Cyber Resiliency - Closing the Gaps in Vendor-Bank Security
As we approach the next decade, data integrity and cyber security have risen to the top of financial institutions’ list of mission-critical initiatives. With instances of government-backed hackers and other unscrupulous individuals seizing and exploiting customer data on the rise, it is crucial to ensure a bank or credit union’s resiliency to cyber-attacks and network intrusions is stronger than ever. In particular, closing the potential gaps in the interwoven relationships between financial institutions and their third- and fourth-party vendors has emerged as a critical step in this process.
At its core, cyber resiliency can be defined as an organization's ability not only to withstand various cyber-attacks and threats, but also to resume operations with minimal impact or disruption in the event of an actual attack. For banks and credit unions, the priority of cyber resiliency is safeguarding customer and member data (as well as the FI’s own) and internal systems from cyber threats, while establishing strong contingency plans that allow for fast, efficient responses should an attack occur. Too often, institutions are lulled into simply checking a box from a compliance standpoint; in practice, they must have an effective response plan in place to address an incident and to be prepared for future cyber events. As part of their planning, financial institutions need to understand how these cyber-attacks can impact their customers, and ultimately their bottom lines. By studying other reported, similar attacks and infiltrations, banks and credit unions can gain valuable insights for becoming more resistant to phishing attacks, DNS breaches, and potential exploits within their vendor and security frameworks. Armed with these “lessons learned” and a committed focus on vigilance, FIs will have a better perspective and a much clearer picture as they look for gaps in their own vendor relationships.
When evaluating potential vulnerabilities, it is important to note that hackers do not look solely at the bank or credit union for an attack vector; they also look at those institutions’ third- or even fourth-party vendors. It is important to consider these soft spots from a hacker’s point of view. Hackers recognize the challenge associated with breaching a bank or credit union directly, so they instead look to the institution’s vendors as an easier pathway to a breach. Recently, Banco de Chile provided a sobering example of this kind of vendor loophole exploitation: the hackers were able to attack the bank through a third-party DNS server that the bank itself had not considered part of its attack surface. Hackers were able to take over the DNS server through vulnerabilities that could easily have been addressed, and then redirect bank customers to a fake website under their control to harvest valid credentials for the electronic banking application.
What information are these individuals trying to access through their intrusion attempts? Typically, DDA (demand deposit account) information, credit card information, loan account information, social security numbers, and other sensitive customer data are all on the table in these attacks. Something important, but often overlooked, is that the institution’s size is not particularly relevant to a hacker. Their target could be a small community bank or credit union in a rural area, or the main data center of a large, international institution. Increasingly, hackers care primarily about the availability and ease of access through an institution’s systems and/or vendors. In the Banco de Chile case, the hackers who breached the DNS server were not specifically targeting the bank. It may very well have started with a phishing email that determined which institutions had connections with a given vendor’s services; from there they simply focused on the path of least resistance to the bank with the largest gap in security. Often, once a bank or credit union is chosen, malware is sent through to the target institution, and the door is propped open, allowing the hacker direct access moving forward. They now essentially have free rein over all the information within the institution.
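The vendor DNS takeover described above is detectable from the institution's side if it keeps an approved baseline of its authoritative name servers and customer-facing records and compares scheduled resolver snapshots against it. The following is an added example written for this article, not code from the article or from Banco de Chile; every zone, hostname, name server and IP address in it is a constructed placeholder.

```python
"""Detect drift in a bank's public DNS records against an approved baseline.

Added example, not from the article: a defender-side control for the vendor DNS
takeover described above. All zones, hosts, name servers and IPs are constructed.
"""
from dataclasses import dataclass, field

# Approved baseline (constructed): what the records are supposed to be.
BASELINE = {
    "ns": {"example-bank.test": {"ns1.dns-vendor.test", "ns2.dns-vendor.test"}},
    "a": {
        "www.example-bank.test": {"198.51.100.10", "198.51.100.11"},
        "online.example-bank.test": {"198.51.100.20"},
    },
}

@dataclass
class DriftReport:
    unexpected_ns: dict = field(default_factory=dict)  # zone -> name servers not approved
    unexpected_a: dict = field(default_factory=dict)   # host -> addresses not approved
    missing_a: dict = field(default_factory=dict)      # host -> approved addresses not seen

    @property
    def hijack_suspected(self) -> bool:
        # Extra records signal redirection; missing ones may be benign (round-robin).
        return bool(self.unexpected_ns or self.unexpected_a)

def compare(snapshot: dict, baseline: dict = BASELINE) -> DriftReport:
    """Diff a resolver snapshot (same shape as BASELINE) against the baseline."""
    report = DriftReport()
    for zone, approved in baseline["ns"].items():
        extra = set(snapshot.get("ns", {}).get(zone, ())) - approved
        if extra:
            report.unexpected_ns[zone] = extra
    for host, approved in baseline["a"].items():
        seen = set(snapshot.get("a", {}).get(host, ()))
        if seen - approved:
            report.unexpected_a[host] = seen - approved
        if approved - seen:
            report.missing_a[host] = approved - seen
    return report

# Constructed snapshot mimicking a takeover: a rogue name server answers for the
# zone and the online-banking host now resolves to an address nobody approved.
HIJACKED_SNAPSHOT = {
    "ns": {"example-bank.test": {"ns1.dns-vendor.test", "ns.attacker.test"}},
    "a": {"www.example-bank.test": {"198.51.100.10", "198.51.100.11"},
          "online.example-bank.test": {"203.0.113.66"}},
}
```

In production the snapshot would be filled from an external resolver (and ideally from several vantage points, since a hijack may only be visible to some customers) rather than from a constructed dictionary.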
Mandiant (now FireEye), a forensic data company that traces hacking instances back to their source, released its APT1 report in 2013 that provided some sobering insights into just how pervasive this issue could be. In one case, the company traced the source of the intrusion back to a military installation in China manned with over 1,000 people onsite. What makes this truly concerning is that the report also suggests there are hundreds, potentially thousands, of these installations across the country. With China’s reported workforce estimated to be over 700 million and the U.S. containing approximately 7,000 to 8,000 banks, it is not difficult to extrapolate the potential threat to....