Whether you are a Principal or Partner, it should come as no surprise that the financial sector is the single most targeted industry when it comes to cyber attacks.
As mentioned in the Global Banking & Finance Review, "As data breaches are now an almost daily occurrence with both large enterprises and SMEs making headlines for compromises to intellectual property, the security of remote workers should be a high priority for any organisation. According to recent research from Apricorn, 48% of surveyed companies said employees are their biggest security risk, and one in ten companies with over 3,000 employees do not have a security strategy."
On September 26, 2018, the Securities and Exchange Commission (SEC) settled claims that Voya Financial Advisors, Inc. (VFA) failed to adequately protect customer information following a six-day cyber attack in 2016. The SEC’s order not only cites violations of the Safeguards Rule under Regulation S-P (a staple of SEC cyber security enforcement actions against broker-dealers and investment advisers), but also is the SEC’s first enforcement action for a violation of the Identity Theft Red Flags Rule under Regulation S-ID, which requires certain SEC registrants to create and implement programs to detect, prevent, and mitigate identity theft.
Financial institutions face 300% more cyber attacks than any other sector. The threat has gotten so far out of hand that numerous government agencies fear these cyber criminals are the biggest threat to bank stability. According to SEC Chair Mary Jo White, cyber attacks are such a grave concern that they overtake terrorism in the Division of Intelligence’s list of global threats. There is one practice in particular that puts financial institutions at risk of a hack: working remotely.
In the JP Morgan breach of 2014, 83 million customer records were compromised. That is 83 Million records stolen in just ONE breach. This incident is "the largest theft of customer data" and it all started with one employee working from home.
This attack on JP Morgan should have taught us a number of things, according to Claus. First, it should serve as a warning of the power and reach these malware attacks have. Second, it calls attention to what we have been saying for months, "your employees are your weakest link." Third, it proves how easy it is for these attacks to stay under the radar. In the case of JP Morgan, the attack was underway for over a month before they discovered it.
Of the attacks that occur because of unsafe remote connections, 75% stem from having weak passwords. An in-depth, comprehensive password policy is a must for all companies, especially firms in the financial sector. Another way to defend against these attacks is multi-factor authentication (MFA). MFA is a strategy that adds an extra layer of security by requiring a code (normally retrieved from your cell phone) to be entered along with your password for access. A strong password policy and MFA are vital, but they are only part of the solution. You will need to be prepared with backups, shadow copies, and off-site disaster recovery as well.
We have put together a checklist to make sure you are as cyber secure as you can be. Check it out here: Financial Services Cyber Security Audit Checklist.
Companies around the globe have identified the convenience of employees bringing their own device (BYOD) to work. In fact, 82% of companies allow the use of personal devices for work, but out of those companies which support BYOD, 50% were breached through an employee’s personal device.
The Verizon RISK Team outlined a typical scenario of how an unregulated BYOD culture can become a grave concern. In its report, it identified an instance where a customer was locked out of his account and getting an error message. An investigation revealed no suspicious activity within the servers, and anti-virus scans came back clean. Furthermore, there were no signs of malware within the local area network (LAN).
The Risk Of Bringing Your Own Device To Work
It wasn’t until investigators looked into the BYOD network that they found their culprit. A faculty member’s personal laptop was infected with a virus at home and the virus later spread to the company network when the device was connected at the office.
A further review revealed that the BYOD and guest networks shared the same network equipment and Network Address Translation (NAT) with the corporate traffic. This made the company network vulnerable to malware from infected personal devices that are able to make their way past the firewall.
Common BYOD Risks
Common mobile malware includes trojanized apps and malicious links, both of which try to trick users into downloading harmful code to their devices. Third-party app stores, in fact, often contain malware-laced applications that can infect devices and gain access to their sensitive data.
A recent article in Forbes, "Cyber Attackers Rely On Human Error," states:
"Hackers rely only partly on their security-penetration skills. The other thing they need? Regular people making mistakes. "An analysis of threats faced by organizations in the first quarter of 2017 reveals that cyber attackers still rely heavily on user interaction," says Bo Yuan, Ph.D., professor and chair of the department of computing security at Rochester Institute of Technology.
Without a stringent BYOD protocol, company networks become vulnerable the minute an infected device is hooked up at the workplace."
Public IP addresses should never be shared with unknown devices. Company networks need to be configured so that traffic from personal devices is sent out through a separate interface. BYOD security also comes down to best safety practices within the staff. All employees should be trained on how to handle their own personal devices, including:
"BYOD makes it difficult to distinguish between personal data and corporate data because they are both kept on the same device. So, if the device is lost, the corporate data will be accessed by any individual who gets the device.
If the lost device stores critical data, the individual who finds it can publicize the information or use the data to damage the reputation of the organization."
Technology devices don’t have a corner on weak configurations. System network configurations can be just as weak - especially when it comes to password protection. Weak configurations can be devastating to institutions holding large amounts of (sensitive) data such as financial services firms.
The Verizon Data Breach Investigation Report (DBIR), in fact, reported that four out of five breaches can be traced back to easily guessable passwords (e.g. a ‘123456’ password), and/or the lack of a static authentication system.
Even established institutions are prone to fall short in their efforts to mandate secure password best practices. Poor configurations are responsible for four major modes of attacks, including:
1. SQL Injection
Hackers can use an injection attack to bypass a web application’s authentication and verification mechanisms to access private data.
Malicious code is inserted, or “injected,” into strings that are passed to an SQL server for parsing. This tricks the application into changing data or executing unintended commands - giving attackers full access to a database for the purpose of releasing its information or holding it hostage. An estimated one out of three Web attacks are launched via SQL injections.
To learn more about the danger of SQL injection you might want to read: A Brief SQL Injection History Lesson
2. CMS Compromise
Many institutions rely on some form of content management system (CMS) - WordPress or Joomla, for example - to share, publish and edit content. Unfortunately, these systems may contain vulnerabilities that are often exploited when left unpatched. These openings provide an entry point for attackers to install backdoor programs.
WordPress, despite being the most common CMS, is also one of the most vulnerable. One study revealed that 73% of all WordPress installations had one or more vulnerabilities that could have easily been detected using automated tools.
CMS solutions are inherently vulnerable because of their open frameworks. Many operators also use weak passwords, leaving their system susceptible to brute force attacks.
3. Backdoor Access
“Backdoor” essentially refers to any intrusion tactic that goes unnoticed. Hackers can use backdoor access to install malicious software or record user keystrokes, which gives them what they need to move freely around the unsuspecting victim’s network.
Systems are especially vulnerable to backdoor attacks when networks are accessed by multiple users. Attacks normally occur in stages, and backdoors are often used as a second point of entry or the third command-and-control stage of the attack process.
"Cyberattacks against financial services firms increased by over 70 percent in 2017, which reflects that the financial services sector is currently vulnerable to such attacks, states a recent report from Market Expertz. In the previous year, cyberattacks against the sector had increased by 60 percent.
The global cybersecurity in financial services market is expected to expand at an annual growth rate of 9.81 percent, leading to a global revenue of $42.66 billion by 2023, the report estimates.
Still, a Deloitte survey of 51 CISOs at U.S. financial services institutions in May suggests financial institutions aren’t spending enough to adequately defend against attacks."
4. DNS Tunneling
Domain name system tunneling is a way of encoding the data of other programs in DNS queries and responses. It is used to establish unintended communication channels to a command-and-control (C2) server and to carry out data exfiltration.
Since the DNS protocol is not intended for data transfer, it is often overlooked by security monitoring programs. As a result, the infiltration may go unnoticed for some time.
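One way a monitoring program can look for the pattern described above, as an added example that is not from the original article: flag parent domains that receive several distinct long, high-entropy subdomains. The thresholds, the two-label parent split and the query names are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict


def entropy(s):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname, base_labels=2):
    """Split a query name into (subdomain, parent).

    Assumption: the parent is the last `base_labels` labels. Production code
    should find the registered domain with the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def tunneling_candidates(qnames, min_len=32, min_entropy=3.5, min_unique=3):
    """Map parent domain -> count of distinct long, high-entropy subdomains."""
    hits = defaultdict(set)
    for qname in qnames:
        sub, parent = split_name(qname)
        payload = sub.replace(".", "")
        if len(payload) >= min_len and entropy(payload) >= min_entropy:
            hits[parent].add(sub)
    # Requiring several distinct names keeps one-off long hostnames out.
    return {p: len(subs) for p, subs in hits.items() if len(subs) >= min_unique}


# Constructed sample of resolver query names (not real traffic).
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "login.portal.example.org",
    "d3f1a9c07b24e8f65a1c9d0e7b3f2a48c6.cdn.example.net",  # single long name
    "g4zdm5lbo2nfxw6ytceiie2tyw6xfn5oblcm4dzg.zone-b.example",
    "nb2wk3tjmfzxg5dpo4qha6lcvey7rusfn3kqz2xw.zone-b.example",
    "pz4hq7vd2mkx5colw3jrte6gynbfua4sq2hz7mkd.zone-b.example",
    "www.example.com",
]

if __name__ == "__main__":
    print(tunneling_candidates(SAMPLE_QUERIES))
```

Tune the thresholds against your own resolver logs before alerting on the result, since some content-delivery and telemetry hostnames are legitimately long and random-looking.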
Don't allow a data breach to occur due to weak network configurations. Fairdinkum employs a combination of cutting-edge techniques to keep your network and data safe including security scans and monitoring, penetration tests, and security training to ensure that your data is safe with us.
In today’s digital world, customer data is one of the most valuable currencies. Unfortunately, that makes it an incredibly attractive target for hackers, phishers, and other cyber criminals. In fact, an estimated 158,727 pieces of customer data are stolen every single hour.
It’s not just cyber criminals that leave you vulnerable to data breaches, though. Simple human error can lead to the unintentional release of customer data, and the consequences for your business can be equally devastating.
Forbes reports: "Globally, the impact of a data breach on an organization averages $3.86 million, though more serious "mega breaches" can cost hundreds of millions of dollars. IBM's 2018 Cost of a Data Breach study was formulated through interviews with more than 2,200 IT, data protection and compliance professionals from 477 companies and it provides an interesting insight into one of the most serious problems facing companies today.
The potential cost of an incident depends on several factors with the financial impact rising in line with the number of records stolen. On average, each record costs $148 and a breach of 1 million records costs $40 million while a breach of 50 million costs $350 million. The research also found that the efficiency in identifying an incident and the speed of the response has a huge impact on its overall cost. On average, it took companies 197 days to identify a data breach and 69 days to contain it."
At present, federal legislation governing data protection tends to be sector-specific, while state legislation focuses on protecting the data of individual consumers.
It can be hard to keep track of which regulations you need to adhere to, but the basic principle is that you need to take reasonable measures to protect personally identifiable or sensitive information about your customers - think names, addresses, social security numbers, or credit card information, for example.
Depending on your state and sector, you might be required to do any number of the following:
If you fail to meet your obligations and a data breach occurs, you may face heavy fines and be held liable for damages suffered by your customers. In some sectors and/or jurisdictions, you may even lose your license to conduct business altogether.
Research has found that in the event of a cyber attack, as many as 60% of your customers consider leaving, and around a third actually do, even if they weren’t personally affected.
It makes sense — your customers are trusting you with their most personal of data, and a breach can seriously shake their confidence in your ability to keep that data (and them) safe. Very few businesses can survive the loss of one third of their customers, and chances are yours is one of them.
With legal consequences, public relations damage, and customer decline comes financial loss. Whether you’re paying steep fines or losing out on sales, your business takes a huge monetary hit from a data breach. The cost for an average small business is approaching $150 million, which again, most businesses simply can’t afford.
Even the best-protected and most vigilant companies can fall victim to a data breach, so it’s important to take a proactive approach to keeping your customer data safe and secure. Ultimately, the best way to do this is to get a helping hand from the professionals.
At Fairdinkum, we help businesses like yours to secure their customer data, protect their reputation, and avoid costly legal and financial consequences. You can download Fairdinkum’s free Security Audit Checklist to help you to find your weak spots before cyber attackers do, or contact us now for a free, no-obligation consultation.
While the news sensationalizes cyber threats from bad actors and nation states, the reality is that the largest threats to organizations are their own employees and contractors. Humans are vulnerable and prone to fall victim to schemes aimed at gaining access to company networks. For their part, the hackers are sly and cunning and know how to take advantage of the weak link. When organizations take the initiative to learn about common data breach scenarios, they can better prepare and protect themselves.
The Verizon RISK team recently published a report, the Data Breach Digest, outlining the most common data breach scenarios. Threats can come from within an enterprise - including third-party vendor partnerships - as well as outside of it. Here is an overview of five scenarios the RISK team investigated, all of which demonstrate how data breaches can be caused by manipulation of individuals’ actions and emotions.
In an example of this scenario, a company rival e-mailed a chief design engineer. The e-mail masqueraded as a recruitment device, including an attachment with job openings. However, the attachment installed malicious software that was able to access classified design plans for a new piece of equipment. With these plans in hand, the rival was able to produce a copycat product, and the victim lost intellectual property.
Financial pretexting generally involves manipulating human emotions in order to gain access to highly sensitive financial information.
In this particular case, a banking organization learned that someone had attempted to wire more than $5 million through FedWire. While the attempt failed because of built-in protective measures, the perpetrator managed to gain access to company functions through emailing an employee. This employee, a regional manager, received an email ostensibly from the company’s CIO, complimenting her.
She clicked on a hyperlink in the email, which initiated the installation of malicious software. In this case, the software not only scraped data but was also capable of initiating wire transfers through the computer.
Extortion works by demanding that victims pay a ransom in order to recover data, unlock computers and devices, or even gain back control of the network. This form of cyber attack represents a growing threat. For one manufacturing and retail company, an extortion attack began when a member of the IT team received two emails claiming to have several years’ worth of customer transaction data. After validating the threat, the company revamped its e-commerce platform and publicly admitted that two million customer records had been compromised.
Insider attacks are less common, but can be devastating. These attacks rely on trusted employees or contractors who have privileged access to network data.
Verizon reports that the majority (63%) of data breaches over the previous three years involving "insider and privilege misuse" were financially motivated. The majority of other cases involve disgruntled employees and revenge. In one example given, a company in the middle of a buy-out received a tip that a middle manager was accessing and abusing the CEO’s email account.
Ultimately, investigators discovered that the manager was working in concert with an IT administrator to access the CEO’s email account by taking advantage of the spam filter.
Business partners and trusted vendors are essential for business, but unscrupulous partners can be disastrous. One oil and gas company experienced a data breach at the hands of a partner gas station company. Several computer systems at the gas stations were able to access the parent networks, and one employee was ultimately found responsible.
These sobering scenarios suggest that companies must be on alert for data breaches caused by humans - whether accidental or intentional. Here are some steps companies can take to protect themselves: