By: Ashish Thapar, Executive Consulting Partner & Head, Professional Services, Verizon Enterprise Solutions, Asia
The Verizon 2015 Data Breach Investigations Report (DBIR) shows that any data security incident can be classified into one of nine patterns. Just three of these categories account for two thirds of all incidents in the finance industry, with DoS and crimeware making up half of all attacks.
Denial of service
DoS attacks account for 32% of incidents in the finance industry. DoS attacks continue to grow in size and frequency. Unlike other attack types, which expose sensitive data like payment card details, intellectual property or health records, DoS attacks are primarily about disruption.
They are not only used to crash websites, but can be used to bring down critical systems such as online banking, quoting, and policy management trading platforms, as well as internal systems that use the internet. In addition, the loss of productivity and time spent on remediation can set your business back days, if not weeks, in the wake of such an attack.
What can you do?
Have a mitigation plan: Ensure your policies include dealing with larger attacks and brief key operations staff on the best course of action should an incident occur. Have a solid, comprehensive strategy that details what your organization should do in the event that your initial anti-DoS service fails.
Make sure it works: Don’t wait for a breach to occur to discover that there are gaps or failures in your plan. Test it and update it regularly as your infrastructure and processes change and as new DoS techniques emerge.
Separate data: Don’t allow less important systems to act as a gateway to more important ones. Segregate critical systems on different network circuits.
Crimeware
In the finance industry, we classified 16% of all attacks as crimeware in the 2015 DBIR, up from 4% in last year’s report.
Crimeware includes all uses of malware, including phishing and web-based activities such as malicious downloads. These incidents vary in intent and design, but are typically financially motivated.
What can you do?
Expect malware: Be prepared by monitoring executable files or programs that have been introduced into your IT environment and use anti-virus and intelligence feeds to deal with items identified as malicious.
Monitor traffic: Identify command-and-control traffic from malware to known malware servers by using network monitoring.
Enable two-factor authentication: Credentials account for 30% of stolen data. However, by implementing two-factor authentication, you can help prevent this information from being used to cause damage.
Educate staff: Simple procedures and best practices can be implemented, including training staff not to click on links or open attachments in emails from unknown senders, or enter their credentials on untrusted websites.
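The "Expect malware" and "Monitor traffic" advice above comes down to two checks a security operations team can automate: compare outbound destinations against an intelligence feed of known malware servers, and look for the regular call-home rhythm (beaconing) that malware exhibits even when its server is not yet on any list. The script below is an added example, not code from the report or from Verizon; the log format, the log lines and the indicator list are all constructed for illustration (the indicators use addresses and a top-level domain reserved for documentation, not real command-and-control hosts).

```python
"""Flag outbound connections to known or suspected command-and-control hosts.

Added example. The firewall export format, the sample lines and the
intelligence feed below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed intelligence feed: hypothetical indicators, chosen from ranges
# reserved for documentation so they never resolve to a real host.
C2_INDICATORS = {
    "203.0.113.45",          # TEST-NET-3 address
    "update-check.example",  # .example top-level domain
}

# Constructed firewall export, one connection per line:
# "<ISO timestamp> <source ip> <destination host> <destination port> <bytes out>"
SAMPLE_LOG = """\
2015-06-01T09:00:00 10.1.4.22 www.example.com 443 1820
2015-06-01T09:00:07 10.1.4.22 update-check.example 443 312
2015-06-01T09:05:07 10.1.4.22 update-check.example 443 310
2015-06-01T09:10:07 10.1.4.22 update-check.example 443 315
2015-06-01T09:11:40 10.1.4.31 203.0.113.45 8080 4096
2015-06-01T09:12:03 10.1.4.31 mail.example.com 25 9500
"""


def parse_line(line):
    """Split one export line into a record with typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def match_indicators(records, indicators=C2_INDICATORS):
    """Return (source, destination) pairs whose destination is on the feed,
    de-duplicated and in first-seen order."""
    hits = []
    for rec in records:
        pair = (rec["src"], rec["dst"])
        if rec["dst"] in indicators and pair not in hits:
            hits.append(pair)
    return hits


def find_beacons(records, min_connections=3, max_jitter_seconds=5.0):
    """Return {(source, destination): interval_seconds} for pairs contacted at
    a near-constant interval. A feed match only catches servers already known;
    this heuristic catches the regular check-in of malware talking to a server
    that has not been listed yet."""
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["src"], rec["dst"])].append(rec["ts"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        # Low spread between successive gaps means a fixed timer, not a person.
        if pstdev(gaps) <= max_jitter_seconds:
            beacons[pair] = round(mean(gaps))
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst in match_indicators(recs):
        print(f"feed match: {src} -> {dst}")
    for (src, dst), interval in find_beacons(recs).items():
        print(f"beaconing: {src} -> {dst} every {interval}s")
```

On the sample data the feed check flags both listed destinations, and the beaconing check independently flags the host that calls `update-check.example` every 300 seconds. In production the jitter threshold needs tuning, because legitimate agents (update checkers, monitoring probes) also poll on timers; the feed match and the beacon heuristic are most useful as two separate alerts that an analyst correlates rather than one combined verdict.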
Web app attacks
More than 14% of incidents in the finance industry fall into the web app attacks pattern. This is when attackers use stolen credentials or exploit vulnerabilities in web apps — such as content management systems (CMS) or e-commerce platforms.
What can you do?
Implement quality assurance: Tighten controls around posting documents to websites and regularly scan public-facing sites for sensitive data. Put in place simple sampling processes to ensure envelope addresses and contents match when sending out large mailings.
Consider Data Loss Prevention (DLP): DLP products can catch broken internal processes, and detect or block sensitive information being sent by email.
Train your staff: Training staff on how to dispose of sensitive data and assets can have a real impact on reducing security incidents. Documents and computers can’t just be thrown away.
The finance sector is slow to detect incidents and breaches compared to other industries covered in our report. 30% of breaches were discovered within days, while 38% remained undiscovered for months or longer. Rarely do finance organizations detect breaches themselves — they’re often notified by law enforcement or other third parties, such as card companies. This is especially likely when the attack involves the use of legitimate customer credentials to conduct fraudulent transactions. The danger in taking so long to identify an incident is that attackers have unhindered access to systems and can spend more time searching for information and data of value.