The Bank of England and the Financial Conduct Authority have informed the financial services sector that they must meet new standards in operational resilience and cybersecurity in the face of a state of near constant cyberattack.

Reflecting on the ‘attack surface’ of the typical financial sector organisation, Dr Simon Wiseman, CTO with UK Cybersecurity firm Deep Secure, looks at the potentially vulnerable areas and suggests ways to mitigate the risks.

 

Guarding the Gateway

Many of the cyberattacks launched against organisations in the financial services sector start with an exploit concealed in seemingly innocent business content arriving on the corporate network via the email or Web gateway. Whatever the vector and whatever the precise nature of the threat, time and again it is business content – documents, spreadsheets, presentations and images – that is used to conceal the attacker’s intent.

Traditionally, the job of combatting threats concealed in business content arriving at the email and Web gateways has been given to detection-based defences, as typified by anti-virus and anti-malware products. The problem now is that these defences are no longer adequate on their own in the face of increasingly sophisticated cybercriminals. Attackers are now employing against commercial targets the kind of stealthy zero-day exploits that were hitherto the province of nation-state intelligence entities, and a detection engine cannot match a signature or behaviour it has never seen.

Fortunately, new ways of combatting this type of threat are emerging, and one of the most effective is called Content Threat Removal. Content Threat Removal doesn’t attempt to detect the presence of a threat in business content arriving at the gateway. Instead, it assumes that all content is potentially bad. Using a process called content transformation, it intercepts every document and image, extracts only the valid business information from it, discards the original and creates a brand new, threat-free copy to deliver to the intended recipient. Because the process never tries to recognise what the attacker has hidden in the content, a new exploit technique does not by itself defeat it: anything that is not business information simply never reaches the recipient, even when new forms of attack are devised. The practical caveat is that the transformation engine itself is now the component exposed to hostile input, so it must parse with a strict, minimal grammar and run isolated from the rest of the network.

 

Portal Problems

We’re in the age of the self-service portal. Prospects and customers alike are encouraged to upload documents (often in the Adobe Portable Document Format or PDF) in support of everything from personal loans and mortgages to motor insurance applications. The problem is that while the PDF is a versatile and incredibly useful file format, it is also highly complex, easy to subvert and is regularly used by cybercriminals to carry malicious payloads.

A typical response to the threat posed by PDFs uploaded from the Internet or other untrusted sources has been to try to mitigate the risk by scanning them with multiple detection-based anti-virus scanners. The problem, as we’ve already noted, is that detection-based defences like anti-virus routinely fail to pick up the latest threats and zero-day exploits. Here again, the best way to mitigate this risk is to re-evaluate the defence and deploy a technology that doesn’t rely on detection but uses content transformation at the portal boundary, so that only PDFs rebuilt from the extracted business content are delivered into the network.
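The following is an added example of the content transformation idea described in the two sections above (the gateway and the upload portal); it is not Deep Secure’s code and makes no claim about how their product is built. It assumes a deliberately simplistic PDF: uncompressed or FlateDecode content streams whose visible text is written with `Tj` operators. The sample input is constructed for the example and carries a hypothetical `/OpenAction` JavaScript entry only to show that it does not survive the rebuild. Real PDFs need a full parser; the shape of the approach is what matters: extract the text, throw the original away, write a fresh file from scratch.

```python
import re
import zlib

# Constructed sample input: a tiny uncompressed PDF whose catalog carries an
# /OpenAction pointing at a JavaScript action (hypothetical payload, used only
# to show that nothing but the text survives transformation).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 59 >>
stream
BT /F1 12 Tf 72 720 Td (Loan application: John Smith) Tj ET
endstream
endobj
5 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TJ_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")   # literal string followed by Tj


def extract_text(pdf: bytes) -> list:
    """Pull only the literal text shown by Tj operators out of every content
    stream (inflating FlateDecode streams when present). Everything else in
    the file - actions, scripts, embedded files, fonts - is never looked at."""
    lines = []
    for raw in STREAM_RE.findall(pdf):
        try:
            body = zlib.decompress(raw)
        except zlib.error:
            body = raw                                  # stream was not compressed
        for s in TJ_RE.findall(body):
            s = re.sub(rb"\\([()\\])", rb"\1", s)       # undo PDF string escaping
            text = s.decode("latin-1")
            text = "".join(ch for ch in text if 32 <= ord(ch) < 127)  # printable ASCII only
            if text:
                lines.append(text)
    return lines


def escape_pdf_string(text: str) -> bytes:
    """Escape the three characters that are special inside a PDF literal string."""
    return re.sub(rb"([()\\])", rb"\\\1", text.encode("latin-1"))


def build_pdf(lines: list) -> bytes:
    """Write a brand-new single-page PDF that contains nothing but the supplied
    text lines. No byte of the original file is copied into the output."""
    ops = b" ".join(b"(" + escape_pdf_string(l) + b") Tj T*" for l in lines)
    content = b"BT /F1 12 Tf 14 TL 72 720 Td " + ops + b" ET"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def transform(pdf: bytes) -> bytes:
    """Content transformation in one line: extract, discard, rebuild."""
    return build_pdf(extract_text(pdf))


if __name__ == "__main__":
    clean = transform(SAMPLE_PDF)
    print("extracted:", extract_text(SAMPLE_PDF))
    print("JavaScript in original:", b"/JavaScript" in SAMPLE_PDF)
    print("JavaScript in rebuilt: ", b"/JavaScript" in clean)
```

Note what the rebuild does not do: it never decides whether the `/OpenAction` is malicious, so the same code would drop a hypothetical zero-day hidden in a font or an embedded file just as readily. The price is fidelity (layout, images and fonts are lost unless the transform also re-creates them), which is why a production engine carries a far richer model of what counts as business content.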

The demand for customers to interact with financial service providers by uploading documents via portals is only going to increase, and so is the danger of compromise from malware concealed within those documents. Mitigating this risk to an acceptable level necessitates a rethink of the defences and a willingness to move away from a dependence on detection and towards complete elimination.

 

Combatting the Undetectable Exploit

When is an exploit undetectable? Well, one answer is when there is no evidence of how the valuables were taken - only the certainty that they’ve gone! For all the millions spent on highly sophisticated cybersecurity products, the fact is that undetectable exploits keep on occurring. Although there is little certainty over how this is being achieved, what evidence has been uncovered points to the use of exploits that conceal information in images using a technique called steganography.

Image steganography is the attacker’s dream tool. It can be used to infiltrate malware, exfiltrate large amounts of data and maintain covert command and control (CnC) channels, all concealed in seemingly innocuous images. Images, of course, are everywhere, and from a simple tweet to the corporate logo in an email signature, each one can be subverted using image steganography. A data loss prevention tool has no reliable way to tell a harmless image from a dangerous one, because well-made image steganography leaves nothing a detector can distinguish from ordinary sensor noise.

In the face of the threat posed by image steganography, organisations can either decide to ignore the risk (many still do) or address it using a transformative approach whereby every image is intercepted at the boundary and re-created anew before being passed to the intended recipient. This approach doesn’t try to detect the exploit; it assumes every image could be compromised and renders them all safe, preventing hidden malware getting in, stopping covert information leaks and blocking stealthy command and control channels.
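As an added illustration of the last two paragraphs (not code from the original article or from Deep Secure), the block below hides a message in the least significant bit of each pixel of a constructed greyscale image, recovers it, and then applies a boundary transform that re-creates the image with a fresh random low bit. The image is visually unchanged (no value moves by more than 1) but the hidden channel is gone, and at no point does the code try to decide whether the image contained anything. The flat pixel list stands in for a decoded image; a real gateway would decode the file format, re-sample the pixels and re-encode, dropping metadata and ancillary chunks along the way.

```python
import random

WIDTH, HEIGHT = 64, 64


def sample_image(seed=7):
    """Constructed cover image: 64x64 8-bit greyscale pixels as a flat list."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(WIDTH * HEIGHT)]


def embed(pixels, payload):
    """Attacker side: hide a length-prefixed payload one bit per pixel in the
    least significant bit (LSB). Each pixel changes by at most 1."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover image")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def read_lsb_bytes(pixels, offset, nbytes):
    """Reassemble nbytes from the LSBs of pixels starting at offset."""
    val = bytearray()
    for b in range(nbytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (pixels[offset + b * 8 + i] & 1)
        val.append(byte)
    return bytes(val)


def extract(pixels):
    """Receiver side: recover the payload, or None when the length prefix
    does not fit the image (i.e. the LSB plane no longer carries a message)."""
    length = int.from_bytes(read_lsb_bytes(pixels, 0, 2), "big")
    if 16 + length * 8 > len(pixels):
        return None
    return read_lsb_bytes(pixels, 16, length)


def transform(pixels, seed=None):
    """Boundary transform: re-create every pixel with a freshly generated low
    bit. Nothing the sender placed in the LSB plane survives, and the picture
    is perceptually identical. This does not detect anything."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]


def max_pixel_delta(a, b):
    """Largest per-pixel change between two images of the same size."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = sample_image()
    secret = b"SORT 40-11-22 ACCOUNT 12345678"        # constructed exfiltration payload
    stego = embed(cover, secret)
    print("recovered from stego image:", extract(stego))
    print("cover vs stego max delta:  ", max_pixel_delta(cover, stego))
    clean = transform(stego)
    print("recovered after transform: ", extract(clean))
    print("stego vs clean max delta:  ", max_pixel_delta(stego, clean))
```

The transform is cheap because the low bit of an 8-bit sample carries no information a viewer can see; that is exactly why the attacker chose it. A more robust scheme (for example one that hides data in JPEG frequency coefficients) would survive this particular step, which is why a production gateway re-samples and re-encodes the whole image rather than touching one bit plane.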

 

A Stronger Screen for SWIFT

Thefts via SWIFT have been under the spotlight. SWIFT, the global provider of secure financial messaging services, is the mechanism by which financial organisations exchange messages relating to payments, securities, treasury and trade. Since at least 2013, those that use SWIFT within financial organisations have been targets of concerted attack, with many banks across the world falling victim and incurring sometimes heavy losses. Many of these exploits have involved gaining access to credentials or exploiting vulnerabilities in ageing network equipment. Addressing these issues is obviously good practice, but there are further steps an organisation can take to build a stronger screen for SWIFT users.

There is some evidence that attempts to target SWIFT users may take the form of so-called ‘sideways attacks’. To elaborate, the initial penetration takes place via email or Web at the boundary into the corporate network. With a beachhead established, the criminals can orchestrate a multi-part attack, whereby malware is triggered on the corporate network to distract the security team while the real target, users with access to SWIFT, is hit ‘sideways’ from already compromised workstations inside the network.

As stated earlier, best practice in combatting this type of activity has to be reviewing the boundary defence (email and Web) and deploying technologies that don’t rely on detection to identify malware carried in documents but instead transform the content. While not the only element of a stronger screen for SWIFT, adopting this approach ensures that incoming business content arrives stripped of whatever active content the original file carried, which removes the most common way the initial beachhead is established.

 

Building a Crypto Currency Fortress

It’s really something of a mistake to think that cryptocurrency security is all down to the cryptography. The real security risk you have to consider is how to keep the coins safe when they are in storage, and what is actually stored is the private key that authorises spending them: whoever holds the key holds the coins. So you have to think about where the keys are held in the same way as you need to think about where conventional cash is kept.

Ultimately, keeping the private keys in a properly designed hardware ‘wallet’ that is not connected to the Internet ensures you have full control over them, but signing every transaction offline is a manual process and does not scale. Allowing the keys to be controlled by a connected system means that system has to be able to repel all current and future cyberattacks. This kind of ‘failure is unthinkable’ protection has previously only been associated with defence and intelligence systems but is becoming increasingly important to online cryptocurrency systems. The providers of these systems are going to have to deploy the latest security mechanisms, guarding the system that hosts the keys to ensure they are not compromised and that trust in the entire ecosystem is not undermined.

Organisations in the financial services sector are rightly concerned about the attack surface they present to the attacker. Going forward, they must be prepared to reduce their reliance on detection based cybersecurity defences and adopt new technologies such as content transformation if they are to improve their overall security posture.

Nearly 9 in 10 technology professionals believe blockchain technology will be as transformative for business as the internet has been.

New research from Intrinsic Insights commissioned by BTL Group has revealed that after reduced costs, the main benefits of blockchain technology are greater data security and protection against cyber threats.

At a time that concerns over data are at their highest, blockchain technology is considered a very adept way to provide greater privacy.

“In a world of increasing concerns over the security and integrity of our data, individuals and businesses are realising the inherent benefits that applications built on blockchain technology can provide when keeping people’s data private,” said Dominic McCann, CEO of BTL Group. “This research also illustrates just how many businesses are looking at using blockchain and of those that are yet to explore it, there is a significant proportion looking to do so in the next two years.”

After two years of high-profile and successful blockchain projects, learning how blockchain can be developed better, on Monday 23rd April BTL Group will be test launching Interbit, its multiple-blockchain platform: a next-generation platform that has a unique “chain joining” capability specifically created so that developers and businesses can quickly, easily and securely build applications.

Tackling these issues head-on, after two years of development and investment, Interbit’s unique “chain joining capability” has the capacity to inter-connect many thousands of Interbit blockchains per solution, in completely private, secure and horizontally scalable manner, addressing the shortcomings of.

A token-free blockchain platform, Interbit has been developed for ease of use. Whether users are a global enterprise, business innovator or software developer, the platform has been written in JavaScript to produce a level of simplicity that is efficient for users and requires no need to learn new programming languages or tools.

Tom Thompson, CTO of BTL Group Ltd. said: “After two years of successfully completed high profile proof of concepts, significant investment and committed development, we are ready to release our Interbit platform for testing and feedback. What we have built is a next generation blockchain platform that allows users to benefit from our chain joining capability by easily and quickly building fast, scalable and secure blockchain applications. Developers can be up and running on an Interbit blockchain within minutes.”

(Source: BTL Group)

The security of banks’ and other financial institutions’ websites has been in the spotlight recently, notably in the case of NatWest bank which was involved in a public discussion regarding its site. Below Jacob Ghanty, Head of Financial Regulation at Kemp Little LLP, discusses the legal implications of website security, along with the potential consequences and of course some solutions to follow up on.

Importance of bank website security

With the diminishment of the physical branch networks that UK banks have maintained traditionally, banks’ online services are a fundamental means through which they deliver core banking services to their customers.

In the case of NatWest, a security expert identified that the bank was not using an encrypted https (Hypertext Transfer Protocol Secure) connection for a customer-facing website (in contrast with its connection for online banking services). The security expert suggested that hackers could redirect site visitors away from NatWest to other sites using similar names. NatWest stated that it would work towards upgrading to https within 48 hours.

Legal obligation to protect customer data

This type of issue is not new and has affected other banks as well. As long ago as 2007, the Information Commissioner’s Office (ICO) named and shamed 11 banks for unacceptable data security practice.

From a data privacy law perspective, under current legislation (the Data Protection Act 1998 (DPA)) organisations are required to have appropriate technical and organisational measures in place to protect data against unauthorised or unlawful processing, and against accidental loss or destruction of or damage to personal data (data security breach). The DPA does not define "appropriate technical and organisational measures" but the interpretive provisions state that, to comply with the seventh data protection principle, data controllers must take into account the state of technical development and the cost of implementing such measures. Moreover, security measures must ensure a level of security appropriate to both: the harm that might result from such a data security breach; and the nature of the personal data to be protected.

From a financial services regulatory perspective, banks are subject to a requirement in the Prudential Regulation Authority Rulebook to: “…establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question. … a firm must have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.” Breach of this and related rules (including a requirement to implement adequate systems and controls to monitor and detect financial crime) would leave banks open to disciplinary action.

The importance of an HTTPS connection

Any data sent between a customer’s device and a website that utilises https is encrypted and accordingly unusable by anyone intercepting it unless they hold the session key; just as importantly, the site’s certificate lets the browser confirm it is talking to the genuine host. Without https protection, anyone positioned on the network path (a public Wi-Fi hotspot or a compromised router, for instance) could, in principle, alter a bank’s web page in transit and re-direct users to a fake or “phishing” website where their data could be stolen. Phishing sites are designed to appear like a bank’s own website to lure customers into disclosing their personal data. Many such sites are quite sophisticated (incorporating fake log-in mechanisms, and so on) and present genuine risks to customers’ data.
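The two checks below are an added example of how a practitioner would verify that a customer-facing site of the kind discussed above has actually been fixed; they are not from the article and do not describe NatWest’s configuration. The first inspects what a server answers on plain http: it should send a permanent redirect to https on the same host, not serve the page in the clear and not hand the visitor to a similar-looking name. The second goes a step beyond the article and checks the https response for a `Strict-Transport-Security` (HSTS) header, which is what stops a browser from ever making the plain http request again. The raw responses and the `.test` hostnames are constructed for the example so it runs offline.

```python
from urllib.parse import urlsplit

# Constructed sample responses (what a server on port 80 / 443 might return).
PLAIN_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><a href='/login'>Online banking</a></html>")
GOOD_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Location: https://www.example-bank.test/\r\nContent-Length: 0\r\n\r\n")
LOOKALIKE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                      b"Location: http://www.examp1e-bank.test/\r\n\r\n")
GOOD_HTTPS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
WEAK_HTTPS = b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"

ONE_YEAR = 31536000


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_plain_http(host: str, raw: bytes) -> list:
    """Findings for the response a browser gets when it asks http://host/.
    An empty list means: permanent redirect to https on the same host."""
    status, headers, _ = parse_response(raw)
    findings = []
    if status in (301, 302, 307, 308) and "location" in headers:
        target = urlsplit(headers["location"])
        if target.scheme != "https":
            findings.append("redirect does not use https")
        if target.hostname != host:
            findings.append(f"redirect leaves {host} for {target.hostname}")
        if status in (302, 307):
            findings.append("temporary redirect; use a permanent one (301 or 308)")
    else:
        findings.append("page served in the clear over http; anyone on the network path can alter it")
    return findings


def check_https(raw: bytes) -> list:
    """Findings for the https response: HSTS present, long-lived, covering subdomains."""
    _, headers, _ = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if not hsts:
        return ["no Strict-Transport-Security header; browsers will keep trying plain http first"]
    directives = {}
    for part in hsts.split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.lower()] = value.strip('"')
    findings = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


if __name__ == "__main__":
    host = "www.example-bank.test"
    for label, raw in [("plain page", PLAIN_PAGE), ("good redirect", GOOD_REDIRECT),
                       ("lookalike redirect", LOOKALIKE_REDIRECT)]:
        print(label, "->", check_plain_http(host, raw) or "ok")
    for label, raw in [("good https", GOOD_HTTPS), ("weak https", WEAK_HTTPS)]:
        print(label, "->", check_https(raw) or "ok")
```

The same-host test matters because of the point the security expert made about similar names: a redirect that lands on `examp1e-bank` is a phishing site even when it is served over https.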

Legal and financial consequences for banks who fail to protect their customers’ data

From a data privacy law standpoint, the ICO has the power to impose financial penalties on data controllers of up to £500,000 for a serious breach of the data protection principles. For example, in October 2016, the ICO imposed a £400,000 fine on TalkTalk for a breach of the seventh data protection principle.

The EU’s General Data Protection Regulation (GDPR) will take effect from 25 May 2018. The GDPR will impose stricter obligations on data controllers than those that apply under the DPA. The GDPR will significantly increase maximum fines for data controllers and processors in two tiers, as follows: up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default; and up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights and international data transfers.

Key next steps for banks to protect financial and customer data

There are several obvious steps that banks can take to protect financial and customer data including carrying out a cyber security audit, maintaining adequate detection capabilities and putting in place recovery and response systems to enable them to carry on in case of an unexpected interruption.

There are a number of useful sources of information in this area including: the FCA’s speech in September 2016 on its supervisory approach to cyber security in financial services firms; various ICO guides on information security; the FCA’s Financial Crime Guide; and the FSA’s Thematic Review Report on data security in the financial services sector of April 2008.
