When it comes to banking security, there’s no silver bullet
In this interview with Help Net Security, Ido Helshtock, Chief Product Officer at HUB Security, talks about banking security, the most common vulnerabilities, and what banks can do to protect their own as well as their customers’ assets.
As banks start to increasingly embrace digital transformation, they become more susceptible to cyberattacks. What is making them so vulnerable?
The banking and finance industry has traditionally been slow to adopt new technologies because of complex concerns with security, privacy, legal, and regulation compliance. The major players in the space were simply too large to facilitate a quick digital transformation, but the arrival of nimble start-ups and changing user habits have really led them to embrace digital banking.
Unfortunately, the move to online banking presents a larger attack surface for cybercriminals to exploit and attack. It already requires enormous resources and time for traditional banks to implement and maintain digital banking services; this makes them slow-moving targets that are unable to react immediately to new vulnerabilities.
Another weakness is the large workforce which has access to sensitive information that is susceptible to phishing attacks. Lost, stolen, or poorly guarded credentials have led to many breaches and are still a problem today. Furthermore, enforcing security protocols across thousands of employees at different levels is incredibly difficult and cybersecurity training is often ineffective or forgotten in many cases.
All these different factors contribute to banks being a vulnerable target for cybercriminals. A real-life example would be the Capital One attack in 2019, which showcased how the move to cloud technology can open new vectors of attacks.
Which assets and use cases do cybercriminals find most interesting and leverageable when it comes to attacking a bank?
All organizations have a backlog of vulnerabilities to fix, usually prioritized by severity and urgency, a never-ending list that grows each day as new exploits are discovered. Banks are no different: cybercriminals understand that these systems are too big to be fully defended at all times, so they often look for security flaws or misconfigurations that are left unnoticed.
Assets that are commonly targeted are personal details, credit card details, and other consumer details. Capital One was victim to an attack known as a Server Side Request Forgery (SSRF) attack, which exploited a misconfigured open-source Web Application Firewall on AWS that had too many permissions. This was already a well-known attack method and it ended speculation that a new zero-day exploit was used as well as costing Capital One $80M in fines from regulators.
What can banks do to tackle these cyber threats?
It would be nice to think that pouring investments into cybersecurity services and technology will solve the problem, but it is more complicated than that and there isn’t a silver bullet. Just as portfolios need an investment strategy, cybersecurity spending must be guided by a plan that produces effective and impactful results. There needs to be a holistic approach that addresses specific weaknesses and flaws within the system; otherwise, cybersecurity might not improve as desired and be seen as a cost center. While these initiatives might be more specific depending on the bank, there are general improvements that can be made across the board in response to current cybersecurity trends.
Banks can focus on hiring and expanding their security team so responsibilities are spread more equally and create bandwidth for other cybersecurity initiatives. They can offer more cybersecurity training for employees on a consistent basis so the lessons are not forgotten. Other improvements can take place on the infrastructure level where technologies can be implemented to help make not just banking services, but remote work more secure.
Confidential computing has gained traction with the aim to protect digital assets during transactions and remote collaboration through specialized hardware such as hardware security modules (HSMs) and software that works together in tandem. It can also extend protection to other sensitive information such as privacy and personal data.
Is it better for a bank to have an in-house security solution or reach out to a cybersecurity provider instead? What’s the difference between the two?
Choosing between an in-house security solution and a cybersecurity provider really boils down to: “it depends”. Sometimes, a bank might need a solution that is designed for a very specific use case and this would be better served by an in-house solution that can create the exact required function. However, designing cybersecurity solutions completely in-house for all use cases is simply not efficient or effective. The resources and funds required to do so would have been better spent on a cybersecurity provider instead.
It is usually cheaper and much faster to buy solutions from vendors since they also come with access to technical support teams that can provide training and documentation to security and IT teams. For example, HSMs require tremendous work to design and produce, so banks are better off finding a provider that can match their needs to supply them.
All in all, both options have their merit: in-house technology can be more customized for unique challenges while vendors can provide and help implement solutions quickly. That said, every organization should have a core internal cybersecurity team that can help make informed decisions in acquiring the right technology from trusted vendors and providers.
What do you think the future of banking security will be? What should be their primary focus?
In the near future, banking security will focus on implementing confidential computing to keep pace with the transition to cloud technology and remote work. Securing transactions, identity management, and protecting digital assets will make dramatic impacts not just on cybersecurity, but on the efficiency of employees who can work without fears of phishing or man-in-the-middle attacks.
The continuation of remote work will make this a critical component, along with new asset types such as cryptocurrencies being adopted, and increasing privacy regulations. On the other hand, ransomware is expected to remain a challenge alongside a bigger looming threat from quantum computing, which holds the potential to defeat modern encryption systems.