The financial services industry is falling behind in cyber security - so where should their focus be?
Many of us wonder how, in our past lives, we managed to get by without online banking services. In fact, of all industries, the financial services industry touches most of us in our daily lives. The traditional ways of banking are falling to the wayside as consumer demand increases for more sophisticated services such as mobile payments, mobile banking, P2P finance and even digital currencies. As these technologies keep advancing, banks, securities houses and insurance businesses are further resting their existence on software applications that run on the myriad of devices that consumers use. With increasingly fierce competition from many new entrants into the industry, the time to market for financial software applications is becoming shorter. The shorter development time means that the chances of vulnerabilities appearing in source code increases significantly. How are companies supposed to stay competitive when faced with the threat of these vulnerabilities being exploited by malicious hackers?
Financial Institution Application Security
In 2018 and 2019, security threats such as data breaches have continued to grow exponentially. Both the speed at which hackers are finding more sophisticated ways to exploit code or the sheer size of the damage that can be done in terms of data and cost, pose great challenges to enterprise vulnerability management.
For example, in 2018 in the field of Internet banking, the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) tested 430 financial applications and found 1,005 vulnerabilities of which, 240 were high risk. Of these, plain text/ unencrypted data transmissions accounted for 20.8%, the storage of unencrypted passwords when using Webview accounted for 20% and de-compilation vulnerabilities accounted for 12.9%. These will allow hackers to obtain data that should be secured and even cause the program to function erroneously.
From a business perspective, the risks brought by security loopholes to financial institutions are self-evident. But what most institutions don’t realise is quite how severe the risks are. The “China Banking Network Risk Report” for the Second Quarter of 2018 by Aqzhi.com, found that 53% of banking institutions have security vulnerabilities, many of which are clearly listed in the Common Vulnerabilities and Exposures list which is an open worldwide repository available for public reference. It is not just a failure to find bugs in the source code that is a major problem, it is the failure to look for the bugs in the first place! The US has its fair share of complacency not only in identifying defects in software applications but also security processes in general. One only has to see how a well-resourced organization like Capital One left itself vulnerable to a major data breach in the summer of 2019 and what defensive technologies might have stopped it. It appears that it was a simple yet clear cybersecurity oversight by not being rigorous enough in its security policies.
In addition, the level of the vulnerability threat changes from time to time according to its severity vis a vis other vulnerabilities and volume of times used. The Freebuf ‘Financial Industry Application Security Situation Report 2018’ provides an insight into how these threats have changed since the previous year. The most severe being command line execution, SQL injections and weak passwords. The most commonly used being logical vulnerabilities, command execution and cross site scripting. Note that the web application vulnerabilities are the most severe and common.
Freebuf – Top 10 threatening and top 10 largest vulnerabilities 2018
In theory, any computer system has vulnerabilities. They exist in the hardware, network, operating system, software applications or other system components. Once these vulnerabilities are attacked by viruses or exploited by hackers, they may lead to security risks such as data leakage. With the continuous enrichment of various financial service software applications built, the complexity of software and information systems is increasing, and there are more and more security vulnerabilities hidden in system code or backdoors. Of all industries, the banking industry is one of the most targeted by hackers and these malicious actors will go to extreme lengths to learn about the weaknesses in systems pursuing multiple routes until a vulnerability is identified.
How should financial services organizations respond to these threats?
We see that although all enterprises deploy a large number of security products, such as Endpoint Detection and Response (EDR), Internal Patching Systems (IPS) and more, attackers can easily break through layers of defense, and complex attacks are performed every day. IPS rules can detect and block known attacks but of course patches are only released after attack methods have been identified and a solution provided by the vendor or the community. Defending new attacks is more difficult than ever due to hackers becoming more sophisticated. A single security tool is unable to address the current complex threat landscape of financial institutions.
Almost all financial institutions practitioners agree that in the face of such a severe security situations, security awareness must be strengthened to protect the security of information and property of enterprises and users. They also acknowledge that there is a lack of application security expertise and cost concerns as well as concerns about thinking security first in the software development lifecycle (SDLC). Many financial institutions conduct vulnerability assessments when the software is at testing stage or in extreme cases, after it has been released. According to IBM, identifying vulnerabilities at the testing stage can cost 15 times the cost of remediation than identifying the defect at the coding stage.
Security experts point out that in the face of cyber threats, the most critical and most fundamental measure is to change the financial institution’s existing security policies to include the implementation of the security early in the SDLC. The approach of ‘shift-left’ security design was introduced in software development more than a decade ago. In simple terms, this means that you address security at the earliest point possible in the development of applications. Many security and QA teams only become involved towards the end of the development process. This is a fundamental shift in thinking as the developers should hold accountability for security just as much as the roles assigned to it. The clear message is ‘don’t wait until the testing stage’! Cyber security policies must extend early into the SDLC as well as all other systems of OS, physical network and so on.
Banks are constantly under siege by hackers. We have already emphasized, there is no single method, tool or service that can ensure the absolute safety of any financial services organisation. For anyone to say so would be in complete denial. The goal must be to mitigate risks by taking all actions known and available. This includes the use of all tools, automated or otherwise, that can ensure developers identify defects early in the development process. Such tools can include static code analysis which operates pre-runtime and dynamic code analysis which operates at runtime. This must work in tandem with QA teams that look for defects at the testing stage of the SDLC which also works with all other IT security functions that occur in physical levels of IT such as network security. The ultimate goal must be to reduce the surface area of attack by proactively limiting exposure and this starts with secure coding.