The financial sector encompasses a broad range of businesses providing exceptional value and deep confidence in the world’s economy. Currently the major shift in business is toward providing cost effective ways to improve business output and performance and deliver resilient, innovative products and service with enhanced user experience to meet the customer demands while retaining loyalty and trust. As organizations transcend their services for deriving business value, they are navigating a landscape full of challenges.

Corporate, business and technology innovations to spur growth and cut costs are leading to higher levels of cyber risk. As per PWC’s Global Economic Crime Survey, cybercrimes are one of the most reported economic crimes, with financial institutions being the prime targets. The cyber security landscape, especially for financial institutions, is evolving day by day in volume, sophistication and impact, with multiple advanced attack vectors.

Threats to financial institutions are existential, complex and difficult to manage over the long run. This combined with the complexities (and scale) of specialized applications, diverse technology mapping creates an ecosystem of business full of complex threat vectors which attract multiple cyber adversaries.

Shape

These threat actors exploit weaknesses which primarily arise from:

  • Corporate restructuring (including mergers / acquisitions)
  • New applications and mobility tools
  • New sourcing and supply chain models
  • Embracing latest technologies for increasing efficiency and cost reduction
  • New customer service and sales models

Deloitte found that in the financial services sector, 88% of attacks are successful in less than a day, but only 21% are discovered within a day.

In the past, financial institutions have installed comprehensive threat monitoring solutions for detecting potential destructive attack vectors or frauds which would result in loss of client / investor confidence. This is no longer enough.

Financial institutions today require professionals with such cyber security skill sets, who have clear knowledge of multiple types of threats and who can identify indicators of compromise (IOC) patterns across multiple assets in the organization. This would help the institutions better predict cyber threat campaigns in progress with advanced threat intelligence and monitoring.

Advanced Cyber Security Threats

Intel Security recently released a report in which, as per their analysis, 82% of respondents reported a shortage of cyber security skills, with more than 71% of respondents who reported this shortage in cyber security skills having direct and measurable damage. As per 2016 Financial Industry report by Secure Scorecard, they detected malware in nearly half of the largest 20 US Commercial banks.

Following are the key specific findings which were identified across the financial institutions.

  • Generic Malware was found in 15 out of 20 commercial banks
  • Ponyloader was found in 14 out of 20 commercial banks
  • Vertexnet was found in 9 out of 20 commercial banks
  • Keybase was found in 8 out of 20 commercial banks
  • Malware events were detected across all 20 commercial banks over the past 365 days
  • Over 422 malware events was detected in just one of the commercial banks over the past year
  • A total of 788 malware events were detected in all 20 commercial banks over the past 365 days

Listed below are some of the leading cyber security threat categories which are potential attack vectors for financial institutions:

  • Targeted attacks
  • Drive-by downloads
  • Information Leakage
  • Worms/ Trojans
  • Code Injection Attacks
  • Exploit Kits
  • Botnets
  • Physical damage, Theft
  • Denial of Service
  • Phishing
  • Spam
  • Identity theft / fraud
  • Ransomware / Scareware
  • Data Breaches
  • Watering Hole

Such cyber security events lead to data breaches, and data breaches lead to identity theft, which is then used to hack into accounts of customers. These fraudulent activities cannot be generally detected as they are viewed by the system as authentic transactions. Thus, a lack of effective cyber security skills has left industries open to attacks resulting in reputation damage and data loss.

Cyber adversaries generally gather open source intelligence in order to generate schemes and methodologies for carrying out well-planned attacks in order to achieve their goals. The following flow illustrates an attack sequence pattern generally observed in financial industry captured by security analysts to identify the lifecycle of an attack.

Figure 1 Illustrative flow of Cyber Security attacks

Current threat detection and response capabilities are primarily challenged by:

  • The speed and intensity of attack
  • Significant delays in discovering attacks
  • Longer restoration times per attack

Cyber Security and Threat Intelligence are one of the key major footsteps towards identifying such indicators of compromise and mitigating cyber security threats across the financial sector. Fundamentally, it signifies identifying and analyzing comprehensive traffic to find security outliers. With cyber security experience in the domain and skills gained through cyber security certifications including CISSP the following threat intelligence categories would support to define a coherent threat intelligence model.

  • Vulnerabilities and Exploits
    • Zero-day vulnerabilities
    • Exploit Kits
  • APT campaigns
    • Targeted attack patterns
    • Threat actors involved
    • Threat tactics, tools and malware
    • Vulnerabilities Exploited
    • Geographical region targeted
    • Profiles of the affected victims
  • Cyber Security Incidents
    • Data Breaches
    • Identity and financial thefts
    • Infiltration and Exfiltration attempts
  • Malware activity and Traffic analysis
    • Latest malware proliferation
    • Infected platforms
    • Signatures and Hashes
    • Malware Authors
    • Source code
    • Geographical Expanse
    • Botnet and DDoS activity
    • Command and Control servers
  • Underground Forums and IRC Channels
    • Discussions on hacking, malware
    • Identity data disclosure, doxes
    • Posts on Malware and Exploit kits
    • Sale of Identity and Financial data
    • Emerging Cybercrime-as-a-service groups
  • Social Engineering and Phishing Campaigns
    • Ongoing Phishing and spam campaigns
    • Geographical regions
    • Spear-Phishing Emails
    • Phishing domains

Also, because of the leap-frog nature of new advanced persistent threats (APTs) and countermeasures, cyber security is an ongoing battle that should be seen as part of the cost of doing business with financial institutions.

