
Viewpoint paper

Cyber crime is wreaking havoc The financial services sector must be prepared


Table of contents

1 Change with the times

1 Next-generation threats

2 BYOT—an expectation, not a privilege

2 Cyber-attack risks continue to rise

2 New attacks are coming—get prepared

3 Technology used to cope with coming threats

3 Identity is everything

4 Threat detection and attack analysis are evolving

4 Compliance and governance are essential

5 Playing field getting leveled

6 About the author

Viewpoint paper | Cyber crime is wreaking havoc


Financial services are getting squeezed by massive social and technological changes, and by the need to modernize. Combine that with the growth and sophistication of cyber crime, and it’s time to fight back and level the playing field with a strong security policy.

Change with the times

Banking executives are aware of the cyber threats directly impacting financial services, and the erosion of trust that such attacks invariably entail.

They are also aware of the dramatic changes happening in IT infrastructures, and of consumer-driven tech trends such as bring your own technology (BYOT); these are forcing them to rethink much of what they have practiced in the last 20 years.

While these trends are happening now, what follows in the next 10 years is likely to be even more disruptive. Many sectors are already preparing for the future, but is the financial services industry (FSI) in danger of being overwhelmed due to its ingrained technological conservatism—particularly when it comes to security policy?

Next-generation threats

Cyber attacks that steal money, intellectual property, or launch political attacks can destroy trusted relationships with customers and partners, which is your lifeblood.

Banks, understandably, still rely on keeping large parts of their organizations behind firewalls, much as they still prefer gigantic headquarters buildings to give an assurance of trust, reliability, and permanence.

Appearances can be deceptive, and old school defences can give a false sense of reassurance. A continued reliance on centralized, mainframe network architecture reduces flexibility when dealing with next-generation attacks.

At the same time, it puts financial institutions at a disadvantage when trying to adapt to fundamental changes in working practices and consumer behavior—driven by rapidly evolving, always-connected smart devices. By not adapting, they will lose out to rivals that learn how to securely embrace the change for customers and employees, and to new, innovative FSI sector entrants that have already disrupted their own sectors, such as retail.


BYOT—an expectation, not a privilege

In other industry sectors, BYOT is no longer seen as a privilege. The personal device is becoming a multilayered, multipurpose device of choice that shares business and personal data and functions. This trend will accelerate; devices will become extensions and virtual outposts of the central organization, and hubs for the personal data clusters now developing. How ready is your organization for this?

The pace of development in smart devices outstrips anything in conventional network architecture or desktop PCs. Financial services will have to accept that employees will use these devices or become potential dinosaurs in a newly competitive, disruptive financial services sector.

Cyber-attack risks continue to rise

Banks and financial institutions have no choice but to adapt to BYOT and other social and technical trends. Cyber attacks are out of their control and will increase exponentially in the next 10 years. The cost of each attack will also increase. The Ponemon 2013 Cost of Cyber Crime Study, sponsored by HP, pegs the average annual cost of cyber crime for organizations at $7.2 million in 2013, up 30% from 2012.

That figure has risen every single year the survey has run. Meanwhile, according to a recent report by Booz Allen, a consultancy firm, cyber attacks are the “new normal” for the financial services industry.1

In the United States (U.S.), The Depository Trust Clearing Corporation (DTCC) has named Distributed Denial of Service (DDoS) attacks as one of the three types of attacks that pose a “systemic risk” to the financial system. The organization, which settles the majority of securities transactions in the U.S., said DDoS attacks against financial institutions have dramatically increased in the last 12 months. Such attacks are also often used as a smokescreen for more targeted attacks and to exploit pressured call center staff vulnerable to phishing attacks.2

New attacks are coming—get prepared

Worse is coming. The European Union (EU)-sponsored International Cyber Security Protection Alliance (ICSPA) has predicted that 2020 will see cyber criminals using some or all of the following tactics and malicious technologies. Some are based on the very technologies that banks and others are using to lower IT costs, such as cloud and virtualization.

• Exploitation of Near Field Communication (NFC) technologies, which banks will be using for new services in the future

• Highly distributed denial of service attacks using cloud infrastructures

• A move from device-based to cloud-based botnets, hijacking distributed processing power

• A mature illicit market for virtual items—stolen and counterfeit

• Physical attacks against data centers and Internet exchanges

• Electronic attacks on critical infrastructure, including power supply, transport, and data services

• Micro-criminality, including theft and fraudulent generation of micro payments

• Bio-hacks for multifactor authentication components

• High impact, targeted identity theft and avatar hijack

• Sophisticated reputation manipulation

• Augmented reality misused for attacks and frauds based on social engineering

• Hacks against connected devices with direct physical impact such as wearable technologies


1 boozallen.com/media-center/press-releases/48399320/booz-allen-releases-annual-cyber-security-trends-for-2014

2 Ibid.


Not all these threats will disrupt financial services, but some certainly will, and it’s clear that none would be stopped by contemporary cyber defences.

Banks will want to use NFC to introduce new products and fast payment solutions. How will they protect their customers from aggressive targeted attacks and from avatar-based attacks, in which a highly advanced digital creation is assembled from numerous stolen aspects of an individual’s real identity, so that banks can be fooled into thinking they are dealing with a real customer online when they are not? In this next level of identity theft, bank customers find themselves “cloned” online. Right now, it’s unlikely that plans are being put in place to beat such advanced criminal techniques.

Denial-of-service attacks will increase in number and intensity, as criminals have seen the fruits of fostering disruption and fear among bank customers. The industrialization of micro-payment fraud will also put huge new pressure on staff and security policies to contain multiple account-harvesting techniques.

