Minimising the Exposed Cyber Threat Landscape Throughout Global Financial Institutions

Stephanie attended the OECD forum. She is currently studying a Bachelor of Information Technology Network Security at Central Queensland University, alongside her work as a cadet in Computer Forensics at the Australian Taxation Office.

Abstract

Attacks on financial institutions are rampant and set to increase. As technology progresses, the ability to address and mitigate the abundance of possible threats becomes a monumental task. As a result of these attacks on institutions, public confidence has plummeted. Most financial institutions are attempting to address these security concerns however their implementations are not nearly as effective as they could or should be. Each institution has a differing strategy and security focus with policy makers unaware of the multitude of exposed vulnerabilities, both internal and external, which are present.

With financial institutions becoming a popular target for cyberattacks the threat landscape these institutions provide must be strategically assessed and minimised. Through a standardisation framework based on current technical best practises, addressing and governing security implementation may be achieved. However, the impacts of such an overreaching standardisation need to be examined.

Through a holistic approach developing an international governing body and framework that addresses practical implementations and technical practicalities, the threat landscape financial services encompass can be diminished as the security posture coincides with technological advancement.

Policy Recommendations

·       A clear internationally spanning framework outlining detailed technical specifications on compulsory penetration tests, forensics assessments, incident response, encryption methods, breach reporting, secure code reviews, security training, and a database with metrics assigning secure network system implementations.

·       The creation of an international governing body that focuses on financial industry specific cyber security regulations, advanced security research (such as predictive modelling for zero-day threats), breach reporting and security testing.

Introduction

In February 2016 Bangladesh Central Bank lost $81 million US dollars from their account in the Federal Reserve Bank of New York when outdated information security systems drastically failed to mitigate an attack (Arafat, 2016). This was due to the implementation of one vulnerable router and the use of unpatched software on their systems. This was not an isolated incident. Financial institutions remain increasingly vulnerable to cyberattacks and in saying this it may only take one security flaw to provide an attack platform. Although most financial institutions heavily address their own individual security posture there is no governing, compulsory technical standardisation and regulatory framework across all financial institutions (PWC, 2016a). Typically management oversees security policies by referring to external suggested security regulations. However, as cyber security is an ever changing and developing field, technical knowledge throughout management can be limited when implementing policy change. This limit in technical knowledge can leave financial institutions wide open to a vast array of attacks such as malware infections, Distributed denial of service attacks, intrusions, internal threats and even social engineering attacks (PWC, 2016b).

A 2016 study by PWC found financial institutions as a primary target for economic cybercrime with a 45% increase since 2014 (PWC, 2016c). The biggest security weakness financial institutions face is a weak network infrastructure – this includes but is not limited to open FTP and SMB ports, outdated encryption methods and unpatched systems (SecurityScorecard, 2016). These are all very basic vulnerabilities to mitigate however with limited external monitoring, systems remain open to attack. As seen recently with the Wannacrypt ransomware worm outbreak, a simple network misconfiguration such as an open SMB port can have devastating consequences (Troy Hunt, 2017).    

Although suggested regulations exist such as APRA’s PPG 234, financial institutions in Australia and in most countries, generally devise their own security posture based on these broad regulations (APRA, 2010). These stances on security are developed as is deemed viable and necessary so long as they meet the basic and often vague security requirements of a regulated entity. This means that globally financial institutions can implement any equipment or software (whether it has known security vulnerabilities) as well as implement whichever encryption methods they deem secure. Weak encryption ciphers contribute to the four most common vulnerabilities found to affect U.S financial institutions (SecurityScorecard, 2016). This includes the infamous POODLE vulnerability which can be easily patched as needed. Lack of implementing an external governing authority to oversee all implemented systems means the possibility of human error in network configuration as well as internal and external infrastructure is a real and likely possibility. Furthermore, with very limited attention being paid to the security aspects and regulation of RFID and other wireless technologies, IoT devices and cloud computing further platforms are open to attack as their use becomes more prominent within the financial services industry(PWC, 2016b).   

The global economy as a whole will benefit from the reduction of financial institution’s overall threat landscape through the implementation of enforced security standardisation. With the prevention or limiting of cybercrime in the financial sphere, billions of dollars will be protected from external threat actors each year (PWC, 2016c).  

