Peak 10’s security technology partner, SilverSky, recently issued its 1H 2014 Financial Institution Threat Report. This was the fifth such report since 2012 on its customers’ security experiences and, as such, provides insight into the maturation and growing sophistication of the criminal methods and tactics.
One interesting finding is that among SilverSky’s nearly 1,000 financial services customers in the research base, the percentage experiencing likely or confirmed compromises decreased year-over-year. Whether this reflects a broader IT trend or their customers’ experiences alone is arguable. We think the efficacy and quality of SilverSky’s products and the security awareness of its customers have an uplifting effect on results.
Be that as it may, the threat report illustrates other important points.
Five out of the top 10 threats are different from one year ago: Just when you think you’ve wrestled one threat to the ground, two others pop up behind you. Ransomware, specifically CryptoLocker, made headlines during the year, earning its place as the #1 threat. SilverSky eliminated the threat for its customers and, having had its 15 minutes of fame, this extortionist malware threat appears to be receding. Six months from now when SilverSky compiles its sixth report, CryptoLocker may not even make the top 10.
Decrease in attack sources but greater variety of threats: This could mean that improved security controls are having a culling effect on less sophisticated perpetrators, while the smart ones devise even more sinister ways to steal from you. Again, this could be a result of the “SilverSky effect,” as opposed to a general trend.
Seven of the top 10 most compromised institutions were small or medium-sized: With fewer resources and staffing to go around – even if the percentages of budget and people are equal to that of larger companies – there are still fewer IT investment dollars available for security without stiffing other business requirements. The fact that financial institutions are so heavily regulated means that the dollars available must be stretched that much further.
Sixty-seven percent of large institutions had at least one incident: While small and mid-size institutions were hit more frequently, larger ones continue to be targets. Half of these incidents came from non-U.S. IP addresses. Basically, no one is immune to infections and attacks.
SilverSky’s report concludes with advice and actions to consider:
Recommendations for PCs
Use multi-layered defenses
- Firewalls, web security, IDS/IPS, anti-virus, SIEM, email-targeted attack detection
Safeguard PCs and observe best practices
- Never open suspect email attachments or follow links
- Don’t respond to emails asking for financial information
- Disable and/or uninstall unused services
- Limit “freeware” installations — more can be installed than you might think
Keep software current, especially OS, browser and AV
- Patch, patch, patch! — OS, but also third-party browser plugins
- Minimum browsers: IE 9, Firefox 16, Chrome 25, Safari 5.1
Block Flash and ads in browser or with web security software
- When practical, block access to unclassified sites
- If you must use Flash or Java, turn on auto-update
Servers & Network Recommendations:
Consider server host intrusion detection systems (HIDS)
- Use for key workloads where application binaries are largely static
- Webservers and transactional systems
- Use in combination with application whitelisting technologies
Enforce very strong production server passwords
- Brute-forcing admin or root passwords is a popular way in
- Strong passwords help prevent compromises of hosts inside the firewall; alternatively, require multi-factor authentication
- Change default admin account names as well
Remove unnecessary server components
- Examples: phpMyAdmin (ZmEu ingress points)
Don’t just trust, verify; scan everything regularly
For balance, invest in a highly skilled, highly trained security event detection and response staff
- Companies lacking budget or expertise should outsource
Set expectations with management
- Prevention cannot be perfect. You will be judged, in part, on how much you can reduce the likelihood of the worst attacks
- Create and test your response plan. The measure of your program is how quickly (and effectively) you respond to compromises that occur due to your residual risks
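The phpMyAdmin/ZmEu point above and the “don’t just trust, verify” advice both come down to looking at your own logs. The script below is an added example, not part of the SilverSky report: it scans web server access-log lines for phpMyAdmin probe paths and the ZmEu scanner’s user agent, and separately flags any phpMyAdmin path that answered with a 2xx, which means the component is actually exposed. The log lines, IP addresses and the probe-path list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the report); the addresses are
# RFC 5737 documentation ranges used here as placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2014:03:14:07 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 281 "-" "ZmEu"
203.0.113.7 - - [12/Aug/2014:03:14:08 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 281 "-" "ZmEu"
203.0.113.7 - - [12/Aug/2014:03:14:09 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 281 "-" "ZmEu"
198.51.100.4 - - [12/Aug/2014:03:20:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Aug/2014:03:21:30 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Path prefixes that phpMyAdmin scanners such as ZmEu commonly probe (assumed list).
PMA_PATH_RE = re.compile(r'^/(phpmyadmin|pma|myadmin|mysql|dbadmin)(/|$)', re.I)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons this request looks like a phpMyAdmin probe."""
    reasons = []
    if 'zmeu' in entry['ua'].lower():
        reasons.append('zmeu-user-agent')
    if PMA_PATH_RE.match(entry['path']):
        reasons.append('pma-path')
        # A 2xx on a phpMyAdmin path means the component is reachable from outside.
        if entry['status'].startswith('2'):
            reasons.append('pma-exposed')
    return reasons

def scan_log(text):
    """Aggregate findings per source IP: {ip: {reason: count}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        for reason in classify(entry):
            findings[entry['ip']][reason] += 1
    return {ip: dict(counts) for ip, counts in findings.items()}

if __name__ == '__main__':
    for ip, counts in scan_log(SAMPLE_LOG).items():
        print(ip, counts)
```

Any IP with a `pma-exposed` hit is the one to act on first: it shows the admin component is still present and answering, regardless of who sent the request.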
As the saying goes, it’s hard to keep your head when all about you are losing theirs. Data breaches can have that effect on people. Adhering to best practices in all matters of security is as near to perfection as you will get and, as these recommendations suggest, that can be a challenge in light of everything else IT must do on a daily basis. A trusted partner can alleviate some of that burden, giving you time to focus on what matters most.