According to a new report from Websense Security Labs, the average number of attacks against financial services institutions is 300 per cent higher than the number of attacks suffered by companies in other industries. Aside from the obvious financial incentives for hacking banks, criminals seek out financial services firms because they collect and store the greatest amount of personal customer information, making them a target with a very high ROI should they successfully carry out an attack. This makes it essential for banks to take an innovative approach to information security, while maintaining an awareness of the threat environment to help prevent future attacks.
Why are banks coming under attack?
Since computers began to process and store financial transactions, banks have become attractive targets for hackers. Tapping into a banking system allows a cybercriminal to obtain personal information and submit fraudulent transactions. Banks possess a huge database of customer data, including credit card information and email addresses, which they can use when planning for future attacks.
While banks pour millions of dollars into developing the highest-level security systems, one of the greatest vulnerabilities to banks remains their employees. For cyber criminals targeting banks, often all it takes to break into a system is an email. In fact, many of the world’s leading banks, including Barclays, HSBC, Lloyds Banking Group, RBS and Santander, have reported human error to be responsible for 93 per cent of breaches.
Here’s how it works:
A targeted attack on an organisation is often disguised to look like a message from a trusted source, such as a chief executive, or a high-ranking employee. Hackers regularly break into secure layers of an organisation by sending something as simple as a fraudulent request for an account statement or a series of requests that are passed on to a bank employee. In most spear phishing or Advanced Persistent Threat (APT) attacks, an email is specially crafted using sophisticated social engineering aimed at a specific individual from a target organisation. In order to make it more convincing, the email is customised to the employee, referencing the people or businesses that they know.
Once a bank employee or an executive clicks on an email and opens an attachment, the attachment exploits vulnerabilities, providing an opening for a wave of malware that provides hackers access to a bank’s network and give them unauthorised access to the bank computers. This enables them to steal sensitive – and very valuable – information. Once installed, this malware can bypass strong authentication technologies, collect user information, and provide fraudsters with the information they need to access a bank’s sensitive information.
Beefing up security for bank IT
With banks coming under increasing pressure to enhance their security, bank IT security professionals must take the precautions needed to ensure that client information is kept safe. Below are several guidelines to keep in mind.
- Sanitise all incoming emails – Incoming emails, especially those with commonly used attachments such as PDF or Office documents, must be cleansed of all threats, known and unknown, before entering the bank’s network. The easiest way to take control over a system is to trick users into opening an innocent looking document from a “trusted” sender.
- Use Active Content Disarm based security – With hackers implementing evasion techniques into their attacks, security solutions need to be able to disarm active content from innocent looking documents in order to completely neutralise any attack on the network.
- Invest in long-term solutions – Make sure that your security measures can handle today's – and tomorrow’s – threats such as Sandbox evasion malware, email spoofing, social engineering and more. Hackers are always looking for new ways to attack the system.
- Explore advanced authentication techniques – Imposters are not only malicious criminals sending you emails, but they also attach infected files to their emails. Make sure that your security solution can authenticate the files you receive against vendor specifications.
- Properly train your employees – One would be amazed to learn how many data breaches could have been prevented had employees been properly trained. Not only should cyber security training happen regularly, but it may even prove beneficial to publish monthly or quarterly reminders to keep security at the forefront of everyone’s mind in order to make security practices part of the bank’s culture.
- Limit data access to only those that need it – Since the human element is more difficult to control, it’s important to grant access to only the necessary data and to be conscious of how it’s used and shared.
- Be sure to use a combination of security measures – There is no one tool that can defend from all cyber threats. It is recommended to equip computers and other system components with the most up-to-date firewalls and antivirus software. A secure email gateway (SEG) with zero-day exploit prevention capabilities can also monitor emails being sent to an organisation for unwanted content and prevent these messages from being delivered. This technology is able to scan all incoming files and remove malicious codes, including undisclosed and zero-day exploits, helping banks stay protected.
- Make sure to check updates and news regarding hardware – Hardware should be kept up to date as technology improves. One needs to look no further for proof of this than what happened to Juniper and Fortinet, where it was discovered that backdoors in the physical gateways had gone undetected in the software since 2012.
- Deploy the latest technology to defend against the latest threats — Make sure that all of your security solutions are up to date with the latest anti-hacking technologies, such as Sandbox evasion capabilities.
While following these guidelines will not guarantee 100 per cent protection against cyber attacks, implementing even a couple of these will boost your bank’s ability to defend itself against today’s sophisticated cyber attackers.
Itay Glick, Founder and CEO of Votiro
Image Credit: Shutterstock/Oleksiy Mark