Gaetano Ziri, Software Engineer at Auriga, discusses how financial institutions are up to 300 times more likely to suffer a ransomware attack, and advises on how to prevent this.
Remote working resulted in the increase of distributed endpoints, from laptops to smartphones to Internet of Things (IoT) devices, which pose a constant security risk to both individuals and financial institutions – these act as ideal “entry points” for cybercriminals. They send phishing emails or malicious attachments to bank employees, targeting any device that can be manipulated to gain access to the entire network. Endpoints are the first point of a cyber-attack and create an attack surface for further malicious activities. Financial institutions must therefore be aware of and implement preventative measures against these potential cyber risks, as they are prime targets for a litany of attacks including ransomware due to the vast quantities of confidential data relating to its customers and employees. In effect, ransomware blocks access to infected endpoint resources unless the ransom is paid.
In fact, the offensive against the financial sector has intensified in the last year because of the pandemic. Palo Alto Networks’ research arm, Unit 42, revealed that cybercriminals across USA, Canada, and Europe are making and demanding more money than ever. There has been a 171% year-over-year increase in the average ransom paid for organizations from US$115,123 in 2019 to $312,493 in 2020. With the highest ransom paid by an organization doubling from $5mn (2019) to $10mn (2020). Between 2015 and 2019, the highest ransomware demand was $15mn, but this figure jumped to $30 million last year. Both the European Central Bank and the International Monetary Fund (IMF) have noted this increase in cyber-attacks aimed at financial institutions. Even if no serious security breaches have been opened, the losses of the institutions already amount to several million euros in the last year alone.
Standalone solutions aren’t enough
To circumvent such attacks, financial institutions must act now and enhance their operational resilience. Ransomware has evolved into a ‘service offering’ known as Ransomware-as-a-Service (RaaS) that enables cybercriminals, that are unfamiliar with malware development, to outsource this skill and deploy an attack with relative ease. Essentially, it is a subscription-based model that enables affiliates to use already-developed tools to carry out attacks. Unfortunately, there are still too many financial institutions relying on standalone solutions, instead of consolidating several. A variety of protection mechanisms on a single platform are now essential including:
- Application whitelisting: this layer prevents the execution of malware or unauthorized software by defining a whitelist of processes that can be executed on the ATM
- Full encryption of all hard disks and media: without this protection mechanism, cybercriminals can steal hardware or reconstruct products through reverse engineering, which allows them to inject malware onto the hard disk and then replace it at another bank branch.
- File system integrity protection: this prevents any attempt to modify a critical file for anyone unless the process of software updates is already predefined.
- Hardware protection: it prevents the connection of fraudulent hardware and blocks devices that are not included in the whitelist.
- Firewall and use of best practices to prevent network attacks.
Building a wall of protection
Network segmentation is a good defense strategy to prevent network-based attacks on ATMs, it divides the corporate network into different areas that are only partially networked or not networked at all. It is mission-critical to ensure that only legitimate traffic is allowed through to critical resources. In this case, the ATM network should be separated from the rest of the corporate IT network, reducing the risk to this part of the environment. While network segmentation is not a new concept, it is rising in popularity and gaining traction among banks. The trend is to segment internal networks to prevent extraneous traffic.
Other effective solutions include artificial intelligence and machine learning, which are playing an increasing role in cybersecurity to detect attacks at an early stage. Various security tools analyze data from millions of cyber incidents and use it to determine potential threats. With network traffic analysis, an employee account behaving strangely (from clicking on a potential phishing email or a new variant of malware) can be more easily identified. Emerging issues are immediately detected and blocked by AI and ML, stopping the cyber-attack in its track before it can even negatively impact business operations.
Machine learning tools are valuable for fraud prevention, and most experts would agree that it has become essential for mitigating cybercrime. On a high level, detecting fraud is about learning the difference between normal spending behaviors and unusual, fraudulent purchases. With machine learning, the technology can analyze all available data and educate itself on the difference between an honest transaction and a fraudulent one.
Financial institutions can also consider whitelisting to allow controlled access to system resources. For example, if a customer provides personal information during a video call or remote consultation, the USB ports of the operator’s workstation should be locked to prevent the video file from being stored on an external device.
Organizations must find new ways to use their existing resources more effectively. This can be done in several ways:
- Automating more processes to identify and respond to issues in real time before they impact business operations.
- Equalizing workloads based on broader threat analysis, with a particular focus on, for example, data leaks or introduced malware.
- Breaking down silos by introducing advanced self-service platforms.
- Consolidating activities, for example through an effective cybersecurity strategy with proactive device monitoring to maintain service availability.
- Don’t pay the ransom: Rubrik’s Zero Trust Data Management
- Ransomware surges in, and the data floods out
- Build these five habits to reduce the risk of ransomware
- Kaspersky’s top six tips to avoid ransomware attacks
To increase the cybersecurity of ATMs, assisted self-service terminals of a bank, and endpoints one should not rely solely on standard anti-virus and anti-malware programs, but also look towards advanced technology. Financial institutions should invest in comprehensive, channel-integrating end-to-end solutions, this way, the ATM no longer counts as a separate silo but part of an omnichannel. This ensures all centralized ATM security operations are on a single platform, with minimal impact on device performance. When financial institutions address the threat situation and adapt their processes, they make a valuable contribution that ultimately protects not only the financial institution but also customers from harm. Cybersecurity is a long-term investment and organizations must continue to teach customers and employees how to identify potential threats through training, education, and awareness programs.