A bank CEO said recently, "I have great products and great people, but security is top of mind and what keeps me up. You never know if you're going to be targeted. Do I have the right security posture?"
It's a question bank CIOs and CISOs are asking themselves lately. Although some insist that they have always made security a top priority and little has changed, experts say cyberhacktivist attacks and other threats to mobile and online banking security are driving banks to invest more in security technology and to join security information sharing forums like the Financial Services Information Sharing and Analysis Center. Signs are they're getting better at warding off attacks: an FS-ISAC survey shows that while the total number of account takeover attempts reported by financial institutions rose from 87 in 2009 to 314 in 2011, the percentage of cases where transactions were created and funds were sent out of the bank dropped to 32% in 2011 from a high of 70% in 2009. Bank security executives say they are focusing their security efforts on four areas: applications, network monitoring, DDOS and identity/authentication.
VULNERABLE APPLICATIONS
Malware, especially malicious programs targeting mobile apps, is still the largest and fastest-growing type of threat.
One bank CIO who spoke off the record feels that mobile attacks are increasing and consumers are apathetic. "The consumer who is attacked may not care," he says. "They go everywhere with the device, they let other people use it. But if the consumer has a problem with it, it's almost disposable to them. They just start over again or they hit a reset button."
The simple fact that customers spend so much of their lives on their mobile devices makes mobile app security a top priority. "As institutions have invested in protecting data at risk within the institution, which is important, we have to make sure we keep up security processes so mobile devices don't become the weak leak," notes Bill Wansley, senior vice president at Booz Allen.
Most strains of malware are designed to do one thing: swipe a customer's user name, password and other personal information, in the hopes of eventually stealing money from their account.
The most common defense against fraud of this nature is analytics that pore through customer transaction data and find anomalies that indicate out-of-character behavior: a person who normally logs in from Southern California suddenly logging in from Eastern Europe, for example.
Those that target mobile apps tend to find and exploit vulnerabilities in the mobile app code. "I think app layer threats will continue to grow," says a former bank CISO.
Lack of input validation (making an application understand what data it should accept, including syntax and length) and cross-site scripting (a weakness that lets attackers inject client-side script into Web pages viewed by other users) are still the most exploited of the app vulnerabilities. They're also the easiest to identify in static code analysis, the easiest to fix during the development process, and the hardest to detect with technology. Avivah Litan, vice president and distinguished analyst at Gartner, says companies like Arxan and Metaforic offer mobile app wrappers that can obfuscate the mobile app code that the customer downloads to his phone, making it impossible to reverse-engineer.
DENIAL OF SERVICE
In September and October, 12 large financial institutions' online banking sites were hit with distributed denial of service attacks. The Izz ad-Din al-Qassam Cyber Fighters took responsibility, and said that they would keep targeting large U.S. banks until a video called "Innocence of Muslims" is removed from YouTube. (YouTube will not take it down. The company has said the video falls within its guidelines as it is against Islam, but not against Muslim people, and thus not considered "hate speech.")
Online banking functions were affected, generally for brief periods of time. "No real critical or core operational functions were really directly affected by these attacks," says William B. Nelson, president and CEO of the Financial Services - Information Sharing and Analysis Center, Reston, Va. "They didn't have payments collapse or their loan system destroyed, the checking account system worked," Nelson says.
The targeted banks have been working together to share information about the threats and their efforts to defend themselves, helped in part by FS-ISAC. (FS-ISAC also gathers threat and mitigation information from its members and sends out anonymized reports and alerts.)
In spite of the website outages that occurred in the fall, Nelson considers the response to the DDOS attacks "a huge success story." The government is working with the banks and their internet service providers are helping them identify where the threats coming from and doing something about it. "It's been one happy community," he says.
Bank security executives agree they've formed a close network in the face of shared danger. "In the security community, it is not considered a competitive advantage to watch your competitor get tipped over from a DDOS. There's no honor in that, and security folks don't think that way," says the former CISO.
But the incidents have certainly heightened awareness. The attention the DDOS attacks have gotten in the mainstream press has helped large-bank CIOs make the case for spending more on security to their boards. "These DDOS attacks are definitely a big issue," Litan says.
DDOS attacks are fought by repelling all traffic that looks like it's DDOS. But the perpetrators of such attacks know this and try to create variable traffic that will be harder to pattern recognize. Software alone can't detect such changes, generally it's people who have to decide whether or not a stream of traffic is malicious. "If you form a DOS attack in a way that looks like legitimate traffic, by the time you get lots of that legitimate traffic and you start seeing a slowdown, a human will say no, look, we're seeing so many of these, we're going to evaluate this," says the former CISO. "So the technology develops as those events can be repelled with technology and rules, up to the point where the smart attacker develops a pattern that gets through your rules. That's the find-and-fix repetitive cycle. It's more complicated than just a ping."
The disconcerting thing about the distributed denial of service attacks from the Izz ad-Din al-Qassam Cyber Fighters to many security professionals was their size and impact on underlying infrastructure. Banks rely on critical infrastructure that's out of their control; it's operated by telecom providers such as Verizon and AT&T. The latest attacks are said to have streamed 35-40 gigabytes of malicious traffic at banks' web servers, which typically have about a four-gigabyte bandwidth to work with. That means the attacks have to be repelled at the carrier level.
And the attackers appear to have the capability to dynamically change those packets, so that once a bank CISO team identifies one pattern of attack, the attack could change. "It's really easy to write the if/then statement," says a former bank CISO. "Once you write it, you're essentially protected. But there's a reason why there's a lot of ongoing work on these types of responses, that tells me that maybe these attacks morph."
