When fabled bank robber Willie Sutton was captured in 1934, the FBI agents who caught him asked why he robbed banks. He famously replied “Because that’s where the money is!”
Today, banks routinely turn much of that money into information that can be more quickly moved digitally from bank to bank and elsewhere. Since information only makes more money when it’s in motion, that information is kept moving, faster and faster. And every time it moves it is under the threat that someone will attempt to steal it, corrupt it, or destroy it.
“Only the Paranoid Survive”
Gottfried Leibbrandt, CEO of the Swift financial transfer network that banks use to exchange funds internationally is in the sole business of moving financial information. After a recent series of attempted cyber-attacks, Leibbrandt did what government agencies do. He implemented regulatory standards that all banks using his network had to maintain compliance with. Being a believer in “belt-and-suspenders” security, Leibbrandt looked inward to keep his own house in secure order.
“We are also investing in our own security,” Leibbrandt said.”We have not been breached, as far as we are aware — and I always add the ‘as far as we are aware’ because I truly believe that in cyber only the paranoid survive.”
Growth Strategies May Put Banks at Greater Risk
Legacy systems continue to provide challenges to Cybersecurity defenses. As banks continue to grow through acquisition, legacy systems from the acquired organization—and the vulnerabilities that come with them—can remain in place for years. Financial institutions should take an IT department’s perspective into account more heavily on any M&A targets, looking at, in addition to other factors, ease of integration, infrastructure compatibility, scope of merging architecture, and the target’s security posture.
SecurityScorecard Results for Top 20 US Banks
In a 2016 study, SecurityScorecard detected malware in nearly half of the largest 20 US Commercial banks.
Among the top 20 U.S. commercial banks, 17 of them have an IP Reputation grade of ‘B’ or below.
Specific Issues:
- Generic Malware was found in 15 out of 20 commercial banks
- Ponyloader was found in 14 out of 20 commercial banks
- Vertexnet was found in 9 out of 20 commercial banks
- Keybase was found in 8 out of 20 commercial banks
- We detected malware events in all 20 commercial banks over the past 365 days.
- Over 422 malware events over the past year were detected in just one of the commercial banks.
- A total of 788 malware events were detected in all 20 commercial banks over the past 365 days.
SecurityScorecard analyzed 361 international companies breached between June 2015 and April 2016. More than 10 percent were financial services organizations.
Regulatory Compliance is Not Enough
Leibbrandt clearly recognized that maintaining compliance with government regulations like the Gramm-Leach-Bliley (GLB) Act, PCI-DSS, Sarbanes-Oxley and others is insufficient, and dangerously vulnerable. The difference between government regulations and the security threats banks face every day is that the regulatory acts are updated and re-released periodically. Development of new security exploits is constant. It never stops. Regulatory compliance doesn’t mean your environment is secure, and even if it did on day one, it would be outdated on day two.
Multi-Layer Security Approach
Just as people install multiple locks on their doors, banks must institute multiple layers of security. While the actual value is in the financial data coursing through and between financial networks, the networks themselves must be reinforced with better Intrusion Prevention Systems (IPS). The rules and policies governing firewalls must be understood and complied with by all involved institutions. Users and client access devices must be evaluated before allowed to connect. Banks who have not yet appointed a Chief Information Security Officer (CISO) are putting themselves at significant risk.
Multi-Factor Authentication
There are many ways to augment authentication beyond the classic ID and password. Multi-factor tokens generating a random number every sixty seconds have been in use for years. The user enters the random number along with their password to gain network access. Fingerprints, facial recognition, even retinal scan devices, too. Some services send a passcode to a user’s registered smartphone that they must enter before connecting.
Customer online banking has long been very vulnerable. Many accounts have been compromised with simple human engineering. An attacker calls to say he’s forgotten his password. He has obtained the account number probably from a credit card slip. He’s found the user’s zip code and social security number using internet search. The customer service rep asks for these before they can reset the password. Having received them, the thief now has the password and the actual account holder no longer does.
Persistent Encryption
For all of the Intrusion Prevention, Authorization, Security Incident and Event Management (SIEM), Firewalls, Anti-Malware, and other provisions banks can install on their network, at the end of the day it is still all about the data. Attackers may get through all of the other provisions, but there’s still one last line of defense that can still stop them: persistent encryption. Most every system encrypts data in transit. What travels the network wires from place to place, network to network, is pure gibberish without the decryption key. When it arrives at its destination, the data is decrypted, processed, and stored. And that’s where the greatest mistake may be made. Data, especially financial data, must be encrypted when at rest in storage. This is the first place most attackers will go to appropriate data. Without the proper decryption key all they will find on your storage volumes in garbage, completely unusable. By encrypting your data at rest in storage and protecting the decryption keys properly, even the most cunning attacker will fail.
Bank on Synoptek
Many financials organizations trust Synoptek to design, implement, and maintain their data and network security. Talk to Synoptek today about how to determine whether your bank’s security will protect your stakeholders, depositors and other customers. Learn More about Synoptek’s Managed IT Security Services.