Staff education is critical to financial institutions' cybersecurity efforts, as the most common way hackers break into a network is to steal valid login credentials, according to Nick Roberts, technical research and marketing manager for DefenseStorm, and 93% of phishing emails include ransomware.
The bulk of attacks come from hackers in China, Russia, North Korea and Ukraine, Roberts said on a webinar on Tuesday. The most common type of attacks include phishing, "a major source of consternation and difficulty" for firms, Roberts said, and malware, which is "still another popular attack sector."
|Outdated machines
Misconfigured and outdated machines are also a threat. "Obviously, updating machines and making sure they're running the most recent version of software is important, but hackers also understand they can build a database of machines that are outdated and misconfigured," Roberts said. "If you're not updating those machines or you're not configuring them properly, they're going to be exploited."
Michael Oldright, security engineer at DefenseStorm, suggested firms with limited resources to devote to updating their technology infrastructure segregate outdated systems on their own VLAN or network segment. Whitelisting can also help identify specific systems that have been tested and are known to be safe.
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) disables buffer overflow attacks, Oldright suggested, "but it can be kind of difficult to implement. You have to do a lot of testing [and] it can cause some problems for applications."
Firms may also need to limit internet access on outdated machines, and increase patch updates and logging frequency, he said.
|Hackers scan networks for vulnerabilities
Attacks don't need to be sophisticated, Roberts said. A so-called zero-day attack is when a hacker exploits a previously unknown hole in a target's software before the vendor can fix it. "We don't need a complicated zero-day to get access to the network or to get access to your bank," he said. "In fact, even just physical access is easy still; getting access to a financial institution and walking in by impersonating a repairman."
Some small financial institutions may feel like their size protects them from hackers, but Roberts said "that is categorically untrue." Hackers are scanning networks for vulnerabilities, regardless of where they are located or how many assets they can potentially access.
Firms should audit user logins and service accounts to delete accounts from former or temporary workers. (Photo: Shutterstock)
Traditionally, firms used signature-detection tools, such as antivirus and anti-malware tools, threat matching, block lists, intrusion defense and prevention systems, and reputation-based signature detection to identify threats.
These tools rely on events that have already happened and been reported to block threats, and on their own are inadequate. "Today's landscape requires much more than a signature-based approach to detection," Roberts said.
"The effectiveness of these signature-based detection methods depends on how often the cyber criminal is evolving their approach from something that is known to unknown," he added.
|New tools for detection
New tools for detection include anomalous activity detection, which builds a baseline of user activity and looks for events outside of normal activity.
For example, say an employee who typically works from 8 to 5 appears to log in to the network at 3 a.m. Roberts said, "Why is Steve logged in at 3 in the morning? Does somebody have access to his credentials or is Steve logged in at 3 in the morning because he's at the office downloading files to a USB drive because he's stealing data from the network?"
Daily tasks should include reviewing activity for new incidents and abnormal data flows, Oldright suggested. Firms need a way to quickly escalate issues when they're identified.
After finding a threat, firms should block the IP address on the firewall and isolate the host, but this is also a good time to educate users, Oldright said.
|Steps for prevention
Steps for prevention include internal penetration tests, restricting access to certain administrators, and monitoring guest and wireless networks. Firms should have the same policies that go on their production networks on guest networks, and monitor them for breaches, Oldright said.
Firms should also audit user logins and service accounts to delete accounts from former or temporary workers, including any test or demo accounts that may have been set up for new software.
Finally, firms should conduct regular scans for vulnerabilities. "If you haven't already done so, you want to implement a vulnerability management program," Oldright said, such as Nessus or Pwnie Express. He recommended conducting weekly scans and downloading patches as they become available.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.