According to a recent UK financial industry study, financial services firms faced an unprecedented level of cyberattacks in the past year, and many of those attacks were successful. The report found that while banks and financial services providers were able to prevent a reported £705.7 million worth of fraud in the first six months of 2018, cybercriminals still succeeded in stealing more than £503 million from UK financial institutions.
Financial organisations tend to have the reputation of having some of the most mature overall cyber security practices, and a willingness to invest in modern security solutions to protect their data and networks. Still, the financial industry faces an uphill climb.
Data shows banks and financial institutions struggle to stay on top of application security, but it is not for lack of trying. The financial industry has the largest population of applications under test and thus the hardest time fully addressing the flaws they find.
The latest State of Software Security report (SoSS) from Veracode revealed the financial services industry is one of the slowest when it comes to addressing common vulnerabilities found in software. The report resulted from an annual analysis of 70,000 application scans of our customers over a 12-month period, and showed financial services companies on average took 29 days to address a quarter of their vulnerabilities; they also took a further 573 days to remediate all vulnerabilities. Comparatively, the healthcare, retail, technology and government sectors all remediate flaws more quickly.
Leading vulnerabilities in the financial sector
The analysis also revealed that a notable 67 per cent of current applications used by banks are at risk from information leakage attacks. This refers to applications that can reveal sensitive data which attackers can use to exploit other web applications or their users. This is concerning given that global financial institutions are consistently a favourite target of attackers. Further, code quality issues affect 62.7 per cent of applications in the sector, while cryptographic issues affect 61 per cent.
The use of third-party applications and open source components to build applications, without proper incremental scanning of those components, further compounds the potential vulnerabilities in the application layer of financial services institutions.
How can financial service organisations lower their cyber risk?
There are steps financial organisations can take to work toward lowering the risk they face with unsecured software.
Fixing flaws quickly matters: the speed at which organisations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The faster organisations close vulnerabilities, the less risk software poses over time.
Consider all dimensions of risk: the sheer volume of open flaws within enterprise applications is too staggering to tackle at once. This means that organisations need to find effective ways to prioritise which flaws they fix first. While many organisations are doing a good job prioritising by flaw severity, they are not effectively considering other risk factors such as the criticality of the application or exploitability of flaws.
Collaboration between security and development is critical: the practice of security and development teams working in close collaboration to improve software security, known as DevSecOps, is beginning to prove its worth. The more often an organisation scans its applications for flaws per year, the faster security fixes are made. The frequent, incremental changes brought forth by DevSecOps make it possible for these teams to fix flaws lightning fast compared to a traditional development team.
Address all vulnerable components: enterprises still struggle with the occurrence of vulnerable open source components within their software. As organisations tackle bug-ridden components, they should consider not just the open flaws within open source libraries and frameworks, but also how those components are being used. Some component flaws may have mitigating factors if they’re not being used in such a way that the flaw is exposed to exploit.
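The three points above (fix speed, prioritising on more than severity, and judging component flaws by how the component is actually used) can be made concrete with a small ranking routine. The following Python is an added illustration, not Veracode's scoring model or any part of the report: the weights, the `Finding` fields, the sample findings and the closure times are all constructed for this example.

```python
"""Risk-based prioritisation of open application-security findings.

Added illustration only: a finding's place in the fix queue depends on flaw
severity, the business criticality of the application it sits in, and how
exploitable it is, including whether a vulnerable open source component is
actually used in a way that exposes the flaw. All weights are assumptions.
"""
import math
from dataclasses import dataclass

SEVERITY = {"critical": 5, "high": 4, "medium": 3, "low": 2, "informational": 1}
CRITICALITY = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    """One open flaw. Field names and weights are assumptions for this example."""
    id: str
    app: str
    severity: str
    app_criticality: str          # business criticality of the application
    exploit_public: bool          # a working public exploit is known to exist
    internet_facing: bool         # the application is reachable from the internet
    reachable: bool = True        # third-party component: is the vulnerable code path used?
    days_open: int = 0


def risk_score(f: Finding) -> float:
    """Rank a finding by severity x application criticality x exploitability.

    A component flaw whose vulnerable code path the application never exercises
    keeps only a quarter of its base score: it stays on the list, but behind
    flaws that are actually exposed to exploit.
    """
    base = SEVERITY[f.severity] * CRITICALITY[f.app_criticality]
    if not f.reachable:
        return base * 0.25
    multiplier = 1.0
    if f.exploit_public:
        multiplier += 1.0
    if f.internet_facing:
        multiplier += 0.5
    # Small age term so long-open flaws do not sit indefinitely behind
    # equal-scored newcomers (capped at one year).
    return base * multiplier + min(f.days_open, 365) / 365


def prioritise(findings):
    """Return findings in fix order, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def days_to_close_fraction(days_to_close, fraction):
    """Days by which `fraction` of the closed findings had been fixed.

    Mirrors the 'days to fix a quarter of flaws' style of metric quoted above;
    `days_to_close` holds one closure time (in days) per fixed finding.
    """
    if not days_to_close or fraction <= 0:
        return 0
    ordered = sorted(days_to_close)
    count = min(len(ordered), math.ceil(fraction * len(ordered)))
    return ordered[count - 1]


# Constructed sample findings (not real scan data).
SAMPLE = [
    Finding("F1", "online-banking", "high", "high", True, True, True, 40),
    Finding("F2", "internal-reporting", "critical", "low", False, False, True, 200),
    Finding("F3", "online-banking", "critical", "high", True, True, False, 10),
    Finding("F4", "payments-api", "medium", "high", False, True, True, 5),
]

# Constructed closure times in days for eight fixed findings.
SAMPLE_CLOSE_DAYS = [5, 10, 20, 29, 60, 120, 300, 573]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.id:4} {f.app:20} {f.severity:9} score={risk_score(f):6.2f}")
    print("25% closed by day", days_to_close_fraction(SAMPLE_CLOSE_DAYS, 0.25))
    print("100% closed by day", days_to_close_fraction(SAMPLE_CLOSE_DAYS, 1.0))
```

Ranking the constructed sample by severity alone would put the two "critical" findings first; the weighted score instead puts the high-severity, internet-facing flaw in the critical online-banking application at the top and pushes the critical component flaw whose vulnerable code path is never called to the bottom, which is the point made in the list above.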
Stronger cyber security practices in the UK financial sector
Additionally, organisations can opt not to connect critical systems to the internet. If this approach is not possible because it affects the functionality of the business, an alternative approach could involve compartmentalising internal networks. Using this method would protect an organisation in that a successful attack may only compromise one compartment rather than spreading broadly across the IT infrastructure.
Unlike other sectors, many financial institutions need to be able to demonstrate a regime of manual penetration testing to regulators. In some cases, banks will choose to place greater emphasis on manual detection and classification of risk compared to those issues found through automation. Resolution of risk identified by the human may go higher in the priority list as a result.
This may create a counterintuitive incentive for large banks to spend more budget and management cycles on labour-intensive techniques that yield a lower return in terms of the business outcome that matters: reduction of business risk. It is recommended that these financial institutions ensure they are dealing with the low-hanging fruit that can easily be found by scan automation, rather than spending the majority of their treasured resources on the most exotic, and therefore least likely, attack vectors found by humans, whether employed directly or through bug bounty programs.
Finally, UK financial institutions should heed the call from UK Finance, an industry leadership group comprised of more than 250 firms, to collaborate with peers, law enforcement, and regulatory bodies to combat cyber attacks by sharing cyber intelligence. Financial institutions should follow the practices outlined above to improve security within, and can strengthen the industry as a whole by communicating with one another on best practices and new threats.
Paul Farrington, EMEA CTO, Veracode