The continued expansion of e-finance has removed most of the conditions that once slowed the proliferation of cybercrime and related economic attacks. Most of the crimes that exploit the vulnerabilities inherent in the Internet today are not new: fraud, theft, impersonation, denial of service and related extortion demands have plagued the financial services industry for years. However, the widespread use of the Web and other emerging technologies to carry out these activities has exposed everyone involved to crimes of greater dimensions, in both depth and scope. Open network technologies allow faster, more widely distributed business, but they also create a fertile environment in which crimes of significant magnitude and complexity can be committed rapidly. As such, more nations and financial institutions need to understand the true risks involved, as well as the protective options that the many technologies involved can offer. The highly diverse range of cyber-attacks currently directed at elements of the financial sector, referred to from here on as Financial Sector Threats, has been identified as the most pervasive form of criminal activity propagated across our electronic infrastructure, according to authorities including the World Bank, the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI). In light of this reality, it has become paramount to the protection of both the economic and national security interests of the United States that our nation’s leaders rapidly achieve a higher level of cyber-situational awareness and effectively prioritize strategic mitigation of the confirmed vulnerabilities known to exist across the financial sector today.
Over the past decade, cyber-attacks have advanced explosively in complexity, diversity and overall volume, evolving into powerful weapons in the realm of economic markets, with the capability to destroy critical databases, interrupt underlying services and inflict catastrophic financial damage on a vast array of constituencies, all in an incredibly short timeframe. According to a 2010 report issued by the Federal Deposit Insurance Corporation (FDIC), over $700 million in losses were sustained by financial institutions in the first quarter of 2010 alone. Source: FinCEN, Suspicious Activity Reports 200-2009. In the overview of 2009 Suspicious Activity Reports (SARs) filed with the Financial Crimes Enforcement Network (FinCEN), part of the U.S. Treasury Department, financial sector security experts found that of the 56,000 instances of fraudulent wire or funds transfers recorded since 1997, more than half occurred in the past two years, in parallel with the record growth of Financial Sector Threats themselves. Countless other reports published in recent years across the financial and IT security sectors reinforce the seemingly unstoppable encroachment of dedicated cyber-attacks on and across our highly mission-critical, interconnected financial systems. For example, check and Automated Clearing House (ACH) fraud are rising at very high rates, and people who hold money-moving rights are being targeted. This is causing both small to mid-size financial companies and their customers to suffer material financial losses. To address this issue, the level of integrity built into the ACH and check life cycles themselves needs to be addressed. In a July 23, 2010 interview, Michael B. Benardo, chief of the Federal Deposit Insurance Corp.'s Cyber Fraud and Financial Crimes Section, named the following three top fraud threats of concern to the FDIC:

1. Malware and botnets
2. Phishing
3. Data breaches

According to the FDIC and FinCEN, computer intrusions and wire transfer fraud have metastasized noticeably in the past year alone. Maintaining trust and confidence in the safety and soundness of e-financial assets has become ever more challenging. Thus, in the face of blended and staged attacks, managing technology risk is possible only through continuous monitoring of enterprise-level risk metrics tied to the effectiveness of your security controls. Understanding your financial institution’s susceptibility to compromise is fundamental to successfully managing 21st-century operational and systemic risk. To ensure electronic safety and soundness, financial institutions should:
- Conduct regular penetration testing of their own infrastructure as well as third-party shared service provider systems.
- Utilize the “Twenty Critical Controls”.
- Educate the executive team and board so they understand the systemic issues being dealt with and what they need to do.
- Move towards digital time stamping of transactional data.
- Utilize two-factor authentication.
- Implement wireless security solutions.
- Assess web applications for OWASP Top 10 vulnerabilities before deploying them to the e-financial environment.
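The recommendation to time-stamp transactional data, together with the earlier point that integrity has to be built into the ACH and check life cycles themselves, is easiest to see in working code. The following is an added example, not code from the article or from any FDIC or FinCEN system: a small append-only transaction log in which every record is bound to a trusted time, to the hash of the previous record, and to a keyed tag computed with a key that only a hypothetical time-stamping service holds (`TSA_KEY`, a constructed value). The sample ACH-style transactions are likewise constructed. The `verify` function walks the log and reports the first integrity failure it finds, so an altered amount, a reordered record, a record re-hashed without the service key, or a clock that runs backwards is detected rather than silently accepted.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key held only by the time-stamping service, never by the
# application that writes transactions. Constructed for this example.
TSA_KEY = b"example-timestamping-authority-key"

# Hash that the first record chains back to.
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so that the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def stamp(prev_hash: str, txn: dict, now: datetime) -> dict:
    """Bind a transaction to its position in the log and to a trusted time."""
    body = {"txn": txn, "timestamp": now.isoformat(), "prev_hash": prev_hash}
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    # The tag can only be produced by whoever holds TSA_KEY.
    tag = hmac.new(TSA_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {**body, "hash": digest, "tag": tag}


def append(log: list, txn: dict, now: datetime) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    entry = stamp(prev, txn, now)
    log.append(entry)
    return entry


def verify(log: list) -> tuple:
    """Walk the log and report the first integrity failure, if any."""
    prev_hash = GENESIS
    prev_time = None
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return False, f"entry {i}: chain broken (reordered or deleted record)"
        body = {k: entry[k] for k in ("txn", "timestamp", "prev_hash")}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        if digest != entry["hash"]:
            return False, f"entry {i}: record contents altered"
        expected_tag = hmac.new(TSA_KEY, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False, f"entry {i}: timestamp tag forged or missing"
        t = datetime.fromisoformat(entry["timestamp"])
        if prev_time is not None and t < prev_time:
            return False, f"entry {i}: timestamp earlier than previous entry (backdated)"
        prev_hash = entry["hash"]
        prev_time = t
    return True, "log intact"


def demo() -> dict:
    """Build a small log and show which tampering scenarios verify() catches."""
    # Constructed sample transactions, not real data.
    t0 = datetime(2010, 7, 23, 9, 0, tzinfo=timezone.utc)
    log = []
    append(log, {"id": "T1", "from": "ACCT-100", "to": "ACCT-200", "amount": "1500.00"}, t0)
    append(log, {"id": "T2", "from": "ACCT-100", "to": "ACCT-300", "amount": "250.00"}, t0.replace(minute=5))
    append(log, {"id": "T3", "from": "ACCT-200", "to": "ACCT-400", "amount": "9800.00"}, t0.replace(minute=10))
    results = {"intact": verify(log)}

    # Amount edited in place: stored hash no longer matches the record.
    altered = copy.deepcopy(log)
    altered[1]["txn"]["amount"] = "25000.00"
    results["altered_amount"] = verify(altered)

    # Records swapped: prev_hash links no longer line up.
    results["reordered"] = verify([log[0], log[2], log[1]])

    # Amount edited and hash recomputed, but without TSA_KEY the tag cannot be refreshed.
    rehashed = copy.deepcopy(log)
    rehashed[1]["txn"]["amount"] = "25000.00"
    body = {k: rehashed[1][k] for k in ("txn", "timestamp", "prev_hash")}
    rehashed[1]["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    results["rehashed_without_key"] = verify(rehashed)

    # A properly stamped record whose time runs backwards is still flagged.
    backdated = copy.deepcopy(log)
    append(backdated, {"id": "T4", "from": "ACCT-300", "to": "ACCT-100", "amount": "10.00"}, t0.replace(hour=8))
    results["backdated"] = verify(backdated)
    return results


if __name__ == "__main__":
    for name, (ok, msg) in demo().items():
        print(f"{name:22s} {'OK ' if ok else 'FAIL'} {msg}")
```

The design choice worth noting is the separation of duties: the hash chain alone only proves that the log is internally consistent, and anyone who can rewrite the log can rebuild the chain. The keyed tag from the time-stamping service is what makes that rebuild detectable, which is why the key must live outside the system that originates the transactions.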
Digital provenance can be achieved if we respect our adversary’s tactics.

Tom Kellermann, Vice President of Security Awareness.