DEVELOPMENT OF CYBER THREATS AGAINST FINANCIAL INSTITUTIONS – By Troels Oerting, Group CISO and Elena Kvochko, Head of Global Information Security Strategy and Implementation, Barclays

THE DEVELOPMENT OF THE INTERNET

With over 40% of the population online and 14 billion connected devices and services provided via the Internet through dedicated applications and platforms, more and more sensitive information is being transferred into digital form. The rise of cloud computing, mobile technologies, bring your own device and open source software has also provided innumerable channels and new methods to gather and misuse data to perpetrate malicious attacks.

NEW DRIVERS FOR CYBER THREATS

The threat in cyberspace differs radically from geographically-linked crime at a ‘crime scene’. This latter, classical definition of crime is globally shared and within it the protection of the individual citizen is regulated by nation states through police and law enforcement operations that have jurisdiction within national borders.

Cyberspace facilitates new types of crime. First, crime-as-a-service platforms are available to all Internet users. Second, there is no need to travel to perpetrate cybercrime activities. Third, anonymizing tools make attribution very difficult. Finally, the international community has not been able to establish globally recognized norms on the Internet and the various legal instruments are not keeping up with the pace of cybercrime. Lack of international cooperation also prevents investigation of cybercrime. Given these trends, the number of cyber security incidents has surged exponentially in the past five years, peaking at 42.8 million in 2014, up 48% from 2013. The costs and sophistication of these attacks are also on the rise with the cost of cybercrime per company estimated at $15.4 billion per year on average, more than double the cost in 2010, when it was $5.6 billion according to the 2015 Ponemon study. The number of data breaches and the days it takes to recover from an attack also increased to 46 days in 2015, an increase of 30% in the past six years.

The rise in the occurrence and volume of cyber attacks in recent years has caught the attention of global business leaders. While no industry is spared, the financial sector has become the most targeted, with banks being four more times likely to be attacked than other institutions. An IBM report also stated that the vast majority of cyber attacks targeted the financial and insurance sector in 2014 (25.33%), followed by the communications (19.08%) and manufacturing (17.78%) sectors. Many major financial institutions have been targeted by data breaches in recent years. As a result, respondents in the financial sector now view cybercrime as one of their most significant threats.

CYBERCRIME TOOLS AND MOST COMMON ATTACKS

Networks that perpetrate cyber attacks work together and share knowledge on vulnerabilities and the new modus operandi. They utilize big data analysis to enrich credit card data with personally identifiable information, including usernames, dates of birth, addresses, passwords to other entities and answers to security questions, by pulling information from open sources, social media and by using compromised/hacked information obtained from previous data dumps. New attack vectors are created by the Internet of Things. The developments in machine learning technologies enable the harvesting of more data. Cybercrime is not bound by borders, laws, regulation or data protection.

Profit, risk and required investments are taken into account when a cyber threat victim is selected. Cybercrime is high profit, low risk and medium to low investment and will continue to be so until risk or investment increases or profit lowers. It is always difficult to assess the magnitude of cybercrime, but the combined losses of all US armed robberies in 2010 were $451 million. Because the concentration of cash money is being replaced by digital (PC-tablet/ smartphone) online payments or use of credit card/ mobile pay systems, the trend will continue and efforts to steal money, information, identity, intellectual property, or to cause other damage will increase.

The interest in the “lucrative” assets held by banks will increase. As the industry is getting better at protecting its perimeter, platforms and applications, it might see an increase in the use of employees and “insiders” for breach of access and identity controls. Scaling and automation of tools for more targeted attacks will enable the shift from low profit, high turnaround attacks to sophisticated attacks targeted at “crown jewels”.

The financial sector is the backbone of the economy and any attack against it is likely to have a domino effect on all industries and the economic wellbeing of individuals, businesses and entire countries. Financial institutions are also part of national critical infrastructure in many countries. In addition, the financial industry is highly dependent on the mechanism of trust. This is why cyber attacks of any volume which directly target customer information can be devastating to a bank’s reputation and growth prospects.

Attacks on banks are on the rise and attackers are using increasingly sophisticated methods and crafting elaborate mechanisms to break into servers, primarily for financial gain but also to wipe out information and use stolen sensitive data to harm business prospects and make companies less competitive. Cyber attackers use many methods to disrupt systems and commit fraud on financial institutions. Threatmatrix analysed 15 billion transactions in 2015 and reported that it found 21 million fraud attacks and 45 million botnets attacks in the last three months of 2015 alone

Botnets, which have been used to orchestrate DDoS attacks and create widespread SPAM campaigns, are the biggest threat to financial institutions according to ThreatMatrix. Botnets have resulted in losses of millions and this is only likely to increase with the adoption of the internet of things. Cybercriminals also use viruses, worms and trojan horses to target electronic infrastructure essential to the proper functioning of a computer system.

