacks.
Ben De La Salle, head of IT security and risk at investment bank Old Mutual Wealth, believes that DDoS is just one tool of the black hat trade – as is custom malware.
“The ease with which attackers can hire a service to launch a Distributed Denial of Service attack, with considerable volume at low cost, has increased significantly over the last few years. Custom malware can now be purchased as if buying any legitimate service from an online company.”
‘Freaky Clown', senior penetration tester and head of social engineering at Portcullis, who has previously presented on ‘How I hack banks', believes however that the threats are broadly the same as before.
“I believe the current threat to banks hasn't changed much in recent years - we as an industry have just become more aware that criminals are using more flaws to gain access to ill-gotten gains.
“Banks are still under constant threat via their user base, the internet and via physical means. Most attacks by criminals are to obtain an end goal, this is generally money and no-one has more money than banks themselves.”
Either way, the experts agree that hackers are shifting from mass attacks to fewer, higher-value targets.
“These attacks are persistent; they learn about the target, do some social engineering, they might try to call the customer pretending to be a banker or customer support,” says Morana. “They use a mix of social engineering, plus knowledge of the target, to more likely compromise the target.”
“You can attack 40 million customers in the city, or you can go to just one account that has millions in it.”
He advises companies to map APTs against the kill chain model, but argues that future nation-state attacks could target transactions such as SWIFT payments.
5 TIPS FOR BANKS
1. “Identify your assets and bundle them into business services. … importance to the business with respect to those assets and classify,” says Jolley, advising to then risk assess and apply appropriate controls in line with business …

2. “Don't forget that … is not just about … the trinity of ‘people, … never been more …”

3. “Data breaches are inevitable. The quicker you can detect a breach, the cheaper it will be, so a thoroughly … that involves all stakeholders is worth its weight in gold.”

4. “It's good to share. There are a few threat intelligence sharing platforms, either at … Belong to as many as you can.”

5. “Focus on effective controls: emphasis is not just on fixing vulnerabilities but on which risk prevention and detection controls are effective in mitigating the impact …”
It's not just about technology
The emergence of new threats and threat actors, coupled with banks' willingness to embrace new but potentially vulnerable technologies has opened a debate – can banks still rely on legacy systems?
Experts remain split; some say IDS, IPS, antivirus and firewalls are still required, while others see a move to SIEMs, big data analytics, honeypots, anomaly detection and more.
Mike Jolley believes that the previous multi-layered defence model, wrapping controls just around your own organisation like the layers of an onion, is broken. He says you need to consider your extended enterprise, identifying critical services and applying appropriate controls to protect them irrespective of location, but stresses that traditional technical controls protecting your core systems, such as IDP, SIEM, malware prevention and network segregation, still have their place in a “changing landscape.”
“There is no longer a one-size-fits-all approach; there's no defence in depth for your environment anymore.” Morana agrees, adding: “Unfortunately, that paradigm is broken now.”
Newer tools, like big data security analytics, intelligent risk engines and SIEM, have a role to play, says Jolley, but only if “turned on and tuned correctly”.
James Chappell, CTO of Digital Shadows, agrees that legacy systems are still useful and act as a first barrier of defence, but also sees an increasing move to virtualisation technologies.
“These technologies offer much more flexible architecture and faster response to the threat and regulatory requirements.”
Amichai Shulman, co-founder and CTO of Imperva, added in an email to SC: “We definitely see the use of deception technologies as something that organisations should look into. So far, we have seen the use of honeypot servers that randomly hope to trap attackers or honey tokens that detect compromised endpoints and the results of a data breach. However, we believe that more advanced technologies that more predictively detect initial reconnaissance and lateral movement stages are becoming important.”
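The honey tokens Shulman describes are simple to build: plant a credential that nothing legitimate ever uses, then treat any attempt to use it as proof that the place it was hidden has been read by an attacker. The script below is an added example, not code from the article or from Imperva; the decoy key ids, the hypothetical planting locations and the authentication log lines are all constructed for illustration.

```python
"""Honey token detection for an API authentication log.

Each decoy key id is tied to the one place it was planted, so a hit tells you
not only that you are breached but which asset was read. Denied attempts are
alerted on as well: an attacker failing to log in still proves the theft.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed decoys. In a real deployment each id is unique, unguessable and
# valid for nothing; the planting locations here are hypothetical.
HONEY_KEY_IDS: Dict[str, str] = {
    "HKEY01-fileshare-finance": r"\\fs01\finance\legacy_export.ini",
    "HKEY02-wiki-sre-runbook": "intranet wiki: SRE runbook, appendix B",
}


@dataclass(frozen=True)
class Alert:
    ts: str
    key_id: str
    src_ip: str
    planted_at: str
    result: str


def check_key(key_id: str) -> bool:
    """True if the presented key id is a decoy. Call this on the gateway before
    any real credential lookup and deny the request whatever the result."""
    return key_id in HONEY_KEY_IDS


def scan_auth_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per api_auth event that presented a decoy key id.
    Blank, non-JSON and non-auth lines are skipped rather than aborting the scan."""
    alerts: List[Alert] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict) or event.get("event") != "api_auth":
            continue
        key_id = event.get("key_id", "")
        if check_key(key_id):
            alerts.append(Alert(
                ts=event.get("ts", "?"),
                key_id=key_id,
                src_ip=event.get("src_ip", "?"),
                planted_at=HONEY_KEY_IDS[key_id],
                result=event.get("result", "?"),
            ))
    return alerts


@dataclass
class Summary:
    first_seen: str
    count: int = 0
    src_ips: Set[str] = field(default_factory=set)


def summarise(alerts: List[Alert]) -> Dict[str, Summary]:
    """Group alerts by planting location: that is the asset to investigate."""
    out: Dict[str, Summary] = {}
    for a in alerts:
        s = out.setdefault(a.planted_at, Summary(first_seen=a.ts))
        s.count += 1
        s.src_ips.add(a.src_ip)
    return out


# Constructed sample log, one JSON object per line, including a malformed line.
SAMPLE_LOG = """\
{"ts":"2015-06-01T08:00:01Z","event":"api_auth","key_id":"PROD-0442","src_ip":"10.1.20.7","result":"ok"}
{"ts":"2015-06-01T08:00:09Z","event":"api_auth","key_id":"HKEY01-fileshare-finance","src_ip":"203.0.113.45","result":"denied"}
this line is not json and must not crash the scanner
{"ts":"2015-06-01T08:01:30Z","event":"login","user":"alice","src_ip":"10.1.20.9"}
{"ts":"2015-06-01T08:02:12Z","event":"api_auth","key_id":"HKEY01-fileshare-finance","src_ip":"203.0.113.45","result":"denied"}
"""

if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_LOG.splitlines())
    for loc, s in summarise(found).items():
        print(f"decoy from {loc!r} used {s.count}x, first {s.first_seen}, from {sorted(s.src_ips)}")
```

The design point is the one-to-one mapping between token and hiding place: a generic "honey account" tells you someone got in, while a token per file share, wiki page or backup tells you where they got in, which is what the incident responder needs first.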
But technology is not the only issue: it's people, process and technology together, as Jones says. Incident response is also paramount. Jolley also advocates goal-based security testing that exercises controls around people, process and technology, not just technical penetration testing.
“I've seen an increased focus on risk management and corporate governance,” says Jones. “I think most banks are testing their IR plan, but now more encouraging with people, process and technology.”
Morana says that bank boards generally tend to be well-versed in IT security, although Jolley says that many recruiters still put the CISO role under IT, and miss the fundamental role of the CISO, to protect information in whatever format it may be.