The danger within – tackling insider threats in the financial services sector
August 2017 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
August 2017 Issue
Recent high profile cyber security attacks have dominated the business agenda. With high profile business and customer data up for grabs, not to mention the opportunity to disrupt or defraud a business, the financial services sector makes a highly tempting target. Just last year Tesco Bank was forced to suspend online banking for a time after customers were hit by thousands of fraudulent transactions – stealing more than £2.5m. More recently, Kaspersky found that a single incident involving a bank’s online banking services could cost $1.75m.
This might explain why SWIFT announced in April that it is bringing in a new real-time payment control service to help more easily detect unusual transactions. Clearly, the threats banks face from external attackers are significant. Yet this is not the only thing they should be focusing on. One of the biggest threats is from people operating inside the organisation. Research by IBM found that 60 percent of all cyber attacks are carried out by insiders, and that the financial services sector is one of the top three industries under attack. So what can firms do about this type of threat?
Obviously, financial services firms are a hugely lucrative target for cyber criminals, given the kind of data they possess and the disruption that can be caused by bringing their systems down. As a result, many organisations have put in place a wide variety of traditional security measures, consisting of tools that are able to deal with external, predictable threats, such as DDoS attacks or malware. However, the problem is that these systems cannot stop less predictable, more random attacks – especially if the attacker is working from within.
Inside jobs are not going out of fashion
To successfully get insider threats under control, financial organisations must understand the risks they face. The most obvious is that insiders have access privileges that external attackers do not. They have legitimate access to the applications, networks, systems and data. Hence, they can potentially compromise, steal, misuse or corrupt sensitive data – sometimes even without intending to, through ignorance, negligence, or just plain carelessness.
Additionally, organisations now rely on IT functions being outsourced to third parties and are consequently finding it harder to gain full visibility, let alone control, over all the systems they use and locations where their data sits. This has led to a situation where there can be a number of potential entry points into a financial institution’s network that are difficult to control, and which another company’s staff could potentially use to access sensitive systems.
It is a real challenge to address every eventuality in which an insider could be acting against an organisation. Since different insiders have differing motives, skill sets, risk profiles and access privileges, the controls put in place to address one scenario may be completely ineffective in another. For instance, IT security teams must choose effective controls to deal with a diverse range of situations that could include: (i) data breaches that are accidental or caused by ignorance – something as simple as sending data to the wrong email address; (ii) breaches that are opportunistic or planned and deliberate; (iii) breaches made possible by incorrectly configured systems; (iv) breaches that result from an administrator circumventing stringent controls; and (v) breaches that result from inappropriate levels of privilege for insiders.
Sometimes, insider threats are viewed as application-level or fraud issues resulting from identity management problems, whereas cyber security refers to more highly technical external attacks. This can mean that institutions fail to counter a targeted, technical and motivated internal actor. The reality is that all these can be damaging, costly and potentially ruinous to an organisation’s reputation – plus the external attacks often include the compromise of an insider’s account or workstation (a ‘weaponised insider’) so the impacts and warning signs can be similar.
Lock the vault door – how to bring insider threats under control
This is not to say that people have not tried to deal with this broad range of insider threats head-on. In the past, the FBI tried to develop a tool that could predict insider behaviour and stop cyber criminals in their tracks before they could successfully do harm. However, the results were not wildly successful. The FBI has since moved to a behavioural baselining methodology to detect anomalous insider activity as it occurs. This monitors how IT users are operating on the system and identifies when that activity might be considered abnormal – they claim that this approach is far more effective. When combined with machine learning and activity profiling, behaviour anomaly detection solutions can quickly detect an indicator of compromise that could signpost a potential malicious insider threat and alert IT security teams, allowing them to take action before it is too late.
There are also other methods that can be applied to reduce the threat from malicious insider activity. For example, access rights should be based on user roles, so that only those employees that have a real need to access a given resource have the ability to do so. If an employee does not need access to customer bank accounts or trade secrets, then their access privileges should not permit it. Separating duties can also prevent subversion or collusion, and avoids implicating personnel in activities in which they had no part. The most useful controls are those that provide evidence to support their operation, which is generated continuously through normal use; such as collection and regular analysis of event logs and system or network activity.
In most cases, victims of insider breaches could have found evidence of data breaches in their log files, if they had looked. For example, if a certain user is accessing a significant number of documents that are not reasonably within their remit, then the alarm would be triggered and the breach responded to quickly. Imagine the problems that this approach could help to avoid by detecting insiders like Jérôme Kerviel, who infamously cost Société Générale an astonishing €4.9bn by abusing his access privileges to IT systems.
At the end of the day, financial organisations must look toward other security measures above and beyond network security systems and signature-based tools and ensure their focus includes the early detection of a broader set of indicators of compromise.
By doing this, and then ensuring they have a completeness of focus on the investigation and verification of risks, financial service organisations will be able to take the appropriate action to deal with any given threats, regardless of the source, motive or nature. Dealing with the problem rather than the symptoms gives businesses a much better chance of finding a threat before it is too late and a damaging breach takes place.
Piers Wilson is head of product management at Huntsman Security. He can be contacted on +44 (0) 845 222 2010 or by email: firstname.lastname@example.org.
© Financier Worldwide