Paul Pratley, Investigations Manager from Verizon asks if firms are prepared to take control of their security
You may think that the threat of an electronic attack is receding; you’d be wrong. Attackers are just getting smarter. Today’s global economy has streamlined commerce for both corporations and consumers, and financial systems are readily accessible worldwide. But this availability also opens opportunities for cybercriminals, who are becoming increasingly adept at stealing stored data, data in transit and encrypted data. The challenge for all organisations is to remain alert and stay one step ahead.
More insight into this world of cybercrime is now available. Verizon’s 2014 Data Breach Investigations Report (DBIR) has identified the attack threat patterns that are specific to each industry, and is opening up a more focused and effective approach to fighting the cybercriminal.
The current threat landscape
After analysing 10 years of data during our Data Breach Investigations Report series, we realise most organisations still cannot keep up with cybercrime – and the bad guys are winning. But by applying big data analytics to security risk management, we can begin to bend the curve and combat cybercrime more effectively and strategically.
Verizon security researchers, using advanced analytical techniques, have found that 92 percent of the 100,000 security incidents analysed over the past ten years can be traced to nine basic attack patterns, the use of which varies across vertical markets. Most importantly we found that on average, just three threat patterns cover 72 percent of the security incidents in any industry.
The nine threat patterns are identified as: miscellaneous errors such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; Web app attacks; denial of service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.
The specific threat to finance
Organisations in the finance and insurance industry face some unique challenges with regard to information protection. While not immune to routine opportunistic attacks by miscreants who continually scour the Internet for easy pickings, their status as a high-value target means they attract significantly more directed and tenacious criminal attention. Because of this, they typically have a higher degree of maturity around security controls and processes.
When all things are considered, dealing with security incidents may seem like the smallest of concern when the very existence of financial institutions has been on the line. Yet, a successful attack on a financial institution could leave irreparable damage - quantifiable in tangible items such as stolen or misappropriated resources, but also in the more intangible yet hugely significant aspect of brand image and reputation.
We found that just three of the nine threat patterns discussed cover 75 percent of security incidents experienced by financial services organisations. These are:
#1 Web application (web app) attacks – found in 27 percent of analysed incidents
For example – where attackers use stolen credentials or exploit vulnerabilities in web applications — such as content management systems (CMS) or e-commerce platforms.
#2 Denial of service (DOS) – found in 26 percent of analysed incidents
DOS attacks use armies of “botnets” of PCs and powerful servers to overwhelm an organisation’s systems and applications with malicious traffic, causing normal business to grind to a halt.
#3 Skimming – found in 22 percent of analysed incidents
For example - criminals tampering with a card payment device to install a “skimmer” that automatically captures a customer’s card data, usually ATMs that are targeted.
Put simply, improving defences against these three areas could help financial organisations substantially lower their risk. It seems simple, and it is - by looking at each attack pattern in detail, organisations can tailor their security strategies to target these specific areas.
Attack #1 – web app
Financial companies increasingly rely on web-based tools to delivery their services. From personal and corporate banking to insurance, payments and trading, most banking services are now accessible through the browser. This makes them extremely vulnerable to this type of attack.
In the wake of the financial crisis, there is still a lot of ill-will toward banks and other financial institutions and this can explain why, in our 2014 dataset, just under two out of every three web app attacks were attributable to activist groups driven by ideology. These attacks have more to do with causing disruption and damage than with stealing payment card data.
Technically speaking, web app attacks are difficult to defend against as attackers have a huge variety and combination of techniques available to breach these online systems.
What can organisations do?
Use multi-factor authentication. This should not just be applied to customers but for all administrative access.
Consider switching to a static CMS. Instead of executing code to generate the content for every request, pre-generate pages to reduce the opportunity for exploits.
Enforce lockout policies. Locking accounts after repeated failed login attempts will help to thwart brute-force attacks.
Monitor outbound connections. Unless a company’s server has a good reason to send millions of packets to a foreign government’s systems, lock down the server’s ability to do so.
Attack #2 - DOS
The scale of DOS attacks has gone up 115% since 2011, as attackers have refined their methods. In the past, malware was often used to co-opt the PCs of unwitting home users into the criminal’s botnet. Now, attackers are targeting servers. These are more powerful and have high-bandwidth connections, allowing the attacker to mount much bigger attacks.
While DOS attacks are rarely connected to attempts to steal data, they can still be extremely damaging to a company’s reputation and business operations. DOS attacks can take down online banking, quoting and policy management trading platforms, even internal systems that might be exposed to the internet. The impact of these systems going down for an hour, let alone a day, the costs of lost productivity and time spent on remediation can be enormous.
Our data shows that DOS attacks affect all kinds of companies, from large to small, high to low in profile.
What can organisations do?
Segregate key assets. Keep the most important systems on a separate network circuits so they won’t be compromised by an attack targeting other servers.
Test anti-DOS services. Don’t install-and-forget about them.
Have a plan. Key operations teams need to know how to react if there is an attack. Oragnisations should also have a backup plan in case their primary anti-DOS service doesn’t work.
Attack #3 - Skimming
The organised criminal groups responsible for skimming attacks are getting extremely sophisticated in their tactics — some use 3D-printing technology to create replicas of ATM fascias that are incredibly difficult to tell from the real thing.
These can be installed in seconds, and wirelessly send card details back to the criminals. As a result, most breaches are only detected after customers notice fraudulent activity on their accounts. But there are still actions organisations can take to defend against these attacks.
What can organisations do?
Use tamper-resistant terminals. ATMs are increasingly designed with this in mind.
Use tamper-evident controls. Automated video monitoring can detect visual anomalies.
Encourage users to be vigilant. Have them report their concerns immediately.
Inspect ATMs frequently. Have staff inspect ATMs as often as possible to reduce the window in which a skimmer could be in place.
Staying alert to attack
Organisations across every vertical need to realise no one is immune from a data breach. The battle against cybercrime is one that is still in progress, and attackers have their eyes firmly on the prize of the rich data that financial institutions hold. Combine this with the longer time it is taking organisations to identify compromises– often weeks or months, compared with the minutes or hours it takes to be infiltrated – then more targeted action needs to be taken.
To reduce the risk, businesses need to implement the basic tenets of an information risk management program and maintain this initial investment over time. From networks to data defence technology basics such as firewalls; anti-virus technology; identity and access management, as well as the non-technical aspects of security and risk management policy and process development.
Application vulnerability scanning services are a software-as-a-service (SaaS) offering that enables companies to identify web application vulnerabilities before they’re exploited. A DOS Defense Detection and Mitigation services analyses traffic at the network level and PCI Compliance can help organisations transform their technology and processes to help protect card data from skimming and web-based attacks.
In a nutshell, be on the offensive and not the defensive as cybercrime certainly exists. Don’t believe for an instant that it will go away.