Cyber Actors Continue to Exploit Enterprise Vulnerabilities

  • by Steve Sanders
  • Oct 10, 2019

Exposing the Fraud Techniques Currently Favored by Cyber Criminals

Cybercrime isn’t much different from traditional crime. More often than not, the motive is purely financial. That objective drives cyber criminals to continuously evolve their tactics and techniques to ensure they are always making money and increasing their take.

Their gain leads to your loss—financial, operational and reputational. Moreover, it can result in a harsh regulatory enforcement action that further exacerbates such losses. For Equifax, this amounted to a $700 million settlement with the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission.

Financial institutions defending against yesterday’s methods put themselves at greater risk of such loss. Instead, they need to be as nimble in their cyber defenses as their adversaries are in their cyber offense.

How do you get there? To begin, you need to understand the latest cybercrime trends.

Email: The Most Popular Attack Vector

The easiest way to infiltrate a business continues to be through email because it is the primary means of internal and external communication at every enterprise. This ripe feeding ground allows criminals to replicate their attacks again and again across a multitude of organizations.

It also exploits the trust of employees, the very people with access to your systems and information. Aaron Boigon, executive vice president and chief information officer at Plumas Bank, explained the logic in our recent FinTech Focus podcast: “Rather than trying to brute force our technology, which is quite sophisticated to protect our networks, it is much easier for them to win over the trust of our employees.”

Furthermore, just when you get comfortable that you have trained your employees to spot a phishing attempt, cybercriminals adjust their techniques, setting up a constant game of cat and mouse. The only way to win is by staying abreast of their latest tricks. This currently includes the following:

  • Phishing 2.0: Not long ago, employees could be trained to watch out for typos, misspellings and non-native grammar mistakes as signs of phishing. That is no longer the case, as there are fewer tell-tale signs. Words are spelled correctly, grammar is sound, and logos and brand colors are often identical to the real thing. The criminals have significantly increased the level of sophistication in their traditional phishing attempts, so employees need to exert a higher level of discernment.
  • Lateral phishing: On top of that, cyber criminals are exploiting “lateral phishing.” As CSO Online explains, “Attackers use hijacked accounts they’ve recently compromised to send phishing emails to an array of recipients, ranging from close contacts within the company to partners at other organizations.” Because the email is coming from a known source, the recipient has no reason to suspect anything. Sometimes this technique even fools email protection systems, which further complicates matters.
  • Business Email Compromise (BEC) targets: BEC scams are not new, but cyber criminals are zeroing in on a new, seemingly lucrative, target—corporate executives. Those at the highest level of an organization are likely to have full access to systems and information. Fooling a busy executive with a BEC scam can yield a significant score for fraudsters. Unfortunately, the actual emails in these scams are also getting more sophisticated. ZDNet warns: “Now they’ve stepped up their game, sending BEC emails which don’t only contain a convincing name, but also a spoofed address which mimics that of the company in order to add more authenticity to attacks.”
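The spoofed-address trick described in the BEC item above is something an inbound-mail filter can screen for before the message reaches a busy executive. The following is an added example, not code from the article or from CSI: it classifies a From: header as internal, a lookalike of the company domain, a display-name impersonation, or plain external. The company domain and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumed company domain and constructed sample From: headers (not taken from the article).
COMPANY_DOMAIN = "examplebank.com"
SAMPLE_FROM_HEADERS = [
    '"Jane Doe" <jane.doe@examplebank.com>',              # genuine internal sender
    '"Jane Doe" <jane.doe@examp1ebank.com>',              # digit 1 substituted for letter l
    '"CEO examplebank.com" <ceo@mail-service.example>',   # company name only in the display name
    '"Payroll" <payroll@examplebank.com.evil.example>',   # company domain buried in a longer host
    '"Vendor" <billing@vendor.example>',                  # ordinary external sender
]

def normalize(domain: str) -> str:
    """Fold common look-alike substitutions (0/o, 1/l, 3/e, 5/s, rn/m, vv/w)."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains signals a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_from_header(header: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Classify a From: header as internal, lookalike, display-name-impersonation or external."""
    display_name, address = parseaddr(header)
    domain = address.rsplit("@", 1)[-1].lower()
    company_domain = company_domain.lower()
    if domain == company_domain:
        return "internal"
    # A spoofed address that mimics the company domain: homoglyphs, one or two edits,
    # or the real domain embedded as a sub-label of an attacker-controlled host.
    if (normalize(domain) == normalize(company_domain)
            or edit_distance(domain, company_domain) <= 2
            or company_domain in domain):
        return "lookalike"
    # Company name shown in the display name while the address lives somewhere else entirely.
    company_name = company_domain.split(".")[0]
    if company_name in display_name.lower():
        return "display-name-impersonation"
    return "external"

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{assess_from_header(header):28s} {header}")
```

A hijacked but genuine internal account (the lateral phishing case) passes this check as "internal", which is exactly why the article notes that such mail can fool email protection systems; address checks complement, rather than replace, content and behaviour-based filtering.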

Malware: The Current Payloads of Choice

While email is the typical point of access, malware is the criminal payload it injects into a target’s systems. Here are the current favorites because they yield big scores for fraudsters:

  • Spyware: This malware secretly observes your activity. It can take the annoying, but relatively harmless, form of adware and cookies, but far more concerning is spyware in the form of keyloggers, stealware and system monitors. The primary goal of destructive spyware is to covertly steal things like passwords or credit card numbers that can be used to commit identity theft and fraud.
  • Ransomware: Just as its name suggests, once installed, this type of malware locks out the authorized user and encrypts the available data to be held for ransom. So far in 2019, school districts and state and local governments have been the favored ransomware target, but financial institutions are still at risk. Cyber actors view smaller institutions as particularly vulnerable and ill-prepared, just as they do less populated municipalities.
  • Cryptojacking/Cryptomining: In its 2019 Threat Report, Defending against today’s critical threats, Cisco called malicious cryptojacking “the most prominent money-making threat scheme of 2018” and a harbinger of things to come. According to the tech giant, “Miners often work in the background without users’ knowledge, stealing their computing power while generating revenue for the attacker.” It is much less conspicuous than ransomware because the only thing the user organization notices is an unexplained drag on system performance. This means miners can continuously earn more money with less chance of being identified or caught than with ransomware. The risk to organizations manifests in increased help desk and IT costs trying to identify and fix the problem.

Internet of Things: The Looming Danger

In our recent podcast interview with Dan Collins, security technical solutions architect at Cisco, he predicted that the Internet of Things (IoT) will be the “next frontier from a security perspective.”

According to Collins, the risk stems from the fact that IoT devices are becoming more prevalent in business processes in banks, hospitals and manufacturing firms. He notes that these devices often don’t get patched because they perform business-critical functions without end users, and organizations do not want, or do not think, to take them offline for an update. This leaves such IoT devices vulnerable to malicious attacks, which can introduce malware into the entire network.

Defending Against These Cybersecurity Threats

Awareness is the first step toward protecting your organization. The second step is adopting an appropriate cybersecurity framework for your institution’s size and risk profile. This strategic tool is meant to deliberately inform your cybersecurity decision making.

By now, financial institutions should at least be using the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT). However, given cybersecurity complexity, even most smaller banks should consider graduating to something more sophisticated. Two comprehensive but deployable options are the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) and the ISO 27001 Cybersecurity Framework.

In concert with your cybersecurity framework of choice, it is important to adopt a set of cybersecurity controls, such as the Center for Internet Security (CIS) Top 20 Controls.

Using an appropriate cybersecurity framework and set of controls should help to achieve a layered cybersecurity approach, which Cisco’s 2019 Threat Report notes is vital in today’s atmosphere. Here are some of the key tactical aspects of such an approach that will specifically help shield against the latest fraud techniques:

  • Employee cybersecurity awareness training: Once a year is no longer adequate. Continuous awareness campaigns throughout the year that deal with the latest threats are the best way to keep your employees on guard against phishing and other types of social engineering.
  • Social engineering testing: At Plumas Bank, Boigon says spot testing has proven more effective than one big annual test that employees had learned to anticipate. Custom-tailored phishing campaigns have helped the California bank raise awareness and deliver specific messages to employees, such as not using their work email for personal e-commerce activity.
  • Network security: Make sure you have appropriate technology in place to detect malicious files or unusual activity. Segmenting your networks also limits the damage from a malicious attack.
  • Malware detection: Cisco’s report emphasizes that in the event malware is successfully installed on a device or network, you need technology that “can track unknown files, block known malicious files, and prevent the execution of malware on endpoints and network appliances.”
  • Secure Internet gateway: Employee training should include discussions about how to spot and avoid malicious Internet sites. This should be backed up by technology that identifies and stops inadvertent or deliberate attempts to connect to such sites.
  • Email security: Cisco also notes the importance of deploying technology that blocks malicious and spam emails from ever getting through to your employees’ inboxes.
  • Vulnerability patching: Establish and follow a process and schedule for fixing vulnerabilities as soon as possible after they are identified. Business critical and enterprise-wide systems, including those run on IoT devices, should receive the highest priority, but this is important for any hardware or software used in your environment.

One last piece of the cybersecurity puzzle is your customers. Our 2019 Consumer Cybersecurity Poll revealed that the overwhelming majority of American consumers are concerned about cybersecurity (92 percent) and would participate in a cybersecurity awareness program sponsored by their financial institution (74 percent).

Hosting such a program is a huge opportunity for banks because cyber-savvy customers—those who create strong, unique passwords and take advantage of multi-factor authentication—add one more important layer of protection to your cybersecurity defenses.

Steve Sanders is vice president of Internal Audit for CSI. In his role, he oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. Steve is a CISA, CRISC, CRMA, and CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.