mailing list archives
Interpreting Cyber Risk Trends
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Jul 2014 19:56:02 -0600
There's no scarcity of metrics on the cyber threats facing financial
institutions. Software and hardware vendors and many consulting firms often
publish reports from their data or experiences. Reviewing these reports can
take hours, and with time as the scarcest of resources, administrators need
to be able to zero in on the most relevant information.
Below is a cross section of important points from some of the most popular
and widely regarded studies. We've also taken a deeper dive into each issue
in an effort to highlight how these trends translate into the banking
Continued mobile threats
HP's Cyber Risk Report (registration required) focuses on applications and
has information on the mobile threat landscape that is particularly
applicable to FIs increasing their mobile banking footprint. Among other
findings, the report revealed that, "nearly 46 percent of iOS and Android
applications analyzed use encryption improperly."
Unfortunately, administrators are growing weary when it comes to mobile
device security. Predictions in 2013 about rampant malware threats haven't
really materialized. But that doesn't mean the financial sector can get
complacent. Smartphones and tablets are becoming ubiquitous and are used so
casually that it is almost a perfect storm of exposure. Attackers haven't
taken advantage of the weaknesses so far, but we can't be certain they
won't do so in the future. Network managers must recognize the very real
threat mobile device vulnerabilities pose, and they must remain vigilant
when it comes to managing this point of risk.
The mega breach
Symantec's Internet Security Threat Report is known for its focus on all
things web. Among the trends noted in this year's study was the impact of
the "mega breach." The total number of breaches in 2013 climbed 62% from
2012, but the bigger news may have been that eight of last year's breaches
exposed more than 10 million identities each.
For the financial industry, the effects of these massive events go much
deeper. Day-to-day operations are impacted, from the need to monitor huge
numbers of accounts for potential fraud to the issuance of millions of new
payment cards. No matter where the exposure occurred (retailers suffered
the majority of the mega breaches), banks are often the first place
consumers turn for answers about account security. Ongoing identity theft
concerns will surely occupy FIs for many months to come.
Data breach costs
The Ponemon Institute has a strong history of gathering data on financial
damages, and its Cost of Data Breach Study (registration required) is a
valuable tool. Of special interest to FIs will be the findings that several
proactive steps -- having a robust security posture, implementing an
incident response plan, and appointing a CISO -- reduced data breach costs
per record by $14.14, $12.77, and $6.59, respectively. Given the
mega-breach trend, these per-record-breached amounts add up quickly.
Reactive efforts to data exposures are often the focus for banks and credit
unions. Customers are issued new payment cards -- sometimes out of an
abundance of caution, rather than in response to confirmed fraud -- and
account monitoring typically happens after the fact. But the Ponemon study
shows the tangible monetary value behind specific preventive measures.
A combination of findings highlights a particularly dangerous trend. HP's
report includes a ZDI analysis that finds Java is susceptible to nearly
every common software vulnerability. Symantec's report showed an increased
use of "watering hole" attacks, which leverage weaknesses in less secure
sites ultimately to go after more lucrative and highly secure organizations.
These industry-spanning dangers are especially concerning for banks.
Malware, security gaps, watering holes, and Heartbleed-type vulnerabilities
allow hackers to find entry points and use those compromised connections to
sneak past the often robust protections guarding financial networks.
Segmenting and encrypting sensitive data against these attacks should be a
priority for banks, since security weaknesses across the web will be an
Verizon's Data Breach Investigations Report is full of analysis, so much so
that network administrators may not have the time to digest the entire
report. But just a few points in the study can offer FIs enough information
to focus on the areas where they’re most vulnerable.
According to Verizon, 75% of breach incidents in the FI sector over the
past decade involved "web application attacks, distributed denial of
service (DDoS) and card skimming." To make the best use of available
resources, banks should prioritize security efforts in those areas.
Fortunately, measures don’t have to be elaborate or expensive to be
effective. In its 2013 study, Verizon found that 78% of attacks rated "low"
or "very low" in difficulty. (The company did not update that figure in
this year's report. The trend has held true for several years, and we have
no indication this year would be any different.) This means FIs
implementing fundamental, relatively low-cost but relevant security
measures will be ahead of the game in protecting their networks from
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus
on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
- Interpreting Cyber Risk Trends Audrey McNeil (Jul 16)