Traditionally, the financial-services industry (FSI) has been viewed as more mature than other industries when it comes to planning for, preparing for, and preventing cybersecurity incidents. Yet even a firm that complies with today's still-developing cybersecurity regulations, optional and mandatory alike, must remain concerned about cyber-threats that constantly evolve and shift, which makes consistent planning and preparation an ever-present concern.
Financial services C-Suite and board members need to keep existing and emerging cyber-threats highlighted on their radar, given that FSI companies have such valuable data and information to protect and are a prime target for cyber-criminals.
Financial services firms face some unique threats that bear further examination, along with potential mitigation strategies to help deter the evolving methods of cyber-criminals.
ATM “Jackpotting”—There have been reports of ATM “black box”-style attacks in the U.S., in which cyber-criminals attach a hard drive or laptop to the ATM, displacing the current ATM software. Once the ATM is running off the malware-infected hard drive, it can be remotely controlled to dispense cash on demand. While these physical ATM attacks have been happening in Europe and Asia since 2012, they are new to the U.S. as of 2018.
Malware-only ATM Attacks—In addition to the black-box “jackpotting” schemes, which require physical access to the internals of the ATM itself, there have also been network-based ATM attacks in other parts of the world since 2016. In general, the attackers gained access to a bank’s internal network through the usual probing mechanisms (spearphishing, social engineering, etc.), then navigated the bank’s internal networks to deploy malware out to the ATMs. The cyber-criminals could then remotely control the infected ATMs to dispense cash on demand. This style of ATM attack has not hit the U.S. yet, but it is an emerging threat that financial services’ senior management needs to be aware of. Like the ATM “black box,” it could be a tactic used in the U.S. sooner rather than later.
How to defend
Standalone, kiosk-style ATMs have been the most prone to “black box”-style attacks. Hardening the exterior of the ATM physically would offer better protection of the internal components against tampering.
To prevent network-based attacks on ATMs, network segmentation should be part of a good strategy. It is important to ensure that only legitimate traffic can reach critical resources anywhere in your environment. In this case, you want to separate your ATM network from the rest of your corporate IT network, which reduces the risk to that portion of the environment. While the idea of network segmentation for cybersecurity is not new, adoption of this strategy is picking up and becoming more prevalent. The trend now is to partition the internal networks, to trust no traffic by default, to be fully aware of what traffic is flowing through the network, and to allow only those applications that are critical for your business.
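As an added illustration of the allowlist-only segmentation described above (example code, not from the original article), the script below audits a set of flow records against a default-deny policy for an ATM segment: any flow into or out of the ATM segment that is not explicitly permitted is reported. The address ranges, the port, and the sample flow records are constructed for the example and do not describe any real bank's network.

```python
"""Default-deny segmentation audit for an ATM network segment.

Added example, not code from the original article. Address ranges, the
management rule, and the sample flows below are constructed (hypothetical).
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    port: int
    proto: str


# Constructed address plan (hypothetical).
ATM_SEGMENT = ip_network("10.50.0.0/24")        # the ATMs themselves
ATM_HOST_SEGMENT = ip_network("10.60.0.0/28")   # ATM host / switch servers
CORPORATE = ip_network("10.0.0.0/16")           # general corporate IT

# Allowlist of (source segment, destination segment, protocol, port).
# Anything not listed is denied: the "trust no traffic by default" stance.
ALLOW = [
    (ATM_SEGMENT, ATM_HOST_SEGMENT, "tcp", 443),  # ATM -> host over TLS
    (ATM_HOST_SEGMENT, ATM_SEGMENT, "tcp", 443),  # host-initiated management (assumed)
]


def is_allowed(flow: Flow) -> bool:
    """True only if some allowlist entry matches the flow exactly."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for src_net, dst_net, proto, port in ALLOW:
        if (src in src_net and dst in dst_net
                and flow.proto == proto and flow.port == port):
            return True
    return False


def audit(flows: List[Flow]) -> List[Flow]:
    """Return every flow touching the ATM segment that the policy does not permit.

    Flows that never touch the ATM segment are out of scope for this check.
    """
    violations = []
    for flow in flows:
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        touches_atm = src in ATM_SEGMENT or dst in ATM_SEGMENT
        if touches_atm and not is_allowed(flow):
            violations.append(flow)
    return violations


# Constructed sample flow records, e.g. as exported from a firewall log.
SAMPLE_FLOWS = [
    Flow("10.50.0.17", "10.60.0.5", 443, "tcp"),  # ATM to host: permitted
    Flow("10.0.23.8", "10.50.0.17", 3389, "tcp"),  # corporate PC to ATM: not permitted
    Flow("10.50.0.17", "10.0.40.2", 80, "tcp"),   # ATM to corporate server: not permitted
    Flow("10.0.23.8", "10.0.40.2", 80, "tcp"),    # corporate-only traffic: out of scope
]


if __name__ == "__main__":
    for bad in audit(SAMPLE_FLOWS):
        print(f"DENY {bad.proto}/{bad.port} {bad.src} -> {bad.dst}")
```

The point of the check is that the policy is written as a short list of what must work, and everything else is a finding; a workstation on the corporate network reaching an ATM is reported even though no rule mentions it, because no rule permits it.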
Another prevalent and evolving—if not fully emerging—threat that needs to be monitored and addressed is end-user PC and laptop vulnerabilities. These are a constant security risk.
The reason these “endpoints” are so important for cybersecurity is that they sit at the beginning of the vulnerability and compromise. When cyber-criminals send phishing emails or malicious attachments to a company’s employees, they are targeting any device that can be exploited to obtain access to the network. This is the first point of compromise in a cyber-attack, establishing a beachhead for further malicious activities. By becoming better able to ward off endpoint attacks, financial institutions will prevent more complex threats from progressing. Protecting the endpoints is a core part of the cybersecurity puzzle that your team should be very aware of.
Training and education of employees are a key part of your defense. For instance, employees must be acutely aware of the kinds of emails and links they should be wary of. Training on what to look out for and how to respond to malicious attachments or social-engineering attempts is paramount.
It is important to remember that technology plays a strong role here, as well. Beyond just routine software patching and the standard antivirus software and anti-malware products you are probably already familiar with, there are newer families of next-generation, advanced endpoint-protection products that can help to defend against compromise.
Regulatory trends and compliance
Financial services is one of the more heavily regulated industries, so regulators are paying close attention to cybersecurity overall. It is important to be aware of some changes that are taking place throughout 2018 and beyond.
Last year, for example, New York State enacted its own cybersecurity regulations, with portions phasing in this year and also in 2019. Financial institutions should be aware that there are additional regulations they will need to comply with if doing business in New York State. So far New York and Colorado are the only U.S. states to establish their own cybersecurity regulations.
In Asia, the Hong Kong Monetary Authority (HKMA) has begun its Cyber Security Fortification Initiative (CFI), a multiyear initiative designed to strengthen the security of local banks. Phase 1 began last year, with Phase 2 coming in 2018. This is a three-fold initiative that includes a cyber-resilience assessment framework, a professional development program, and a cyber-intelligence sharing platform.
It behooves executive business leadership of financial-service companies to continue to stay up to date on the emerging cybersecurity trends in Europe and Asia, for those regions will be a testing ground for the same strategies and tactics that will eventually be used in the U.S. Awareness of emerging state regulations must be high on their radar as well, for common themes across states will inevitably help to inform pending federal regulations.