The New Cyberattack Targets: This Week – Financial Institutions
OK, we all know financial institutions are not a new cyberattack target. Since the first U.S. robbery of the Bank of Pennsylvania at Carpenter’s Hall in 1798 for $162,821, financial institutions have been a target for theft. The technical advancements made in the financial industry have improved the user experience for both the institution and the consumer but have also expedited, expanded and simplified the theft opportunity.
The July 2017 breach of the personal information of 143 million consumers through an application vulnerability at Equifax, one of the largest credit bureaus in the U.S., is an example of how criminals have expanded beyond physical targets and set their sights on digital ones as well. Details reported from the breach show that the company operated with little enforcement of government regulations, which led to negligent management of the bureau’s data security and the blame falling heavily on one IT employee’s shoulders.
Equifax is just the latest in a long line of preventable breaches at financial institutions from credit card processors, to credit bureaus, banks, financial services, holding companies, mortgage companies and more during the past ten years:
2007. What began as an investment-related spam email at TD Ameritrade, an online trading and investing company, ended with a malicious code install that allowed the hacker to steal the personal information of more than 6.3 million customers. Hackers used the stolen email addresses to spearphish TD Ameritrade’s customers. A class action suit followed, and the settlement called for TD Ameritrade to pay affected individuals between $2.5 and $6.5 million, which also included compensation for attorney fees and expenses.
2008. Heartland Payment Systems, a credit card processor, suffered a SQL injection attack that exposed an estimated 130 million credit and debit card numbers. Heartland was ordered to pay $110 million in claims to credit card companies.
2011. A technical vulnerability in Citibank’s online credit card account system allowed hackers to view other customers’ accounts merely by inserting account numbers into the browser’s address bar; they then wrote code to repeat this process automatically and stole the personal information of 360,000 credit card holders. Per the Ponemon Institute, the attack cost the bank an estimated $19.4 million in addition to a settlement of $55,000 to the State of Connecticut. The Connecticut Attorney General and security experts agree that the Citibank breach was preventable if the bank had implemented stronger and more effective security controls.
2012. Using SQL injection attacks, hackers breached the card processing system at Global Payments, Inc., affecting 1.5 million card accounts and costing the company more than $90 million.
2014. The security team at JPMorgan Chase neglected to update a network server to require two-factor authentication, which allowed the hacker to gain access with nothing more than one employee’s login credentials. The breach compromised sensitive financial and personal information of 76 million households and 7 million small businesses, costing the bank $1 billion in damages.
2017. Deloitte, a “big four” accounting and business services firm, reported that its global email server was compromised through an administrator’s account that required only a single password instead of the industry-standard two-factor verification.
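The Citibank entry above describes an insecure direct object reference: an account number taken from the address bar was trusted as-is. As an added example, not code from this post or from Vaultive, here is that pattern beside a hardened lookup that binds the account to the authenticated user and flags enumeration; the account store, thresholds and user names are constructed.

```python
"""Added example: IDOR lookup beside a hardened, ownership-checked lookup.
All account data and user names are constructed sample data."""
from collections import defaultdict

# Constructed sample store: account number -> owner and sensitive record
ACCOUNTS = {
    "4000001": {"owner": "alice", "ssn_last4": "1111"},
    "4000002": {"owner": "bob", "ssn_last4": "2222"},
    "4000003": {"owner": "carol", "ssn_last4": "3333"},
}


def vulnerable_lookup(session_user, account_no):
    """The flaw as described: the account number from the URL is trusted
    directly, so any logged-in user can read any account."""
    return ACCOUNTS.get(account_no)


class AccountService:
    """Hardened lookup: ownership is checked against the session, and the
    number of distinct denied account ids per user is tracked so that
    sequential probing of the address bar can be alerted on."""

    def __init__(self, miss_threshold=3):
        self.miss_threshold = miss_threshold
        self.misses = defaultdict(set)  # session user -> denied account ids

    def lookup(self, session_user, account_no):
        record = ACCOUNTS.get(account_no)
        # Unknown and not-owned accounts get the same answer, so the
        # response does not reveal whether a given account number exists.
        if record is None or record["owner"] != session_user:
            self.misses[session_user].add(account_no)
            return None
        return record

    def enumeration_suspects(self):
        """Users whose distinct denied ids reached the alerting threshold."""
        return sorted(user for user, ids in self.misses.items()
                      if len(ids) >= self.miss_threshold)
```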
As part of a blog series titled “The New Cyberattack Targets,” Vaultive is exploring the security challenges newly targeted industries face when criminals take aim at their sensitive data in the cloud. This post on the financial sector is the second in our series, and although, as the breaches above demonstrate, the sector is not a new target, many security experts would argue that rookie mistakes are responsible for many of the industry’s large-scale breaches of the last decade. These security missteps are reason enough to reexamine the financial market as a new target and discuss how it can enforce successful security today, as organizations increasingly find themselves sending data into cloud and hybrid environments.
Isn’t the Cloud Just another Risk?
Businesses today must host services online and use cloud offerings to be relevant and competitive. As seen in many of the breaches listed above, without an effective and strong security program, any IT service can be vulnerable no matter how it’s delivered. However, with a solid security and governance strategy in place, it can be argued that the cloud offers better protection overall than an on-premises infrastructure. The reality is that the scale and specialization (not to mention high stakes) that exist at most cloud providers means they are likely to achieve a far superior security posture for a specific service than an in-house IT team ever can.
The two top reasons many financial organizations are reluctant to migrate from on-premises to the cloud are meeting compliance standards and loss of data control. However, with the right technology, processes, and procedures in place, financial institutions could significantly improve their security program while reaping the benefits of a cloud infrastructure, and be less at risk than they are today.
One of the most challenging aspects of shifting IT infrastructure from on-premises systems to cloud services is assessing the risk that such a move will pose to your organization’s regulatory compliance posture. This challenge is particularly daunting for financial services organizations, which face multiple regulatory requirements, many of which are prescriptive about information security.
Two examples of this include:
- FFIEC/FDIC-regulated organizations, which must submit their IT infrastructure to regular audits, and
- Organizations involved with credit card payment processing, which are subject to the Payment Card Industry Data Security Standard (PCI DSS).
Organizations can use cloud encryption to achieve true segregation of duties between the internal IT security team and the cloud provider, which supports compliance strategies in these areas by:
- Demonstrating to FFIEC/FDIC regulators that audit scope does not need to extend to cloud providers because the cloud providers cannot access the keys
- Complying with specific guidance in the PCI DSS requirements that state that payment data stored in the cloud should be encrypted using customer-held keys.
Vaultive allows financial institutions to demonstrate complete control over their data regardless of where it is stored, because unencrypted data never leaves the organization, or is redacted through data loss prevention policies before it does. Additional audit logs allow organizations to maintain visibility beyond the on-premises perimeter. When submitting to an audit, Vaultive customers can provide strong and defensible proof that their cloud data is secure and never left their IT security team’s control.
Vaultive also features a dynamic auditing, monitoring, and reporting engine which can be configured to meet enterprise security requirements and a customer’s relevant compliance standards. With the Vaultive platform, IT security teams can track access to cloud services as well as to sensitive data. All resulting logs can be exported to a customer’s preferred security information and event management (SIEM) tool, enabling centralized visibility.
Loss of Data Control
Another common adoption obstacle for financial institutions is the concern around data privacy, unauthorized access, or secret government data requests, all stemming from a cloud service provider’s ability to access their cleartext data.
Vaultive’s patented encryption technology ensures that an organization’s data is encrypted, with keys that they control, before it ever reaches a cloud service. Only authorized users in the customer’s organization can access the data, and it remains encrypted through all stages of its lifecycle, while in transit, at rest, and even while being processed by the cloud service provider. Vaultive’s feature-preserving approach ensures uninterrupted application and platform functionality, while data remains completely segregated from a financial institution’s cloud service provider.
Additionally, the cloud hasn’t completely rewritten the book on security best practices. Several of the methods that have served IT security teams well on premises can be extended to the cloud with Vaultive. With a policy-engine monitoring user interactions with IT-sanctioned cloud services, IT teams can enforce well-proven standards such as privilege management, access controls, automatic or step-up authentication, and more.
The Cloud Path Forward
Managing on-premises networks and servers has proved difficult at best and dangerous at worst for many organizations, and the argument of data exposure in a cloud environment loses weight with every new breach. The path forward for any organization in industries processing sensitive data is to establish a unified set of cloud security and governance controls for business-critical software-as-a-service (SaaS) applications and infrastructure-as-a-service (IaaS) resources. Adding encryption, policy, and auditing controls independently of the vendor, and retaining all encryption keys onsite, is a proven way for organizations in high-risk verticals to entrust their data to a cloud provider without giving up control over it, and to achieve a better security posture overall.