Therefore, unless the banking industry initiates change now, it will be highly vulnerable to the systemic failure that the DTCC fears.

Technology used to cope with coming threats

Neil Passingham, technical solutions director at HP, believes that security is always behind the threat curve. He said, “We need to leverage resources—make the most of Big Data and the cloud for example. CISOs are advised to use present day solutions but what they really want is to be listened to. We need to align serious solutions that secure their business.”

All leading security vendors should heed this statement. Given whole new attack types that will seek out vulnerabilities in tools and infrastructures—and the use of super-connected devices—financial services, like other organizations, need to urgently switch attention to application layers and the data itself.

The organizational perimeter needs to shrink to an absolute minimum core data piece, where data simply cannot be breached. All else can be protected as much or as little as needed by using mature risk assessment controls.

Beyond that, the focus must be on advanced encryption techniques, and security analytics that exploit the power of Big Data. This will turn enterprises from reactive security positions to intelligence-based positions, where risk positions are calculated around hard data readings with attack lines plotted before they can happen.

New forms of identity such as unique personal data clusters will be needed to combat aggressive phishing and fraud attacks. The trend will be toward creating online identities and access models that rely on multifaceted digital profiles based on an individual’s online behavior rather than simple two-factor authorization.

Identity is everything

True identity is the lifeblood of financial services, but the measurement of identity needs to change. Passwords, two-factor, even biometric systems are flawed. Identity as implemented in enterprise applications doesn’t necessarily align with how identity works in the real world.

Systems are being researched and will be brought to market that create complex identity sets based on personal data clusters and an individual’s data history rather than passwords that can be stolen or easily guessed. A “biodata” identity system is more secure than even biometric data such as fingerprint or eye scans, which have been proven not to be failsafe. This is all part of how data analytics, Big Data, and informatics will form the core of next-generation cyber defences.


Threat detection and attack analysis are evolving

Elsewhere, forensics is moving from a method of simply analyzing a cyber attack after the event to a tool that can profile the cybercriminal and attack methods by building biodata patterns of criminal and malware activity. Such digital forensics will become an integral part of the enterprise in the near future. It can also be used to monitor employee behavior to cope with insider threats and unusual data patterns or financial movements. There are a number of developments in this area. For example, several vendors are developing their own threat intelligence services, such as a “next-generation” security operations center (SOC), security intelligence as a service, and other “human factors” research, to help meet the 2020 cyber challenge.3,4,5

Conventional signature-based anti-malware solutions cannot cope with 2013 levels of malware production, let alone those predicted for 2020. New anti-malware solutions, which are already appearing, trap malware at the microvisor level, so it can’t enter the organization at any level or point—and the infected file can be safely extracted. New-generation security protocols will adjust, seek out, and quarantine perceived threats before any system is compromised.

Compliance and governance are essential

Unfortunately for security managers in financial services, turning to governments for help in dealing with next-generation threats is likely to end in disappointment.

Instead, bodies such as the EU, the U.S. Federal Government, and increasingly powerful Middle Eastern and Asian agencies are likely to make financial services work harder to meet new compliance regulations, as the emphasis will be firmly placed on banks’ responsibilities to protect the consumer, bank customers, and partners.

When Islamic hacktivists attacked U.S. banks in early 2012, the response was not sympathy but rather calls from government for greater diligence on the part of the banks themselves.

At the same time, progress on international cooperation to defeat cyber crime and state sponsored cyber attacks on banks and other organizations is limited, and the situation is unlikely to improve anytime soon.

Revelations by whistle-blower Edward Snowden are likely to make governments cooperate less on issues of cyber security. Sadly, Snowden revealed that even allies are willing to use cyber means to spy on each other—hardly the spirit to foster international cooperation against mutual enemies.

Financial services information leaders face the prospect of uncontrolled international cybercrime, and governments concerned with locking down and protecting their own infrastructures from their allies, while responding to public concern about data breaches with tighter governance and higher financial penalties. A failure to invest in data management systems that assist in meeting compliance rules will not be an option.

Complicating the picture, as banks open up and abandon their traditional security posture to be more competitive and efficient, they increase their actual risk of exposure to compliance-busting data breaches.


3 en.wikipedia.org/wiki/Data_analysis_techniques_for_fraud_detection

4 eweek.com/small-business/hp-updates-arcsight-portfolio-with-security-analytics/

5 techrepublic.com/blog/it-security/how-user-behavior-monitoring-helps-reduce-risk/


Playing field getting leveled

No doubt the picture for financial services is a hugely challenging one. They are squeezed by massive social and technological changes, and the need to modernize. At the same time, an unprecedented period of growth and sophistication of cyber crime is predicted. And there will be further legislative pressure in a globalized market.

At the same time, vendors and the information security industry are fighting back with a level of innovation that has been absent for too long. Advances in Big Data analytics, intelligent anti-malware techniques, digital forensics, and identity science are emerging, which will start to level the playing field back in favor of a financial services sector that must change itself at the same time.

Learn more at hp.com/enterprise/security


Sign up for updates hp.com/go/getupdated

About the author

Dan Chaplin

Dan Chaplin is a strategic consultant for the HP Enterprise Security Services CTO Office, supporting the link between HP security services and challenges in the financial services industry. Having joined HP in 2003 and worked with many of the top financial services providers across EMEA, Chaplin understands the challenges of delivering large-scale change in a highly regulated and technically risk-averse environment. He has been heavily involved with HP Managed Security Services, working with clients to understand their security maturity and how they can more efficiently deliver their security operations. Chaplin helps clients understand the benefits and challenges of effective security outsourcing and of measuring the success of their investments through proper reporting and service governance.


© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA5-1187ENW, March 2014