Hackers are actively attacking some of the largest banks in the nation, U.S. Homeland Security Secretary Janet Napolitano warned this week.
Napolitano declined to go into detail about the types of breaches or what kind of information — if any — had been taken. She brought up her concern about attacks on U.S. financial institutions at a cybersecurity event.
The federal government is aware of the vulnerability of U.S. stock exchanges and other financial institutions, as well as infrastructure and utilities. Napolitano stressed the importance of enacting federal guidelines to protect against cyberwar.
Banks including Wells Fargo, Bank of America and JP Morgan Chase were hit this fall with distributed denial of service attacks. Hackers were also able to empty US$400,000 from a Citibank account in Burlington, Wash., earlier this year. Cybercriminals are increasingly using targeted attacks to go after unassuming consumers and employees, said Michael Murray, managing partner of MAD Security.
“The majority of the attacks right now involve targeted phishing and malware attacks — where the most common attack vector a few years ago was Web applications, the most common attack vector today comes through our people,” Murray told TechNewsWorld. “Spear phishing through email, social media and even IM has been used to cause a large number of breaches in the last two years.”
Stepping Up Preparation
The shutdown of New York’s financial sector caused by Hurricane Sandy is a stark reminder of how much tumult a human-generated disruption also could cause, said Avivah Litan, security analyst at Gartner.
“The fact that the stock market had to close for two days because of a hurricane should be a wake-up call that we are largely unprepared for a major cyberwar,” Litan told TechNewsWorld. “There should be more effective business continuity plans. These are noticeably absent.”
Relatively speaking, though, Web applications and security systems at financial institutions do have greater protection in place than those in other industries — mostly because they need it the most, said Murray.
“In my experience, banks are actually some of the best-defended organizations — due to the regulations we’ve put on financial institutions, they’ve invested more heavily in information security controls than most other segments of the economy,” he observed. “Unfortunately, banks are also the most heavily targeted segment of the economy because, as the old bank robber Willie Sutton said, they’re where the money is.”
President Obama has made cybersecurity a priority, Napolitano noted in her address. She stressed the importance of maintaining that type of attitude in Congress going forward.
With so many laws already in place, though, the more important priority needs to be enforcing them, said Litan.
“There is probably enough regulation already, but regulators need to be smarter in how they examine banks’ preparedness for these massive hacker attacks,” she said. “I don’t see proactive leadership from the government — but I don’t think we need new laws to get that from them. We just need them to execute on the powers they already have.”
Focus on User
Part of the emphasis on enforcement must be raising consumer awareness about cyberattacks beyond the current level of public knowledge, stressed Murray, but the best protection lies within the financial institution.
“The best way to protect is simple: focus on the behavior of our [bank employee] users,” he said. “I’m not talking about traditional awareness programs that just educate users. We need to put behavior-change efforts in place within the organization to make it easier for our users to spot these attacks, more likely that they report them, and to better protect their organizations. We haven’t done a good job of that as an industry yet.”
As hackers use the system to grow more cunning, workers must be aware of and ready to follow security guidelines so a tricky cybercriminal can’t get the best of the system, said Litan.
“The attacks and unavailability of online systems opens the door for social engineering of bank staff by the hackers — for example, call center staff who are overwhelmed with call volume when websites are down — and the protections are only as good as the weakest link,” she pointed out. “Hackers can socially engineer their way into successfully executing an illegitimate wire transfer by manipulating and fooling a sympathetic call center agent.”