THE EXTERNAL ATTACK SURFACE: BANKINGS NEXT SECURITY FRONTIER

By Ben Harknett, VP EMEA, RiskIQ

For financial institutions to prosper they need to nurture and maintain a trusted relationship with their clients and evidence a culture of stability. The dawn of the digital age has seen more pressure placed on financial institutions to make sure that trust, security and stability is paramount when customers are interacting with an institution’s digital footprint.

This footprint has been growing at an exponential rate in the banking and finance sector. It’s now common place for consumers to be interacting with banking institutions online, via mobile applications and social media.

In a recent study undertaken at RiskIQ it was revealed that on average, financial institutions have 7,500 digital assets each that are accessible in the open web or in app stores – Of these, over 60% of web assets were hosted on external servers outside the IT department’s control.This is a worrying thought given how consumers trust that every interaction they have with a financial institution should be secure.

The Mobile Banking Movement

The world is becoming ever more mobile and the banking and finance industry are embracing this by allowing customers and employees to engage with their services with greater flexibility regardless of location.

As part of the study, which looked at 35 top banks and financial institutions we uncovered 1,777 mobile applications, an average of to 51 per bank. However, only 6% of these mobile apps were found in the official app stores (Google Play, Apple App Store, Windows Phone Store, etc). The rest were scattered through a secondary tier of app distribution sites, making it difficult or impossible to tell if updates or security patches would reach customers and if they had any foreign tampering along the way.

Of those discovered, 80% of the apps required users to grant them 10 or more permissions, typically in excess of what was needed for app functionality. These permissions often grant unnecessary access to functions such as a user’s contact, email and messaging history or sometimes a recording tool.

In 2014 an average of £6.84 bn a week was transferred in the UK using mobile banking.The risk of these interactions being compromised through rogue or copycat mobile apps  poses a real threat with both financial and brand consequences.

The External Attack Surface

When it comes to information security the most prominent strategy many organisations,regardless of sector, choose to follow remains an in-depth defence approach tied to the belief that the perimeter to be defended is the firm’s firewalls and internal networks.

The growing number of assets hosted outside of an organisation’s firewall present a challenge to this approach as they can no longer be managed from a security perspetive in the same way. Unsurprisingly, this external attack surface is far more expansive than the internal one, often by several orders of magnitude as the interactions between consumers and financial institutions  are increasingly happening on the web, via mobile applications and on social media platforms and organisations are responding by developing new digital assets, many of which reside outside the firewall; on hosted web platforms, in mobile app stores and on social media sites.

It’s often the case that threats against an organisation’s external digital footprint can be segmented by the delivery system used to reach the user and the source of the vulnerabilities. Delivery systems include redirecting or farming websites and web assets, brand spoofing via unauthorised websites, or phishing emails. Common sources of vulnerability included software and communications security flaws, scripting languages, third-party components and libraries, and uncontrolled asset hosting which can lead to an injection of rogue or compromised assets, software bugs, etc.,

When it comes to externally hosted assets we found that 93% of Banks had assets hosted with cloud-based IaaS providers such as Amazon Web Services or Rackspace. While 94% were incorporating code from one or more third-party analytics/ tracking services which could pose a security risk. For example, Gigya was hacked by the Syrian Electronic Army (SEA) in November 2014 using a DNS redirect, leading to the website defacement of a number of well known commercial sites.

As the research shows, the modern banking industry  brings with it more digital exposure and therefore more digital risk. In response, security teams need to develop an effective external threat management programme as a core component of their overall security capability. This means an “outside looking in” approach that strives to protect users of digital channels and the integrity of the digital brand in addition to protecting corporate assets.