Financial services remain low-hanging fruit for cyber-criminals

News by Chandu Gopalakrishnan

The financial services sector is on its toes after reports of more breaches and security shortfalls internationally in the wake of the Capital One disclosure.

The data breach disclosure at the US bank Capital One has opened up debates on cyber-security in the financial services industry (FSI). News from peers across the world is concerning.

UniCredit, Italy’s largest bank by assets, this week announced an internal investigation in connection with the Capital One breach, without divulging the nature of the investigation or the scope of a possible breach.

German peer Deutsche Bank has started an investigation into a potential data leak after it was disclosed that close to 50 former staff still had access to company email despite having been fired weeks earlier.

The details of one million business phone calls made by employees from Bank of Cardiff, California, were found in an exposed Amazon S3 bucket. The bank has started patching servers that exposed data, though many call details are still available online.

"The threat of cyber-security may very well be the biggest threat to the US financial system," said Jamie Dimon, chairman and chief executive officer of JPMorgan Chase & Co, in a letter to shareholders in April. "The financial system is interconnected, and adversaries are smart and relentless — so we must continue to be vigilant."

The bank spends nearly £500 million per year on cyber-security, he said in the letter.

While financial organisations are developing their own software and systems, many are becoming reliant on third-party independent vendors to deliver the latest technology, noted a survey of FSI cyber-security professionals by Synopsys Cybersecurity Research Center (CyRC) and Ponemon Institute.

According to the survey, 60 percent of respondents said cloud migration tools, followed by blockchain tools (52 percent), create the greatest security risk.

"While nearly three-quarters of respondents surveyed are gravely concerned about the possibility of security vulnerabilities introduced by third-party suppliers, less than half of their organisations require third parties to adhere to specific cyber-security requirements or to verify their security practices," said the survey report.

Ensuring the proper configuration and maintenance of firewalls and the security of credentials helps mitigate the effects of a breach, said Patrice Puichaud, senior director at SentinelOne.

"The apparent speed with which Capital One were able to claim the configuration vulnerability had been fixed may suggest the remedy was obvious once known, and that in turn may indicate a simple oversight like not securing a Secret Access Key or failing to disable an older, disused key that could possibly have already become insecure," he wrote in an email to SC Media UK.
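The disused-key scenario Puichaud raises is something a defender can audit for routinely. The following is an added example, not code from the article, from SentinelOne or from Capital One: it takes an inventory of access keys (here a constructed in-memory sample in the shape a cloud IAM key listing would give you: owner, key id, status, creation time, last-use time) and flags active keys that are past their rotation age, idle, or never used. The thresholds and the placeholder key ids are assumptions.

```python
from datetime import datetime, timezone

# Reference time for the audit (constructed; a real run would use datetime.now(timezone.utc)).
NOW = datetime(2019, 8, 2, tzinfo=timezone.utc)

# Constructed sample inventory in the shape an IAM key collector would produce:
# one record per access key with owner, status, creation time and last-use
# time (None = never used). Key ids are obvious placeholders, not real keys.
SAMPLE_KEYS = [
    {"user": "svc-deploy", "key_id": "PLACEHOLDER-KEY-01", "status": "Active",
     "created": "2019-07-20T10:00:00Z", "last_used": "2019-08-01T09:30:00Z"},
    {"user": "svc-legacy", "key_id": "PLACEHOLDER-KEY-02", "status": "Active",
     "created": "2017-01-05T08:00:00Z", "last_used": "2018-02-11T12:00:00Z"},
    {"user": "svc-legacy", "key_id": "PLACEHOLDER-KEY-03", "status": "Active",
     "created": "2018-03-01T08:00:00Z", "last_used": None},
    {"user": "analyst-1", "key_id": "PLACEHOLDER-KEY-04", "status": "Inactive",
     "created": "2016-06-01T08:00:00Z", "last_used": "2016-06-02T08:00:00Z"},
]


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys, now=NOW, max_age_days=90, max_idle_days=60):
    """Return one finding per active key that is too old, idle, or never used.

    Each finding lists every reason that applies, so a key that is both old and
    idle appears once with two reasons. Inactive keys are skipped: they cannot
    authenticate, although deleting them is still good hygiene.
    """
    findings = []
    for key in keys:
        if key["status"] != "Active":
            continue
        age_days = (now - parse_ts(key["created"])).days
        reasons = []
        if age_days > max_age_days:
            reasons.append(f"age {age_days}d exceeds rotation limit of {max_age_days}d")
        if key["last_used"] is None:
            # A key that was never used but has outlived the idle window is a
            # credential nobody needs; it should not remain active.
            if age_days > max_idle_days:
                reasons.append("never used")
        else:
            idle_days = (now - parse_ts(key["last_used"])).days
            if idle_days > max_idle_days:
                reasons.append(f"idle for {idle_days}d, limit {max_idle_days}d")
        if reasons:
            findings.append({
                "user": key["user"],
                "key_id": key["key_id"],
                "reasons": reasons,
                "recommended_action": "deactivate now, delete after confirming nothing breaks",
            })
    return findings


if __name__ == "__main__":
    for f in audit_keys(SAMPLE_KEYS):
        print(f"{f['user']} {f['key_id']}: {'; '.join(f['reasons'])} -> {f['recommended_action']}")
```

The two-step recommendation (deactivate, then delete) is deliberate: deactivating is reversible, so a key that turns out to be in use by an unmonitored batch job can be switched back on while the job is fixed, whereas deletion is not.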

"Many are highlighting the significance of a single engineer causing damage in the case of the Capital One breach. The reality of any situation such as this is that it really only takes one person to infiltrate and compromise security at a business – and usually by accessing administrative or privileged systems," said One Identity director Andrew Clarke.

Forgetting to revoke access and remove credentials for former employees is a common security mistake, but it poses serious risks, said Securonix chief scientist Igor Baikalov.

"It's a failure of both process (employee termination checklist must include access revocation) and technology (access by terminated employees has to be detected). Moreover, since laid-off workers are unlikely to be loyal and warmly predisposed towards the company, it's also a people issue: disgruntled employees are very likely to seek some damage to their employer," he wrote in an email to SC Media UK.

"Good security practice is to put employees who will be laid off under enhanced monitoring to prevent such incidents from happening. There is also the possibility that the credentials will fall into the hands of a malicious cyber-criminal and be used to attack the organisation," he added.
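The technology half of Baikalov's point, detecting access by terminated employees, is a join between the HR leaver list and the authentication logs. The following is an added example, not code from the article, from Securonix or from Deutsche Bank: it assumes a leaver list keyed by username with a termination timestamp, and authentication log lines in a simple constructed `key=value` format; both the format and the sample lines are made up for the example. It reports every authentication attempt, successful or failed, by a leaver after their termination time, since a failed attempt with a leaver's account is also worth knowing about.

```python
import re
from datetime import datetime, timezone

# Constructed leaver list (username -> termination time, UTC), as an HR export might provide.
LEAVERS = {
    "jdoe": "2019-07-10T17:00:00Z",
    "asmith": "2019-07-25T17:00:00Z",
}

# Constructed authentication log in a simple syslog-like key=value format.
# The "kernel:" line is there to show that non-auth lines are ignored.
SAMPLE_LOG = """\
2019-07-09T08:12:01Z auth: user=jdoe result=success src=10.1.2.3 service=webmail
2019-07-12T22:40:15Z auth: user=jdoe result=success src=198.51.100.7 service=webmail
2019-07-13T09:05:44Z auth: user=bwong result=success src=10.1.2.9 service=vpn
2019-07-13T09:06:00Z kernel: link state change on eth0
2019-07-26T03:14:07Z auth: user=asmith result=failure src=203.0.113.5 service=vpn
2019-07-26T03:15:30Z auth: user=asmith result=success src=203.0.113.5 service=vpn
2019-07-30T11:00:00Z auth: user=ASMITH result=success src=10.1.2.20 service=fileshare
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) service=(?P<service>\S+)$"
)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_termination_access(log_text, leavers):
    """Return one alert per auth event by a leaver that occurred after their termination time.

    Usernames are compared case-insensitively, because directory logins are
    often case-insensitive and a mixed-case login must not slip past the check.
    """
    termination = {user.lower(): parse_ts(ts) for user, ts in leavers.items()}
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not an authentication record
        user = match["user"].lower()
        if user not in termination:
            continue  # current employee, nothing to flag here
        event_time = parse_ts(match["ts"])
        if event_time <= termination[user]:
            continue  # activity before the leaver left is expected
        alerts.append({
            "user": user,
            "time": match["ts"],
            "result": match["result"],
            "src": match["src"],
            "service": match["service"],
        })
    return alerts


def summarise(alerts):
    """Count alerts per leaver, which is what an analyst triage queue wants first."""
    counts = {}
    for alert in alerts:
        counts[alert["user"]] = counts.get(alert["user"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_post_termination_access(SAMPLE_LOG, LEAVERS)
    for alert in found:
        print(f"ALERT {alert['time']} {alert['user']} {alert['result']} "
              f"from {alert['src']} on {alert['service']}")
    print(summarise(found))
```

A check like this is only as good as the leaver feed that drives it, which is the process half of the same point: if HR never records the termination, the detection has nothing to join against.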

"No single method, tool, or service will ensure complete security coverage for any FSI organisation," said the Synopsys survey. "The only correct approach is the one that aligns with, supports, and protects the business."
