5 big IT threats facing financial institutions in 2015
2014 was a tumultuous year for cybersecurity, with a new headline seemingly every week regarding the latest data breach or newly discovered vulnerability in widely deployed software. With that, the start of a new year can be a great time to look ahead and try to determine what sorts of threats financial institutions and their customers may face in the upcoming 12 months. Below we've compiled a list of five threats we think will see increased importance in the upcoming year.
The past year has brought unprecedented levels of mainstream media attention to a number of zero-day vulnerabilities, including Heartbleed, Shellshock and Poodle. These vulnerabilities have taken advantage of long standing, but previously undiscovered, programming bugs in widely deployed software platforms. Due to the discovery and subsequent successful exploitation of these vulnerabilities, cybercriminals and nefarious nation state actors have begun to take a much closer look at these previously, typically ignored code bases. They have remained relatively unchanged for years, meaning that more similar attacks will be likely in the upcoming year.
The common theme with many of these newly discovered and highly popularized vulnerabilities is that they don't necessarily target Windows-based systems as many other successful attacks in the past have. Instead, they were discovered on software libraries that are present on a large number of networked devices and are often overlooked when developing a security model for a business. Going forward, it will be important that the risks associated with any networked device be taken into consideration when planning your network.
While there has been an influx of attacks aimed at Unix based systems in the past year Windows based systems are still the favored target, and with the 23.8 million installations of Windows Server 2003 (39 percent of the Windows Server installation base)1 facing an end of life date on July 14, 2015, it can be expected that we'll see an influx of attacks against the newly unsupported operating system during the second half of the year. We can also expect continued attacks against remaining XP installations, such as the attack this past year on Home Depot, which targeted point-of-sale devices running Windows XP embedded.
We will continue to see more sophisticated attacks on the most vulnerable part of a financial institution's network, their employees and customers. With multiple layers of protection from IPS devices and firewalls on the perimeter of most networks, attackers rarely attempt to directly attack properly secured networks directly (with the exception of the aforementioned zero-day vulnerabilities). Instead, they focus their efforts on compromising one or more workstations on the bank's internal network or the customer's workstations. From here the path to compromising confidential information is simpler and obtaining even standard user credentials can allow an attacker to run further attacks and escalate their privileges to that of an administrator on the network.
Continued proliferation of social media in the banking environment has greatly increased the amount of information an attacker can gather remotely on individuals within the bank. This information can then be used in creating spear phishing attacks targeted at individual employees who appear to be coming from a co-worker within the bank, but in reality, contains a link to a malicious website or include a malicious attachment disguised as something as innocuous as a spreadsheet. These same spear phishing attacks can be directed towards the bank's banks' customers often appearing to come from the bank itself. With the increase in advanced phishing techniques, solid employee and customer training in how to spot a potentially fraudulent message as well as steps that can be taken to verify the authenticity of a message will be important tools this year.
Credit/debit card theft
Financial institutions and their customers were affected by a multitude of breaches at retailers this past year. Retailers seemed to be compromised on nearly a weekly basis with Home Depot, Jimmy Johns, PF Changs, Michaels and many more (including the continued fallout from the 2013 Target breach) making headlines in 2014. In October 2014, Special Agent Jason Truppi of the FBI was quoted as stating that "In the past 12 months, over 500 million financial records had been stolen,"2 thanks in large part to the breaches listed above. The trend for the next year makes it look as though this is likely to continue, with retailers and other companies still relying on outdated and vulnerable point-of-sale terminals and not taking steps to properly secure their networks until after a breach occurs.
As financially-motivated cybercriminals continue to become more advanced, it will be even more important that networks are properly segmented and kept up to date, a study done by Kaspersky in 2014 estimates that even a small data breach can cost upwards of $720,000.3 Retailers and financial institutions should also look to move to chip-and-pin cards to provide a further layer of security, as these will begin seeing wide scale deployment this upcoming year.
Cryptolocker was a fairly widespread piece of ransomware that made headlines in 2014 and impacted financial institutions and their customers. Instead of covertly infecting a system and attempting to steal confidential information as most malware does, ransomware instead takes the opposite approach, encrypting files and displaying a very visible message on a system demanding payment for decryption. This type of attack has proven to be successful for criminals, with the creator of Cryptolocker receiving over $3 million in ransom payments for encrypted data.4 This year we will likely begin to see ransomware that is able to utilize a victim's credentials stored on their system to access cloud backup sites and encrypt data that is backed up remotely, making recovery without paying a ransom to the cybercriminals much more difficult. Ensuring all critical systems have cold backups that are available for use in a disaster recovery situation will be important in ensuring system recoverability.
One of the most historic attacks we saw this year involved another type of cyberextortion, the recent attacks on Sony by an undisclosed attacker which resulted in them pulling their movie, 'The Interview' from theaters. This was the first time that a large-scale incident of cyberextortion caused a business to take an action with significant monetary repercussions (at least in such a highly publicized way). Expect that other nefarious parties see the success that this relatively simple attack had in shaping the actions of a major corporation and attempt to duplicate their success, be it either for a payment not to release data or to attempt to coerce another party into action.
Attacks on mobile services
With mobile platforms continuing to become more popular for activities such as mobile banking, it's no surprise that attackers have started focusing more efforts on developing malware that targets mobile platforms. Mobile users oftentimes don't use the same level of caution when downloading applications and accepting windows that pop up than they would on a PC, leading to an environment that is easy for an attacker to take advantage of. This coupled with the relative lack of anti-virus solutions available on mobile devices has led to a 112 percent increase in malware samples detected in the past year by McAfee.5
As employees of financial institutions and their customers bring more mobile devices into their respective networks, it is important that proper precautions be taken ensuring that security of devices is addressed as well as management of the types of information transferred to and stored on them. An assessment that covers potential risks and benefits associated with the environment can help ensure that data is adequately protected.
1 Ditching Windows Server 2003 is Necessary if Not Easy
2 Officials warn 500 million financial records hacked
3 IT Security Risks Survey 2014: Business Approach to Managing Data Security Threats
4 Cryptolocker victims to get files back for free
5 2015 Threats Predictions