From the brazen $15 million cyberattack in Mexico on the SPEI payment messaging system to the ATM cash-out scheme in India that cost over $10 million, the financial industry suffered several high-profile cyber events in 2018. And despite continued success with proven methods like phishing and ransomware, cyber criminals persist in looking for new ways to breach security.
In fact, the biggest worry on the minds of financial services IT leaders for the last five years has been dealing with the evolution of internal and external cyber threats, according to research from Forrester. That evolution was the subject of CSI’s recent Semi-Annual Cybersecurity Update that I hosted with guest speaker Jeff Pollard, vice president and principal analyst from Forrester.
As we explored in the webinar, here are five cyber challenges that could be making headlines in 2019:
Security Breaches? There’s an App for That
In the last couple of years, Pollard says cyber criminals began changing the way they attempt to get inside IT environments. Instead of depending on users to help them gain access using collateral like phishing emails, attackers started directly hitting the infrastructure that hosts applications through SQL injection, cross-site scripting and other methods.
“Applications have become the primary way that attackers get inside our environments,” Pollard says. “Either software vulnerabilities in the infrastructure that the applications reside on, or the applications themselves, every line of code represents a new risk to your organization.”
The applications that face attacks are the ones that generate revenue, and because of this, Pollard says application development and application security are now receiving board-level attention, and boards actually have a fiduciary responsibility to be concerned about application security.
Bottom Line: Don’t stop monitoring and preparing for phishing attacks; the threat still exists. But motivated hackers going after applications are changing the attacks your institution could face in the next 12 months.
Not All Clouds Have Silver Linings
Utilizing cloud services can help financial institutions reduce expenses, boost system uptime and enjoy a slew of other benefits. But the migration to the cloud has not come without a few hiccups.
In 2017, Verizon confirmed that a misconfigured security setting on a cloud server, due to “human error,” exposed the data of more than 6 million of its customers.
Pollard says the Verizon incident is a reminder that cloud users must be cognizant of their provider’s storage server settings, making sure that they are set to private.
“Since cloud is becoming the standard, this is a huge responsibility,” Pollard says. “Incidents are only going to increase as developers spin up environments on the fly using container services.”
Bottom Line: The cloud enables data storage across several locations, which only increases risk and the scope of data that security leaders are responsible for. Make sure that data isn’t facing the public.
Are You a Good Bot or a Bad Bot?
Bots, which are automated programs that complete tasks online, are everywhere. There are good bots and there are bad bots. Financial institutions frequently use bots to enhance customer service, while bad bots are capable of committing digital ad fraud to the tune of millions of dollars per day.
Pollard says malicious bots are one of the biggest challenges financial services firms deal with. And as financial institutions increase efforts to connect and interact with customers through digital methods, they must understand exactly how the bots they employ work—and what their intentions are.
“It’s important to understand if something’s automated or if it’s a human,” Pollard says. “And if something is automated, is there a good bot or bad bot behind it? The financial services industry bears the brunt of this problem a lot more than other industries.”
Bottom Line: There are good bots and bad bots, and bad bots can attack your institution directly, or through a variety of indirect methods. Keep a close eye on the bots you use.
The Wrong Stuff
So what happens to data stolen during a breach like the previously mentioned Verizon incident? In many cases, compromised usernames, email addresses and passwords end up in the hands of cyber attackers, who then use that information to bombard websites, servers, etc., to try to gain access. This practice is known as credential stuffing.
Credential stuffing is different than a brute force attack, because in a credential stuffing attempt, attackers are using usernames and passwords that are known to have been good at some point, rather than randomly guessing credentials.
Pollard says credential stuffing is an emerging threat that will only get worse as the number of data breaches increases.
“We’re in the age of machine learning now, and I don’t think it’s going to be too long before someone effectively uses machine learning to guess what the next five passwords could be based on the previous 10 passwords,” Pollard says. “Then suddenly, it’s not password guessing. It’s prediction.”
Bottom Line: Don’t reuse passwords. Ever. Also, two-factor authentication should be implemented whenever possible to help combat credential stuffing.
Aggregation Can Be Aggravating
As data aggregation leads to bigger revenue, companies are trying to figure out how to capitalize on the data they collect—while governments try to figure out how to regulate it.
In May 2018, we saw the General Data Protection Regulation (GDPR) take effect in the European Union. That same month, Vermont became the first state to enact a law regulating data brokers. And in June 2018, California passed the California Consumer Protection Act (CCPA), which is considered the most comprehensive privacy law in the United States.
The element that ties these laws together is that they are jurisdictional in nature, meaning they pertain to the people with which a company does business, rather than the location where the company resides. Pollard says this jurisdictional model of regulation will become the norm going forward, and financial institutions will have to be diligent to stay on top of rapidly changing data regulation.
“As we see more and more states passing laws about privacy, we’re going to end up with a very complicated and fragmented landscape,” Pollard says. “This will make audits challenging, notification challenging, etc. And this will continue as long as there isn’t any federal oversight.”
Bottom Line: It doesn’t matter if your financial institution is located in a state where privacy laws don’t apply, because you may be conducting business with someone in a state that is covered by the law or regulation. You should become familiar with these laws now and start making preparations to address these emerging privacy requirements.
These cyber challenges drive home the point that keeping your financial institution safe and compliant is an ever-changing and complicated task. So is your institution evolving to keep up with it? To learn more about these cybersecurity issues, watch our Semi-Annual Cybersecurity Update on-demand.
Steve Sanders is vice president of Internal Audit for CSI. In his role, he oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. Steve is a CISA, CRISC, CRMA, and CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.