Bank IT Security Can (Still) Learn from 2015: Top Takeaways, Part 1

Last updated: 30 June 2016

In the December and JanuaryBank IT Security timeframe, a lot of reviews of the prior year tend to be written. While these efforts can be fun (featuring engaging top-ten lists, year-in-review snapshots, and the like), they often lack depth. The reality is that it can take several months after the end of the year to do more exhaustive compilations and analyses of the year’s statistics and what they mean.

In the past few weeks, a couple significant reports have been published that offer a detailed look at the IT security landscape that emerged in 2015: The 2016 Data Breach Investigations Report (DBIR) and the Internet Security Threat Report (ISTR). For business and bank IT security managers, following are some of the most important takeaways I’ve found when looking back at 2015 and these reports.

Scope of Data Security Breaches: Half a Billion Consumer Records Exposed
In spite of the security tactics being employed, security breaches remain a big problem. According to the ISTR, 429 million identities were exposed in 2015, which represented a jump of 23 percent over 2014. The financial services industry was responsible for more than one-quarter (28 %) of these breaches, accounting for 120 million exposed identities.

What’s worse is that these are the numbers of documented instances. ISTR authors found that the number of companies electing not to report on the full extent of breaches encountered rose by 85 %. When combining the documented breaches and estimates of the number of undisclosed breaches, Symantec puts the total number of personal records compromised at around half a billion.

Persistent, Sophisticated Cyber Criminals Inflicting Massive Damage
Cyber criminals and nation states are well organized, persistent, and ultimately effective. 2015 saw massive breaches across industries, including major news sites, telecommunications companies, universities, hospitality groups, and many others. Victimized organizations spanned the alphabet from American Airlines and Anthem to the US Department of Defense and the US Office of Personnel Management.

Within the financial services industry, one 2015 story of a global criminal ring provides a vivid illustration of the sophisticated and very costly attacks perpetrated on banks. As recounted by the New York Times, criminal groups used an array of advanced techniques in order to gain access to internal systems and even obtain video feeds of internal operations. Over the course of months, these criminals studied internal staff and processes, so they could begin to conduct transfers and even gain control of ATMs and get them to start dispensing cash. All told, more than 100 banks in 30 countries were victimized, and losses were estimated to be between $300 and 900 million.

The recent Bangladesh Bank breach, which we’d discussed in our recent post Bangladesh Bank Breach Lessons: 4 Steps to Cyber-resilience, shows that large-scale thefts continue to plague banks in 2016. This recent attack also serves to underscore the massive stakes, with approximately $80 million stolen over the course of a few days.

The Increasingly Sophisticated Cybercrime Market and the Rise of DDoS Services and IoT-fueled Botnets
While distributed denial of service (DDoS) attacks have been around for decades, they continue to plague organizations and have evolved to become more effective in wreaking havoc. The DBIR calculated a total of 9,630 distinct DDoS campaigns.

A black market in exploits and malware has also emerged. DDoS capabilities are being offered as a service on the black market, with criminals renting out their botnets for anywhere from 10-1,000 dollars per day. The ISTR reports on drive-by download web toolkits that include 24×7 technical support, which can be rented for $100-$700 a week. The ubiquity of these mechanisms is fueling incidents in which multiple tactics are employed simultaneously. For example, the DBIR reports on a case in which criminals hit a company with a DDoS attack in order to distract IT security staff, while in parallel launching a data breach attack.

As the move to the Internet of Things (IoT) continues, criminals are starting to incorporate connected, yet often poorly secured, devices to wage DDoS attacks. For example, internet-connected closed-circuit television (CCTV) cameras have been employed in DDoS attacks. In many cases, these devices proved to have the default passwords in place, which made the compromise simpler. However, these types of attacks further underscore the vulnerabilities presented by static credentials more generally.

What this Means for Bank IT Security
As the numbers above make clear, the threats facing banks are significant—and that’s just part of the story. In our second post in this series, Bank IT Security Can (Still) Learn from 2015: Top Takeaways, Part 2, we’ll look at some other significant takeaways from the prior year, including many key findings that relate to how bank customers and employees are being targeted. Be sure to review this post to get more information on how these threats are evolving. In addition, if you’re interested, read the white paper to learn how layered security can address digital challenges.