Money matters – IBM talks data breaches in the financial sector
Tim Compston sits down with Limor Kessem, Executive Security Advisor at IBM Security and Alan Jenkins, who is IBM Security’s Associate Partner for FSS (Financial Services Sector), UK and Ireland, for a round table discussion on the cyber threat to the financial world.
There is little doubt that large-scale data breaches can cause considerable operational and reputational damage where financial institutions are concerned. When I speak to Limor Kessem and Alan Jenkins, I am fresh from leafing through the latest research contained in IBM X-Force’s thought-provoking ‘Managed Security Services Report 2016’. One of the figures that stands out among the IBM X-Force data spotlighted in the document is that, worryingly, nearly 20 million financial records were breached in 2015.
In terms of records compromised by industry sector, according to IBM’s X-Force research, finance ranked fifth overall, a two-place drop from its third-place ranking in 2014. A major contributor to the finance industry’s changed position year-on-year – and to a decrease in records compromised for 2015 – was that the 2014 numbers accounted for the largest recorded financial breach in the last five years, so it will be interesting to see how things play out as 2016 figures are analysed. Geographically, the United States is the leading country when it comes to where both the victims and originators of financial institution attacks are located.
Drilling down into the specifics of the attacks that financial institutions like banks are having to endure, IBM Security’s Executive Security Advisor, Limor Kessem, tells me that what has been a visible trend lately is cyber criminals seeking to target banks at the enterprise level: “So that is breaching employee endpoints, internal systems, and service channels in order to coordinate larger digital heists.” Kessem goes on to say that in recent research it was revealed that the Carbanak [hacker] group is targeting bank employees, and bank executives, in order to ‘spear phish’ them and abuse their user privileges to facilitate more complex attacks on banks.
Alan Jenkins agrees that the sophistication of cyber attackers is on an upward trajectory: “Their capability has moved on so they are much more focused on going after where the money is and that definitely draws them towards the banks but, as the US health insurance market saw last year, they are also starting to see value in, let’s call it, the ‘big data’ to use that buzz word.” Jenkins goes on to say that cyber attackers are starting to see value in more than just someone’s personal identity and, to some extent, more than just their personal bank statement: “This is an interesting factor that particularly in the insurance market they are just starting to wake up to,” concludes Jenkins.
Pressed on whether the main threat the financial services sector faces today in terms of data breaches is from external hacking attacks, or closer to home from dishonest or careless employees stealing and mishandling data from within, Kessem responds that it is not as simple as that. In fact, she contends, there are well-publicised dangers posed by both, each in a different manner: “We cannot use an ‘either or’ approach here to determine which is more dangerous. Banks have controls in place to root out rogue employees and they must have proper knowledge and security in place to stop the evolving nature of external adversaries,” says Kessem.
With regards to whether banks have a strong appreciation of the external dangers that are out there, and if they are taking steps to enhance their cybersecurity, Kessem replies in the affirmative, believing that they are definitely switched on to most of the risks: “Depending on their security policies and security culture, banks that operate in what’s considered to be an advanced threat landscape do invest in: new technology, in keeping up-to-date about threats and modus operandi, and in human intelligence about the crimes that target them.”
On the value of picking up on data breaches as soon as possible, Alan Jenkins, IBM Security’s Associate Partner for FSS (Financial Services Sector) (UK & Ireland), believes that time is of the essence here: “Earlier detection, which allows you to respond sooner, is absolutely an advantage. In an ideal world you are getting into the prevention piece so that it doesn’t happen in the first place but I think that there is an increasing recognition that perimeter-based defences are no longer good enough because they don’t go into the application and the data space enough. That is leading to a re-allocation of spending in a sense from firewalls and into web application firewalls so there has been a change of emphasis.”
Returning to some more of the threat specifics identified by IBM’s X-Force research, the top two attack vectors targeting the financial sector during 2015 were, interestingly enough, malicious attachments/links delivering malware and the infamous Shellshock vulnerability, first discovered back in 2014. When combined, these two tactics made up a massive 38 percent of attacks targeting the financial sector in 2015. Whereas, as we know, historically Denial of Service (DoS) attacks have tended to sit at the top of the financial services cyberattack pyramid, IBM managed service data reveals a changing picture, with DoS attacks dropping down to third in the rankings for last year. IBM data also suggests that hackers are increasingly focused on stealing money directly from the finance industry rather than stealing data or becoming involved in sabotage. This, according to IBM’s X-Force team, is underlined by the fact that extortion tactics or currency theft increased 55 percent year-on-year.
Securing the transaction
For his part, Alan Jenkins reckons that banks have now woken up to the risks that are out there from cyberattacks potentially targeting their third-party supply chain and also, crucially, their customer chain: “We have had a lot of success with IBM Security Trusteer Rapport, for example, to help banks and their customers ensure that their end point devices or, rather, the transaction they are doing, when they undertake their online banking, is secure.” He adds that the sheer variety of ‘endpoints’, like tablet devices and smartphones, makes the challenge very difficult when you look at the chain of events as a whole so, in his view, securing the transaction really becomes a pivotal element in the cybersecurity equation.
Rounding off our discussion, talk turns to the importance of striking the right balance between making accounts easy to access online for bank customers and ensuring they are as secure as possible. IBM’s Limor Kessem has an interesting take on the utility – or otherwise – of biometrics, which is much in vogue at the moment: “Personally I think that as long as biometrics is stored in a database it only has the same value as a password – it can be stolen and used by a criminal. Additional security can help, although many times banks are hesitant to impact user experience and convenience too much.” For Kessem, what has proven to be very effective is ‘invisible’ security on the banks’ servers: “This protects customers but doesn’t affect the way they access their accounts.”