The financial services sector is arguably the most advanced private sector for intelligence gathering, security information sharing, and investment in cyber security controls. Those of us who have been involved in cyber security for the last few years have experienced periods of high threat activity, such as the al-Qassam Cyber Fighters and Operation Ababil, as well as periods of relative calm.
But how can banks, insurance companies, and others in the financial industry continue to justify their increasing investment in cyber security during long periods of relative calm?
Like many sectors, the financial industry monitors cyber threats and publishes an overall cyber threat level. The levels are defined as:
- Guarded - Routine Operations/General Threat Environment
- Elevated - General or Directed Threat
- High - Credible Threat or Significant Sector Threat has Occurred
- Severe - Credible Intel of Imminent Cyber Threat or Sector Incident
The threat level for the sector is generally at the "Guarded" level, with short periods of "Elevated" or "High". While I agree that the situation today is Guarded, with no general or directed threat to justify an Elevated level, there are a number of factors that raise concern in the finance sector:
1) Unprecedented level of attack activity:
As shown in the Akamai Q4 2015 State of the Internet Security Report, the number of attacks is increasing dramatically. Each dot on the chart below represents a DDoS attack that Akamai mitigated for a customer. This two-year look back makes it very obvious that the level of attack activity has grown tremendously.
2) Sustained, multi-vector attacks:
Over half of the attacks that Akamai mitigates now include multiple vectors. For example, an attack against a customer may start as a SYN flood, switch to a DNS attack, and then change again to a Layer 7 GET flood. In Q4, 56% of all DDoS attacks were multi-vector attacks, up from 42% in Q4 2014. Attacks such as these suggest increased sophistication of the attackers, and require multiple mitigation strategies.
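To make the "multi-vector" metric concrete from a defender's side, here is an added example (not code from the post or from Akamai) that groups mitigation events into incidents, flags incidents whose vector set changes mid-attack, computes the multi-vector share the report quotes, and lists which mitigation layers each incident touched. The event lines, the vector names, the vector-to-layer mapping, and the two-hour gap that separates incidents are all constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of DDoS mitigation events (not real Akamai data).
# One event per line: ISO timestamp, customer id, attack vector observed.
SAMPLE_EVENTS = """\
2016-03-01T10:00:00 bank-a SYN_FLOOD
2016-03-01T10:12:00 bank-a DNS_FLOOD
2016-03-01T10:40:00 bank-a HTTP_GET_FLOOD
2016-03-01T11:00:00 bank-b UDP_FRAGMENT
2016-03-02T09:00:00 bank-b UDP_FRAGMENT
2016-03-02T09:30:00 bank-c SYN_FLOOD
2016-03-02T09:45:00 bank-c SYN_FLOOD
2016-03-03T14:00:00 bank-a NTP_AMPLIFICATION
"""

# Assumed: events for the same customer more than this far apart are
# treated as separate incidents.
INCIDENT_GAP = timedelta(hours=2)

# Assumed mapping from observed vector to the mitigation layer it needs.
# The point of the post is that a single incident can require several.
MITIGATION_LAYER = {
    "SYN_FLOOD": "L3/L4",
    "UDP_FRAGMENT": "L3/L4",
    "NTP_AMPLIFICATION": "L3/L4",
    "DNS_FLOOD": "DNS",
    "HTTP_GET_FLOOD": "L7",
}


def parse_events(text):
    """Parse the whitespace-separated event lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, customer, vector = line.split()
        events.append((datetime.fromisoformat(ts), customer, vector))
    events.sort()
    return events


def group_incidents(events, gap=INCIDENT_GAP):
    """Group events per customer; start a new incident when the gap since
    that customer's previous event exceeds `gap`."""
    incidents = []
    current = {}   # customer -> incident dict currently open
    last_seen = {}  # customer -> timestamp of last event
    for ts, customer, vector in events:
        if customer in current and ts - last_seen[customer] <= gap:
            inc = current[customer]
            inc["vectors"].append(vector)
            inc["end"] = ts
        else:
            inc = {"customer": customer, "start": ts, "end": ts,
                   "vectors": [vector]}
            incidents.append(inc)
            current[customer] = inc
        last_seen[customer] = ts
    return incidents


def is_multi_vector(incident):
    """An incident is multi-vector if more than one distinct vector was seen."""
    return len(set(incident["vectors"])) > 1


def layers_needed(incident):
    """Distinct mitigation layers an incident required, sorted for stability."""
    return sorted({MITIGATION_LAYER.get(v, "unknown")
                   for v in incident["vectors"]})


def multi_vector_share(incidents):
    """Percentage of incidents that were multi-vector."""
    if not incidents:
        return 0.0
    multi = sum(1 for inc in incidents if is_multi_vector(inc))
    return 100.0 * multi / len(incidents)


def summarize(text=SAMPLE_EVENTS):
    incidents = group_incidents(parse_events(text))
    return {
        "incidents": len(incidents),
        "multi_vector": [(inc["customer"], inc["vectors"], layers_needed(inc))
                         for inc in incidents if is_multi_vector(inc)],
        "multi_vector_pct": multi_vector_share(incidents),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the constructed data this yields five incidents, one of which (bank-a, SYN flood then DNS flood then HTTP GET flood) is multi-vector and needed three separate mitigation layers, so the multi-vector share is 20%. Running the same grouping over real mitigation records would give a bank its own version of the 56% figure, which is a more useful input to a risk discussion than the sector-wide number alone.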
3) Evolving compromise of core banking systems:
The banking industry has now experienced a new and disturbing trend of attacks against core systems and payment services. Examples include:
- ATM roll back bank robbery - Kaspersky Labs reported a heist against a Russian bank in which the thieves gained control of back end systems to "roll back" account balances, as accomplices withdrew cash from ATMs.
- Hackers steal $100M from Bangladesh Bank - Criminals have moved up the food chain significantly, and are now able to send spoofed interbank transfer requests directly to central banks.
- Another Hack Stole $12 Million - Banco del Austro, or BDA, in Ecuador, lost over $12M in another falsified bank transfer.
Conclusion: "Guarded" today is different from "Guarded" of yesterday
As depicted in the diagram below, although the industry remains mainly at a Guarded threat level, the associated level of risk continues to increase year after year. In this example, a bank that invested and built out security controls to fully mitigate an Elevated threat level in 2013 may not even have sufficient controls to cover themselves at a Guarded level in 2016. If you have not reviewed your security controls for two or three years, you likely have an accumulated deficit and higher level of risk exposure given today's threats.
Regular, monthly threat briefs and summaries to executives and board members may be one technique to help keep your company committed to maintaining the proper level of security controls, and to keep the investment dollars flowing. But don't just talk cyber: translate cyber incidents and war stories into a discussion of risk. Security information sharing isn't just for security professionals, it's also for the executives ultimately responsible for the security of the firm.
Rich Bolstridge is Chief Strategist, Financial Services at Akamai Technologies