Financial institutions are in a race against cybercrime, and today’s cybercriminals are doing all it takes to come in first. For hackers, the ultimate prize is gaining access to data that can be sold to global criminal organizations. This data includes:
- User login credentials at target institutions
- Consumer data including email, phone and credit card information
- Intellectual property
- Time-sensitive data that can be monetized on the stock market
In addition, cybercriminals can receive commissions for redirecting unsuspecting users to malware delivery web sites.
To get an idea of the scale of this problem, the 2012 Norton Cybercrime Report revealed that cybercrime cost Canadians $1.4 billion within a recent 12-month period, with the average victim losing $169. Meanwhile, Financial Review reported that US banks lost $890 million to bank robbers in 2011 but a staggering $12 billion to cybercriminals.
Distributed Denial of Service Attacks: A Diversionary Tactic that Gives Criminals Access to Your Most Valuable Information
Distributed Denial of Service (DDoS) attacks have become the most public campaign against banks, with groups such as Anonymous and Al Qassam, as well as nation states, attacking leading financial institutions. While some groups stage DDoS attacks as a form of protest, others are using these attacks as a diversionary tactic to gain access to information that can be monetized.
The attackers hope to make victims so busy dealing with the DDoS attacks that they leave the back door open, so the attackers can steal valuable customer lists and credit card information. The Spamhaus attack, in the reported 300Gbps range, demonstrated the potential threat the Internet poses to online organizations via DNS reflection attacks. There are reportedly 21 million misconfigured DNS servers that can be used as a base for further attacks.
BankInfoSecurity.com recently reported that, “Increasingly, U.S. banking institutions are reluctant to acknowledge – much less discuss – the ongoing DDoS attacks against their online services. Perhaps that’s because they’re concerned that consumers will panic or that revealing too much about the attacks could give hacktivists information they could use to enhance their DDoS abilities.”
Advanced Persistent Threats: Hackers Won’t Stop Trying Until They Break into Your Network
Advanced Persistent Threats (APTs) pose a huge challenge to financial institutions, because the hackers won’t stop until they find a way to break into the network. It may take weeks, months or years, but they’ll eventually get in.
APTs are perpetrated via phishing attacks, infected URLs or waterholing (compromising a normally safe website that the victim frequents). The combination of inadequate patching processes for browsers and plugins (e.g. Java, PDF and Flash), along with the extensive tools available to create malware that can subvert antivirus, URL filtering and IPS defenses, means criminal organizations are having a field day.
Many organizations believe that since they don’t see problems with their existing security controls, then their data must be protected. This approach plays organizations right into the criminals’ hands.
One of the biggest challenges of APTs is being able to even detect the attack and then to determine who is behind it, as perpetrators often disguise their IP addresses to hide their identities. In most cases, forensic investigators need access to the remote criminal’s servers to assess the amount of data that was extracted. Another challenge is protecting data from a growing number of global hackers, as crimeware kits give inexperienced hackers and criminal gangs the tools they need to quickly set up shop.
APTs also have the ability to work around URL filtering tools. Perpetrators can bypass some of this protection by enabling malicious websites the morning after the phishing emails have gone out. This prevents the malware protection tools from identifying the new threats during their scan and gives criminals a window of opportunity until these sites are identified.
How Can You Protect Your Financial Data from Cyber Attacks?
While it’s crucial to take basic security measures, such as using URL filtering, intrusion protection and anti-virus solutions, many attacks get around these tools. That’s why you need additional threat intelligence to learn if someone is targeting your institution. Here are five measures that will help protect your network from cyber attacks:
- Establish an intelligence sharing and incident response system between the groups that would act in unison during an attack.
Communications plays a key role in helping you protect your network, as the earlier you receive a warning, the better you can prepare for an attack. According to BankInfoSecurity.com, inter-bank and industry communications are particularly helpful if your financial institution is targeted later in a DDoS attack, as you can learn from the prior attacks and suffer less severe outages than those targeted earlier. The U.S. government’s Cyber Intelligence Sharing and Protection Act (CISPA) is one step in sharing this information. However, many are concerned about the potential use of CISPA to further spying efforts.
Your financial institution’s incident response team should partner with the following groups to develop a threat intelligence network that warns of impending or current attacks against brands, executives or customer data:
- The financial community, including banks, transaction organizations and insurance firms
- The government
- Utilities companies, especially power and communications
- Critical security vendors – especially the ones that you currently use
- Law enforcement agencies
- External threat feed intelligence sources
The Financial Services Information Sharing and Analysis Center already encourages collaboration on critical security threats facing the financial sector. Meanwhile, the Canadian Cyber Incident Response Centre (CCIRC) provides cyber intelligence to the government, critical infrastructure operators, international counterparts and IT vendors.
Encourage your carriers to implement RFC 2827, published as Best Current Practice (BCP) 38, which describes how carriers can implement network ingress filtering to block spoofed DDoS traffic originating from their own networks. All ISPs should implement it to protect everyone effectively, as this control stops spoofed attacks that originate from compromised cloud servers with access to large pipes. If the financial community requested this from their immediate ISPs, smaller ISPs might also be required to add this protection as a condition of interconnecting with others (peering connections).
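The ingress-filtering rule BCP 38 asks carriers to apply is simple enough to model in a few lines. The following is an added example, not code from the original article: the interface names, prefixes and packets are constructed (documentation address ranges only), and the fail-closed default for unknown interfaces is this example’s own choice.

```python
import ipaddress

# Constructed example: the prefixes a carrier has assigned to each customer-facing
# interface. Source addresses arriving on an interface must fall inside its prefixes.
INTERFACE_PREFIXES = {
    "cust-A": ["192.0.2.0/24"],
    "cust-B": ["198.51.100.0/25", "2001:db8:100::/48"],
}


def build_filter(prefixes):
    """Pre-parse the per-interface prefix lists into ip_network objects."""
    return {iface: [ipaddress.ip_network(p) for p in nets]
            for iface, nets in prefixes.items()}


def ingress_allowed(filt, iface, src):
    """BCP 38 / RFC 2827 check: permit the packet only if its source address lies
    inside a prefix assigned to the interface it arrived on. Unknown interfaces
    fail closed (this default is our assumption, not part of the RFC)."""
    nets = filt.get(iface)
    if nets is None:
        return False
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in nets)


def filter_packets(filt, packets):
    """packets: iterable of (interface, src, dst). Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        target = forwarded if ingress_allowed(filt, iface, src) else dropped
        target.append((iface, src, dst))
    return forwarded, dropped


# Constructed traffic. The third packet carries a bank's address (203.0.113.10) as its
# source while arriving from cust-A: the spoofed query a DNS reflection attack relies
# on. With the filter in place it never reaches the open resolver.
SAMPLE_PACKETS = [
    ("cust-A", "192.0.2.55", "203.0.113.53"),
    ("cust-B", "2001:db8:100::1f", "2001:db8::53"),
    ("cust-A", "203.0.113.10", "198.51.100.200"),
    ("cust-B", "192.0.2.7", "203.0.113.53"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(build_filter(INTERFACE_PREFIXES), SAMPLE_PACKETS)
    print("forwarded:", ok)
    print("dropped  :", bad)
```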
- Have a backup ISP
An article on BankInfoSecurity.com recommends that all financial institutions have a backup ISP that runs on a separate infrastructure. According to the article, “ISPs are often targeted in DDoS attacks, so institutional websites could be taken down, even if they aren’t the target. By having a backup ISP, an institution reduces its risk of having its website knocked out of service.”
ISPs offer different levels of DDoS protection, so you can pair a premium ISP with full DDoS “scrubbing” capabilities with a lower-tier service that covers availability issues such as cable cuts.
Also consider having border gateway protocol (BGP) peering between your ISPs, so you can blackhole a known bad IP immediately and have full control over which ISP servers and IP ranges are available to you.
- Train your employees to recognize suspicious emails
Since phishing and infected attachments are two of the main ways hackers gain access to financial data, it’s crucial to teach your employees how to spot potential attacks. You can do this by establishing a proactive and ongoing training program that builds your employees’ defences against phishing attacks. Consider augmenting the training campaign with actual self-generated phishing emails to keep employees keenly aware of the responsibility they have to protect the organization’s assets.
- Test Your Defenses
Another key to protecting your network from cyber attacks is to proactively assess and test the state of your defenses. You can perform quarterly external penetration tests on your network, applications and communications (e.g. your virtual private networks). Your user base is your first line of defense. If your organization cannot detect an unannounced external penetration test, how could it possibly detect a stealthy attacker? Such a test provides immediate feedback on control or process gaps in your defenses, which can support the business case for new controls. Ultimately, the business needs to assess the risk before adding new controls and the associated expense.
You should also review the state of your call centres and telephony systems and determine how you will maintain business continuity during a Telephony Denial of Service (TDoS) attack. Emergency centres and some bank call centres have been hit, and protection can be minimal at best.
- Take additional precautions against DDoS attacks and malware
When it comes to protecting yourself from DDoS attacks and APTs, you should also:
- Deploy tools that protect against overwhelming DDoS attacks at the carrier level, as well as lower bandwidth application-level attacks at the perimeter.
- Integrate all of your security control logs and events, as well as correlate these with log sources from sensitive or at-risk resources (e.g. databases, webservers, etc.).
- Add immediate context to your log management system by integrating threat feeds with IP, domain and URL blacklists of known malware sites. Ensure that any correlated blacklist event can be certified malicious to build a business case to clean or re-image suspect machines.
- Use behavior-based or sandbox malware protection tools. Since many malware detection tools can only detect things they’ve seen before, you need ones that look for suspicious behavior on the actual end point or in attachments that can be run in virtualized or sandboxed environments.
- Add application intelligence and user identity awareness to your Internet traffic monitoring and/or firewalls to assess or control the Internet applications (potentially malicious, personal or business) on your network. With DHCP, Citrix, smartphones and VPN users (as examples) changing IP addresses so often, it becomes a resource nightmare to quickly assess the risk of specific suspicious activity and then track it down to a specific user.
- Encrypt all end points (laptops, workstations, servers, smartphones, etc.) to minimize the risk of data loss when a device is lost or stolen.
- Encrypt all attached devices to protect against data loss (USB, DVD, CD, etc.).
- Encrypt the storage area of your sensitive data and intellectual property to ensure that backups, as well as lost or other storage mechanisms, are not a vehicle for loss.
- Add security controls to examine encrypted connections that would normally bypass existing controls. Understand that SSL inspection only decrypts standard SSL tunnels and will not decrypt custom encryption protocols that are used by criminals, Skype, etc.
- Consider adding Data Leakage Protection (DLP) to control what data the end point can accidentally or maliciously push down invisible or encrypted connections.
- Monitor and control your wireless space to ensure no “invisible” channels of communication are available from either rogue access points or smartphone hotspots.
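The two log-related items above (integrating security logs, then enriching them with threat-feed blacklists so a hit can be certified before a machine is re-imaged) can be shown as one small correlation pass. This is an added example, not code from the original article: the proxy log format, the threat feed entries with their confidence scores and the sample log lines are all constructed using documentation ranges and example domains.

```python
import re
from collections import defaultdict

# Constructed threat feed (documentation ranges / example domains only):
# indicator -> (feed name, confidence 0-100), metadata real feeds typically carry.
THREAT_FEED = {
    "203.0.113.77": ("feed-A", 90),
    "dropper.example.net": ("feed-B", 85),
    "198.51.100.9": ("feed-A", 30),
}

# Constructed proxy log format: timestamp src_ip user host dst_ip http_status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<host>\S+) "
                    r"(?P<dst_ip>\S+) (?P<status>\d+)$")

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def correlate(lines, feed, min_confidence=50):
    """Match host and destination IP against the feed; attach the context (user,
    internal source, feed, confidence) an analyst needs to certify the hit.
    Indicators below min_confidence are left out of the alert list."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for field in ("host", "dst_ip"):
            hit = feed.get(ev[field])
            if hit and hit[1] >= min_confidence:
                alerts.append({"ts": ev["ts"], "src": ev["src"], "user": ev["user"],
                               "indicator": ev[field], "feed": hit[0], "confidence": hit[1]})
    return alerts

def suspect_machines(alerts):
    """Group hits by internal source so each machine can be triaged before re-imaging."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a["indicator"])
    return dict(by_src)

SAMPLE_LOG = [  # constructed proxy log lines
    "2013-05-01T09:00:01 10.1.1.20 jdoe www.example.com 192.0.2.10 200",
    "2013-05-01T09:00:05 10.1.1.20 jdoe dropper.example.net 203.0.113.77 200",
    "2013-05-01T09:01:10 10.1.1.31 asmith cdn.example.org 198.51.100.9 304",
    "garbage line that should be skipped",
]
```

Running suspect_machines(correlate(SAMPLE_LOG, THREAT_FEED)) yields only 10.1.1.20 with two high-confidence indicators; the 30-confidence hit on 10.1.1.31 stays below the threshold and is not raised.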
DDoS attacks and APTs are a growing concern for financial institutions. An ongoing risk assessment is required to ensure that your sensitive or critical assets (data, intellectual property, etc.) are protected with the highest capability security controls to meet your business risk tolerance. As the security threats change, your risk assessments need to keep pace.
With today’s threats, you must accept that your defenses will fail. You need a dedicated team (in-house or as a managed service) that can identify threats before the level of data loss becomes unmanageable. Nortel had an ongoing compromise for approximately 10 years. RSA, a security-focused company, was another prime example that no one is invulnerable.
Your organizational governance must support a security program that accepts the above and has the adequate security controls and processes in place to support it.
What about you? What do you think are the biggest threats to financial network security, and how would you protect yourself from these threats? Can you be sure that your intellectual property or sensitive data is not currently at risk? Please leave your comments and questions below.