Financial Services Cybersecurity: Addressing the Horizontal Attack Surface

The financial services industry is a prime target for cybercriminals, yet significant security gaps persist. PwC’s Global State of Information Security® Survey 2017 notes that “41 percent of financial services respondents ranked assessment of security protocols and standards of third-party vendors as the top challenge to information security efforts”.

This is despite the fact that cybersecurity requirements for financial institutions are detailed and specific. Almost all financial services organizations are subject to the Gramm-Leach-Bliley Act (GLBA), requiring information security training, specific policies, scanning and other activities. The Payment Card Industry Data Security Standard (PCI DSS) applies only to companies that process card payments, and the Dodd-Frank Wall Street Reform and Consumer Protection Act was designed to protect consumer financial data. And now, the new General Data Protection Regulation (GDPR) adds another layer of privacy protection by imposing controls on any business that collects the personal data of EU citizens, including imposing the right of individuals to have their data wiped from systems. These new regulations are combined with severe financial penalties for failure to comply. The GDPR takes effect on May 25, 2018.

With industry-specific compliance requirements driving security spending and deployment, it’s natural to assume that best practices for securing access to sensitive data are different from vertical to vertical. However, that assumption may be changing. 

According to findings from Fortinet’s Global Threat Landscape report, much of today’s attack surface is shared across industries. This article describes today’s horizontal attack surface and shares best practices on how security leaders can mitigate network threats.

Cyber Crime Matures and Expands

Financial services organizations are adopting virtualization technology such as virtual private datacenters. They’re moving to the cloud. They’re adopting more and more IoT devices. More smart devices are connecting to the network. As they do so, the threat landscape continues to expand. The upshot is an increased overall potential of attack vectors that adversaries can take advantage of.

As this infrastructure broadens, financial services organizations are losing visibility and control into that infrastructure. Cyber criminals will use these blind spots to their advantage, and their success rate in penetrating the network will be much higher. At the same time, the cyber crime ecosystem is maturing. Crime-as-a-Service infrastructures enable adversaries to operate on a global scale at light speed. Malicious actors are using automation and sophisticated hacking tools that will increase the attack volume.

Three Key Trends

One report found that the median ratio of HTTPS (encrypted) to HTTP (non-encrypted) traffic hit a high mark of nearly 55 percent. This means that a higher percentage of communications are now encrypted. From a privacy perspective, this is great news. However, from a security perspective, organizations – including those in the financial services industry – don’t have visibility into that particular communication channel, which means it could be malicious. Adding to the problem, adversaries are using encrypted communications more and more as well, using what was created as a security measure to hide their activity.  

Encryption is the first important trend discovered in the latest report. The second is an increase in cloud applications. The median number of cloud applications used per organization was 62, which is roughly one-third of all applications detected. As financial services organizations use more and more of these cloud apps, their data is going to reside in the cloud. Again, this creates a loss of visibility into what’s happening to that data.  

The third trend, gleaned from cluster analysis, is that much of the attack surface is shared across all industries. With the exceptions of education and telco, the rest of the industries studied share that same attack surface. The analysis revealed that many of the same attack vectors bridged all regions as well as all industries. This makes it much easier for cyber criminals to leverage their automated tools across the entire attack surface that spans most industries than they would if the attack surfaces were different. The threat problem is truly a global as well as a horizontal problem now.

Best Practices

In light of attack capabilities that transcend traditional boundaries of region and industry, there are several best practices that will help financial services organizations mitigate network threats.

First, organizations must have visibility into the assets that they are responsible for securing. This involves reducing the attack surface, ensuring good vulnerability and patch management processes are in place, and—equally as important—understanding how assets are communicating with each other. It also involves situational awareness: a high degree of visibility into the network paired with a high level of understanding of the threats that the organization is facing.

Second, create a strategy for combatting the automated cybercrime ecosystem. Humans cannot operate at the speed and scale required to overcome automated threats, so organizations must fight automation with automation. That means getting technology controls working together and communicating across all attack vectors.

Finally, organizations will benefit from building relationships with peers outside of the region or the industry they operate in. Threat intelligence and successful mitigation tactics can be exchanged for the good of all.

Evolving the Security Landscape

The financial services industry today faces the same cyber threats as almost every other industry – the attack surface has truly become horizontal. Visibility and control over today’s infrastructures are diminishing as the number of potential attack vectors continues to grow across the expanded network landscape. This improves criminals’ chances of success, but IT finserv professionals can fight back with knowledge of the trends affecting the network and the implementation of sound practices – particularly automation. Going back to basics and expanding relationships beyond traditional boundaries will help create a more secure network.

Original article published in Banking.com and can be found here.

Read more on how to best prepare your organization for the General Data Protection Regulation (GDPR).