Banks struggle to defend against internal attacks
A new study from vulnerability assessment specialist Positive Technologies shows that banks have built up strong defenses against external attacks but still struggle with internal threats.
Whether they get in through social engineering, vulnerabilities in web applications, or the help of insiders, once attackers reach a bank's internal network they often find it secured no better than the networks of companies in other industries.
With access to the internal network of client banks, Positive Technologies testers succeeded in obtaining access to financial applications in 58 percent of cases. At 25 percent of banks, they were able to compromise the workstations used for ATM management -- in other words, these banks fell prey to techniques similar to ones used by Cobalt and other cybercriminal gangs in actual attacks.
Moving money to criminal-controlled accounts via interbank transfers, a favorite method of the Lazarus and MoneyTaker groups, was possible at 17 percent of tested banks. Card processing systems were poorly defended at another 17 percent of banks, which would let attackers manipulate the balances of card accounts; such attacks were recorded in early 2017 against banks in Eastern Europe. The Carbanak group, notorious for its ability to attack nearly any banking application, would have been able to steal funds from over half of the tested banks. On average, an attacker who reaches a bank's internal network needs only four steps to gain access to key banking systems.
Banks do a better job than other companies of protecting their network perimeter. Over the last three years, penetration testers gained access to the internal network at 58 percent of all clients but at only 22 percent of banks, though that is still a worrying figure. The biggest risk is remote access: SSH and Telnet services are exposed on the network perimeter of over half of banks, and protocols for file server access were found on the perimeter of 42 percent of banks.
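The perimeter exposure described above is easy to check against your own external scan. The following Python script is an added illustration, not code from the Positive Technologies study or report: it parses nmap's grepable output (`-oG`) and flags the service classes the study singles out (SSH and Telnet for remote access; FTP, SMB and NFS for file server access), then reports what share of scanned hosts exposes each class, in the same per-target terms the study uses. The scan text is constructed, and the grouping of services into risk classes is this example's own assumption.

```python
import re
from collections import defaultdict

# Services the study calls out on bank perimeters: remote administration
# (SSH, Telnet) and file-server access (FTP, SMB, NFS). Grouping them into
# two risk classes is this example's assumption, not the study's wording.
RISK_BY_SERVICE = {
    "ssh": "remote access",
    "telnet": "remote access",
    "ftp": "file server access",
    "microsoft-ds": "file server access",
    "netbios-ssn": "file server access",
    "nfs": "file server access",
}
# Fallback when nmap did not name the service (e.g. scan run without -sV).
SERVICE_BY_PORT = {22: "ssh", 23: "telnet", 21: "ftp",
                   445: "microsoft-ds", 139: "netbios-ssn", 2049: "nfs"}
# Protocols that also carry credentials in cleartext; worth a separate flag.
CLEARTEXT = {"telnet", "ftp"}

HOST_LINE = re.compile(r"^Host:\s+(\S+)", re.MULTILINE)


def parse_grepable(text):
    """Parse nmap -oG output into a list of open-port records.

    Each 'Host:' line holds tab-separated 'Key: value' fields. The 'Ports'
    field lists entries 'port/state/proto/owner/service/rpcinfo/version/'
    separated by ', ' (this parser assumes no ', ' inside version strings).
    """
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):
            key, sep, value = chunk.partition(": ")
            if sep:
                fields[key] = value
        if "Ports" not in fields:
            continue  # status-only line ("Host: ... Status: Up")
        host = fields["Host"].split()[0]  # IP; hostname follows in parentheses
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry, skip rather than guess
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state != "open":
                continue  # filtered/closed ports are not perimeter exposure
            service = service or SERVICE_BY_PORT.get(port, "")
            records.append({"host": host, "port": port, "proto": proto,
                            "service": service, "version": parts[6]})
    return records


def perimeter_findings(text):
    """Return (host, port, service, risk_class, cleartext) for each risky open service."""
    findings = []
    for r in parse_grepable(text):
        risk = RISK_BY_SERVICE.get(r["service"])
        if risk is None:
            continue
        findings.append((r["host"], r["port"], r["service"], risk,
                         r["service"] in CLEARTEXT))
    return findings


def exposure_rate(text):
    """Share of scanned hosts exposing each risk class (hosts counted from all Host: lines)."""
    hosts = set(HOST_LINE.findall(text))
    if not hosts:
        return {}
    exposed = defaultdict(set)
    for host, _port, _service, risk, _cleartext in perimeter_findings(text):
        exposed[risk].add(host)
    return {risk: len(h) / len(hosts) for risk, h in exposed.items()}


# Constructed sample in nmap -oG format; these are documentation addresses, not real scan results.
SAMPLE_SCAN = "\n".join([
    "# Nmap 7.93 scan initiated (constructed sample)",
    "Host: 203.0.113.10 (vpn.bank.example)\tStatus: Up",
    "Host: 203.0.113.10 (vpn.bank.example)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https///\tIgnored State: closed (998)",
    "Host: 203.0.113.11 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (997)",
    "Host: 203.0.113.12 (www.bank.example)\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)",
    "# Nmap done",
])

if __name__ == "__main__":
    for host, port, service, risk, cleartext in perimeter_findings(SAMPLE_SCAN):
        flag = " (cleartext credentials)" if cleartext else ""
        print(f"{host}:{port} {service} -> {risk}{flag}")
    for risk, rate in exposure_rate(SAMPLE_SCAN).items():
        print(f"{risk}: {rate:.0%} of scanned hosts")
```

Run it against a real `nmap -sS -sV -oG perimeter.gnmap <your external ranges>` export by reading the file in place of `SAMPLE_SCAN`; the filtered SSH port on the third host is deliberately excluded, since only open services count as exposure.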
All banks tested were found to have weak password policies on their internal networks. Users had set weak passwords on roughly half of systems. Even more often, testers encountered default accounts left behind after administrative tasks such as installing databases, web servers, and operating systems.
"The good news is that it's possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken," says Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies. "Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions. It's critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations center."
You can read more about the results on the Positive Technologies website.