By Roy Urrico
The pandemic accelerated digital transformation and compelled credit unions and banks to assess and implement new cloud technologies faster than anticipated. Moreover, the hasty emergence of remote employees and services introduced new areas of risk.
Cybersecurity attacks targeting financial institutions experienced a massive uptick due in large part to the COVID-19 responses. Hackers moved to take advantage of the expanded attack surface presented through the shift to a remote workforce connecting institutions’ infrastructure via less secure home networks, explained Mieng Lim, vice president of product management at San Antonio, Texas-based Digital Defense, Inc., a provider of vulnerability and threat management solutions.
“Additionally, smaller banks and credit unions may not have had the security controls and monitoring in place as their attack surface quickly grew,” Lim added. Cybercriminals are also actively exploiting vulnerabilities in widely used cloud-based collaboration applications, improperly secured internet servers and remote desktop protocol tools.
Biggest Threats
The shift to digital also increased staff vulnerability to COVID-19 specific phishing attacks. “The biggest threat to financial institutions is business email compromise (BEC) through socially engineered spear phishing campaigns,” Lim said. That is especially true if the email includes “a link or an infected Word document that releases malware or ransomware that exploits unpatched vulnerabilities in commonly used operating system and banking applications within the network.” Lim suggested cybercriminals regularly target mobile banking apps due to their increased use because of the disruption of physical branch operations.
In addition, the move to the cloud by financial institutions means they must rely on their third-party vendors’ security measures, noted Lim. Couple that with an overreliance on a small number of vendors and it gets easier for attackers to exploit vulnerabilities in the vendor application and make their way into the financial institution’s infrastructure to access customer data.
The abovementioned threats are not new. Lim pointed to the 2020 Verizon Data Breach Investigations Report that claimed cloud assets were involved in about 24% of breaches in 2019 and cloud breaches involved an email or web application server 73% of the time, and 77% involved breached credentials.
Nevertheless, COVID-19 created a more fertile attack environment. Even the Treasury Department Office of Foreign Assets Control (OFAC) took note of how the demand for ransomware payments increased during the COVID-19 pandemic in in their October 1, 2020 ransomware advisory. “Companies that facilitate ransomware payments to cyberactors on behalf of victims, including financial institutions, cyberinsurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
Peer Comparisons
Digital Defense took a deeper dive into some of the cybersecurity metrics by running peer comparison reports on its credit union, bank, and financial services clients to gain greater insight into industry-specific threats and vulnerability preparedness across the financial sector.
The primary security rating metric used in Digital Defense’s reports is something they call “Frontline Security GPA,” which is based on a 4.0 and A-F grading scale. Like a school grade point average, the higher a Security GPA the better that organization’s security posture. The more critical a host, the more it counts toward a Security GPA. Digital Defense also assigns a user-customizable template criticality weighted system based on assets by operational importance (firewalls, primary domain controllers, web servers, etc.).
Among the study’s analytical findings:
· The credit union and bank Security GPAs for external scanning indicated these two groups have made headway improving their external security posture.
· All financial verticals performed above the platform average Security GPA for both their internal (2.72, B-) and external (3.37, B+) vulnerability scanning and remediation efforts.
· The financial services vertical’s 2020 internal GPA (2.81 B-) is noticeably lower than 2019 (3.05 B+).
Digital Defense indicated many variables can impact a decreased Security GPA, especially accounting for the extensive network changes in the financial industry over the past several months. Situations possibly affecting the lower 2020 internal GPA for financial services include a large deployment of hardware, software, or operating systems triggering several high-level vulnerabilities not addressed by organizations going through a technology refresh.
Lim explained that most of Digital Defense’s financial clients’ year-over-year scores exceed platform averages, remain consistent and improved during a time of significant technology changes across the industry. “The data indicates that financial organizations are prioritizing vulnerabilities that have the most impact on their security posture and are putting security first (rather than compliance first) by acting on incidents identified through their vulnerability management program.”
Lim also said, “The bank and credit union Security GPAs for external scanning indicate that these two groups have made headway improving their external security posture by prioritizing high-impact vulnerabilities that put their organizations most at risk.”
Prevention is Best
“Prevention is the best approach. Staying on top of vulnerability management and system patching goes a long way to prevent a malware or ransomware incident,” Lim suggested. Also essential is ongoing security awareness training of remote staff mainly because they are the first line of defense in preventing attacks and need to receive updates on the latest social engineering tactics used by cybercriminals.
Lim also noted that implementation of tighter access control frameworks like Zero Trust are on the rise. A zero-trust network according to Digital Defense, does not trust any user or IP address when connecting to a selected network.
“Adoption will definitely be on the rise due to more distributed users, but the challenge is in implementation. To have a robust zero-trust deployment takes a lot of work, most of it in reworking network segmentation, access controls and establishing new policies,” Lim said. “Some organizations will also need to acquire additional technologies for the build out, which might not be in their budget.”
In July Digital Defense, Inc. announced the release of Frontline Threat Landscape, a feature within the company’s vulnerability management technology that incorporates threat intelligence to prioritize critical vulnerabilities. Accessible within Frontline.Cloud, the company’s proprietary software as a service (SaaS) security assessment platform, the feature leverages machine-based learning to provide threat intelligence data that delivers a more granular determination of risk for vulnerabilities identified in an organization’s network.