October 2017

Risks from external and internal threats have evolved and cybercriminals have become increasingly sophisticated. How is the financial services industry keeping its head above water? The answer lies in empowering the frontline, says Brendan Goode

On 12 May 2017, the WannaCry ransomware hit the news headlines when large corporates such as Spain’s Telefónica and the UK’s National Health Service were infected. The network infection vector, EternalBlue, exploited a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. Organisations that had not installed a specific March 2017 Microsoft security update were affected by the attack.

While Deutsche Bank and other banks were not impacted, the fact that it happened at all underlines the scale of the threat and serves as a reminder that as business has digitalised, it has become more vulnerable. Cybercrime is now estimated to cost the global economy more than US$400bn a year and is expected to rise to US$2.1trn by 2019. i

US$400bn a year 

 Current cost of cybercrime (Lloyds of London)


After Bangladesh

A particular wake-up call for the banking sector was the attempt to steal US$951m from Bangladesh’s central bank in February 2016 via 35 different money orders. US$81m was lifted before being blocked – a spelling error in a recipient account sounded the alert. Malware had been inserted into the bank’s computer systems that observed legitimate transactions before generating its own fake, fraudulent transactions, which were then executed via the global financial messaging system. Following this event, the Society for World Interbank Financial Telecommunication (SWIFT), an organisation whose financial messaging network is used to send and receive information about financial transactions in a standardised and secure environment, reacted promptly and decisively to find a way they can help the community that uses its network be better positioned for security. CEO Gottfried Liebrandt unveiled a Customer Security Programme in a keynote address at the 14th annual European Financial Services Conference in Brussels on 24 May 2016. Today, this programme works with its customers, with a focus on protecting and securing local environments, preventing and detecting fraud in commercial relationships, and continuously sharing information and preparing to defend against future cyber threats.

“There will be a before and after Bangladesh… this is a big deal and goes to the heart of banking,” Liebrandt said. He called for the industry to work together with SWIFT “to reinforce the security of our entire financial system”. He challenged the banks: “SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry. The security of our network remains our key priority; the security of their own environments has to remain (and for some become) banks’ priority.

“Many breaches are already preventable with good practices.”


The evolving landscape

The financial services industry is a highly attractive target for cybercriminals, be they individuals, organisations or even linked to nation-states. The primary motivation to attack is to make money, and cybercriminals invest heavily in developing capabilities to enable this. This can be seen in the evolution of attacks from ‘script kiddie’ attacks to well-planned cyberheists in 2016 that incorporated sophisticated custom malware, persistence, counter-forensics and money-laundering techniques. Tighter direct relationships between systems, stronger indirect relationships arising from the activities of large financial institutions in multiple systems and broader commonalities such as the use of common third-party service providers such as SWIFT and real-time gross settlement systems (RTGS) have, says a World Economic Forum white paper (October 2016) “led to a complex web of interconnections”. ii

Attack sophistication is still growing. Perpetrators are increasingly well trained, highly professional and equipped with all relevant resources such as computing capacity, exploitation and masking tools. In response, the financial industry has to keep the right balance between security and the need for allowing the market to operate. This is a continuous challenge – many transactions are processed in real time and manually inspecting each one is not a feasible option.

While there is no 100% security, many breaches are already preventable with good practices. Ronald Dick, Chief of the National Infrastructure Protection Centre (NIPC) said that 80% of the issues the NIPC responds to could have been prevented if system administrators had been able to download a patch and repair their systems. Studies from cybersecurity product provider Symantec show that more than a third of data breaches are caused by negligence or human error.

“There will be a before and after Bangladesh... this is a big deal and goes to the heart of banking.”


Gottfried Liebrandt, CEO, SWIFT


Kill Chain of attacks and Defense in Depth

Organisations can better prepare and protect themselves by creating layers of security, sometimes referred to as ‘Defense in Depth’. The intent is to not rely on a single solution or approach to security, but instead reduce the potential effectiveness of an attack by attempting to disrupt a threat actor at different stages during an attack. Threat actors carefully plan out their attacks, often studying the victim and their environment. When successful, they will reuse the techniques again and sometimes make them available on the black market. Approaches such as ‘Defense in Depth’ are meant to reduce the effectiveness of these attacks and make them less appealing to use.

Figure 1 sets out a summary of a typical cyber attack structure called the ‘Kill Chain’, overlaid with controls at each point. The Kill Chain describes the phases of a successful cyber attack, from ‘Reconnaissance’ to ‘Action on Objectives’. The overlaid controls provide a representation of how security can be layered in ‘Defense in Depth’ throughout IT systems to deter, detect and disrupt the attacker from accomplishing its goals. To mitigate threats, controls should be implemented strategically at each stage of the Kill Chain – so even if one control fails to stop the attacker, the next control can successfully mitigate an attack.

User awareness

The first target of an attack is often still the end user. All too often, human error represents the weakest link in many IT systems and threat actors continue to target these users through phishing and spam campaigns as way of gaining initial entry into an organisation. These tactics continue to be successful and many advanced cyberattacks have used them to gain a foothold into an organisation. In response, significant efforts and attention have been placed by governments, security groups, media and private sector organisations to raise awareness.

However, even as defences and awareness have improved, threat actors have adapted their techniques and increased their sophistication. To continue improving defences against these attacks, companies must continue to invest in raising user awareness and begin to transform users into becoming the company’s strongest link by making them an active part of an organisation’s defences. iii

Some successful user awareness programmes try to drive a ‘do this’ rather than a ‘don’t do this’ approach. If a user sees something suspicious they should send it to the Information Security Specialists straightaway, so they can get it analysed – sometimes a user will be the first person to encounter a threat. Even if a malware campaign gets past the anti-virus products on the first day, its effectiveness can be significantly reduced or mitigated the second day if users are vigilant. Through doing this, the users can become an important part of the security lifecycle.

No boundaries

Another issue is that the bad guys are not limited by jurisdictional boundaries and in fact they use this to their advantage.

Attacks are often launched in jurisdictions with weaker cyber laws and often against a target in another country. This should not deter an organisation’s ability to defend against the threat, but it does complicate law enforcement actions once attribution is established.

To improve collaboration, Deutsche Bank cooperates with other members of the financial industry, the technology sector, regulators and law enforcement across the globe to support the collective effort to combat cybercrime. The bank is actively involved in global and regional sharing initiatives such as the FS-ISAC, the Cyber Defence Alliance in the UK and the Cyber Security Sharing & Analytics in Germany, to name just a few. Through these relationships, we strive to improve overall awareness of ongoing threats and to be better prepared to more quickly respond when there are attempted large breaches.

As we move forward, the financial industry may need to continue to evolve its defences to safeguard its environment and to protect their assets. However, this cannot be done in isolation. There needs to be a collective effort to combat cybercrime. We all need to maintain good security hygiene and to continue to educate our users to make them the strongest link.

Brendan Goode is Deutsche Bank’s Head of Information Security Operations and the Regional Chief Information Security Officer for the UK and Ireland


_________________________________________

i See http://bit.ly/2vLCEq3 at forbes.com
ii See http://bit.ly/2vPqvkE at weforum.org
iii See Janine Durbin’s practical points on cybersecurity management at http://bit.ly/2vBeFcH

You might be interested in

This website uses cookies in order to improve user experience. If you close this box or continue browsing, we will assume you agree with this. For more information about the cookies we use or to find out how you can disable cookies, click here.