2015 Data Breach Investigations Report found that two-thirds of all cyber-attacks against the finance industry over the last year followed just three basic patterns.
- Denial of Service attacks – which are designed to cause disruption or steal data by flooding online systems with data (accounting for 32% of incidents)
- Crimeware – which uses malicious software and phishing techniques to steal data such as passwords that allow them to take money (accounting for 16%)
- Web app attacks where attackers use stolen credentials or exploit vulnerable web apps to steal data (accounting for 14%).
Comment from David Flower, Managing Director Europe, Bit9 + Carbon Black:
“Banks are right to be worried, if a hacker is out to get them then it is only a matter of time, trial and error before they get in. One of the problems banks face is that they are very network focused, when endpoints are increasingly the target. Take JP Morgan Stanley, for example. In that breach, it was an employee device that was attacked, which was then used as a jumping off point to infect the rest of the network and exfiltrate data.
We only see the very tip of the iceberg when it comes to data breaches, but the vast majority slip under the radar unreported. Or worse, they aren’t discovered at all. With new regulation coming in – for example, the EU’s announcement earlier this week that it is recommending a Europe-wide framework for cyber security to protect essential services, like banking – banks are going to have to even more vigilant now that they will be forced to publicly declare any breaches which could have a serious impact on their customer relations and reputations.
Recent data breaches have already damaged trust. We surveyed over 2000 UK consumers earlier this year to see if they felt companies were doing enough to protect their data; the results were quite damning. 81% thought cyber-thieves might already have their data, with 63% being concerned that this meant they were at risk of becoming a cybercrime victim. The public mood is certainly on the side of there being more regulation and transparency and this new ruling does take us one step closer to that. But the research would suggest that the public wants to take things event further: 94% of UK consumers said they believe disclosure laws should go further and make it mandatory for companies to detect breaches and data loss faster.
This is why banks need to ensure they have multifaceted defences that not only prevent threats at the source of intrusion, but which also provide always-on continuous monitoring and recording on each and every endpoint, so that they can detect and respond to threats more quickly.”
Comment from Kevin Bocek, Chief Security Strategist, Venafi:
“Banks are critical to our everyday lives, yet their entire operation relies on digital systems – from payment terminals to mobile apps – so they’re right to prioritise it. This digital world, our entire system of trust on the internet, is based on cryptographic keys and certificates. These allow us to determine what we can and can’t trust; banks, in particular, have thousands of them. If they expire, or worse, are stolen, then chaos ensues. People won’t be paid, people can’t transact or go anywhere, society would literally collapse – keys and certs sit at the foundation of this digital economy.
However, most banks have no idea how many of these keys they have, whether they are still in use, if they have been compromised… it’s a real problem, and hackers know it. Over the past five years we have seen a huge rise in trust-based attacks on Certificate Authorities (CAs) that authenticate digital certs, but we are also seeing more of these keys being sold on the dark web with banks being a primary target. This spells big problems for banks. For a hacker, a digital certificate is a key to the kingdom – they can travel around through encrypted traffic, able to bypass firewalls and IDS systems by being apparently trusted, free to help themselves to whatever they want. The more banks try to protect themselves by encrypting connections, the more they could potentially add to the problem if they have no way to track and understand which of them can and can’t be trusted. Banks need to get a handle on this otherwise they are sitting ducks.”
[su_box title=”About Bit9 + Carbon Black” style=”noise” box_color=”#336588″]
Bit9 + Carbon Black is the market leader in next-generation endpoint security. The company expects that by the end of 2015 it will achieve $70M+ in annual revenue, 70 percent growth, 7 million+ software licenses sold, almost 2,000 customers worldwide, partnerships with 60+ leading managed security service providers and incident response companies, and integrations with 30+ leading security technology providers. Bit9 + Carbon Black was voted Best Endpoint Protection by security professionals in the SANS Institute’s Best of 2014 Awards, and a 2015 SANS survey found that Carbon Black is being used or evaluated by 68 percent of IR professionals. Companies of all sizes and industries, including more than 25 of the Fortune 100, use Bit9 + Carbon Black to increase security and compliance.[/su_box]
[su_box title=”About Venafi” style=”noise” box_color=”#336588″]
Venafi is the Immune System for the Internet™ and protects the foundation of all cybersecurity—cryptographic keys and digital certificates—so they can’t be misused by bad guys in attacks. In today’s connected world, cybercriminals want to gain trusted status and remain undetected, which makes keys and certificates a prime target. Unfortunately, most security systems blindly trust keys and certificates. Venafi patrols across the network, on devices, and behind the firewall, constantly assessing which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking those that are not.
As the market-leading cybersecurity company in Next Generation Trust Protection (NGTP) and a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to protect keys and certificates and eliminate blind spots from threats hidden in encrypted traffic. As part of any enterprise infrastructure protection strategy, Venafi TrustAuthority™, Venafi TrustForce™, and Venafi TrustNet™ help organizations regain control over keys and certificates by establishing what is self and trusted on mobile devices, applications, virtual machines and network devices and out in the cloud. Venafi protects Any Key. Any Certificate. Anywhere™. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, your business, and your brand. Venafi Threat Center also provides primary research and threat intelligence for attacks on keys and certificates.
Venafi customers are among the world’s most demanding, security-conscious Global 5000 organizations in financial services, retail, insurance, healthcare, telecommunications, aerospace, manufacturing, and high tech. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners, and Origin Partners.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.