Financial companies are constantly under attack from both physical and cyber criminals. While the physical attacks are primarily perpetrated by organised criminals and syndicates, cyber-attacks can be organised or opportunistic.
Of course, the most serious cyber threats facing these companies come from organised crime syndicates that have the time and money to plan and carry out their attacks. However, financial businesses can never assume their cyber defences are good enough to beat every opportunistic hacker or teenage wannabe who stumbles upon a vulnerability in their security or in the applications the companies use.
The risks don’t end there either. In a world increasingly operating remotely, these companies need to consider their supply chain and the endpoints they do not control as well: users who access their accounts or work applications from a mobile device or a web browser. The average user, unfortunately, does not always think about security, and uses the same devices for games and other activities that may compromise their browser or phone. And as Experian can attest, even authorised customers or partners can abuse their access and obtain sensitive information.
Hi-Tech Security Solutions asked a few security experts for their take on what can be done to optimise security without making the process of using financial products cumbersome for the end user. With no end of stories from around the world about security breaches affecting mobile devices, computers, email servers and even IoT and security technology, what can financial companies and service providers do to ensure that their systems are secure, especially when they have no control over their suppliers’, customers’ and even employees’ habits?
Don’t trust and always verify
Shaun Davis, chief security officer at Netsurit, says the first step is to have a security programme in place that allows the business to form the foundation of all its relevant security activities. “Without a defined programme, all activities will be unstructured and the business will stay at risk. Where third-party services are required, it is paramount to have a signed operating agreement with the party that entails the relevant security policies and procedures required to allow business engagement.
“There is a security concept called zero trust, which means that an organisation should not automatically trust anything inside or outside of its perimeter and will require validation before access is granted. I would suggest all companies embrace this concept where possible.”
He adds that while it is very difficult for an organisation to control environments that do not belong to it, what it can do is provide a secure platform through which users access business services in a secure way.
Echoing these points, Simeon Tassev, QSA & MD at Galix, says the reality is that the security landscape has changed and the traditional security controls we once thought to be robust are no longer sufficient.
“With the shift to digital transformation and employees continuing to work from home due to the pandemic, the security perimeters are shifting and companies now have to protect their systems and data by adapting to this reality. The most popular approach for this has been the zero-trust security approach, where access is provided only after authentication and authorisation are confirmed. This means that the level of controls is now applied on application and data levels and not only on the perimeter.”
Chester Wisniewski, principal research scientist at Sophos, also supports the concept of zero trust. “The current trend is a move toward zero-trust networking or secure access service edge (SASE). This uses a combination of tools like multi-factor authentication, location and the device being used to determine the identity of someone accessing sensitive services. All services should strictly verify identity rather than simply trust someone because they are on the LAN or have a simple password.”
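To make the difference between the two models concrete, the following is an added example (written for this article; it is not code from Netsurit, Galix or Sophos). It puts a legacy perimeter check, which trusts any valid password coming from the LAN, beside a zero-trust decision that weighs identity, second factor, device state and location on every request. The service tiers, LAN range, scoring weights and the two constructed requests are all illustrative assumptions, not any product’s real policy.

```python
"""Added example: a perimeter access check beside a zero-trust decision.
Service tiers, LAN range, weights and scenarios are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate LAN range; the perimeter model trusts anything inside it.
CORPORATE_LAN = ip_network("10.0.0.0/8")

# Assumed sensitivity tiers; higher tiers demand more assurance.
SENSITIVITY = {"intranet-news": 1, "payments-portal": 3, "customer-pii": 3}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    service: str
    source_ip: str
    password_ok: bool
    mfa_ok: bool
    device_managed: bool        # enrolled and compliant in the device inventory
    device_patched: bool
    country: str                # assumed geolocation of source_ip
    usual_countries: frozenset  # where this user normally signs in from


def perimeter_decision(req: AccessRequest) -> str:
    """Legacy model: a valid password from inside the LAN is enough."""
    if req.password_ok and ip_address(req.source_ip) in CORPORATE_LAN:
        return "allow"
    return "deny"


def zero_trust_decision(req: AccessRequest) -> str:
    """Zero trust: verify identity, device and context on every request,
    regardless of network location. Returns allow, step-up or deny."""
    if not req.password_ok:
        return "deny"
    required = SENSITIVITY.get(req.service, 3)  # unknown services treated as sensitive

    # Assurance earned by the request; the weights are assumed policy.
    assurance = 0
    assurance += 2 if req.mfa_ok else 0
    assurance += 1 if req.device_managed else 0
    assurance += 1 if req.device_patched else 0
    if req.country not in req.usual_countries:
        assurance -= 1  # location is a weak signal, never a free pass

    # Hard requirement for the most sensitive tier: a managed device.
    if required >= 3 and not req.device_managed:
        return "deny"
    if assurance >= required + 1:
        return "allow"
    if not req.mfa_ok:
        return "step-up"  # ask for a second factor, then re-evaluate
    return "deny"


def demo() -> dict:
    """Constructed scenarios: an attacker on the LAN with a stolen password and
    an unmanaged laptop, and the real user working from home with MFA."""
    usual = frozenset({"ZA"})
    stolen = AccessRequest("jane", "payments-portal", "10.20.30.40",
                           password_ok=True, mfa_ok=False, device_managed=False,
                           device_patched=False, country="ZA", usual_countries=usual)
    legit = AccessRequest("jane", "payments-portal", "197.0.0.10",
                          password_ok=True, mfa_ok=True, device_managed=True,
                          device_patched=True, country="ZA", usual_countries=usual)
    return {
        "stolen_perimeter": perimeter_decision(stolen),
        "stolen_zero_trust": zero_trust_decision(stolen),
        "legit_perimeter": perimeter_decision(legit),
        "legit_zero_trust": zero_trust_decision(legit),
    }


if __name__ == "__main__":
    print(demo())
```

The perimeter model gets both cases wrong: it admits the attacker because the request comes from the LAN, and it locks out the genuine home worker. The zero-trust function denies the unmanaged device outright for a tier-3 service and admits the verified remote user; a managed device without a second factor is sent to step-up rather than refused.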
Internal risks and mitigation
The stories we hear about breaches and losses always seem to romanticise the dark, underground criminal element that operates from a foreign country and seems to have unbeatable technical skills, but there are less romantic, lower-level attacks that cause just as much harm as professional hackers do. Phishing emails are an easy way to get a foot in the cyber door, and spoofed identities, so that an emailed instruction to make a payment appears to come from the CEO, succeed more often than anyone likes to admit.
“Some of these attacks can be stopped by judicious use of multi-factor authentication, others rely on non-computer processes,” explains Wisniewski. “For Business Email Compromise attacks that result in money transfers, for example, you can have an internal policy to verify by phone any requests received by email for changes or payments. You can also instruct your financial institution to call back to your finance department to verify any electronically submitted transactions.”
The best defence against these lower-level attacks is to develop a good security awareness programme and invest in some of the technologies available to prevent them, adds Tassev. “These attacks normally originate from an email system, so that will be a good starting point to implement anti-phishing and protection against Business Email Compromise (BEC) attacks.”
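As an added illustration of the kind of email-layer check Tassev refers to (this is example code written for this article, not a product from any vendor quoted), the block below parses message headers and flags the tell-tale signs of a BEC attempt: an executive’s display name on an external address, a sender domain that is a lookalike of the corporate domain, a Reply-To pointing elsewhere, a message claiming the corporate domain while failing SPF/DKIM/DMARC, and payment language in a message that already looks suspicious. The corporate domain, the executive list, the confusable-character table and both sample messages are constructed for the example. A check like this supports, and does not replace, the telephone call-back Wisniewski describes.

```python
"""Added example: header-based indicators of Business Email Compromise.
Domain, executive list and sample messages are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "examplebank.co.za"             # assumed corporate domain
EXECUTIVES = {"thandi mokoena": "ceo"}         # assumed display names to protect
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|urgent|beneficiary)\b", re.I)

# Substitutions commonly used to build lookalike domains (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalise(domain: str) -> str:
    """Fold confusable characters so 'examp1ebank' and 'exarnplebank' compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one edit away from the real domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    if domain.lower() == CORP_DOMAIN:
        return False
    folded = normalise(domain)
    return folded == CORP_DOMAIN or edit_distance(folded, CORP_DOMAIN) <= 1


def bec_indicators(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []
    if from_name.strip().lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        findings.append("executive display name on external address")
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain differs from sender domain")
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == CORP_DOMAIN and any(f in auth for f in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("claims corporate domain but fails SPF/DKIM/DMARC")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if findings and isinstance(body, str) and PAYMENT_WORDS.search(body):
        findings.append("payment language in suspicious message")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """From: Thandi Mokoena <thandi.mokoena@examp1ebank.co.za>
Reply-To: t.mokoena@gmail.example
To: finance@examplebank.co.za
Subject: Urgent wire
Authentication-Results: mx.examplebank.co.za; spf=pass smtp.mailfrom=examp1ebank.co.za

Please process the attached invoice today. Beneficiary details below.
"""

LEGIT = """From: Thandi Mokoena <thandi.mokoena@examplebank.co.za>
To: finance@examplebank.co.za
Subject: Board pack
Authentication-Results: mx.examplebank.co.za; spf=pass; dkim=pass header.d=examplebank.co.za

Please circulate the board pack by Friday.
"""

if __name__ == "__main__":
    print(bec_indicators(SPOOFED))
    print(bec_indicators(LEGIT))
```

Note that the spoofed message passes SPF for its own lookalike domain, which is exactly why authentication results alone do not catch this pattern; the domain comparison and the Reply-To mismatch are what expose it.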
He notes that, unfortunately, identity fraud is a common way of defrauding people and the only way to confirm one’s identity is to include some form of biometric authentication. “A number of banks have already started to implement these kinds of technologies, but we are not there yet.”
For Davis, the first thing that comes to mind is end-user awareness training. “There is a term in the security field called human firewalls. Your staff is your last and best line of defence when it comes to the lower level of attacks. Skilling your staff to identify malicious activity will go a long way in protecting against these types of attacks.
“Another very valid requirement is multi-factor authentication. By applying a second level of authentication you will make it a lot harder for a threat actor to compromise credentials.”
Command and control
There are, naturally, an almost endless number of products and solutions sold to deal with the cyber risks all companies face, but installing multiple security products can actually create blind spots if they are not integrated into the much-vaunted central dashboard that monitors everything. Just as the physical security market wants a single platform to manage everything from alarms to surveillance, access control and perimeter protection, the cyber security world wants a similar platform to manage its products, from desktop antivirus through to data centre security and network protection.
Unfortunately, there is no silver-bullet solution that will address all security functions, laments Tassev. Various solutions and vendors can address specific areas of IT security, and these need to be considered in the specific context of the business. “Our recommended approach is to start with a security assessment as a baseline, identify any potential gaps specific to the business and then formulate a plan of action to address these gaps and to mitigate any potential risks.”
“You need comprehensive endpoint and server protection, backed by human threat hunters to watch for compromise,” advises Wisniewski. “Devices like IoT devices can’t be directly protected, but by carefully monitoring them, the risk can be reduced and contained in the event of a breach. Tools alone are no longer enough as the complexity of the threat landscape cannot be fully protected through tools alone.”
Summing it up, Davis says, “Due to the nature of security there is not a single solution that will cover all aspects of security. However, by implementing layers of security controls you will be in the best position to protect your organisation. On top of this, you will require a solution that monitors and correlates security events to allow the security team to monitor and investigate any malicious or even suspicious activity.”
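The correlation Davis describes is what turns a pile of low-priority alerts from separate tools into one investigable incident. The following is an added example written for this article (not Netsurit’s or any vendor’s code) of the simplest form of that logic: events from an identity provider, an endpoint agent and a web proxy are normalised into one record shape, grouped by user, and searched for an ordered chain of stages inside a time window. The event records, source names, stage definitions and the 30-minute window are all constructed assumptions; a real platform would parse many more sources into the same shape and carry far richer rules.

```python
"""Added example: correlating events from several tools into one incident.
Events, source names, stage predicates and the window are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events already normalised into one shape by (assumed) source parsers.
EVENTS = [
    {"ts": "2021-03-01T08:02:10", "source": "vpn", "user": "jane", "host": "LT-0117", "event": "login_success"},
    {"ts": "2021-03-01T09:15:33", "source": "mail-gw", "user": "bob", "host": "-", "event": "phish_quarantined"},
    {"ts": "2021-03-01T13:40:05", "source": "idp", "user": "bob", "host": "LT-0204", "event": "login_failed"},
    {"ts": "2021-03-01T13:40:41", "source": "idp", "user": "bob", "host": "LT-0204", "event": "login_failed"},
    {"ts": "2021-03-01T13:41:20", "source": "idp", "user": "bob", "host": "LT-0204", "event": "login_success"},
    {"ts": "2021-03-01T13:52:09", "source": "edr", "user": "bob", "host": "LT-0204", "event": "suspicious_powershell"},
    {"ts": "2021-03-01T14:03:47", "source": "proxy", "user": "bob", "host": "LT-0204", "event": "large_upload"},
]

# An ordered chain of stages; each alone is routine, together they are an incident.
STAGES = [
    ("initial access", lambda e: e["event"] == "login_success" and e["source"] in {"idp", "vpn"}),
    ("execution", lambda e: e["source"] == "edr"),
    ("exfiltration", lambda e: e["event"] == "large_upload"),
]


def correlate(events, stages=STAGES, window_minutes=30):
    """Per user, find an ordered match for every stage, all within `window_minutes`
    of the first stage. Returns one incident per user that completes the chain."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    incidents = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            if not stages[0][1](start):
                continue
            chain = [start]
            for _name, pred in stages[1:]:
                nxt = next((e for e in evs[i:]
                            if e["ts"] > chain[-1]["ts"]
                            and e["ts"] - start["ts"] <= window
                            and pred(e)), None)
                if nxt is None:
                    break
                chain.append(nxt)
            if len(chain) == len(stages):
                incidents.append({
                    "user": user,
                    "host": start["host"],
                    "first": start["ts"].isoformat(),
                    "last": chain[-1]["ts"].isoformat(),
                    "stages": [(name, e["source"], e["event"])
                               for (name, _), e in zip(stages, chain)],
                })
                break  # one incident per user is enough for triage
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

Run over the sample, the two failed logins, the quarantined phish and the successful sign-in for `bob` would each sit at the bottom of three different consoles; only the correlated view shows a sign-in followed within half an hour by suspicious PowerShell and a large upload from the same laptop. Tightening the window to five minutes breaks the chain and produces no incident, which is the tuning trade-off analysts live with.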
The traditional gap between cyber and physical security was based on the perceived extreme differences between the two fields, as well as the perception that the cyber people were the clever ones and the physical security staff were guards or ex-police officers. This has changed in a world where almost everything relies on IP networks and technical resources. The direct risks may be different – someone scaling a wall versus someone beating a firewall; someone clicking on a phishing email versus someone opening the door to a person claiming to be from Eskom – but the principles behind security are similar.
Whether it’s a bank or a corner café, security in all its forms starts with an assessment of the internal and external risks and a plan to mitigate them. Whether you use an electric fence or a firewall, a guard or what the trade calls a ‘white hat’ hacker, risk mitigation only happens when the risks are understood.
For more information contact
• Netsurit,
• Sophos, www.sophos.com
© Technews Publishing (Pty) Ltd. | All Rights Reserved.