Banks’ cyber resilience requires ongoing review against escalating threats
The news last month (June) that the Luuuk malware had snared its first victim, an unnamed European bank, has again highlighted the magnitude of the challenge facing the banking sector. While the reported theft of €500,000 over the course of a week certainly does not break any records, the discovery of what is believed to be a variant of the feared Zeus banking malware is just the latest in a line of increasingly sophisticated cyber attacks, writes Seth Berman, executive managing director of Stroz Friedberg.
Greater cooperation between law enforcement, regulators, banks and security specialists has long been identified as a prerequisite for strengthening individual institutions’ cyber resilience. The recent decision by the Bank of England to introduce the CBEST vulnerability testing framework must, therefore, be welcomed. Furthermore, a degree of progress is also being made in identifying and disrupting the criminal gangs wreaking havoc across the banking industry. Earlier this month (July), domains and servers behind the Shylock Trojan were successfully targeted as part of an initiative co-ordinated by the UK National Crime Agency.
Despite greater co-ordination and awareness, individual institutions cannot afford to let their guard down. Hackers are not only getting better at finding and exploiting technical vulnerabilities, they are also becoming experts in exploiting the human weaknesses of both customers and bank employees. After researching a few specific individuals within a bank, attackers can launch a sophisticated spear phishing email tailored to them. With professional social networks and corporate websites offering a multitude of personal information, hackers are able to exploit employees’ lack of vigilance and mount a convincing attack. Once an employee takes the bait, the phishing email provides the initial point of entry through which the hackers deploy further malware.
Perhaps of even greater concern are the attacks known as Advanced Persistent Threats (APTs). These are highly sophisticated, long-term attacks on corporate networks, commonly perpetrated by state-sponsored or quasi-state-sponsored entities, that quietly penetrate a network and steal key data. Such attacks are very difficult to prevent and, once they occur, are likely to remain undiscovered for many months. During that period the attackers have nearly unfettered access to the systems they have compromised.
Faced with heightened cyber risks, banks must ensure they regularly review and test their existing incident response strategies. The review must identify key assets and potential weaknesses in physical and computer security, with the goal of developing a plan to reduce those vulnerabilities. Such assessments are far more all-encompassing than traditional IT audits. Compliance with a particular security standard is a useful starting point, but it is not enough. Traditional IT audits alone create a real danger that the business will fall victim to ‘security standard checklist syndrome’, where the demands of the standard are met but the overall security posture fails to address the actual risk landscape. A comprehensive security assessment will ensure that the focus of the security effort is in the right place.
It is important to recognise that the problem of cyber security is not one that the IT team alone can solve. Good security requires not only sufficiently robust and correctly targeted IT budgets, but users who are aware of the threat and of their role in preventing it. Phishing attacks succeed only when users click a link or open an attachment in a rogue email, and they will be prevented only where users recognise the damage such actions can do. Despite what we all may wish, realistically, IT alone cannot prevent such attacks.
A culture change is needed, where users understand that they are as much responsible for security as the IT department itself. There needs to be better dialogue between the IT team and users – starting with educating users about not only the specifics of the relevant IT policies, but the reason for having these. Only if users understand why certain restrictions have been introduced will they avoid circumventing existing policies, thereby creating new attack vectors. As part of this process, it should also be made clear to users that any concerns should be reported immediately, without any repercussions.
The financial services industry remains a firm favourite with cyber criminals. Banks are viewed as lucrative targets, and it takes only a single successful penetration of a system before the victim may be forced to start counting the financial, regulatory and reputational cost of an attack. To minimise such risks, banks must ensure they fully understand the rapidly shifting threat landscape and take steps to review their preparedness at all levels.