Cybersecurity threats to financial services organizations are constantly evolving, and the need for robust security measures to protect customer data and confidential information is more important than ever. According to VMware, in the first half of 2020 there was a 238% surge in cyberattacks against financial institutions. IBM and the Ponemon Institute have also reported that the average cost of a data breach in the financial sector in 2022 year was the second highest out of all industries, averaging $5.97 million.
Based on these statistics, as well as the continued year-after-year trend of increasing cybercrime incidence and sophistication, being in the financial sector means you have to be concerned about the information security side aspect of your business.
This article discusses the following:
- What types of cyber threats financial services companies are facing
- What penetration is and how it plays a role of a key security control to prevent cybercrime
- What regulations existing for the financial services sector require penetration testing
What types of cyber threats do financial services companies currently face?
In today’s digital environment, cyber threats come in many forms, including phishing, ransomware, web-based attacks, and more. We’ve compiled a list of the currently most common cyber threats to the financial services sector below:
> Phishing
Phishing, which is a category of social engineering attacks, is a type of cyber-attack whereby the malicious actors attempt to deceive users into divulging personal information, such as passwords, credit card numbers, or bank account details, to download malware, or to click on a malicious link containing a further attack such as a CSRF payload. The term is derived from “fishing” – the analogy being that attackers use “bait” to try to hook a victim.
Typically, attackers will send emails or messages purporting to be from a legitimate source such as a bank or online payment service. These messages will usually contain a link or attachment that, when clicked, takes the user to a bogus website designed to look identical to the legitimate one. The website will often then prompt the user to enter their personal information, such as their username, password, credit card details, or bank account number. Once the user has entered this information, the attackers can use it to gain access to the user’s accounts or commit identity theft.
Phishing attacks are becoming increasingly sophisticated and difficult to detect. Attackers often use fake email addresses, spoof legitimate website addresses, and use social engineering techniques to make their messages appear more legitimate. They may also use malicious programs such as keyloggers to capture keystrokes and obtain even more information.
Here is an example of a phishing email that is made to look as if it originated from Microsoft:
> Ransomware
Ransomware is a form of malicious software (malware) that is designed to block access to a computer system or its data until a ransom is paid. It is typically spread through phishing emails, malicious downloads, or exploit kits. Once installed, the ransomware encrypts files and data on the system, making them inaccessible. It then displays a message demanding a ransom in order to decrypt and regain access to the data.
Ransomware attacks have become increasingly common and sophisticated over the past several years. In 2019, the number of ransomware attacks rose by 99%, with the average ransom demand increasing to $84,000 in 2019, up from $41,198 in 2018. Ransomware attacks have also become more targeted, with organizations in the healthcare, technology, and financial services sectors being particularly affected.
Ransomware attacks can have a devastating impact on an organization. It can lead to significant financial losses due to the cost of the ransom and the cost of restoring data and systems. It can also damage the organization’s reputation and disrupt operations.
> Web Application Attacks:
A web application attack is a type of attack that targets applications hosted on web servers. It is a malicious attempt to exploit vulnerabilities in an application or its environment, in order to gain access to confidential data, disrupt service, or gain a foothold in the target system. Web application attacks can range from simple SQL injection to sophisticated zero-day exploits.
An attacker can gain access to a web application by exploiting a vulnerability in the application’s code or its environment. According to the annual security report by Akamai, 94% of observed cyber attacks in the financial sector were facilitated by the following four attack vectors all of which are forms of web application attacks:
- SQL Injections (SQLi)
- Cross-Site Scripting (XSS)
- Local FIle Inclusion (LFI)
- OGNL Java Injection
> Denial of Service (DoS) Attacks:
DoS attacks occur when an attacker floods a system with so much traffic that it is unable to respond to legitimate requests. This type of attack can be used to disrupt the operations of a financial services organization, preventing customers from accessing their accounts or making transactions.
> Supply Chain Attacks
Imagine a financial sector company that has built a web application. The financial company itself has a very strong security posture, but it uses a 3rd party for one of the functions in the application as it is much easier to buy rather than build in that situation. The 3rd party is compromised, and the attacker uses them to pivot into the financial company’s systems. This is what a supply chain attack can look like.
