In this interview with Help Net Security, HUB Head of Security Products Ido Helshtock talks about bank security, the most common vulnerabilities, and what banks can do to protect themselves and their customers’ assets.
As banks increasingly embrace digital transformation, they are becoming more vulnerable to cyber attacks. What makes them vulnerable?
The banking and financial industry has always been lagging behind in adopting new technologies due to complex concerns about security, privacy, and legal and regulatory compliance. While the major players in the space have been too big to drive rapid digital transformation, the emergence of agile startups and changing user habits has led to the adoption of digital banking.
Unfortunately, moving to online banking presents a larger attack surface for cybercriminals to exploit and attack. Traditional banks already require huge resources and time to implement and maintain digital banking services. This makes it a slow target that cannot immediately respond to new vulnerabilities.
Another weakness is the large workforce that has access to sensitive information that is vulnerable to phishing attacks. Lost, stolen or insufficiently protected credentials have led to many breaches and are still a problem today. In addition, implementing security protocols for thousands of employees at different levels is very difficult, and cybersecurity training is often ineffective or forgotten.
All of these factors contribute to banks becoming vulnerable targets for cybercriminals. A really good example is the 2019 Capital One attack. This shows how moving to the cloud can open up new attack vectors.
What assets and use cases do cybercriminals find most interesting and useful when it comes to attacking banks?
Every organization has a backlog of vulnerabilities that need to be fixed, usually identified by severity and urgency, and an endless list that grows daily as new exploits are discovered. Banks are no exception. Cybercriminals often look for overlooked security flaws or misconfigurations because they realize that these systems are too large to be fully protected at all times.
Generally, the assets of interest are personal information, credit card information, and other consumer information. Capital One was the victim of an attack called Server-Side Request Forgery (SSRF). This attack exploited a misconfigured open source web application firewall on AWS with too many privileges. This is an already known attack method, and speculation has ended that the new zero-day exploit and Capital One costing $80 million in regulatory fines are over.
What can banks do to counter these cyber threats?
It is good to think that investing in cyber security services and technologies will solve the problem, but it is more complex and there is no silver bullet. Just as a portfolio requires an investment strategy, spending on cybersecurity needs to be guided by plans that produce effective and impactful results. You need a comprehensive approach to address specific weaknesses and flaws in your system. Otherwise, cybersecurity will not improve as expected and can be considered a cost center. These initiatives may be more specific for some banks, but there are general improvements that can be made entirely in response to current cybersecurity trends.
Banks can focus on appointing and expanding security teams, so that responsibilities are evenly distributed and bandwidth is created for other cybersecurity initiatives. Never forget a lesson where they can continually provide more cybersecurity training to their employees. At the infrastructure level, you can not only do banking, but you can also make other improvements that can implement technologies to make remote work more secure.
Secret computing is gaining attention for the purpose of protecting digital assets during transactions and remote collaboration through software that works alongside specialized hardware such as Hardware Security Modules (HSMs). You can also extend your protection to other sensitive information such as privacy and personal data.
Does the bank have an in-house security solution or is it better to contact a cybersecurity provider instead? What is the difference between the two?
The choice between an internal security solution or a cybersecurity provider is actually ‘depending on the situation’. Banks may need solutions designed for very specific use cases. This is best provided by an in-house solution that allows you to create exactly what you need. However, designing a cybersecurity solution entirely in-house for all use cases is simply not efficient or effective. The resources and funds to do this should be spent on cybersecurity providers instead.
Purchasing solutions from vendors is usually much cheaper and faster, as it also comes with access to a technical support team that can provide training and documentation for security and IT teams. For example, HSMs require a large amount of design and manufacturing work, so it is best for banks to find a provider that meets their needs to supply the HSM.
Overall, both options benefit, allowing vendors to quickly provide and implement solutions while further customizing their in-house technology to their own challenges. However, every organization needs a core in-house cybersecurity team to help them make informed decisions when sourcing the right technology from trusted vendors and suppliers.
What do you think will be the future of banking security? What is their main focus?
In the near future, banking security will focus on implementing sensitive computing to accommodate the transition to cloud technology and remote work. Transaction protection, identity management, and digital asset protection not only have a significant impact on cyber security, but also impact the efficiency of employees who can operate without fear of phishing or middle-man attacks.
The persistence of remote work makes this an important component, along with new types of assets such as cryptocurrencies being adopted and increased privacy regulations. On the other hand, ransomware is expected to remain a challenge, along with the greater threat from quantum computing that has the potential to defeat modern encryption systems.