What organizations are at the greatest risk of cyber attacks? Governments and financial institutions immediately come to mind, due to the types of information they have access to. The Trend Micro research report, "Spear-Phishing Email: Most Favored APT Bait," found evidence to support this perception: governments were by far the most frequent targets of advanced persistent threats, with 65 incidents in its sample. Activist groups were a distant second with 35 instances, while financial firms (10) came in fifth place, narrowly behind heavy equipment (22) and aviation (13).
Of course, cyber criminal activity over the last year and a half has illustrated that retailers – Target, Home Depot, etc. – and the entertainment industry – Sony Pictures, most notably – are also at risk. Individuals could have their financial information stolen at a store by a compromised point of sale terminal, or via data that was improperly secured and then leaked by an organization. Theft doesn't necessarily have to start with a bank, given how payment card information is now distributed across so many channels, devices and services.
Banks feel pressure from targeted attacks, zero-day exploits and security oversights
Banks, however, are still under much more pressure from cyber criminal activity than many other institutions. In the report "Security Prediction for 2015 and Beyond: The Invisible Becomes Visible," Trend Micro researchers predicted that targeted attacks in the coming years would continue to exploit banks and payment systems in particular.
How would such a targeted attack look in practice? The methodology for a target like a bank might go as follows, as outlined by the Trend Micro research paper, "Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime":
- Intelligence is gathered about the target. Attackers may pick an organization based on geographic location and then compile information about what applications it uses and what kinds of relationships exist between its teams.
- Perpetrators then look for a point of entry. Email (via spear-phishing), instant messaging and especially social media provide many potential avenues into the organization's networks.
- Backdoors may be set up so that cybercriminals can establish command-and-control infrastructure. Accordingly, they can find and exploit weaknesses in the network at a later time.
- As time goes on, the network is scoured for valuable assets. Lucrative targets are then isolated for exfiltration.
- The selected data is then exfiltrated. The actual transmission may be done all at once or gradually to avoid detection by cyber security systems.
Going forward, there will be increased focus from banks on network security solutions that can gather real-time data by analyzing all ports and many commonly used protocols. Custom detection engines and sandboxes will be critical for identifying command-and-control infrastructure, malware infections and other risks that can elude traditional defenses.
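The lifecycle above ends with command-and-control traffic and an exfiltration step that may be a single burst or a slow trickle, and this paragraph calls for detection engines that watch every port rather than one protocol. The script below is an added example, not code from Trend Micro or from the reports cited: it runs two simple detectors over a constructed set of outbound-connection records (invented host names, documentation-range IP addresses, and invented byte counts), one for fixed-interval beaconing to a single external destination and one for exfiltration in both its burst and low-and-slow forms. The thresholds are assumptions and would need tuning against a real baseline.

```python
"""Two defender-side detectors over outbound connection records.

Record layout (all constructed for this example): (timestamp, source host,
destination address, destination port, bytes sent out).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Constructed records, built so each detector has exactly one thing to find."""
    t0 = datetime(2015, 3, 2, 9, 0)
    recs = []
    # ws-17 -> 203.0.113.7:443 roughly every 60 s for an hour: beacon-like timing.
    for i in range(60):
        jitter = (i % 3) - 1  # -1, 0, +1 seconds
        recs.append((t0 + timedelta(seconds=60 * i + jitter), "ws-17", "203.0.113.7", 443, 512))
    # ws-17 -> 198.51.100.20: 30 transfers of 2 MB at irregular gaps, 60 MB in total.
    # No single transfer is large, so only the daily aggregate gives it away.
    for i in range(30):
        recs.append((t0 + timedelta(minutes=17 * i + (i * i) % 11 + 5), "ws-17", "198.51.100.20", 443, 2_000_000))
    # db-03 -> 198.51.100.44: 900 MB pushed within six minutes, a bulk burst.
    for i in range(3):
        recs.append((t0 + timedelta(minutes=3 * i), "db-03", "198.51.100.44", 22, 300_000_000))
    # ws-22: ordinary browsing, irregular timing and small sizes (should stay quiet).
    for i, mins in enumerate([0, 7, 31, 33, 58, 90, 142]):
        recs.append((t0 + timedelta(minutes=mins), "ws-22", "192.0.2.%d" % (10 + i), 443, 40_000 + 1_000 * i))
    return sorted(recs)


def find_beacons(records, min_connections=20, max_cv=0.1):
    """Flag (src, dst, port) triples contacted often at a near-constant interval.

    The coefficient of variation (stdev / mean) of the gaps between connections is
    close to zero for a scheduled beacon and much larger for human-driven traffic.
    Returns [(key, mean_gap_seconds, cv)] for every triple under max_cv.
    """
    by_key = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_key[(src, dst, port)].append(ts)
    hits = []
    for key, times in sorted(by_key.items()):
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((key, round(avg), round(cv, 3)))
    return hits


def find_exfiltration(records, burst_bytes=500_000_000, burst_window=timedelta(minutes=10),
                      daily_bytes=50_000_000):
    """Return (bursts, trickles) keyed by (src, dst, date).

    bursts:   at least burst_bytes sent to one destination inside one burst_window.
    trickles: at least daily_bytes sent over the day with no single burst, i.e. the
              'gradual' transmission the lifecycle describes.
    """
    by_key = defaultdict(list)
    for ts, src, dst, _, nbytes in records:
        by_key[(src, dst, ts.date())].append((ts, nbytes))
    bursts, trickles = [], []
    for key, items in sorted(by_key.items()):
        items.sort()
        total, j, burst_hit = 0, 0, False
        for ts, nb in items:  # sliding window over burst_window
            total += nb
            while items[j][0] < ts - burst_window:
                total -= items[j][1]
                j += 1
            if total >= burst_bytes:
                burst_hit = True
                break
        if burst_hit:
            bursts.append(key)
            continue
        day_total = sum(nb for _, nb in items)
        if day_total >= daily_bytes:
            trickles.append((key, day_total))
    return bursts, trickles


if __name__ == "__main__":
    log = build_sample_log()
    print("beacons:", find_beacons(log))
    print("exfiltration:", find_exfiltration(log))
```

The two detectors are deliberately independent: the beacon check ignores volume, because command-and-control check-ins are tiny, and the exfiltration check ignores timing, because a trickle can be spread over irregular gaps precisely to avoid looking like a beacon. Running both over the same per-host, per-destination aggregates is what lets the slow case surface without a single connection ever crossing a size threshold.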
Speaking of elusive threats, banks in particular have recently faced the challenge of dealing with zero-day exploits as well as exploitation of security oversights. In the United Kingdom, the Bank of England may have pressured some financial institutions to shore up their defenses against zero-day attacks, which take advantage of security flaws in software that has not been patched yet. In the U.S., last summer saw a limited breach of JPMorgan Chase after attackers discovered a single server that lacked two-factor authentication.
Assessing bank preparedness for targeted and zero-day attacks
These two incidents – one a preemptive action against attack and the other an actual breach – illustrate the ongoing challenges in protecting banks from cybercrime. Last year's widely publicized discussion of the risks associated with ATMs running Microsoft Windows XP turned out to be more hype than substance, but the topic revealed the many weak points in today's financial systems that require attention from cyber security teams:
- Aging software: Most of the world's ATMs ran Windows XP, originally released in 2001, through the middle of 2014.
- New modes of banking: Payment and other types of mobile applications will need to be secured against the risks facing wearable devices with Wi-Fi, Bluetooth and/or Near Field Communication.
- Cyber warfare: An all-out cyber war is still a relatively low risk compared to something like a run-of-the-mill phishing attack. However, intelligence agencies on both sides of the Atlantic have singled out banks for war games, underscoring the risk of such an event for banks.
- Disguised banking Trojans: Trend Micro researchers recently discovered banking Trojans disguised as legitimate ICS/SCADA software updates. Though heavy industry is more at risk from this particular development, it shows how financial malware is rapidly evolving.
Essentially, new issues such as targeted attacks and zero-day exploits have joined traditional threats such as malware infection, creating a complex risk environment for banks. Security experts have stressed the importance of banks preparing for zero-days and sharing information with government agencies and security firms. Such an information-sharing platform, called Cisp, already exists in the U.K.
"If I was a customer of that bank and they weren't protecting against zero day attacks, I'd take my money out of there," Steve Bell, a spokesman for security firm Bullguard, told The Guardian. "If a bank hasn't got defenses against zero-day attacks, they really don't have a handle on cyber security."
Individuals are typically not liable for fraudulent transactions on their accounts that result from cyber attacks. All the same, they should keep an eye on account activities and ensure that they are not amplifying the risk to their assets by entering bank account passwords over a public Wi-Fi network, for instance.
For banks themselves, security will continue to be an around-the-clock issue that necessitates a mix of mechanisms such as two-factor authentication to limit access, real-time network monitoring and close attention to new channels such as mobile and wearable devices. Given how many assets many of these institutions manage, as well as their centrality to the economies of their respective countries, it will be important for the banks to work with security firms, partners and government agencies as they evolve their defensive and proactive strategies.