The Current Security Posture of Financial institutions throughout Australia and Globally

Exploitable vulnerabilities throughout the financial industry are next to common place. Billions of dollars are lost each year from cyberattacks on financial institutions from both internal and external threats, with the Asia-pacific region as the second most affected region in terms of financial economic cybercrime (PWC, 2016b). A U.S 2016 analysis of the financial services industry found that 19% of those financial institutions analysed had at least one CVE (Common vulnerabilities and Exposures) with the majority of these related to SLL misconfiguration (SecurityScorecard, 2016).      

The APRA 2015/2016 Analysis of Financial Institutions throughout Australia determined that over half of financial institutions surveyed admitted to a largely significant cyber security incident in the previous 12 months (APRA, 2016). Of these 21% experienced “high impact” incidents such as APT (advanced persistent threats), DDoS, and access to areas with high privileges (APRA, 2016). Kaspersky lab’s 2016 study spanning over 800 financial institutions globally found that the cost of mitigating a single cyber security incident for an individual financial institution can be as much as $926,000 USD (Kaspersky Lab, 2016). However, this does not include the long-term effects on reputation and public perception damage control.

Financial institutions are less inclined to report intrusions and breaches due to the effect on customer perception when cyberattacks are publically exposed. After breach reporting became mandatory in the US, financial institutions observed a 20% underperformance in share prices compared to the rest of the market (Commonwealth Bank of Australia, 2017). Many countries are attempting to implement mandatory requirements for breach reporting throughout organisations including Australia. Australia’s legislation regarding data breach reporting set to be implemented in February 2018, originally encompassed a broad reference to data breaches including the mandatory reporting of “possible breaches”. However on the sign-off this has been amended to only address the mandatory reporting of “Identifiable data breaches" (Caruana, 2017. Financial bodies have been manipulating their processes, systems and appearance to fall outside the boundaries of these basic compulsory regulatory requirements). Although the regulations may exist entities will always attempt to fall outside of these reporting requirements. Nonetheless, without this sharing of information, other financial bodies are also left vulnerable to attacks that could have been prevented had this information been shared.

Financial institutions rely heavily on security vendors for information on malware incidents. Yet, with differing intelligence provided from different security vendors incidents can occur before information is even shared throughout all potentially vulnerable parties.        

Many proposed regulations of security implementations throughout financial institutions are being attempted, especially in the U.S with the creation of laws such as the Gramm Leach Bliley Act and the FFIEC regulations (New York Department of Financial Services, 2017). The New York State Department of Financial Services regulations which are to be implemented in July 2017 include annual penetration testing and vulnerability assessments, multifactor authentication for personal accessing internal systems and incident response plans such as breach notification (Clarke & Paxton, 2016). These regulations only govern financial institutions in New York and therefore do not span further domestically or internationally.

Specific technical details are scarcely regulated or enforced, likewise with the ever changing advancement of technology it is becoming increasingly difficult to keep ahead of possible threat actors. Therefore, it is important that not only broad policy is developed but also detailed technology specifications are continually developed and researched (Friedman, 2017). Important technical details that financial institutions must take into consideration include vulnerabilities of specific devices (routers, modems, switches, IPS/IDS, servers, operating systems), alongside a metric including the ease of  exploiting these given vulnerabilities as well as the repercussions if the specified vulnerability was to be exploited.  

Barriers for implementing change include the cost of the implementation of new security architecture to abide by regulatory standards set out in the proposed framework. Furthermore the implementation of new infrastructure various systems may have to be offline for some time and backups of data must be made which may be very time intensive and affect customer interactions. 

Recommendations: A new holistic, industry specific approach to cyber security in the financial services industry

A clear internationally spanning framework outlining detailed technical specifications on compulsory penetration tests, forensics assessments, encryption methods, breach reporting, secure code reviews, security training, and a database with metrics assigning secure network system implementations.

A framework in which the primary purpose is to standardise and monitor security implementation across all financial institutions should be implemented. As part of this framework regular compulsory network and web application penetration testing, vulnerability assessments, forensic assessments, internal training, secure code reviews and incident response activities would be implemented. Financial institutions would also need to report all security incidents and breaches globally.

Regular forensics assessments including incident response would assist in determining if a breach has previously occurred, if any backdoors or dormant malware remain on systems or if any artefacts from previously undetected intrusions remain (Australian Cyber Security Centre, 2016). Evidence of cyberattacks in large organisations and institutions are more commonly being found years after the fact whereby annual forensics assessments would vastly decrease this detection time frame (Muncaster, 2015). A decrease in detection time will allow the prevention of ongoing or similar attacks. Furthermore, the implementation of threat hunting teams will be paramount during incident handling in not only detecting an initial intrusion but using methodologies to quarantine entire networks (Lee & Lee, 2017).          

