The financial sector is under constant attack by cyber criminals. In fact, banks are attacked four times more than other industries. Large bank hacks and exploits continually made headlines over 2015 and that trend continues as we progress into Q4 of 2016. What are the major cyber threats facing organizations in the financial and banking sectors, what steps can these organizations take in order to secure their code and what role can source code analysis play in securing banking applications against attackers?
From 2015 – 2016, Financial Hacks Continue
In 2015, Kapersky Lab discovered that at least 100 banks in 30 countries, including Russia, the US, Germany, China, and Ukraine were infiltrated by cyber criminals who phished their targets with malicious email attachments. This massive attack, which had roots going back to 2013, allowed cyber criminals to steal over $1 billion USD by actively exploiting banking computers to both dispense cash from ATMs and transfer funds to their accounts.
In early 2016, ThreatMetrix released their Cybercrime Report released which analyzed over 15 billion transactions over 2015 and identified a record of 21 million fraud attacks and 45 million bot attacks just in the last quarter of 2015. With the continued growth of mobile financial transactions, up 200% in the last quarter of 2015 as compared to the last quarter of 2014, there has never been a more critical time to heighten the security posture of financial web and mobile applications before they are exploited by malicious parties.
In late August 2016, it became apparent that the global banking system was under attack as Society for Worldwide Interbank Financial Telecommunication (SWIFT) SWIFT issued a warning that it was facing ongoing and sustained attacks against its members following major cyber attacks against banks in Bangladesh, Vietnam, the Philippines and Ecuador. In the Bangladesh bank hack, hackers were able to steal over $100 million USD and in Ecuador at least $12 million.
Rather than these hacks being isolated incidents, SWIFT warned that they are just the beginning and that financial institutions need to be ramping up their security as quickly as possible due to the fact that these attacks could have had an “existential” impact on the financial institutions, especially as the cyber criminals almost got away with a transfer of $1 billion. Fortunately, a typo aroused suspicion and the transaction was halted.
The security warning from SWIFT comes just over a month after financial market infrastructures (FMIs) – payment and trade settlement systems – were warned by the European Central Bank’s Governing Council that they should “take action immediately” to bolster their cybersecurity against the constant threats of hackers.
What are the Major Threats Facing the Financial Sector?
Verizon’s 2016 Data Breach Investigations Report (DBIR) explains that of all the threats facing the financial sector, 88% of all these attacks fall into three categories: web app attacks, denial of service and card skimmers. Of these three, web app attacks account for the majority of the incidents at 48%.
According to the Kaspersky Security Bulletin 2015, the banking industry has a long way to go when it comes to security. Key findings include:
- 1,966,324 registered notifications of malware raids on online bank accounts.
- 798,113,087 cyberattacks launched from online resources worldwide.
- 2% user-end computers were compromised at least once during the year.
- Around 24% of the cyberattacks originated from US territory.
- 121,262,075 malicious objects (scripts, exploits, etc) were detected.
How to Prevent Web Attacks Against Your Financial Institution
While some of the attack vectors used to target financial institutions, such as malicious insiders and card skimming cannot be prevented with even the most advanced security software and while web application firewalls (WAFs), or anti-malware software, can’t cover all the sophisticated attacks, there is hope for financial institutions seeking to bolster their security posture.
In addition to employing two-factor authentication and ensuring that a strong patching process is in place for third-party plugins and CMS platforms, it’s essential to ensure that the code at the heart of every banking web application is secure.
Low code integrity also should be a major cause for concern for banking and financial institutions as unmitigated vulnerabilities that make it into production can wreak havoc for not only the organization being hacked, but the entire industry as a whole as demonstrated with the stern warnings issued by SWIFT and the European Central Bank’s Governing Council. In order to stay a step ahead of the hackers, banks need to ensure that their SDLCs are secure and the best way to do this is by implementing a trusted automated source code analysis solution early on in the software development lifecycle (SDLC).
Using a Source Code Analysis Solution to Strengthen Banking Security
Through the implementation of a source code analysis (SCA) solution in their SDLC, banking and financial organizations are able to automate their security scanning and ensure that their code is secure at every developer touchpoint within the SDLC.
Additional benefits of using a source code analysis solution include:
1 – Creation of a secure Software Development Life Cycle (sSDLC) – The automation of the process helps create a safe protocol where security findings are treated just as QA bugs.
2 – Developers are fully involved in the security efforts – With the solution built into their native development environments, developers eventually become security champions.
3 – Great for Agile, DevOps and CICD scenarios – More and more organizations are gravitating towards these setups, making SCA an ideal solution for close to real-time results.
4 – Better ROI – The early detection and remediation of vulnerabilities means safer applications that are tough to exploit and post-release maintenance costs are lowered significantly.
5 – Wide platform and language coverage – Today’s leading SCA solutions offer wide coverage to support complex development environments with multiple frameworks/scripting languages.
Choosing Checkmarx’s CxSAST as your source code analysis solution, not only ensures that your application makes it to production free of security, legal and compliance issues, it also is an investment in the long-term quality and security of your code as it helps enhance and empower developers’ secure coding awareness. The latest release of Checkmarx (8.2) includes AppSec Coach™ which is an integrated in-context eLearning platform that developers can use to sharpen their secure coding skills.
When vulnerabilities are identified in the source code during the security scan, developers are able to quickly click through to an interactive lesson that provides a walkthrough of how that specific vulnerability needs to be remediated– all without leaving the development environment. This AppSec “coaching” will pay off in dividends in the long run as your developers learn what mistakes to avoid in their coding.