Data Security: Who's Winning the Cyber War?
Data security has long been a priority for financial services firms. But a wave of very public cyber attacks by international hacker groups such as Anonymous, combined with an already distrustful public following the financial crisis, has forced financial services firms to step up their network security to prevent data breaches and regain clients' trust. While victims of some of the more notable attacks and data breaches of 2011 were large consumer companies and government agencies - including Sony, PBS, the U.S. Senate, and even the CIA and FBI - security experts say financial services firms, traditionally a popular target of fraudsters, are increasingly a target of criminal hackers.
Citibank, for example, discovered a data breach on May 10, 2011, from a hack attack, the consumer fraud website PrivacyRights.org reported. Two weeks later, Citigroup officials concluded that the data the thieves had captured included the names, account numbers and email addresses of about 360,000 customers.
"The reality is that the people who are looking to commit fraud are targeting anybody who has Internet access to applications to allow money to be moved," comments Ben Knieff, Director of Product Marketing at Nice Actimize, a provider of financial crime, risk and compliance solutions. Outside of the retail banking area, hackers could target asset managers, wealth managers, even investors who have access to online assets, relates Knieff.
And, security professionals say, cyber attacks have become relentless -- and more sophisticated than ever. According to reports, hackers can even purchase crime-ware kits on the Internet based on the number of machines they want to infect for as little as $400 to $700.
While five years ago financial services firms mainly saw hackers using "relatively simplistic methods to target customer accounts, attack patterns have shifted," says Lou Steinberg, CTO at TD Ameritrade. In addition, many hackers, such as Anonymous, now have social agendas, he notes.
Hackers use a variety of techniques to distribute malware - malicious code on computer systems designed to steal personal information and passwords or to take control of the machine for distributing spam without the owner's knowledge - according to Jason Milletary, technical director for malware analysis on the Counter Threat Unit (CTU) research team at Dell SecureWorks, a provider of security information services to financial firms. They may leverage social engineering (by making an email appear to come from a friend or colleague to entice the user to open the document, for example) to try to get users to reveal passwords. Hackers also look to exploit weaknesses in applications to steal clients' credentials.
"We see an evolution of the malware so they can elude detection," says Milletary. The top malware threat experienced by the 900 financial customers that use Dell SecureWorks' intrusion prevention system, he reports, is Black Hole, a type of crime-ware developed in Russia to hack computers via malicious scripts planted on compromised websites.
"Now we see much more sophisticated organized rings that profile us and the other financial services institutions. They try to understand where we might have weaknesses," TD Ameritrade's Steinberg says. "Hackers are playing offense, and we are playing defense."
Keeping Up With the Mobile Threat
As a result, financial services IT departments are shoring up their defenses, using security technology more proactively than ever before to protect their clients' assets and corporate secrets. But preventing cybercrime has become more challenging for banks and Wall Street firms as they increasingly offer new products via mobile devices, including Apple's iPad.
"The attack surface has gotten broader and more complex," explains Steinberg, who points out that hackers now can penetrate the perimeter via the web, mobile devices and even voice-over-IP telephony networks. "As banks and online brokers offer bill payment and more new products via mobile devices, that opens up new opportunities for a fraudster to take advantage of," he says.
To protect customer data, historically, IT and security departments looked at putting barriers around data, differentiating between what was inside the company versus what should be kept outside. "If data was on laptops and portable devices, it had to be encrypted," says Chet Wisniewski, senior security adviser for security software firm Sophos. "And if it was inside [the firewall], they didn't need to encrypt it because it was in a vault."
With the explosion of the mobile channel, however, that is an artificial approach that no longer works, Wisniewski contends. "As soon as we start carrying out these phones and tablets, there is no inside and outside," he says, noting that employees may be sitting in an airport or a Starbucks while accessing data. Complicating matters further, Wisniewski adds, companies are looking at moving data into the cloud as a cost savings measure, so data is freely moving beyond the enterprise. (For more on mobile device security, see related sidebar, this page.)
Since the boundaries between what's inside the company and what's outside the company are blurred, financial services firms are shifting their approach, according to Wisniewski. Now they seek to determine which data is sensitive and to ensure that it's protected. "Regardless of whether the data is on a PC desktop inside your building or on an iPhone, the approach is, you classify the data as to its importance and make sure it's protected, and that gives you the ability to make it portable," says Wisniewski.
Not all data is the same, adds TD Ameritrade's Steinberg. With so much data, and so many ways to attack it, TD Ameritrade classifies data based on its sensitivity, he says. "Knowing my favorite flavor of ice cream is not the same as knowing my Social Security number, and so different levels of protection get assigned to different levels of information," illustrates Steinberg. "If you try to protect everything, you protect nothing. What we'd rather do is classify our information and assign our best controls - our best protective measure - against the most important, most sensitive data."
The Real-Time Monitoring Imperative
But even after classifying sensitive data, protecting it requires more than firewalls and encryption, argues Lance James, director of intelligence at Vigilant, which provides managed security monitoring services. According to James, firms need what he calls a "holistic approach" to security, which means employing multiple technologies -- not just firewalls, but monitoring. "You want to optimize and monitor because threats change," says James, who works on the company's collective threat intelligence (CTI) product. "We are focusing on what the emerging threats are and building rules and content to monitor all devices on their network," he explains.
"It's definitely a big thing now to have visibility into your network," adds James, acknowledging that "there is no silver bullet" for preventing breaches. While firewalls were the big thing in the 1990s, "Threat intelligence is the biggest thing now," he continues. Offered as software as a service, Vigilant's CTI is used to create rules to help firms identify threats.
How to Protect Employees' Mobile Devices From Cyber Attacks
With many financial services employees conducting business on the go, their smartphones and mobile devices increasingly are targets of cyber attackers.
The CTI feed, James explains, integrates with a company's security event manager (SEM) - also known as a security information and event manager (SIEM) - a tool that centralizes the storage and interpretation of all logs and events from software running on the network. While Vigilant offers its own centralized log management console through which all devices are monitored, it also works with other SEMs, including Hewlett-Packard's top-selling ArcSight SEM, according to James.
Other vendors recommend real-time monitoring of patterns to detect cyber attacks. TD Ameritrade's Steinberg says behavioral solutions, such as device fingerprinting and profiling how clients do business with the firm, have begun to mature. "We can look for patterns that are not typical," he explains. "If a client started wiring money to Kuala Lumpur, and they never sent money before through the wires, that would be unusual, and we would want to do additional authentication profiling how they connect to us, what time of day and from where."
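The behavioral profiling Steinberg describes can be sketched as a small rule engine: build a profile of what is typical for a client (known device fingerprints, countries, hours, wire destinations), then require step-up authentication when a new event deviates from it. This is an added illustration with constructed sample data, not TD Ameritrade's system; the event fields and thresholds are assumptions.

```python
from datetime import datetime

# Constructed history for one client: two logins and two domestic wires,
# always from the same device, from the US, during the morning.
HISTORY = [
    {"ts": "2011-03-02T10:15", "type": "login", "device": "dev-A1", "country": "US"},
    {"ts": "2011-03-02T10:20", "type": "wire", "device": "dev-A1", "country": "US", "dest": "US", "amount": 500},
    {"ts": "2011-04-11T09:50", "type": "login", "device": "dev-A1", "country": "US"},
    {"ts": "2011-04-11T09:55", "type": "wire", "device": "dev-A1", "country": "US", "dest": "US", "amount": 1200},
]


def build_profile(history):
    """Summarise what is 'typical' for this client from past events."""
    profile = {"devices": set(), "countries": set(), "wire_dests": set(), "hours": set()}
    for e in history:
        profile["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        profile["devices"].add(e["device"])
        profile["countries"].add(e["country"])
        if e["type"] == "wire":
            profile["wire_dests"].add(e["dest"])
    return profile


def assess(event, profile):
    """Return the deviations from the profile; any hit means step-up authentication."""
    reasons = []
    hour = datetime.fromisoformat(event["ts"]).hour
    if event["device"] not in profile["devices"]:
        reasons.append("unknown device fingerprint")
    if event["country"] not in profile["countries"]:
        reasons.append("connection from new country")
    # Assumed tolerance: within two hours of any previously seen hour is 'typical'.
    if not any(abs(hour - h) <= 2 for h in profile["hours"]):
        reasons.append("unusual time of day")
    if event["type"] == "wire":
        if not profile["wire_dests"]:
            reasons.append("first-ever wire")
        elif event["dest"] not in profile["wire_dests"]:
            reasons.append(f"first wire to {event['dest']}")
    return reasons


def decide(event, history=HISTORY):
    """Map an incoming event to an action: 'allow' or 'step_up_auth', with reasons."""
    reasons = assess(event, build_profile(history))
    return ("step_up_auth" if reasons else "allow", reasons)
```

A real deployment would weight the signals and tune the time window per client rather than treating every deviation as equal, but the shape of the decision is the same.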
While Steinberg says TD Ameritrade has done quite a bit of work internally to develop fraud-fighting technology - where, he says, the company tends to be "a bit ahead of the curve" - he notes that TD Ameritrade also works with large network carriers and technology providers to improve real-time monitoring. Equally important, the firm works closely with peers in the financial industry to share data about the threat landscape, Steinberg adds. "We probably trade data about real-time attacks about a dozen times a day," he says, noting that there are a number of groups within financial services that are self-organized via mailing lists and phone-call trees, as well as various other mechanisms for informally sharing data. In addition, the federal government, namely the FBI, provides the industry with vulnerability and real-time data, Steinberg says.
Given the sophistication of the malware and viruses that are out there, and the speed with which they are evolving, Sophos's Wisniewski reiterates the need for a layered approach to protecting customer assets from cyber crime. "You need many layers in place to stop the bad things before they happen," he says. "By implementing all of these tools, the company has five, six or seven attempts to stop the bad virus from coming in or prevent the user from accessing the fake website."