As outlined in our prior post, Bank IT Security Can (Still) Learn from 2015: Top Takeaways, Part 1, over the past few weeks, a couple significant reports have been published that offer a detailed look at the IT security landscape that emerged in 2015: The 2016 Data Breach Investigations Report (DBIR) and the Internet Security Threat Report (ITSR). Our prior post highlighted three of the most important takeaways. Following are five more for you to peruse.
Banks Employees and Customers Exposed to Attacks on a Number of Fronts
Dynamic, One-Time Use Malware Now the Norm
Dynamic malware is just one of the tools in the cyber criminal’s arsenal, and as these organizations grow more sophisticated, so do their tactics. To evade detection by signature-based defense mechanisms like firewalls and intrusion detection systems, criminals employ kits to constantly change the characteristics of their malware. All told, the ISTR reports that 430 million unique pieces of malware were discovered in 2015, which represented a rise of 36% from the year before. The DBIR reports:
“Analysis of one of our larger datasets showed that 99% of malware hashes are seen for only 58 seconds or less. In fact, most malware was seen only once. This reflects how quickly hackers are modifying their code to avoid detection.”
This dynamic malware is delivered in a number of ways. Malvertising campaigns continued to show up on popular mainstream media sites, and infecting unwitting visitors. The ISTR shows that more than 100 million malware or exploit kit attacks relating to tech support scams were identified, and in many cases these scams sought to inject ransomware onto victims’ devices.
The ISTR showed ransomware increased 35%, with so-called “crypto ransomware”, an approach in which contents of a compromised system are encrypted and held for ransom, having grown to comprise the bulk of these attacks. Further, these ransomware attacks are no longer restricted to Windows-based personal computers but have now been seen on smart phones, Macs, and Linux systems.
Mobile Device and Application Usage Proliferating—Along with Threats
Mobile phone and application usage continues to proliferate around the globe. In 2015, 1.4 billion smartphones were purchased (Source: IDC). These mobile devices are used to power increasingly strategic business applications, as well as banking transactions and retail payments—and so they’re presenting an increasingly appealing target for criminals.
The ISTR stated that, between 2014 and 2015, new mobile vulnerabilities grew by 214%, and the number of Android applications containing malware grew 230%. Many of these malicious applications target banking data. For example, the ISTR details how Symantec, “uncovered a new Android phishing Trojan that tricks users into entering their banking credentials by popping up a fake login page on top of legitimate banking apps.”
Spear Phishing Emails Focused on Financial Services, Getting More Targeted
Email continues to be a channel that supports massive traffic volumes. The ISTR reveals that an average of 190 billion emails were in circulation every day in 2015. Within financial services, more than half (52.1%) of inbound business email traffic was spam. Further, one in every 310 emails contained malware.
Within this context of massive volumes, a growing, highly targeted threat is emerging. ISTR reports that, compared to the prior year, targeted spear phishing email attacks increased 55% in 2015, while they continued to grow more targeted, averaging only 11 recipients per campaign. Further, the financial services sector was the most targeted industry, receiving 34.9% of all spear phishing emails.
Static, Weak Credentials Leaving Banks Exposed
While static credentials have been a problem for security teams for some time, events in 2015 served to dramatically underscore this reality, accounting for well over half of data breaches. The DBIR indicated that “63% of confirmed data breaches involved weak, default or stolen passwords.”
Virtually all phishing attacks targeted credentials. The DBIR reported on 905 phishing attacks, and 829 were targeting credentials, with the second largest category, secrets, only accounting for 62.
Further, credentials are vulnerable to an array of malware-based attacks. For years, IT organizations have been enforcing more rigorous policies around passwords, including mandating the use of special characters, a mix of capital and lower case letters, and so on. While this should be encouraged, much of the malware that’s growing ubiquitous renders these efforts meaningless. For example, the DBIR states that attacks have evolved to feature “prominent malware families like Dyre and Zeus that are designed to (among other bad things) capture keystrokes from an infected device.” No matter how complex a password may be, it’s vulnerable.
It’s Not Just End Users and End Points: Web Applications are Vulnerable
As web application ecosystems continue to grow more complex, and they continue to serve as a means to gain access to sensitive data, they continue to be targeted by cyber criminals and nation states. DBIR statistics show how, fueled by the wide availability of web attack toolkits, the number of attacks on web applications doubled in 2015. In the financial services sector, web application attacks grew from 31% of tactics in 2014 to 82% in 2015.
This increased attention is leading to the continued discovery of zero-day vulnerabilities, which appeared at the rate of one per week on average over the course of 2015, marking a 125% increase over the prior year. Unfortunately, ISTR numbers reveal these targets are poorly defended. According to the ISTR, security vulnerabilities were found in three-quarters of popular web sites.
External Entities Discovering Breaches
When looking at breach discovery trends, numbers in the DBIR paint a discouraging picture. Internal parties are only responsible for under 10% of breaches discovered, with external third parties, external fraud management, and law enforcement all accounting for higher percentage of breaches discovered, and the trend lines show the numbers of internal detection continuing to decline.
These numbers paint a disturbing picture for banks: If breaches are detected by external parties, it will typically be far too late to stop an attack or minimize the damage. These trends underscore the increasing criticality of strong internal fraud management capabilities. To quickly detect and mitigate the risk of breaches, organizations need to establish fraud management capabilities that offer a holistic, unified view of transactions and security layers.
The Lessons from 2015 in a Nutshell
For bank IT security teams, the implications of 2015’s findings are clear cut. It’s not a matter of if, but when credentials, users, and systems will be proven fallible. Therefore, it’s critical for security teams to mitigate the risk of a user mistake or compromised end point.
Where possible, strong multi-factor authentication needs to be employed to replace static passwords. Further, given the vulnerability of end users and their devices, banks have to implement layered security defenses that are built based on the assumption that devices will be compromised, and limit their ability to do harm. Here’s how the DBIR authors summarize the guidance:
“Make it hard to pivot from the user device to other assets in the organization. Protect the rest of your network from compromised desktops and laptops by segmenting the network and implementing strong authentication between the user networks and anything of importance. Static passwords are adorable, but sophisticated attackers don’t just bypass them, they utilize them to advance their attack.”
If you’re interested in learning more about establishing strong, multi-layer security in your digital banking environments, be sure to visit our layered security in banking page.