Although 2014 had plenty of bad cybersecurity news for everyone — including large retailers, hotel chains, and even the US Postal Service — financial services companies were hit especially hard. They are often in hackers’ crosshairs due to the numerous checking and savings accounts they handle and the vast amount of sensitive and enticing customer information in their databases.
A global survey by Kaspersky Lab and B2B International showed that from April 2013 to May 2014 a full 93% of financial services organizations dealt with cyberthreats.
Banking heavyweight J.P. Morgan’s bad 2014 news made major headlines: It announced that the contact information for 76 million households had been compromised, although the corporation insisted that sensitive bank information was not part of the breach.
Cybersecurity budgets in the financial services sector are substantial and are getting larger. The Wall Street Journal reported on a PricewaterhouseCoopers (PwC) survey that said spending on cyber defense in 2014 would total $4.1 billion. Over the next two years, the 758 companies in the survey said they would likely increase their spending by 10% to 20%, leading to $1.3 billion to $2.6 billion more in their collective budgets by 2016. The PwC survey also said that the number of financial firms reporting losses over $10 million increased by 140% from the previous year.
In this Tech Pro Research article, we look at cybersecurity trends affecting the financial services industry, along with elements of a robust security posture and recommended business practices and policy changes from sources including Booz Allen, DTCC, and Kaspersky Lab.
The following list summarizes the highlights from this article:
- Increasing risks from third-party network contacts
- Deeper and more integrated security approaches
- More use of big data in crime and fraud analysis
- Carrier mitigation services for protecting a financial services internet site
- Network segmentation strategies for defending against APT attacks
- Defining and guarding critical IT infrastructure
- Cybersecurity frameworks from NIST and SANS
- Proactively hunting cyberthreats
- Good network hygiene to keep systems healthy
A look at the future: Financial cybersecurity trends
If 2014 was bad, what will the future look like? In its annual financial cybersecurity trends report released last November, consulting firm Booz Allen attempted to clarify that picture. Here are the seven most relevant trends for North American banks and financial firms.
Third-party risk on the rise. Any contemporary enterprise — financial services included — has a digital network of partners, vendors, and other third parties. The security posture of important third parties in the financial and banking vertical can either promote or detract from a company’s cybersecurity. 2014 had its share of examples, and regulators are applying more pressure to financial services firms to mitigate these risks. Booz Allen projects a shift in 2015 toward “active cyber risk mitigation and monitoring with third parties,” as opposed to the existing “self-certification” process that is less robust. Security will have to be an integral part of any product and solution provided by a third party, with regular testing and updates.
Fusion center approach. An integrated approach to cybersecurity has until now been easier said than done. A new method is gaining traction, which could greatly benefit financial services firms: the fusion center. The concept is to integrate different and relevant teams, such as fraud, cyber, IT, physical security, and product development, in order to boost intelligence and shorten response time for more efficient risk mitigation.
“Criminals are quick to understand rules and the way data is stored in silos. Common patterns we see are criminals either flying under the rules radar, going undetected by older security systems, or flying between silos. That’s why the fusion center concept is so important. It’s critical to combine signals across channels and combine both network and business data to classify fraud in real-time.”
Defense in depth. Perimeter-based defenses have already shown their limits, and enterprises are realizing that greater protection of sensitive and critical data inside the walls is essential. The trend toward “defense in depth” cybersecurity solutions will increase in 2015. The goal is to make raw data, such as debit card PINs, useless to an attacker who does manage to obtain it; supporting technologies include tokenization and smart cards.
Alternate payment risk exposure. The increase of electronic and wireless payment options, thanks to consumer popularity, creates more targets for cyberattacks. Supporting technologies include Bluetooth and NFC (near-field communications). Banks and financial firms have to assume that breaches will occur and take a holistic approach to protecting data involved in alternate payment schemes.
Big data analysis in cybercrime. Big data is disrupting the traditionally labor-intensive cybercrime analysis playbook. Financial companies are increasingly reaping the benefits of big data tools that provide real-time analysis across multiple data sets, speeding up the response time to threats and reducing costs.
Jason Trost of threat intelligence provider ThreatStream predicts that the Fortune 500, and financial, energy, and healthcare companies in particular, will make more use of big data SIEM solutions built on Hadoop or on platforms like Splunk. Given the stakes, those technologies will reinforce existing defenses rather than replace them. Trost also projects that APT (advanced persistent threat) tools and approaches will be the “new norm” for cybercrime in 2015.
Use of wargaming for response prep. In addition to existing testing methods, Booz Allen projects that financial services companies will borrow preparation and simulation practices from the military. It notes the use of wargaming as a method for better understanding how to defend themselves from cyberattacks.
Change in privacy expectations. Beyond PII (personally identifiable information), privacy will increasingly come to include the data that individuals generate as they use the internet and mobile devices: transactions, locations, and online behavior. Consumers are expecting this level of protection, though regulation does not require it. Booz Allen notes an opportunity for customer loyalty and competitive advantage for those firms that provide it.
Components of a robust security posture
The Depository Trust & Clearing Corporation (DTCC) is a leading post-trade market infrastructure for the global financial services industry. In October 2014 it published a report titled “Cyber Risk–A Global Systemic Threat.” Here are the five components that in DTCC’s view make up a “high-maturity” cyber defense program.
Internet threat mitigation. A solid internet presence has become critical for financial services firms, both for transacting business and for brand reputation. Carrier mitigation services, which may be offered by an internet provider, detect the telltale spikes in traffic that identify a DDoS attack and can deflect the malicious traffic while permitting access to legitimate users.
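As an added illustration of the rate-based detection such a service performs (example code written for this article, not a description of any carrier’s product), the following Python script buckets constructed web access-log lines by second, learns a request-rate baseline from the first few seconds, flags any later second whose volume exceeds a multiple of that baseline, and builds a block set that excludes clients seen during the baseline so known users keep access. The log format, the IP addresses (taken from the RFC 5737 documentation ranges), the threshold factor, and the baseline window are all assumptions.

```python
"""Rate-based flood detection over web access logs, with an allowlist for
clients seen during normal traffic.  Added example with constructed log lines;
not a description of any carrier's mitigation product."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format: "<ISO-8601 timestamp> <source_ip> <method> <path> <status>"
SAMPLE_LOG = [
    # three seconds of normal traffic: two known clients, two requests per second
    f"2014-11-05T09:00:0{s} 198.51.100.1{i} GET /login 200"
    for s in range(3) for i in range(2)
]
SAMPLE_LOG += [
    # a burst of 30 distinct new sources in one second (constructed attack)
    f"2014-11-05T09:00:03 203.0.113.{i} GET / 503" for i in range(1, 31)
]
SAMPLE_LOG += [
    "2014-11-05T09:00:03 198.51.100.10 GET /accounts 200",  # known client during the burst
    "2014-11-05T09:00:04 198.51.100.11 GET /accounts 200",  # traffic back to normal
]


def parse_line(line):
    """Split one log line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, method, path, int(status)


def bucket_by_second(lines):
    """Return {second: Counter(source_ip -> request count)} in time order."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip, _method, _path, _status = parse_line(line)
        buckets[ts][ip] += 1
    return dict(sorted(buckets.items()))


def detect_flood(lines, baseline_seconds=3, factor=5.0):
    """Flag any second whose request volume exceeds `factor` times the mean
    rate of the first `baseline_seconds` seconds (assumed to be normal traffic).

    Returns (flagged_seconds, block_set, allow_set).  Sources active during the
    baseline are treated as trustworthy and never enter the block set, which is
    how legitimate users keep access while the flood is deflected.
    """
    buckets = bucket_by_second(lines)
    seconds = list(buckets)
    if len(seconds) <= baseline_seconds:
        raise ValueError("not enough traffic to establish a baseline")
    baseline = seconds[:baseline_seconds]
    baseline_rate = sum(sum(buckets[s].values()) for s in baseline) / len(baseline)
    allow = set()
    for s in baseline:
        allow.update(buckets[s])
    flagged, block = [], set()
    for s in seconds[baseline_seconds:]:
        if sum(buckets[s].values()) > factor * baseline_rate:
            flagged.append(s)
            block.update(ip for ip in buckets[s] if ip not in allow)
    return flagged, block, allow


if __name__ == "__main__":
    flagged, block, allow = detect_flood(SAMPLE_LOG)
    print("flagged seconds:", [s.isoformat() for s in flagged])
    print("allowed (seen in baseline):", sorted(allow))
    print(f"block set: {len(block)} sources, e.g. {sorted(block)[:3]}")
```

Two caveats a practitioner would add: a carrier works on flow records at the network edge rather than on application logs, and volumetric floods often use spoofed sources, so a per-source block set is only meaningful for attacks that complete a connection. The baseline here also assumes the log begins during normal traffic; in practice it would be learned from a much longer history.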
Perimeter and internal network protection enhancements. The second component involves actively seeking cyberthreats at the perimeter of an enterprise and in its internal IT environment. Robust cyber defense includes building internal capabilities and gaining outside information, which can come from three sources:
“Community-driven sources, such as the Financial Services Information Sharing and Analysis Center (‘FS-ISAC’) which enables bi-directional sharing of information, such as the technical indicators of compromise from attempted intrusions at other financial firms.
“Government sources, including the Department of Homeland Security’s (‘DHS’) US Computer Emergency Response Team; the National Cybersecurity and Communications Integration Center; the FBI’s Domestic Security Alliance Council Cyber Watch; and the US Secret Service Electronic Crimes Task Forces. These groups publish information from government sources and critical infrastructure service providers.
“Commercial providers, comprising numerous commercial intelligence services that focus on specific industries or types of threat actors.”
The information from these sources gives financial services firms a broader perspective on what is occurring in the threat landscape, as well as what they can do internally. The information is actionable because cybersecurity pros can add it to their analytics systems and see whether their IT environment has been infected by identified malicious software or is communicating with a dangerous source. Likewise, mature cyber defenders share their own security data with community sources for better collective defense.
Redundant IT infrastructure — physical vs. cyber event. Financial services firms and market infrastructures have enhanced their protection from natural disasters and catastrophic physical attacks over the last 15 years by operating data centers in different geographic locations. But there is a potential risk in data replication across multiple centers because data corrupted by a successful cyberattack could be replicated across a firm’s infrastructure by the very systems designed to protect it from physical events. DTCC calls on financial services firms and their security teams to apply the current approaches to physical events to destructive cyberattack scenarios.
Protection against APT attacks. APT attacks are on the rise. In many cases the actors are nation states with a wealth of resources and capabilities that they can apply to economic and even military goals. In an APT attack, the nation state can employ advanced tradecraft and malware to penetrate or degrade an organization’s network, and the limited resources available to a single company make it hard to defend against an adversary with government backing. APT attacks typically gain a foothold on one system and then expand privileges and access to other systems. DTCC notes that a “network segmentation strategy” can help defend against this horizontal (lateral) propagation and minimize the potential damage.
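To make the segmentation point concrete, the following added Python example (written for this article, not taken from the DTCC report) computes the lateral-movement blast radius of a single compromised host under a flat network, a segmented policy, and a tighter one. The seven-host inventory, the segment names, and the allow-list of segment-to-segment management paths are constructed assumptions.

```python
"""Lateral-movement blast radius of one foothold under different segmentation
policies.  Added example with a constructed inventory; not from the DTCC report."""
from collections import deque

# Constructed inventory: host -> network segment.
HOSTS = {
    "wks-01": "workstations", "wks-02": "workstations",
    "jump-01": "admin",
    "app-01": "app", "app-02": "app",
    "db-01": "data", "db-02": "data",
}

# Constructed segmentation policy: (source segment, destination segment) pairs
# the firewall permits for management and lateral-movement protocols (SMB,
# RDP, SSH, WinRM, ...).  Anything not listed is denied, including traffic
# inside a segment, so intra-segment pairs must be listed explicitly.
SEGMENTED_POLICY = {
    ("workstations", "app"),                                   # users reach the app tier
    ("admin", "workstations"), ("admin", "app"), ("admin", "data"),
    ("app", "data"), ("app", "app"), ("data", "data"),
}

# Tighter variant: users reach the application only through its published
# HTTPS front end, which is not a management path, so the workstations->app
# management rule is dropped.
TIGHT_POLICY = SEGMENTED_POLICY - {("workstations", "app")}


def flat_policy():
    """A flat network: every segment may reach every segment."""
    segments = set(HOSTS.values())
    return {(a, b) for a in segments for b in segments}


def reachable(foothold, policy):
    """Breadth-first search from a compromised host over permitted paths.
    Worst-case assumption: wherever the network allows a management
    connection, the attacker also has credentials or an exploit for it."""
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        src = queue.popleft()
        for dst, dst_segment in HOSTS.items():
            if dst not in seen and (HOSTS[src], dst_segment) in policy:
                seen.add(dst)
                queue.append(dst)
    return seen - {foothold}


def blast_radius(foothold, policy):
    """Number of additional hosts an attacker can reach from `foothold`."""
    return len(reachable(foothold, policy))


if __name__ == "__main__":
    for name, policy in [("flat", flat_policy()),
                         ("segmented", SEGMENTED_POLICY),
                         ("tight", TIGHT_POLICY)]:
        print(f"{name:9s} from wks-01: {sorted(reachable('wks-01', policy))}")
    print("segmented from jump-01:", sorted(reachable("jump-01", SEGMENTED_POLICY)))
```

The numbers show why segmentation has to be designed around the paths an attacker would actually use: under the segmented policy the app-to-data rule still carries a workstation foothold into the database tier, and a foothold on the jump host reaches everything, so admin segments need the strongest controls and the smallest set of permitted destinations.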
Market infrastructures leverage private communications networks. Market infrastructures can use private networks for high-value and high-volume communications, which provide more availability and stronger protection against cyberattacks. DTCC itself, for example, operates a private data network for its participants that is separate from the internet.
Industry recommendations: Infrastructure, frameworks, and threats
The DTCC report presents the following recommendations for the financial services industry.
Define critical infrastructure. Financial services firms need to clarify and enhance protections of their critical IT infrastructure. For US companies, there is a definition included in Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued by the White House in February 2013. The Order defines critical IT infrastructure as those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Review existing cybersecurity frameworks. DTCC recommends that financial services firms review existing cybersecurity frameworks to determine the best fit for their organizations. The National Institute of Standards and Technology (NIST) Cybersecurity Framework was written for critical infrastructure operators. Other frameworks include the SANS Institute’s Critical Security Controls and the US National Security Agency’s Top 10 Information Assurance Mitigation Strategies.
Proactively seek threats. Instead of checklists, organizations need to shift their cybersecurity program toward proactively hunting for threats. Meeting existing requirements and addressing known threats will not provide adequate protection in the current cybersecurity environment. Hackers are moving too fast for legacy solutions to keep up with new attacks and methods.
Master network hygiene. The Australian Signals Directorate (ASD) found that at least 85% of the targeted intrusions it responds to could have been prevented by the following four mitigation strategies:
- Use application whitelisting to help prevent malicious software and unapproved programs from running.
- Patch applications such as Java, PDF viewers, Flash, web browsers, and Microsoft Office.
- Patch operating system vulnerabilities.
- Restrict administrative privileges to operating systems and applications based on user duties.
Establish a single metric for network hygiene. DTCC says that financial services firms should create a single metric that both management and IT can use to drive and track network security and hygiene. The Common Vulnerability Scoring System (CVSS) is one candidate: it assigns each vulnerability a severity score, which can be used to prioritize and measure application patching.
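As an added worked example (not from the DTCC report), the following Python code computes CVSS v2 base scores from vector strings, the CVSS version in use when the report was published, and rolls them up into one hygiene figure: the percentage of hosts with no high-severity finding older than the patch SLA. The findings inventory, the 7.0 threshold, and the 14-day SLA are constructed assumptions.

```python
"""CVSS v2 base scores from vector strings, rolled up into one patch-hygiene
figure.  Added example; the findings inventory below is constructed and is not
data from the DTCC report."""
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQUIRED_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a dict, rejecting malformed input."""
    metrics = {}
    for item in vector.split("/"):
        name, _, value = item.partition(":")
        if not value:
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        metrics[name] = value
    if set(metrics) != REQUIRED_METRICS:
        raise ValueError(f"expected exactly {sorted(REQUIRED_METRICS)} in {vector!r}")
    return metrics


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    if impact == 0:
        return 0.0  # f(Impact) = 0: no impact means a score of zero
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Constructed vulnerability findings: one row per (host, component), with the
# CVSS v2 vector reported by a scanner and how many days the finding has been open.
SAMPLE_FINDINGS = [
    {"host": "wks-01", "component": "Java runtime", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "age_days": 45},
    {"host": "wks-01", "component": "PDF viewer",   "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "age_days": 20},
    {"host": "wks-02", "component": "Web browser",  "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "age_days": 3},
    {"host": "srv-01", "component": "OS kernel",    "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "age_days": 90},
]


def hygiene_report(findings, sla_days, threshold=7.0):
    """Single hygiene number for management and IT: the percentage of hosts with
    no finding scoring >= `threshold` that is older than the patch SLA.
    Also returns the offending (host -> [(component, score)]) detail for IT."""
    hosts = {f["host"] for f in findings}
    overdue = {}
    for f in findings:
        score = base_score(f["vector"])
        if score >= threshold and f["age_days"] > sla_days:
            overdue.setdefault(f["host"], []).append((f["component"], score))
    clean = len(hosts) - len(overdue)
    percent = round(100.0 * clean / len(hosts), 1) if hosts else 100.0
    return percent, overdue


if __name__ == "__main__":
    percent, overdue = hygiene_report(SAMPLE_FINDINGS, sla_days=14)
    print(f"hosts within patch SLA for high-severity findings: {percent}%")
    for host, items in overdue.items():
        print(f"  {host}: {items}")
```

CVSS rates the severity of a vulnerability, not the exposure of the asset that carries it, so a fleet metric should also be driven by patch timeliness and asset criticality, as this one is by SLA age. CVSS v3, published in 2015, uses a different formula and weights, so the scoring function above must not be applied to v3 vectors.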
Financial cybersecurity recommendations
In its “Financial cyberthreats in 2014” report, Kaspersky Lab makes these recommendations to businesses on how to protect themselves from financial cyberattacks:
- Use only reliable security solutions on all workstations within a company, define distinct policies for different categories of users, and track user activity logs on all devices.
- Employ mobile device management (MDM) systems to govern how employees use devices during financial transactions to protect them from potential cyberthreats.
- Use multifactor authentication technology during online financial transactions and avoid services that lack these technologies.
- Update all security solutions and anti-threat measures regularly. Cyberattackers are constantly innovating their methods.
- Teach employees, in particular those working with finances, the essentials of cybersecurity.
- Deploy a specialized anti-fraud solution both within an IT infrastructure and on employee mobile devices to prevent financial attacks before they happen.
In its report, DTCC advocates that national and regional policymakers move aggressively to address global cyberthreats. It suggests:
- Coordinated action at all levels of government around the world to address cyberthreats and orchestrate public policy. DTCC calls for a regime that serves the purposes of safety, cyber resilience, and information sharing.
- The creation of national definitions of “critical infrastructure” so that cybersecurity programs effectively protect against threats and systemic risks.
- A coordinated notification regime that emphasizes information sharing and cooperation among regulatory authorities and industry partners.
- Clarity in the purpose of notification regimes. If the purpose is consumer protection, the content required to support it will be different from the content needed to help protect critical infrastructures from attacks. Combining these purposes in one notice will probably fail.
- Building global industry working groups to collaborate with national regulators on developing cybersecurity regulations that address “the real-time and evolving nature of cyber threats.” Cyberattackers are operating at a far more rapid pace than those making policy decisions.