Keeping file-based threats out of bank vaults
While mention of bank robberies will often conjure images of masked criminals and high-speed car chases, most modern instances of the crime are being conducted from behind computer screens. In addition to the lure of stealing cash, these criminals are going after banks for valuables such as the personal data of customers, details of mergers and acquisitions between companies and the private tax information of corporations. Data is fast becoming an incredibly valuable commodity in its own right, writes Greg Sim.
These hackers, whether criminal or state-sponsored, have the ability to bring down any bank’s operations with as little as a single email. By manipulating file data, an attacker can hide a malicious set of instructions or payload in an unassuming attachment; in highly targeted attacks, such payloads are often shown to be resident for in excess of 200 days, drip-feeding data out of the enterprise. Typically, the hacker will have done their research through employees’ LinkedIn or Facebook profiles and metadata obtained from documents on the company’s website. This information is used to find an entry point from which they can turn an employee into an accessory without their knowledge.
Cyber-crime is recognised as a serious threat in the banking industry. The Bank of England’s latest Systemic Risk survey saw 46 per cent of participants list it as a main concern, a significant increase over the 10 per cent in 2014. Unfortunately, the Bank’s response – planning cyber-security tests for every couple of years – does little to alleviate worries over the growing threat of cyber-crime, which is estimated to cost £36 billion annually in the UK.
Awareness of the threat is growing due to a number of recent scandals, such as the TalkTalk hack which resulted in the details of tens of thousands of customers being stolen. Despite the higher profile of cyber-security, there is still little understanding of how cyber-criminals operate and the best ways to face them.
Banks must become aware that policies allowing the free exchange of documents carry a significant amount of risk, considering 94 per cent of successful cyber-attacks utilised emailed documents.
The Bank of England must be prepared to lead the charge by advocating a total overhaul of how cyber-security is handled and, in particular, how policy can be applied to manage document flow without impacting business continuity. A wise step would be to raise awareness of the obsolescence of conventional perimeter security and to establish standards for banking communications with regard to the file types most commonly used by hackers.
The Bank must also require financial institutions to identify the vulnerable points in their daily exchange of documents such as their supply chain and customer exchanges, with the goal of ultimately eradicating them.
Expensive perimeter security methods such as email virus scanning, firewalls and sandbox technology, which deal only with known threats and lack the ability to screen out new methods of attack, are a thing of the past and will always be behind the innovative approach of the cyber-criminal.
For example, a hacker could use metadata obtained from a number of avenues to identify intelligence such as user IDs, software versions, server paths and even employee reference data. Those avenues include a file on the bank’s website that has not been cleaned of metadata, data leaked from an inadequately protected source in the supply chain, or the free-flowing files traversing into and out of the banking systems. Armed with this insider information, they could then forge an email to an employee, fooling them into opening a link that would download a zero-day exploit. With this in mind, it is essential that organisations stem the flow of data leakage that is literally pouring from poor internal processes and management, thereby limiting the data hackers can add to their arsenal.
Whilst this sounds like science fiction, it is a 24 x 7 activity where the hacker only needs to be successful once to breach the defences, while banks must constantly be on guard for new criminal techniques.
A breach could spell disaster for a bank, destroying consumer confidence and resulting in downgraded credit ratings as customers move their money elsewhere. In this post-financial crisis climate, it takes very little for consumers, partners and suppliers to lose trust in a bank following a security breach.
Keeping up with cyber-criminals
New practices have the ability to achieve 100 per cent effectiveness against file-based threats, by changing the paradigm from looking for bad to allowing only the “known good” into and out of the network.
Solutions based on file regeneration permit only clean versions of files into a company’s system, using the manufacturer’s standards to assess and rebuild the file in real time. Considering the mass volume of unstructured data involved in banking, this presents a substantial advantage. This technology identifies threats by comparing unstructured and unknown files with set standards, while security methods seeking viruses and malware are only searching for known threats, causing them to lag behind criminal innovations.
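As an added illustration (not code from the author or from any vendor's product), the sketch below applies the "known good only" idea to a Word package: it rebuilds the file from an allow-list of parts, so the metadata part and the macro part discussed earlier never reach the output. It covers only the package-level step and does not validate each part against the format specification as the article describes; the allow-list policy, the function names and the sample package are assumptions constructed for the example.

```python
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET  # untrusted input: production code needs a hardened parser

# Assumed allow-list for a plain Word document (policy constructed for this sketch).
ALLOWED = re.compile(r"^(\[Content_Types\]\.xml|_rels/\.rels|word/_rels/document\.xml\.rels"
                     r"|word/(document|styles|settings)\.xml|word/media/[\w-]+\.(png|jpe?g))$")
PKG = "http://schemas.openxmlformats.org/package/2006/"

def _prune(xml_bytes, ns, attr, base, kept):
    """Re-serialise an index part, dropping entries that point outside `kept`."""
    ET.register_namespace("", ns)
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        target = posixpath.normpath(posixpath.join("/" + base, el.get(attr, ""))).lstrip("/")
        if attr in el.attrib and (el.get("TargetMode") == "External" or target not in kept):
            root.remove(el)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def regenerate_docx(data):
    """Return (rebuilt_bytes, dropped_part_names); malformed input raises."""
    src = zipfile.ZipFile(io.BytesIO(data))
    kept = {n for n in src.namelist() if ALLOWED.match(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in sorted(kept):
            body = src.read(name)
            if name.endswith(".rels"):
                base = posixpath.dirname(posixpath.dirname(name))
                body = _prune(body, PKG + "relationships", "Target", base, kept)
            elif name == "[Content_Types].xml":
                body = _prune(body, PKG + "content-types", "PartName", "", kept)
            elif name.endswith(".xml"):
                ET.fromstring(body)  # well-formedness gate; ParseError rejects the file
            dst.writestr(name, body)  # fresh entry: zip comments/extra fields are not copied
    return out.getvalue(), sorted(set(src.namelist()) - kept)

def sample_docx():  # constructed package: a paragraph, a metadata part, a macro part
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f'<Types xmlns="{PKG}content-types">'
                   '<Override PartName="/word/document.xml" ContentType="a"/>'
                   '<Override PartName="/docProps/core.xml" ContentType="b"/></Types>')
        z.writestr("_rels/.rels", f'<Relationships xmlns="{PKG}relationships">'
                   '<Relationship Id="r1" Type="t" Target="word/document.xml"/>'
                   '<Relationship Id="r2" Type="t" Target="docProps/core.xml"/></Relationships>')
        z.writestr("word/document.xml", "<document><p>Quarterly report</p></document>")
        z.writestr("docProps/core.xml", "<cp><creator>jsmith</creator></cp>")
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

Calling `regenerate_docx(sample_docx())` returns the rebuilt bytes together with the list of dropped parts, which can be logged as evidence of what the policy removed.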
The new European General Data Protection Regulation, coming into effect next year, is increasing the urgency to address file-based security. The new law will create steep penalties for businesses that fail to protect private data. Additionally, banks may be publicly named following a data breach as a matter of public influence, effectively destroying their reputation.
By implementing the right solution for file-based threats, companies can gain instant access to all reporting and policies, providing clear evidence of compliance. With advanced analytics and reporting built into this technology, companies can take back control and tweak their cyber-security policy in accordance with the most common threats.
While the open exchange of documents is key for the banking sector, the protection of this freedom is reliant on those in charge recognising that the current lines of defence don’t live up to the threat presented by cyber-crime.