The 2015 Data Breach Investigations Report found that two-thirds of all cyber-attacks against the finance industry over the last year followed just three basic patterns:
- Denial of Service attacks – which cause disruption by flooding online systems with traffic (accounting for 32% of incidents)
- Crimeware – malicious software, often delivered by phishing, that steals data such as passwords which attackers then use to take money (accounting for 16%)
- Web app attacks – where attackers use stolen credentials or exploit vulnerable web apps to steal data (accounting for 14%).
Comment from David Flower, Managing Director Europe, Bit9 + Carbon Black:
“Banks are right to be worried, if a hacker is out to get them then it is only a matter of time, trial and error before they get in. One of the problems banks face is that they are very network-focused, while endpoints are increasingly the target. Take JP Morgan Stanley, for example. In that breach, it was an employee device that was attacked, which was then used as a jumping off point to infect the rest of the network and exfiltrate data.
We only see the very tip of the iceberg when it comes to data breaches, but the vast majority slip under the radar unreported. Or worse, they aren’t discovered at all. With new regulation coming in – for example, the EU’s announcement earlier this week that it is recommending a Europe-wide framework for cyber security to protect essential services, like banking – banks are going to have to be even more vigilant now that they will be forced to publicly declare any breaches which could have a serious impact on their customer relations and reputations.
Recent data breaches have already damaged trust. We surveyed over 2,000 UK consumers earlier this year to see if they felt companies were doing enough to protect their data; the results were quite damning. 81% thought cyber-thieves might already have their data, with 63% being concerned that this meant they were at risk of becoming a cybercrime victim. The public mood is certainly on the side of there being more regulation and transparency and this new ruling does take us one step closer to that. But the research would suggest that the public wants to take things even further: 94% of UK consumers said they believe disclosure laws should go further and make it mandatory for companies to detect breaches and data loss faster.
This is why banks need to ensure they have multifaceted defences that not only prevent threats at the source of intrusion, but which also provide always-on continuous monitoring and recording on each and every endpoint, so that they can detect and respond to threats more quickly.”
Comment from Kevin Bocek, Chief Security Strategist, Venafi:
“Banks are critical to our everyday lives, yet their entire operation relies on digital systems – from payment terminals to mobile apps – so they’re right to prioritise it. This digital world, our entire system of trust on the internet, is based on cryptographic keys and certificates. These allow us to determine what we can and can’t trust; banks, in particular, have thousands of them. If they expire, or worse, are stolen, then chaos ensues. People won’t be paid, people can’t transact or go anywhere, society would literally collapse – keys and certs sit at the foundation of this digital economy.
However, most banks have no idea how many of these keys they have, whether they are still in use, if they have been compromised… it’s a real problem, and hackers know it. Over the past five years we have seen a huge rise in trust-based attacks on Certificate Authorities (CAs) that authenticate digital certs, but we are also seeing more of these keys being sold on the dark web with banks being a primary target. This spells big problems for banks. For a hacker, a digital certificate is a key to the kingdom – they can travel around through encrypted traffic, able to bypass firewalls and IDS systems by being apparently trusted, free to help themselves to whatever they want. The more banks try to protect themselves by encrypting connections, the more they could potentially add to the problem if they have no way to track and understand which of them can and can’t be trusted. Banks need to get a handle on this otherwise they are sitting ducks.”
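Bocek’s point is that a bank cannot judge which of its certificates can be trusted if it does not know what it has. The smallest useful form of that inventory is a check that walks every certificate in the estate and flags the ones that are expired, about to expire, or share a private key with another host (a stolen key then unlocks every host that reuses it). The Go program below is an added example written for this page; it is not code from the article or from Venafi. It builds four constructed self-signed certificates for hypothetical `example-bank.test` hostnames so that it runs offline, then runs the inventory check over them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Finding is one problem the inventory check raised for a certificate.
type Finding struct {
	Subject string
	Problem string
}

var serial int64 // simple counter so each constructed certificate gets a unique serial

// makeCert builds a self-signed certificate for a hypothetical host. These
// certificates are constructed for illustration only; they are not real bank certificates.
func makeCert(cn string, key *ecdsa.PrivateKey, notBefore, notAfter time.Time) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SampleFleet returns four constructed certificates: a healthy one, an expired
// one, one that expires in a week, and one that reuses the healthy certificate's key.
func SampleFleet(now time.Time) []*x509.Certificate {
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k3, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	year := 365 * 24 * time.Hour
	return []*x509.Certificate{
		makeCert("online.example-bank.test", k1, now.Add(-year), now.Add(year)),
		makeCert("legacy-api.example-bank.test", k2, now.Add(-2*year), now.Add(-24*time.Hour)),
		makeCert("mobile.example-bank.test", k3, now.Add(-year), now.Add(7*24*time.Hour)),
		makeCert("payments.example-bank.test", k1, now.Add(-year), now.Add(year)), // reuses k1
	}
}

// Inventory checks a set of certificates as of 'now' and reports what a key and
// certificate inventory should catch: already expired, expiring within warnDays,
// and the same public key (by SPKI fingerprint) sitting behind more than one certificate.
func Inventory(certs []*x509.Certificate, now time.Time, warnDays int) []Finding {
	var findings []Finding
	byKey := map[string][]string{} // SPKI fingerprint -> subjects that use that key
	deadline := now.Add(time.Duration(warnDays) * 24 * time.Hour)
	for _, c := range certs {
		cn := c.Subject.CommonName
		switch {
		case now.After(c.NotAfter):
			findings = append(findings, Finding{cn, "expired"})
		case deadline.After(c.NotAfter):
			findings = append(findings, Finding{cn, "expires within warn window"})
		}
		fp := sha256.Sum256(c.RawSubjectPublicKeyInfo)
		id := hex.EncodeToString(fp[:])
		byKey[id] = append(byKey[id], cn)
	}
	for _, subjects := range byKey {
		if len(subjects) < 2 {
			continue
		}
		for _, cn := range subjects {
			findings = append(findings, Finding{cn,
				fmt.Sprintf("shares public key with %d other certificate(s)", len(subjects)-1)})
		}
	}
	// Deterministic output regardless of map iteration order.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Subject != findings[j].Subject {
			return findings[i].Subject < findings[j].Subject
		}
		return findings[i].Problem < findings[j].Problem
	})
	return findings
}

func main() {
	now := time.Now()
	for _, f := range Inventory(SampleFleet(now), now, 30) {
		fmt.Printf("%-32s %s\n", f.Subject, f.Problem)
	}
}
```

Against the constructed fleet this reports `legacy-api` as expired, `mobile` as expiring within the 30-day window, and `online` and `payments` as sharing a key. In a real estate the input would come from scanning listeners and key stores rather than from `SampleFleet`, and the shared-key check is the one worth keeping even when expiry is already monitored: it is the signal that one compromised private key has a wider blast radius than one host.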