In February 2013, a group of cybercriminals stole $45 million from ATMs across the globe; as a recent IBM Security Intelligence piece points out, financial institutions are among the most popular network attack victims worldwide. How can financial firms of any size make sure their network isn't next? Here are four suggestions:
Monitor Attack Surfaces
Banks and other financial institutions must now monitor for distributed denial-of-service (DDoS) attacks on their networks. While the Federal Financial Institutions Examination Council (FFIEC) doesn’t list specific technologies that must be used for detection, companies that refuse to meet the standards could find themselves financially responsible for service disruptions or data breaches.
To avoid these kinds of repercussions, financial enterprises must invest in monitoring tools that can detect threats in real time, report the results and take corrective action. This task is made more difficult by the increasing adoption of both public and private clouds, so look for “as-a-service” solutions capable of monitoring both local stacks and data stored off premises.
In some cases, even the threat of network breaches can cause problems. Consider the recent Heartbleed bug, caused by a flaw in OpenSSL. When affected servers were queried as part of the toolkit's standard “heartbeat” function, it was possible to obtain more than 60,000 bytes of supposedly secure information simply by overstating the payload length declared in the heartbeat request.
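The bounds check that closes this kind of over-read, as an added example (not from the original article and not OpenSSL's own code): a simplified heartbeat responder following RFC 6520 that echoes a payload only when the claimed length fits inside the bytes actually received. The function names, constants and sample message are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte claimed payload length */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Build a heartbeat response from the bytes actually received (msg, msg_len).
 * Returns the response length, or 0 when the request is silently discarded. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (msg_len < HB_HEADER + HB_MIN_PAD || msg[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* The check missing in the vulnerable code path: the claimed payload
     * length must fit inside the record that really arrived. */
    if (HB_HEADER + claimed + HB_MIN_PAD > msg_len)
        return 0;
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, claimed);  /* echo only received bytes */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);   /* zero padding for the demo */
    return resp_len;
}

/* Constructed sample: 4-byte payload whose length field is set to claimed_len. */
size_t hb_demo(uint16_t claimed_len)
{
    uint8_t msg[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST,
        (uint8_t)(claimed_len >> 8), (uint8_t)(claimed_len & 0xff), 'p', 'i', 'n', 'g' };
    uint8_t out[1 << 16];
    return hb_build_response(msg, sizeof msg, out, sizeof out);
}

int main(void)
{
    printf("honest length 4      -> %zu bytes echoed\n", hb_demo(4));
    printf("claimed length 60000 -> %zu (discarded)\n", hb_demo(60000));
    return 0;
}
```

A monitoring rule can apply the same comparison to observed traffic: a heartbeat request whose declared payload length exceeds the record it arrived in is worth an alert even when the server is patched.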
While traditional banks and financial offices were largely immune to this bug thanks to enhanced security measures, it's likely attackers will use this Internet scare as a launch pad for “phishing” attacks. It works like this: Would-be thieves send out authentic-looking emails to consumers, claiming they're from a trusted financial company that has been compromised by Heartbleed. Users are directed to fake sites and told to enter personal information, leading to a breach and the erroneous conclusion that a secure network was compromised. Financial institutions can help mitigate this problem by proactively contacting clients with details about existing security measures and letting them know not to trust any “dire warning” emails.
As a SANS Institute paper points out, it's also important for companies running a secure financial network to think small when it comes to security. This starts with things like WHOIS functionality, which allows members of the public to obtain domain registration details when an IP address is assigned. Even if a company avoids any mention of financial services in its domain name, WHOIS information provides registration data including corporation names and addresses. This makes any ties to the financial sector clear, and the network a high-priority target. It's often worthwhile, therefore, to opt in for WHOIS privacy protection.
Upgrade When Warranted
While there's no reason to upgrade software or firmware deployments that are still supported and working without issue, all technology eventually comes to the end of its lifecycle. Such is the case for Windows XP: as of April 8, 2014, Microsoft officially withdrew its support and advised all XP users to upgrade their operating systems. The problem? According to Fast Company, more than 75 percent of ATMs in the United States still run on XP. Without bug fixes and software support, banks are faced with the prospect of a costly switchover or the possibility of another ATM cash-stealing blitz. The lesson for companies? Upgrade technology before support is completely withdrawn. Ideally, start by deploying new operating systems or server infrastructure in small-scale, controlled conditions; as service and support improve, move over more critical network components.
Financial networks face significant external threats. Be prepared with active monitoring, proactive communications, and smaller-scale, phased security upgrades.
John Grady is Senior Manager of Product Marketing at XO Communications