Tips for handling security threats in the financial sector
By Lior Arbel, CTO, Performanta Limited

Keeping Intellectual Property (IP) and confidential information safe is a business critical part of a modern company’s IT infrastructure. However, with more and more alarming revelations of IP theft and data breaches surfacing in the financial sector in recent months, CIOs have never been under more pressure to keep their companies business critical IP safe.

The scale of the problem is identified in a recent department of Business, Innovation and Skills commissioned reporti on Information Security breaches in 2013 which found that 78% of large organisations were attacked by an unauthorised outsider in the past year. Combine that research with a KPMG reportii published last year which found that the financial sector is one of the five worst sectors for number of security incidents and it paints a bleak image.

Legacy security solutions are no longer working. The important question of how we monitor, manage and control outgoing as well as incoming data has become all the more relevant. Especially as the fallout of a breach is not limited to just reputational damage, it can also result in the company being fined large sums of money, as Zurich Insurance UK can testify to after receiving a £2.3m fine for losing customer data in 2010.

Data breaches of this kind are often predicated by common attack methods such as bribery of employees, spear phishing of specific executives or whole departments and Zero-Day exploits. Whilst the most important part of defending against such data breach attacks is always detection; we have pulled together some recommended steps to ensure a successful approach to protecting your confidential data.

1. User profiling
Detecting attacks is difficult but automated solutions can now be put in place to identify malicious behaviour within a network. Employees ‘typical’ behaviour can be analysed and profiles created so that any irregular activity or deviations inside the network can be identified. According to the annual Verizon breach reportiii 14 per cent of all breaches occurred due to internal actors who would be caught trying to access important files outside of their profile.

If a user profile indicates that an employee regularly accesses certain network areas and a certain amount of files every day and suddenly this behaviour changes, this raises a red flag on the security of their account or actions. This approach can aid companies in discovering activity which could indicate an insider threat or an external attack. For example if a trader attempts to access credit card limits you may have a problem.

2. Handling malicious links
A common tactic for hacking into an organisation is to create spear phishing attacks, those attacks usually use malicious links embedded in an email. Spear phishing emails attempt to target a specific people within a company and are another method for hackers to gain access to the system. Spear phishing attackers always evolve and are trying to find new ways to by-pass security defences.

For example they now realize that many solutions only check links inside emails when they arrive into the system. By delaying the loading of the attack on the website by a few minutes or hours, they can avoid detection and gain access to a company’s data.

Dynamic threats such as spear phishing target confidential data (normally intellectual property) and are a common and efficient tool for hackers. However, these can be actively prevented by employing real time web analytics, as well as isolating and sandboxing suspicious emails for further study. In addition, the importance of educating employees to spot phishing attacks as they happen cannot be understated. The Verizon reportiv effectively quantifies the threat by pointing out that the probability of getting one successful phishing link click is above 80 per cent if you send over eight emails. An educated workforce helps reduce this, and securing your system lowers the threat further.

3. Tracking outgoing data
Far too many companies concentrate their energy on protecting themselves from incoming malicious attacks and consider that adequate for security. Tracking outgoing data is also critical. If, for instance, you have an internal leak that is helping criminals tamper with ATMs on the outside, the attack could begin from within at a moment’s notice. Therefore, it is important to point out that even if an attacker succeeds in getting into your network, they still have to take that data out and systems can be put in place to detect this.

An effective Data Loss Prevention (DLP) solution can track and expose data leaving the network and record where it goes. In addition, if data is categorised and separate networks and levels of access are established, then it is possible to not only track what data is moving where but also who is doing the moving and potentially block unauthorized distribution of data. DLP solutions are now required by the SANS20 Critical Security Controlsv and recommended by the FSAvi because they have proven to be an effective method of monitoring for and responding to data breaches.

4. An emergency plan
When management of a company has come to understand that regardless of how secure their system is there may be an incident where a breach occurs, it is critical that they implement a contingency plan.

A designated response team, which includes management, IT, legal, business, marketing/PR and other critical departments, needs to be established so that the company can respond to a data breach in a quick and focused manner. Pre-set actions and best practice guidelines will need to be put in place to allow business continuity and prevent the potential internal ‘blame game’ which will surely happen if a response program do not exist.

Once the DLP system is managed properly, in the event of a data breach, the destination of your data and the source of the leak can be discovered allowing company’s the chance to patch and mend the problem or begin legal recourse.

5. Conclusion
After the recent news stories of banks being hacked, fraudulent ATM cards and tampered credit limits, the financial sector is right to be on its guard. The Bank of England has now joined the other institutions who admit that cyber security is almost as threatening to them as a Euro currency crisis. Every financial company regardless of size has sensitive IP information and should put in place measures to guarantee its information is monitored and secured. By following some of this advice you move from an unknown possible risk to an understandable and quantifiable solution.

Lior Arbel is the CTO of Performanta Limited. Performanta is a specialist information security firm, securing enterprise clients from the latest modern security threats