Banks typically use intrusion detection systems or firewall rules to repel the malicious traffic of DDOS attacks.
The challenge of building a moat around a company's web servers so that DDOS attacks can't harm it, is that the servers are meant to be connected to. "How can you make your customer facing server not customer facing?" the former CISO says. "By its very nature you have a bunch of people knocking on the door." As a bank increases its bandwidth to accommodate the heightened traffic of a denial of service attack, the attackers also increase their output. The bigger the attack, the bigger the pipe needed to repel it.
Litan believes what most banks need is a better DDOS disaster recovery plan. "Banks still have call centers, branches, ATM machines, so they just need to know how to handle these," she says. "People have to know where to go, what to do, what to tell people. It's not the end of the banking system, but it is very disruptive and distracts attention."
For help with DDOS mitigation, banks are relying on companies that provide network traffic analysis, such as Prolexic and Neustar. They also lean on their internet service providers, such as Verizon and AT&T. "The banks are looking at how they can add bandwidth and configure their networks to better withstand a DDOS attack next time," she says.
DATA BREACHES
Lower on the priority list but still important are data breaches. Banks and their telecom carriers are spending a lot of money on security monitoring systems but still only catching a fraction of the breaches. According to Verizon, 15% of breaches get caught, so they're missing 85% of them. "You have to keep pouring resources into these systems," Litan says. One reason the data perimeter is hard to secure is that large banks have silos of data that are hard to manage end to end. Databases, networks, line of business applications are run by different software and people. "A typical bank, especially a large one, has a lot of moving parts," she observes.
Another challenge is a shortage of people with the skills to find and thwart data breaches. "They may have smart people, but it's hard to find PhDs in statistics that know how to monitor security," Litan notes.
Security event management software can help weave data loss prevention with database activity monitoring and application logs, to identify fraud patterns. "The whole idea is to catch unauthorized access, usually internal or external," Litan says. "It may start through an employee who gets escalated privileges or an intruder that's stealing info and going around the apps."
There's also an application for Big Data-style analytics that can bring information siloes together to look for fraud. Palantir, Datica, SAS Institute, and IBM i2 all have offerings of this kind. And open source solutions include Hive Analytics, which uses the Hadoop open source software framework.
IDENTITY/AUTHENTICATION
To improve the process of proving a customer is who he says he is, and therefore blocking fraudsters from using information stolen through malware, biometrics are being actively tested at many large banks, as the previous article attests. Spanish vendor Agnitio provides voice recognition technology that's used within some authentication solutions, such as Victrio's. Nuance is also big in this space.
This is another opportunity for Big Data analytics. Banks can add additional factors to verify the person logging in without requiring anything from them, such as geolocation and device fingerprinting. The key thing is for the bank to do this work behind the scenes. If the bank makes it harder for people to log in, they may go away.
CONSUMER EDUCATION
Security can't all be up to the financial institution, the consumer has to be aware and careful about sharing and using her financial information. "I worry about our society if we depend solely on the benevolence of our financial relationship to protect us," says one industry insider. "If you're doing that, I think you're naive."
Teaching employees and customers to be vigilant, and think before they open an email and click or plug an unknown flash drive into their computer, bank security executives say, is critical.
One of the best examples of consumer security education is U.S. Bank's TMI Tami commercials. TMI Tami was an actress playing a nerdy, lonely, cat-obsessed woman who felt compelled to share personal information, including her passwords, with everyone she met.
PNC Bank recently offered cyber security tips to consumers in a press release. "While multiple layers of cyber security experts work diligently around the clock to protect your bank accounts and personally identifiable information, the most powerful weapon in fighting cyber crime is you," the press release stated. The guidance recommended not using personal information in passwords and PINs, using different passwords for different sites, using spyware on sluggish computers, and using only known Wi-Fi networks.
As always, there's no one answer to security. "There's no silver bullet, there's no perfect security answer, even if you get it the bad guys will come up with a new attack," observes Wansley. "It is a continuous ongoing operation to understand the threat and make sure you've got a comprehensive program that protects you from external as well as internal threats." The internal threats are still the most serious, he believes. "If you've got an insider working on their own or cooperating with an outside group, that's when you really get damage."
FOUR FLAVORS OF CYBER ATTACK
Bill Wansley, senior vice president at Booz Allen, identifies the stages of internet insecurity
1. Data outing. This is an anonymous attack where the perpetrator is just trying to embarrass somebody. "They'll hack into an institution, they'll pull out information and put it out in public, in a site such as Pastebin, where hackers dump their goods," he says. "That's just an embarrassing thing to happen. The Anonymous guys do it to show that they're better than the defense."
2. Data theft. Organized crime gangs are getting amazingly good at stealing data online, Wansley says. "There is substantial financial fraud and financial theft happening, not only in terms of manipulating wire transfers to move money but also theft of credit cards and personally identifiable information associated with credit cards, putting that out in public. Then that has its own black market beyond that."
3. Data disruption. The ongoing DDOS attacks on banks are an example of this kind of attack, which causes disruption but often not much more. "They disrupt your business operation so there's financial impact of the attack and it can be annoying," Wansley says. "We find a lot of those attacks are distractive attacks. In other words, you're focused on the DDOS as I'm shutting down your public web page, but we're doing something else at the same time. You're not watching us penetrate your infrastructure in other ways." The perpetrators could be stealing intellectual property while the security team is focused on blocking malicious web traffic, for example.
4. Data destruction. The biggest example of this is the attack that destroyed all the data on 30,000 computers at Saudi Arabia's national oil company as well as its backup files and disabled its servers. "This is the most serious type of attack," Wansley notes. "Saudi Arabia's national oil company was totally shut down overnight."