Penetration tests should have definitive chronological specification on all areas to be tested and include a test of customer facing systems as well as internal infrastructure and systems. Currently many financial institutions around the world outsource the penetration testing and vulnerability assessment process (White & Adhikari, 2017). This means what is tested is based upon what the contracted company deems necessary. Often contracted companies do not conduct a broad test but rather seek to gain administrator privileges of the system without doing an in depth analysis of all possible points of attack. This is because time is often a limiting factor in the penetration testing process (InfoSec Institute, 2016). Regardless of the multitude of ways to gain this, only a small number of ways are often identified and reported narrowing the visibility of the overall threat landscape. A simple vulnerability assessment is usually conducted internally by IT staff running vulnerability assessment tools such as Nessus. These vulnerability assessment tools conduct a very basic scan of the target system and do not give any realistic information pertaining to the real-world exploitability of the network infrastructure (Olson, 2010). A global industry specific standardisation of testing will enable a full, comprehensive and definitive approach to this important and often underutilised security implementation.

Below is a table which displays individual policy regulations and technical details that should be addressed for each policy point.

Screen Shot 2018-04-18 at 3.12.05 PM.png

 

Disadvantages of this approach include the outlay from financial institutions when updating infrastructure to comply with the new framework specifications. If financial institutions have the same technical infrastructure there is a possibility of the exposure of unknown vulnerabilities by internal threat actors. Additionally, with the skills shortage in the information security workforce as it is in the current economic climate, difficulties will lay in employing and retaining skilled and experienced security practitioners to regulate and govern specifications within this framework (Friedman, S. 2017).   

The creation of an international governing body that focuses on cyber security regulations, research, breach reporting and security testing for financial institutions.

A governing body specialised in security implementation in financial institutions should be created to govern and ensure all security implementations based on the proposed framework are enforced. Considerations must also be taken into account that these regulations must be compulsory in the broadest sense to include as many financial institutions as possible. This will be a separate entity to the APRA, be globally reaching and would be beneficial in that all technical implementations from a practical standpoint, are considered and therefore intensely monitored for vulnerabilities by an overseeing governing authority.

Research and development would benefit from focusing on industry specific threat intelligence including the financial services industry’s exposure of zero day attacks. Additionally, advanced research should be developed in a specific format such as the use of cognitive intelligence for predicative modelling in security threats for the financial services industry (Jaganathan, Cherurveettil & Sivashanmugam, 2015). This would catalyse the prevention of attacks before they become a problem. If financial institutions had a governing authority to work on research for their own environments (as opposed to using security vendors broadly specialising across all industries) recommendations and implementations could be industry specific as opposed to the distribution of broad threat intelligence in which key industry specific security concerns are not addressed [18].

In this way as technology advances and throughout information sharing, advancement of the security posture of the financial services industry as a whole. In turn this would minimise the exposed attack surface of financial institutions. Furthermore this has the potential to cut costs, cheaper than engaging with high price security vendors. 

The below table outlines some key areas of focus for an industry specific security focused entity.

Screen Shot 2018-04-18 at 3.12.11 PM.png

 

Although ambitious, the idea of an international governing body for security throughout financial intuitions should be taken into consideration. Further feasibility studies need to be conducted determining the financial, social and economic impacts of such an undertaking.  

Conclusion

Globally, financial institutions remain at risk to cyber threats and as technology advances security implementations are not keeping up with these threats. Although regulations are continuing to be implemented many disregard technical specifications and avoid research into new areas of information security. Industries leave security requirements in the hands of expensive security vendors that do not provide an overreaching innovative industry specific approach. Through holistic cyber security development addressing the whole industry, financial institutions can face technological advancement through practical implementations that may provide the opportunity to adjust security posture throughout the industry as well as minimise the exposed threat landscape. By continually updating industry specific technical security specifications and developing security research in this way, attacks will become less frequent. Further research should be done in the financial and economic feasibility and rewards of creating industry specific cybersecurity regulatory bodies focused on research and development of security implementations.            

References

Asim Kurt, 2015, ‘Effectiveness of Cyber Security Regulations in the US Financial Sector: A Case Study’, Carnegie Mellon University, [Online] viewed: http://www.contrib.andrew.cmu.edu/~asimk/ResearchThesis.pdf

Arafat K. (2016). After Hackers Steal $81 Million, What Now For Bangladesh Central Bank?.  Forbes, [Online] Viewed: https://www.forbes.com/sites/arafatkabir/2016/03/16/after-hackers-steal-81-million-what-now-for-bangladesh-central-bank/#188c01a62156

Australian Cyber Security Centre, 2016, ‘2016 Threat Report’, [Online viewed: ]https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf

Australian Prudential Regulation Authority (APRA), 2010 ‘Prudential guide – PPG 234 Management of security risk in information and information technology’.

