The bank robbers of the past used guns and getaway cars to commit crime, but modern-day bank robbers have at their disposal a tool far more capable of inflicting widespread damage: Computers. And although criminals are, to be sure, still after the money, now they’re also after something arguably as valuable: Big Data.
As the release of the so-called Panama Papers recently demonstrated, financial institutions are top targets for those seeking to leak or otherwise compromise sensitive data, be it for politically-driven public shaming campaigns or financial gain. While it’s true that all business sectors are vulnerable to attacks by cyber-criminals, security breaches at financial firms tend to wreak the most havoc in terms of media attention and governmental inquiries, given the public’s expectation that these institutions represent the “safest of the safe” when it comes to data security.
But for banks and other financial firms, safeguarding financial data from security breaches is as complex an endeavor as it is crucial. The data itself is highly diverse, ranging from customer financials and account information to cardholder data, transactions and non-public personal information. Banking and financial institutions also need to secure the storage, transit and use of this sensitive data across business applications, including online banking and electronic communications. Furthermore, almost all the Big Data generated or used by banking and financial services is formally regulated, whether by PCI-DSS requirements for credit card information or even the U.S. Patriot Act.
Although these large, consolidated datasets can provide enormous strategic and competitive value for CFOs looking to enter into new markets or offer new financial products, they also provide a tempting target for cyber criminals. Financial institutions must continually balance their need to secure this data to ensure minimum risk while also maximizing return — a reality that highlights the need for CFOs, and not just CTOs, to take an interest in the protection of Big Data.
Complicating matters is the nature of the typical finance IT environment, which mixes new and legacy systems and applications across vast networks of branch offices, call centers and web portals. The increasingly global nature of the financial services industry makes it necessary to comprehensively address international data security and privacy regulations. Security solutions are often put in place at points along the way, but many of the traditional checkpoint security solutions that are deployed increase both management costs and complexity, and leave gaps between systems and applications that are highly vulnerable to attack.
At the application level, for instance, firms in the finance sector must contend with the weakest link in the security chain: Users and their devices. In a 2012 attack dubbed “Eurograbber,” cyber criminals in Europe stole upwards of 36 million Euros from corporate and personal bank accounts by first tricking customers into installing malware on their PCs and then their mobile phones. The hackers subsequently bypassed the banks’ two-factor authentication and used the corresponding transaction authentication number (TAN) to make transfers of between 500 and 250,000 Euros from the victims’ accounts, meanwhile gaining access to the customers’ sensitive personal and financial information. This scenario, and others like it, underscores the importance of reminding finance customers to be vigilant about ensuring their computers and other devices are equipped with all possible security layers, and ensuring that security software is kept up-to-date.
Service level attacks on financial firms often come in the form of a so-called “drive-by download attack,” in which a hacker, posing as a bank’s customer service representative, sends an email or otherwise tricks a customer into visiting a website that has been compromised and designed to look identical or very similar to legitimate banking websites. The user’s computer is then infected with unwanted — and invisible — software that exploits exposed security flaws in the user’s web browser and operating system. Once the hacker gains control of the user’s computer and turns it into a zombie or ‘bot, the hacker then has access to all manner of personal or financial information. These stealth attacks are difficult to prevent because, like application level attacks, they also require educating users about possible threats and directing them to online “blacklists” of malicious users.
The recently discovered Metel crimeware package provides some insight into the growing level of threat to banks and other financial firms at the transactional level. Metel hackers usually infect banking systems from within by exploiting vulnerabilities in web browsers or by tricking employees into executing malicious files attached to spear-phishing emails. The criminals then burrow further into the network by using legitimate security and administrative software to compromise other PCs and ultimately try to gain control over PCs used by call center operators or IT support, which typically have access to money transactions and sensitive data. These types of attacks are a threat to both data security and a firm’s bottom line. One of Metel’s most powerful components allowed criminals to withdraw nearly unlimited sums of money from ATMs belonging to another bank and then repeatedly reset their card balances and bypass the threshold that would normally freeze the card. In 2015, a bank in Russia lost millions of rubles in a single night after being attacked by Metel. Two other groups of cyber criminals — GCMan and Carbanak — also used spear-phishing to target dozens of banking and other financial systems directly by worming their way inside their networks and “spying” on the firms’ transactions and other business dealings from afar, providing them a direct window into the firms’ Big Data holdings.
From an infrastructure standpoint, the growing threat associated with rootkits and other malicious infiltrations of code means that financial institutions must consider security from the level of the file system to the database and beyond, while still allowing for common policy control and management infrastructure of both data-in-use and data-at-rest. A robust and yet efficient system for safeguarding data requires that a bank or firm’s big-data initiatives — as well as traditional data centers, virtual environments, or cloud infrastructure — are supported by common policy control and agents to ensure there are no gaps in security or Achilles’ heels in terms of data protection.
As the software platforms supporting Big Data move to mainstream use within the finance sector, managing data security — while also maintaining access to the data where needed — requires continuous diagnostics and monitoring. The customizable, template-driven RoundWorld Big Data 360-degree tool can provide a top-down look at systems and practices while also taking into account critical banking and financial services compliance requirements.