Financial Services: Web Application Attacks Increase 38% in H1 2021
During his mid-century career, professional bank robber Willie Sutton got away with about $2 million in stolen cash. Urban legend has it that when a reporter asked Sutton why he robbed banks, he replied, “That’s where the money is.” In later interviews, Sutton denied the quote. Either way, the point is well made and applies to the financial services industry to this day.
While an old-fashioned bank robbery can never be ruled out, stealing money directly from a physical bank is a “last century” approach. Today, the currency cybercriminals seek is personal data, and the attack surfaces are the web applications that customers, partners and employees use to conduct a wide range of financial transactions online.
Don’t get me wrong: financial institutions are always “where the money is”. Financial services hold the dubious title of “most hacked industry”, accounting for 35% of all data breaches. Much to the delight of cybercriminals, the COVID-19 pandemic has led to large-scale growth in online banking, dramatically increasing the volume of sensitive customer data that can be stolen. At Imperva, our research demonstrates how these realities are changing the threat landscape for the financial services industry. As the COVID-19 pandemic dragged on into 2021, Imperva Research Labs reported that between January and May 2021, web application attacks against the financial services industry increased by 38%.
Top 5 Security Threats in Financial Services
Sensitive data breaches
The rise of online banking and wider digitalization within the financial services industry has required most organizations to manage significantly higher volumes and greater complexity of data. This, coupled with the prospect of stricter data privacy laws on the horizon, makes protecting sensitive data an unprecedented challenge.
The rapid pace of change in this industry makes it hard to apply security controls consistently to all data stores, exposing many financial services organizations to increased risk and vulnerability in the event of a data breach. Cybercriminals know this. Attacks against sensitive data are increasing at an alarming rate. Imperva Research Labs reported that over 870 million records were compromised in January 2021 alone. This is more than the total number of compromised records in 2017.
Layer 7 DDoS attacks target the application layer, the top layer of the OSI model, which facilitates connections over the Internet Protocol. The goal is to overwhelm server resources by flooding a server with traffic in the form of connection requests until it is no longer able to respond. The higher the number of requests per second (RPS), the more intense the attack.
Digital Banking Report found that “improving the customer experience in banking” should be the primary goal of financial service providers. Those who invest in mitigating attacks that degrade the customer experience have higher recommendation rates, a higher share of wallet, and are more likely to up-sell or cross-sell products and services to existing customers. In contrast, when customers are denied access to their online banking services, they react with outrage, which often leads them to complain on social media platforms, switch providers and damage the bank’s brand.
Imperva Research Labs finds that the number of requests per second (RPS) in Layer 7 DDoS attacks targeting financial services has tripled since April 2021.
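The RPS measure described above can be computed directly from web server access logs. The following is an added example, not code from the original post or from Imperva: it counts requests per second over a constructed sample log and shows why an aggregate threshold catches a flood that per-client counting misses. The log format, threshold and function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

def _line(ip, ts, path):
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample log (documentation IP ranges, not real traffic): normal
# requests, then two seconds of a flood spread across 40 client addresses.
SAMPLE_LOG = (
    [_line("198.51.100.7", "12/May/2021:10:00:00", "/login"),
     _line("203.0.113.9", "12/May/2021:10:00:01", "/accounts")]
    + [_line(f"192.0.2.{i % 40}", "12/May/2021:10:00:02", "/login") for i in range(120)]
    + [_line(f"192.0.2.{i % 40}", "12/May/2021:10:00:03", "/login") for i in range(150)]
    + [_line("198.51.100.7", "12/May/2021:10:00:04", "/balance")]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} ')

def parse(line):
    """Return (timestamp, client_ip, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    try:
        return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, path
    except ValueError:
        return None

def flood_seconds(lines, rps_threshold):
    """List (second, rps, distinct_clients, busiest_path) for seconds at or over the threshold."""
    per_second = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_second[rec[0]].append(rec[1:])
    alerts = []
    for when in sorted(per_second):
        hits = per_second[when]
        if len(hits) >= rps_threshold:
            busiest = Counter(path for _, path in hits).most_common(1)[0][0]
            clients = len({ip for ip, _ in hits})
            alerts.append((when.strftime("%H:%M:%S"), len(hits), clients, busiest))
    return alerts

def max_per_client_rps(lines):
    """Highest request count any single client reached within one second."""
    counts = Counter(rec[:2] for rec in filter(None, map(parse, lines)))
    return max(counts.values(), default=0)
```

In the sample, the aggregate rate reaches 150 RPS against `/login` while no single client exceeds 4 RPS, so a per-client rate limit alone would not trigger.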
In late 2020, Imperva noted a dramatic increase in serious ransom denial-of-service (RDoS) threats, targeting thousands of major commercial organizations globally, including many in financial services.
RDoS campaigns are distributed denial of service (DDoS) threats based on extortion and motivated by financial gain. Extortionists often exploit the names of well-known threat actor groups in their extortion emails to demand payment in bitcoin to prevent a DDoS attack on the target’s network.
In the first six months of 2021, Imperva Research Labs noticed that these threats were increasing. This year’s attack patterns are very similar to those of 2020, where:
1. The extortionist sends an email, sometimes accompanied by a sample attack (which often takes the business offline for a short time).
2. The target receives a week’s notice to settle the payment.
3. The extortionist threatens to return with a massive attack at a scheduled time.
Client-side attacks occur when a website user uploads malicious content and enables a malicious actor to exploit the website by intercepting user sessions, inserting hostile content, and conducting phishing attacks, to name just a few. In financial services, these attacks focus on skimming payment information by exploiting third-party scripts used by thousands of websites across many industries.
Financial websites rely more on third-party scripts to provide better services to their customers, but due to the high volume of digital transactions dealing with financial assets and other sensitive data, they are a prime target for client-side attacks. Once credit card details are stolen, the data can be used immediately by cyber criminals to acquire property or sold to other criminals for further exploitation. Either way, it’s a serious risk. Consumers and their financial service providers find out too late.
Supply chain attacks
Since 1999, the Common Vulnerabilities and Exposures (CVE) system has reported more than 150,000 CVEs (zero-day vulnerabilities) in commonly used applications and software components. Of these, more than 11,500 are characterized as critical, although it is commonly believed that the vast majority of software vulnerabilities go unreported. End-to-end processing for all financial services incorporates a complex set of software applications that involve back office, middle office, risk management, business developers, finance and IT.
Application programming interfaces (APIs) are at the heart of these applications, allowing them to communicate with each other. APIs often self-document information, such as their implementation and internal structure, which can be used as intelligence to attack the software supply chain. Additional factors such as weak authentication, lack of encryption, flaws in business logic, and insecure endpoints make APIs even more vulnerable to attacks. As financial services organizations partner with other businesses to deliver and receive services, the supply chain attack surface grows, and with it the risk of attack.
An underprotected supply chain makes your organization an easy target for cybercriminals who know that vulnerabilities in software applications and APIs are a way for them to infiltrate and compromise your business. Since most of a company’s software is no longer proprietary, attackers will find ways to exploit the many types of software applications a company may use. Since the Sunburst attack in late 2020 and others that followed it, one would naturally expect the priority of supply chain security to rise within organizations, but this is not the case. This has led regulators to look into the matter. To support this, financial services industry regulators, such as the Monetary Authority of Singapore and the Federal Financial Institutions Examination Council (FFIEC) in the United States, have issued new guidance addressing the need for supply chain resilience in the sector. Additionally, in April 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) released new guidance on defending against various software supply chain risks.
What type of data is stolen?
Imperva Research Labs finds that 74% of data stolen in recent years is personal data. This is generally information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify a person in context.
The widespread theft of personal data is a strong indication that many organizations are not putting sufficient protection in place to secure it. In many cases, the theft of personal data from financial institutions is facilitated because it is regularly shared between systems, people and vendors to complete transactions. As regulations governing data privacy become more stringent, it will be critical for every organization to have the ability to discover, identify, and classify personal data within its data set. Only when an organization knows where personal data is housed and which applications and users are accessing it can it expand the security controls that protect it.
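As an added illustration of discovering and classifying personal data in a data set (not code from the original post or from Imperva), the sketch below scans constructed records for email addresses and payment card numbers. The detector patterns, labels and column names are assumptions; card candidates are confirmed with the Luhn checksum so that ordinary 16-digit reference numbers are not misclassified.

```python
import re
from collections import Counter, defaultdict

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(value):
    """Return the set of personal-data labels found anywhere in a value."""
    labels = set()
    if EMAIL_RE.search(value):
        labels.add("email")
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("payment_card")
    return labels

def classify_columns(rows):
    """Map each column holding personal data to {label: number of rows with a hit}."""
    hits = defaultdict(Counter)
    for row in rows:
        for column, value in row.items():
            for label in detect(str(value)):
                hits[column][label] += 1
    return {column: dict(counts) for column, counts in hits.items()}

# Constructed rows; card values are publicly documented test numbers, not real accounts.
ROWS = [
    {"id": "1001", "contact": "a.lee@example.com", "pan": "4111 1111 1111 1111",
     "ref": "1234567890123456", "note": "call back"},
    {"id": "1002", "contact": "j.ortiz@example.org", "pan": "5555-5555-5555-4444",
     "ref": "1234567890123457", "note": "card 4111111111111111 on file"},
    {"id": "1003", "contact": "m.chen@example.net", "pan": "4012888888881881",
     "ref": "9999000011112222", "note": "none"},
]
```

On the sample rows, the free-text `note` column is flagged because one row embeds a card number, while the numeric `ref` column is not.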
What you can do to mitigate the risks to your organization
The short answer is: first make sure you can see the data, then you can protect it and all the paths to it. This means protecting the organization’s websites, mobile apps, and APIs from automated attacks without affecting the flow of business-critical traffic. It must also defend against DDoS injections and account takeovers outside of the network core. It also means providing your business applications with comprehensive defense-in-depth with web application firewalls (WAFs), bot management, and runtime and API protection. More importantly, it means having the ability to discover and mark sensitive personal data as well as enrich and correlate the data to provide accurate behavioral analysis for threat prevention and mitigation. This allows you to automate the extension of your security controls to all your data (on-premises and cloud, current and archived) to ensure compliance reporting, governance and security continuity for all sources of data.
*** This is a syndicated blog from the Security Bloggers Blog Network written by Terry Ray. Read the original post at: https://www.imperva.com/blog/financial-services-web-application-attacks-grow-by-38-in-first-half-of-2021/