Cybercriminals also use other methods to attack financial institutions, such as taking over electronic banking accounts to commit fraud and make electronic money transfers, targeting point of sale terminals with malware and using skimming technology to obtain credit and debit card information and PIN numbers. These threats will likely increase with the adoption of new mobile payment apps and technologies such as Google Wallet. Cybercriminals can also target the computer systems of payment processing centres to steal customer information and thereby make illegal transactions.

Hackers have attacked financial markets by accessing brokerage accounts to obtain trade information, engage in fraudulent securities transactions and even infiltrate entire stock exchanges. In addition, attackers are targeting big data and the cloud.

In future attacks, hackers are likely to increasingly target cloud technologies with more botnets and DDoS attacks. This may be cheaper than infecting actual computer networks and makes these breaches more difficult to resolve because cloud-based devices come with their own set of vulnerabilities. BAE Systems also predicts that in 2016, attackers will target internet of things smart devices, to extract not just large volumes of identification data but also pattern and behavioural data which can be sold on the black market and may be more destructive.

But who is perpetrating these attacks? According to an IBM Security report, more than half (55%) of data breaches are carried out by people inside the network; 31.5% are from malicious insiders such as disgruntled employees who still have access to company networks and either want to disrupt or sell stolen information, and 23.5% are from inadvertent insiders who may mistakenly fall prey to online scams and viruses.

THE COUNTERMEASURES

Cyber attacks can directly affect a company’s reputation and bottom line growth and are not likely to decrease in the near future. Leaders in businesses and financial institutions in particular are quickly realizing that cyber security is not just an IT concern but a boardroom and C-suite executive problem that can affect all aspects of daily business operations. One way companies are choosing to respond to rising data breach threats is by investing more financial, intellectual, technological, and human resources into cyber security protection.

Banks will develop “sentient” security operation centres, which are intelligence-led and are focused on creating high level defence, cyber hygiene, education and awareness. The goal of these efforts is to identify what will have a negative impact, not what already has. Resilience is also key, as in the case of a breach, teams have to operate on “muscle memory”. The industry needs to collaborate much more closely. Presently, a number of information exchange initiatives exist, but they often act as feeds for the already overloaded SIEMs or CISOs. The industry needs trusted cooperation, alliances and staff exchanges that can act as “first responders”. Actionable information can be shared within small trusted networks, as can resources such as red teams and pen testers, to reduce costs and improve collaboration.

Establish a robust security strategy

The first thing companies should focus on is creating a comprehensive and robust cyber security strategy that takes into account the company’s specific infrastructure and works to protect networks and data from malicious attacks. This strategy should also include effective recovery and business continuity strategies in the case of a data breach. The strategy should support the overall business objectives.

Increased spending on cyber security

An important way financial institutions can fight cybercrime is through increased spending on cyber security. In addition to lost data and sometimes damaged reputations, cyber attacks can be harmful to company infrastructure and interrupt business as usual, which can lead to significant loss of revenue and resources. Many companies find it a better investment to fund preventative measures rather than attempt to recover losses.

Hire qualified staff

It is important to hire a highly qualified, competent and efficient IT team which will keep abreast of new developments in cyber security and take the necessary actions to quickly respond to attacks to networks and data. Companies should increase staff as needed to meet security demands. However, there is a worldwide shortage of professionals specializing in cyber security who can cope with advanced attacks and the rapidly evolving threat landscape.

According to Symantec, there will be a need for six million cyber security professionals worldwide by 2019, with an estimated shortage of 1.9 million. By investing in training and professional development of their staff, companies can retain their personnel.

Education and awareness

Employers can help fight data breaches by raising awareness about cybercrime in the workplace and educating employees on the company’s cyber security strategy and existing threats. They should also organize regular training and meetings to keep employees knowledgeable, vigilant and invested in the company’s cyber security and provide employees a platform in which to voice their concerns and questions.

With spear-phishing being one of the top methods hackers use to gain entrance into networks, leaders can help employees understand the importance of authenticating email senders, not sending sensitive information online, patching, using strong passwords, reporting suspicious online activities to IT and following company regulations.

