Financial firms have long been at the forefront of malware attacks. In fact, a report released this year shows that a full 25 percent of attacks are aimed at businesses in the finance industry. The reasons for “virtual bank robberies” are the same as in-person ones: the potential for a quick, easy payoff.
“Malware has always been interested in banks because that’s where the money is,” notes London-based independent cybersecurity expert and owner of CTU Security, John Carroll. Carroll has done extensive cybersecurity work with financial clients.
Unfortunately, banks have a lot of legacy equipment and programs, which complicates things. This forces them to either make heavy investments in new technology or compromise on old technology.
“What can you do except bring your A-game? Get your fundamentals in place and make sure there are capable staff reacting to issues and continuously improving and optimizing,” advises Carroll.
Carroll goes on to list some key areas that banks need to watch.
Three security vulnerabilities banks face
Legacy systems: Keep in mind that banks operate on long time horizons. In fact, it was banks that first sniffed out the Y2K problem when, in 1970, customers applying for 30-year mortgages were met with confused computers. Banks often hang on to technology for a long time out of necessity and inertia, which creates a welcoming environment for bad actors.
“More often than not, it’s the old tech that bears the fruit for hackers. That’s why we update — the more time software has been around and accessible, the more time people have to deconstruct and understand where its security begins and ends,” details Carroll.
MSPs that have banks as customers need to not only beef up systems to protect against the latest security threats, but they also need to keep an eye on the rear-view mirror at old systems and make sure any vulnerabilities are shored up.
User education: Smarter MSP often touts the importance of keeping staff educated and informed about the dangers of phishing. Carroll concurs on the importance of this.
“Phishing won’t go away, but we need to make it more palatable to understand some very basic questions to ask, such as: what is the context of this email?” offers Carroll.
If an unknown and unexpected piece of communication reaches a person and advises them to take action, they really need to justify what they are doing. What is an untrusted, unknown sender asking them to do? Are they just asking them to do something trivial like visiting a page, or worse, opening a file? Educate your customers' employees to ask themselves these questions before taking any action.
Supply chain attacks: Even a bank that has its own house in order can’t rest easy until the entire ecosystem is secure. MSPs with bank customers need to be mindful of supply-chain attacks.
“Attackers are getting smarter by targeting semi-trusted sources, like the partners of banks that need their services,” notes Carroll. He advises that third-party assessments should be conducted with all deeply rooted services.
“Playbooks should be created for how to deal with a trusted partner compromise,” states Carroll.
A growing role for MSPs
Meanwhile, the opportunity for MSPs is growing at banks. Whether they need an MSP or not seems to depend on size. Larger banks are likely going to have a robust internal IT department, but community banks or a five-branch credit union probably wouldn’t have the staff to deal with their systems and security. This is where MSPs can really find opportunities.
Whether it is an MSP or an internal team, security experts need time to “play,” especially when safeguarding crucial troves of information like those held by banks.
“I’ll say play, but what I mean is explore new tools, techniques, and attacks. This might look like they’re playing on Twitter. If so, let them, because Twitter is so rich with this content,” details Carroll.
Often, the way to innovation in cybersecurity is to “play around” (in a safe online environment, not on your client’s network) and see what works, see what doesn’t, and learn new techniques.
“Depending on the nature of the issue it might be better to have the MSP deal with a bank’s specific issue, especially if it looks like it might be a messy one. However, it really depends on how good the team is, broadly speaking,” states Carroll.
Banks have to look forward and consider whether their team, MSP or internal, would make competent subject matter experts if a security incident were litigated.
“Are you confident they’re following all the correct procedures for the acquisition of data and maintaining integrity for forensic examination? Do you have all the logs and information required, or can you explain right down to the bone why you don’t?” According to Carroll, banks need to be asking these questions when evaluating their security team.
On Carroll’s home turf in the UK, banks are improving, while other experts say the United States still has a ways to go.
“I think banks (in the UK at least) are doing a lot better over the past six years. There will always be issues, but normalizing how they are handled will slowly turn into a general methodology,” predicts Carroll. Meanwhile, banks will continue to be a target.
“Banks are where the money lives! Internet access and computational power are cheap. Different money is worth more in different countries, but we all need it and not all of us have it. Banks provide just another landscape for criminal enterprise to try and flourish, with the benefit of ‘hiding’ online,” says Carroll.