Internal audits and endpoint security systems won’t protect banks against increasingly dangerous and numerous cyber terrorists, say security experts.

“These international crime syndicates operate in the same way any business does,” said Caroline Paddle, director at Skybox Security, in an email. “Ultimately, they want to achieve ROI on their hacking attempts. Therefore, they are going to direct their efforts towards institutions where they have the most to gain – of course, this immediately puts banks in the firing line.

“While an occasional audit across the entire hybrid network might have once sufficed, it’s now imperative that financial institutions have ongoing visibility of all their vulnerabilities. It’s simply not enough to collect all vulnerability data anymore: banks need to establish centralized data repositories that can be used to inform context-driven vulnerability and threat intelligence.”

March research from Kaspersky Lab puts the number of endpoints attacked by banking Trojans in 2018 at 889,452 – an increase of 15.9% from 2017. 24.1% of those attacked with banking malware were corporate users, a 4% rise, while users in Russia, Germany, India, US and China were the most frequently targeted. The cybercriminal groups behind two of the most damaging Trojans used in 2018 – Asacub and Hqwar – were found to have been working on their respective viruses for up to three years. 2018 also saw a targeted campaign by criminals on financial targets: the DarkVishnya operation in Eastern Europe, in which eight banks were attacked via devices smuggled into their branch buildings and connected to internal networks.

“Despite a lot of investment, banks are still struggling with the fundamentals, like firewall remediation and vulnerability management. They need to find ways to close the security management gap and gain visibility of their fragmented environments to stave off the imminent criminal threat.”

For Andrej Kawalec, director of strategy and technology at Optiv, ransomware remains the greatest danger to financial services firms. “Ransomware has the opportunity to be the most disruptive threat, not from the ransom and extortion, but primarily from the devastating impact caused to the IT infrastructure and brand reputation,” he said in an email.

“As organizations are often reticent about paying a ransom and are advised against doing so, the destruction caused to the organization’s IT is immense. As we’ve seen with the Petya attacks, big operational firms have been taken offline by ransomware, impacting their services to customers. This, in turn, is the biggest threat posed to financial services – if the organization is susceptible to ransomware, the trust and resilience of the company is then called into question. After all, the reason you put money into a bank is because you think it’s kept safe; if this is no longer the case, then why would you stay a customer?”

Attack evolution

In an annual letter to shareholders shared last week, JP Morgan Chase CEO Jamie Dimon called cybersecurity “the biggest threat to the US financial system.” The letter noted how the bank spends $600m a year maintaining its defences against cyberattack and employs 3,000 security professionals. A December 2018 report from Thales E-Security found that 84% of senior security officers at US banks plan to spend more on preventing damaging attacks.

“Wherever organizations have a complex infrastructure platform, designed to allow movement of finance, the nature of it lends itself to being attacked at numerous points,” said Kawalec. “Researching and successfully attacking large complex global infrastructures like financial services demands a very well-funded adversary with highly sophisticated methods and that’s exactly what we’re seeing the cybercrime industry evolve into.”

“New forms of malware and ransomware are created every single day,” said Paddle. “Without continual testing, any plans in place will become out-of-date incredibly quickly. If organizations don't properly monitor and test their cybersecurity incident response plan, they might as well not have one at all. To combat the vulnerability flood, while also strengthening defences and ensuring continuous compliance, financial institutions need to take a different approach to cybersecurity, one that systematically reduces their risk of cyber-attack and can contain incidents quickly if they do occur. It all starts with visibility.”