Earlier this week, the Bank of England warned the UK financial sector that it is unprepared for cyber-attacks, with a spokesperson stating that a major attack would disrupt “everyday” life. As part of any country’s critical infrastructure, the financial sector is a target for cyber-criminals and terrorists.
The financial sector boasts some of the most mature security programs in the business world, yet gaps that an attacker can exploit still remain. Vulnerabilities in mobile or web applications used and purchased by financial institutions pose a threat to financial service organizations’ infrastructure. The use of third-party applications and components further compounds the potential vulnerabilities in the application layer of financial services institutions. In fact, over 62% of vendor-supplied applications fail basic security testing, with 90% including at least one of the OWASP Top 10 most critical web application security flaws (Enterprise Testing of the Software Supply Chain).
Attacking suppliers to reach the ultimate target is an increasing trend, demonstrated most notably by the Target breach, which resulted in the loss of more than 110 million customer records. That breach was traced to a third-party vendor.
Financial services organizations need to vet all aspects of their supply chain: the people they have given internal access, the service providers they connect to, and the software they outsource or purchase. Organizations that aren’t performing these activities are accepting a much higher level of risk because attackers have been relentlessly targeting web application vulnerabilities and are starting to target mobile apps with the same vigor.
In the US, the FS-ISAC (Financial Services Information Sharing and Analysis Center) recognized this gap and created a set of controls around the use of third-party applications. These were captured in the whitepaper “Appropriate Software Security Control Types for Third Party Service and Product Providers”.
In addition to ensuring the third-party applications they use are secure, there are a few ways these organizations can improve their overall security. The two most common methods for breaching a company are phishing and web attacks. Endpoint security, especially application whitelisting, can help prevent a successful phishing attack from installing malicious software. Websites can be tested for vulnerabilities, which can then be remediated. A stronger measure is “air gapping”, that is, not connecting critical systems to the internet at all. An alternative to this drastic approach is to compartmentalize internal networks. One way to think of this is to imagine the compartments in a submarine: if the hull is breached, the affected compartment can be sealed off so that the entire ship does not flood.
For financial services institutions to improve their security they must look at their software suppliers and the third-party components used in application development with a critical eye. Only then will they be prepared for the inevitable cyber-attack on their infrastructure.