A supply chain attack is a type of cyberattack that targets a system’s supply chain by exploiting vulnerable components in the supply chain. The attack is used to gain access to sensitive systems or data, or to introduce malicious code or hardware. Supply chain attacks are becoming increasingly common as attackers look for ways to target businesses and organizations.
A supply chain attack occurs when an attacker exploits a vulnerability in a component of the supply chain in order to gain access to an organization’s systems or data. This can be done by introducing malicious code or hardware into the supply chain, or by compromising an existing component. The attack may target any level of the supply chain, from the manufacturer to the end user.
> Bank Drops
A bank drop attack is a form of cyber attack that involves criminals using fake accounts to gain access to financial systems. It is also known as a “bank roll” attack. The attack works by criminals creating numerous fake accounts that are linked to the same bank. They then use the accounts to transfer money from the bank to their own accounts. The criminals can then use the money for their own personal gain.
The criminals use a variety of methods to create these fake accounts. They may use stolen credit card information or create false identities in order to open the accounts. They may also use malware or phishing techniques to gain access to the financial system.
Once the criminals have gained access to the financial system, they can transfer money from the bank to their own accounts. This is done by transferring the money from the bank to a third-party account. The criminals then use the money to purchase items or services online, cryptocurrencies, or even prepaid cards.
What is penetration testing?
Penetration testing, also known as pen testing or ethical hacking, is a type of security testing that is used to identify weaknesses and vulnerabilities in a computer system or network. The purpose of penetration testing is to identify and report any security flaws that may exist in the system or network in order to protect the system from potential threats and ensure that the system is secure and safe from malicious actors. When performed by skilled professionals, pen testing is capable of detecting vulnerabilities that could lead to the threat vectors discussed above being able to be successfully exploited. By leveraging penetration testing, a business can detect these security issues and fix them before a real attacker comes.
In order to conduct a penetration test, a security professional or team will use various tools and techniques to gain access to the system or network. These tools and techniques are designed to identify any potential weaknesses or vulnerabilities in order to gain access to the system or network. The security professional or team will then analyze the system or network to identify any vulnerabilities and weaknesses, as well as any potential exploits that could be used to gain access. After the analysis is complete, the security professional or team will provide a report of their findings and any potential risks or vulnerabilities that were identified. This report can then be used to implement security measures to protect the system or network from malicious actors.
Penetration testing is an important part of any organization’s security posture. It is a necessary step in ensuring the safety and security of a system or network. Regular penetration testing should be conducted to ensure that the system or network is secure and to identify any potential risks or vulnerabilities that may exist. Penetration testing should be conducted by a qualified and experienced security professional or team in order to ensure that the testing is conducted properly and that the results are accurate and reliable.
What regulations existing for the financial services sector require penetration testing?
Penetration is not only a good control in its own right. It is also mandated for the financial sector by multiple regulations:
FTC GLBA: As of 2022, the Federal Trade Commission (FTC) mandates annual penetration testing for companies subject to the Gramm-Leach-Bliley Act (GLBA). This rule was also expanded to include businesses engaged in “activities incidental to financial activity.”
UCF 00654: A testing program must be created, put into action, and kept up-to-date according to UCF 00654. This includes red team exercises, penetration testing, vulnerability scanning, testing technology and people controls, hiring a third party to carry out these tests, and fixing any issues that arise.
UCF 00655: UCF 00655 advocates performing penetration tests as needed including assessing access controls, security vulnerabilities, application layer testing, segmentation testing, and remediation of findings.
FFIEC Information Technology Handbook: This handbook outlines security protocols for financial institutions and outlines the criteria necessary to gauge the security risks associated with the institution’s information systems.
PCI DSS: All businesses that perform credit card processing must meet PCI’s security and testing criteria.
All in all, not only is penetration testing mandated for the financial sector it is also a good practice to mitigate the major security threats facing the industry today. However not all pen tests are created equal. A pen test performed by highly skilled professionals will have a much higher ROI than one performed by barely qualified individuals (no matter how cheap the later looks at a quick glance). Contact BB-SEC to see how we can provide you with the best ROI on your investment into pentesting services to prevent your business from being breached by bad actors.