Australian Prudential Regulation Authority (APRA), 2016, ‘2015/16 Information Paper, Cyber Security Survey Result’, [Online] viewed: http://www.apra.gov.au/AboutAPRA/Documents/Information-Paper-Cyber-Security-2016-v4.pdf

Caruana A. 2017, ‘AusCert2017 – Preparing for Australia’s Mandatory Breach Notification Law , CSO Online, [Online] viewed: https://www.cso.com.au/article/620393/auscert-2017-preparing-australia-mandatory-breach-notification-law/

Commonwealth Bank of Australia, 2017, Reporting Data Breaches – The Impact on Share Prices, [Online] viewed: viewed: https://www.commbank.com.au/guidance/business/reporting-data-breaches---the-impact-on-share-prices-201706.html

Friedman, S. 2017, ‘Taking cyber risk management to the next level Lessons learned from the front lines at financial institutions’, Deloitte University Press, https://dupress.deloitte.com/dup-us-en/topics/cyber-risk/cyber-risk-management-financial-services-industry.html

Helen Clarke & Viva Paxton, 2016, Corrs, [Online] viewed:  http://www.corrs.com.au/thinking/insights/bold-cyber-security-regulations-for-the-financial-services-industry-will-we-see-them-in-australia/

Hoelzer D. 2016, ‘understanding security regulations in the financial services industry’, Vedacode & SANS, [Online] viewed: https://www.sans.org/reading-room/whitepapers/analyst/understanding-security-regulations-financial-services-industry-37027

InfoSec Institute, 2016, ‘Pros and Cons in Penetration Testing Services: The Debate Continues’, [Online] viewed:  http://resources.infosecinstitute.com/pros-and-cons-in-penetration-testing-services-the-debate-continues/

Jaganathan V., Cherurveettil P. & Sivashanmugam P. 2015, ‘Using a Prediction Model to Manage Cyber Security Threats’ The Scientific World Journal, vol. 2015, Article ID 703713, doi:10.1155/2015/703713

Kaspersky Lab, 2016, ‘Cybersecurity in financial institutions 2016 — and what 2017 holds’, [Online] viewed:  https://blog.kaspersky.com/from-the-perils-to-strategies/6682/

Lee R. & Lee R. M. 2017, Hunter Strikes Back: 2017 Threat Hunting Survey, [Online] viewed: https://www.sans.org/reading-room/whitepapers/analyst/hunter-strikes-back-2017-threat-hunting-survey-37760

Muncaster .P, 2015, ‘Hackers Spend 200+ days Inside Systems before Discovery, InfoSecurity Magazine, [Online] viewed: https://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/

New York Department of Financial Services, 2017, ‘Cyber security requirements for Financial institutions, [Online] viewed:  http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

Olson, C. 2010,’penetration testing financial services industry’, SANS Reading Room white paper [Online] viewed: https://www.sans.org/reading-room/whitepapers/testing/penetration-testing-financial-services-industry-33314

PWC, 2016, ‘Top financial services issues of 2017: Thriving in uncertain times’, pp. 1-30, [Online] viewed: https://www.pwc.com/us/en/financial-services/research-institute/assets/pwc-top-financial-services-issues-2017.pdf

PWC, 2016 ‘Global Economic Cyber Crime Survey: 2016’ pp. 1-56, [Online] Viewed: https://www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf

PWC, 2016, ‘Top Issues Faced by the Financial Services’, [Online] Viewed: Industry’http://www.pwc.com/us/en/financial-services/research-institute/assets/pwc-top-financial-services-issues-2017.pdf

SecurityScorecard, 2016, ‘2016 Financial Industry Cybersecurity Report’, R&D Department, [Online] Viewed: https://cdn2.hubspot.net/hubfs/533449/SecurityScorecard_2016_Financial_Report.pdf

Troy Hunt, 2017, ‘Everything you need to know about the wannacrypt ransomware’, https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

White, A. & Adhikari, S. 2017, ‘Commonwealth Bank to Outsource Cybersecurity to Save Money’, The Australian [Online] viewed: http://www.theaustralian.com.au/business/financial-services/commonwealth-bank-to-outsource-cybersecurity-to-save-money/news-story/d9b54a73202e36b5fcd527b0b5f2face