If there is a bring your own device policy, employers should ensure that it is regulated by an effective framework that defines rights and responsibilities and strong security mechanisms for the end devices.

Integrate cyber security into business operations

Businesses should not look at cyber security as a separate entity but should seek to integrate it into business operations and the company’s risk management framework.

Enhance public-private partnerships and reform the legal framework.

IT professionals within the financial sector need to work with regulators to adopt best practices, creating mass awareness educational campaigns to educate the public about cybercrime and how to prevent it. Governments are increasingly making cyber security a priority.

The scope and scale of cybercrime is so significant that banks, technology and manufacturing companies, and the government need to collaborate in order to find sound ways to prevent and recover from cyber threats.

Cure the infection

While it is important for businesses to adopt strong cyber security policies and technology and for governments to have the appropriate regulatory and legal frameworks to fight cybercrime, there must also be a discussion on motivations behind cybercrime. Cybercrime is a human problem facilitated by technology and as mentioned above, a large number of attackers are insiders who once worked for the company in question. Businesses can review their practices in the case of termination so that employees are treated fairly and respectfully and are provided a platform to communicate their grievances so that there is mutual agreement on both sides. This might provide less incentive for an ex-employee to seek retribution through other means.

Hackers invade systems for social and political reasons, and governments should begin to study their motivations, open channels of dialogue and organize conferences and meetings to find solutions to cure the motives behind global cybercrime and find diplomatic and political solutions.

Automated cyber security response

A significant problem in fighting cybercrime is that companies may not have the means and resources to survey systems and detect anomalies in real-time.

Therefore, an increasing number of organizations are turning to automated cyber security to protect their networks, which can detect threats and their causes faster, allowing security personnel to focus on other aspects of network security. Automated cyber security measures can allow for more effective security operations and can help avoid human error and fatigue. They can also effectively handle larger volumes of data and investigate every security alert to uncover hidden causes of attacks. Automated response in cyber security is still in its infancy stage, which can make it complicated and expensive for smaller organizations to adopt, but this will change in the future as an increasing number of companies focus on creating and scaling innovative automated responses that streamline processes and simplify operations, leading to lower costs in the long-term.

Use artificial intelligence and automation to fight cybercrimes

As cyber attacks become more prevalent and complex, many are turning to artificial intelligence as a potential solution. Unlike humans, machines can respond in real-time to threats and may be able to prevent secondary attacks according to research published in the International Journal of Artificial Intelligence & Applications. AI applications can be used to counter cyber attacks by mimicking processes found in human neural networks such as problem-solving, learning and memory. AI is used to proactively prevent and detect cyber attacks, emulate the behaviour of human security analysts and identify attacks in real-time. While AI methods are not yet perfect, they present solutions which can be harnessed to build the resilient cyber security of the future.

CONCLUSIONS

To mitigate cybercrime, it needs to be treated holistically, by establishing solid cyber security measures, hiring the needed experts and educating employees and the general public on threats and cybercrime protection mechanisms. Government, banks and businesses should also enhance their cooperation with a need to focus on alternative ways of fighting cybercrime using automated methods, artificial intelligence and seeking to study the underlying causes of cybercriminal motivation and ways to treat it using traditional and innovative channels. Trust, privacy and security are at the centre of what we do and by investing in security, we invest in the future, to be prepared for the next developments in this space.

This article was initially published in the Cybersecurity Review and has been shared with the FIC Observatory as as part of their partnership with FIC2017.

ABOUT THE AUTHORS

Troels Oerting is the Group Chief Information and Security Officer at Barclays. He has more than 35 years experience in law enforcement – the last 15 in senior management positions in Danish and international police organizations with a focus on ICT security. Troels is the former Director of Danish NCIS, National Crime Squad, SOCA and Director of Operations in the Danish Security Intelligence Service. He was also the Assistant Director in Europol’s IMT Department, Assistant Director in Europol’s Operational Department and the Head of the European Cybercrime Centre (EC3), and acting Head of Europol’s Counter Terrorism and Financial Intelligence Centre.

Elena Kvochko is Head of Global Information Security Strategy and Implementation at Barclays. Previously, she was Manager in Information Technology Industry at the World Economic Forum, where she led global partnership programs on cyber resilience and the internet of things and was responsible for developing relationships with top information technology industry partners. She served as Affiliate Fellow in Cyber Security at Harvard University. Elena is an author of numerous publications and reports and has contributed to Forbes, The New York Times, Harvard Business Review and other media outlets.