External attack surface is the new frontier in security

By Ben Harknett | 13 May 2015

Trust and stability are of the utmost importance to financial institutions. The relationship between a borrower and lender e.g. a bank and its customers, is the foundation of modern commerce. The dawn of the digital age has seen more pressure placed on financial institutions to make sure that trust, security and stability is paramount when customers are interacting with an institution’s digital footprint.

The digital footprint organisations in the banking and finance sector have is growing at an exponential rate. It’s now common place for consumers to be interacting with banking institutions online, via mobile applications and social media.

In a recent study we undertook at RiskIQ it was revealed that on average, financial institutions have 7,500 assets, each that are accessible in the open web or in app stores - of these over 60% of web assets were hosted externally, on external servers outside the IT department’s control. This is a worrying thought when we trust that every interaction we have as consumers with financial organisations is secure.

The External Attack Surface

When it comes to information security the most prominent strategy many organisations, regardless of sector, choose to follow remains an in-depth defense approach tied to the belief that the perimeter to be defended is the firm's firewalls and internal networks.

Assets hosted outside of an organisations firewall present a new challenge to the security professional, as company assets spread beyond this safe point they present an external attack surface which can be used to target this organisation or brand.

Unsurprisingly, this external attack surface is far more expansive than the internal one, often by several orders of magnitude as the interactions between consumers and financial institutions  are increasingly happening on the web, via mobile applications and on social media platforms and organisations are responding by developing new digital assets, many of which reside outside the firewall; on hosted web platforms, in mobile app stores and on social media sites.

As part of our study, which looked at 35 top banks and financial institutions to find out more about the external attack surface organisations in the banking sector have. To quantify this we performed a detailed analysis of the web assets and mobile applications associated with those organisations,  checking for potential security issues and weaknesses.

It's often the case that threats against an organisation's external digital footprint can be segmented by the delivery system used to reach the user and the source of the vulnerabilities. Delivery systems include redirecting or farming websites and web assets, brand spoofing via unauthorised websites, or phishing emails. Common sources of vulnerability included software and communications security flaws, scripting languages, third-party components and libraries, and uncontrolled asset hosting which can lead to an injection of rogue or compromised assets, software bugs, etc. 

When it comes to externally hosted assets we found that 93% of Banks had assets hosted with cloud-based IaaS providers such as Amazon Web Services or Rackspace. While 94% were incorporating code from one or more third-party analytics/tracking services which could pose a security risk. For example, Gigya was hacked by the Syrian Electronic Army (SEA) in November 2014 using a DNS redirect, leading to the website defacement of a number of well known commercial sites. 

The survey also found that seven out of 10 banks (70 percent) were also running their own digital ads using third party ad serving technology. Similarly, 94 percent incorporated code from one or more third-party JavaScript libraries, which is seen as a common attack vector. In fact, jQuery, the world's most used JavaScript library, has been attacked several times.

The Mobile Banking Movement

The world is becoming ever more mobile and the banking and finance industry are embracing this by allowing customers and employees to engage with their services with greater flexibility regardless of location. The consequence from a risk perspective is a growing external attack surface for cyber-criminals to exploit.

Our research uncovered 1,777 mobile applications for the institutions studied, an average of to 51 per bank. However, only 6% of these mobile apps were found in the official app stores (Google Play, Apple App Store, Windows Phone Store, etc). The rest were scattered through a secondary tier of app distribution sites, making it difficult or impossible to tell if updates or security patches would reach customers and if they had any foreign tampering along the way.

Of those discovered, 80% of the apps required users to grant them 10 or more permissions, typically in excess of what was needed for app functionality. These permissions often grant unnecessary access to functions such as a user’s contact or a recording tool. 

As the research shows, the modern banking industry  brings with it more digital exposure and therefore more digital risk. In response, security teams need to develop an effective external threat management programme as a core component of their overall security capability. This means an “outside looking in” approach that strives to protect users of digital channels and the integrity of the digital brand in addition to protecting corporate assets.

By Ben Harknett, VP EMEA, RiskIQ

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development