Need for skilled cyber security resources

Financial institutions, primarily banks, are the prime targets amongst all corporations that handle sensitive data, since financial data is most sought after by hackers. As cyber risks grow across this sector, the supply of qualified cyber security professionals is stretched thin among corporations, governments and hacking organizations.

The demand growth for cyber security professionals has been so high and from so many varied sources that the number of qualified professionals available cannot satisfy it. Corporations are recruiting certified cyber professionals to prevent (or conduct) corporate espionage and hacking and to enable the companies’ cyber security measures.

Developed countries have put a lot of resources into state sponsored cyber security and cyber warfare. They are also attracting the best of the talent, owing to the complexity of the security measures needed. Accountancy and consultancy firms have also joined in, as they set up IT advisory services, the recruitment of experienced and certified cyber security professionals into a consulting or advisory role is paramount.

Classic Example: Breach at Barclays Bank

  • The attack on Barclays is a reminder that, despite heavy investment in IT risk management, banks are still very vulnerable to cyber-attacks. In the breach, the attackers got customer’s personally identifiable information and personal health information such as their names, phone numbers, passport numbers, mortgages, savings, medical information etc.
  • Data breach had put Barclays under investigation by the Financial Conduct Authority (FCA) and the Information Commissioner’s Office, which has the potential to impose fines on organizations for failing to protect private data.

Importance of CISSP in financial sector 

The CISSP is one of the most eminent cyber security certification which covers the subject matter in multiple information security topics. The examination is based on what (ISC)² terms the Common Body of Knowledge (or CBK). According to (ISC)², “the CISSP CBK is a taxonomy – a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding”.

The latest curriculum of CISSP is divided into eight key domains:

  1. Security and Risk Management
  2. Asset Security
  3. Security Engineering
  4. Communications and Network Security
  5. Identity and Access Management
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

As high-profile security breaches continue to dominate headlines, companies are doubling down on pay to hire the best certified and the brightest cyber security professionals.

The marketplace is demanding more certifications in the niche of cyber security with the importance of strong project management discipline in securing assets from all the perspective. Getting certified in CISSP is a good indicator that a person has been able to understand the breadth and depth of security concepts, and they are the right person to implement and execute a security project in every other organization.

If anyone’s looking to get ahead in the niche of cyber security, then being certified in CISSP is vital to fuel a successful IT security career.  It makes technology professionals with a couple of years of experience more likely to demonstrate their skills against multiple threat vectors and reduce the impact of the threats to business.

With the emergence of new mediums in business, including mobile, social, cloud big data and analytics, the technologies and processes deployed by business are so tightly coupled with the customers and markets that even any minute security threat can have a magnified impact on businesses.

CISSP and Cyber Security Threats in the Financial Sector

To increase security detection and prevention capabilities across financial business units, organizations must seek to maximize the skill of their employees by leveraging a customized training program and security certification path, as per the role of the security team members from analysts to senior directors. Employers that leverage CISSP as a qualification for a cyber-security manager position can be more confident in the skills of the employee and their understanding of evolving threats and priorities.

CISSP certified professional will have the clarity of concepts and adequate experience to identify the threat landscape for a complex environments across the financial sector. They will be more aware of the security challenges corresponding to various technologies and in a position to identify preventive measures against identified threats.

Having a Certified CISSP assists in having:

  1. Improved IT security operations: CISSP improves in defining and optimizing the security strategy for applications and infrastructure, so users and customers experience less security challenges and incidents – increasing the user experience.
  2. Security Effectiveness: Security response is a competitive differentiator for any business and is strategic to the business. Agile response to security requirements allows organizations to react quickly to incidents in the financial ecosystem.
  3. System Resilience: CISSP helps in planning for security management to avoid prolonged security outages, minimizing service level recovery time.
  4. Optimized Security Operations: CISSP helps to understand and build a Security Operations Center team, which can help to constantly monitor the security risk indicators for the physical infrastructure and maximizing the productivity of all the security solutions and its usage to the environment. It also helps to increase the efficacy of security staff across segregated areas to improve the potential for identifying risks and security improvements across key business zones.

Without the combination of a skilled, certified manager and risk management experience, securing infrastructure, applications and enterprise risk implementations across the businesses are unreliable and generally tend to fail.

How CISSP can be used in the financial sector

CISSP holders can create more specific cyber security strategies and maturity roadmaps for  organizations handling more complex cyber security challenges. Certified cyber security professionals spend generally less time than non-certified professionals and even provide a higher degree of security resolution.

With CISSP, a cyber-security professional can:

  • Evolve and align the Cyber Security Program with the business continuity objectives
  • Manage cyber readiness and preparation processes at all levels of the organization across all security areas
  • Advance cyber security analytics and monitoring solutions to provide the threat analysis and business context to enable rapid response
  • Transcend intelligence, surveillance, and brand monitoring capabilities to reduce exposure and threat profiles
  • Identify and detect breaches and define secure code development parameters to provide focused managed threat solutions
  • Define a strategy around threat response, containment, and eradication – including cyber takedown, recovery, and forensics

Figure 2 Cyber Security Threat Detection Maturity Model

Today financial institutions and businesses are challenged to defend their environment due to lack of cyber security talent. As per the Intel Security key findings, one in three say a shortage of skills makes their organizations more desirable hacking targets. One in four say insufficient cyber security staff strength has damaged their organization’s reputation and led directly to the loss of proprietary data through cyber-attack. A robust security strategy requires a skilled workforce and CISSP adds value to the overall equation, especially for financial institutions.

 

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

Earn your CISSP the first time with InfoSec Institute and pass your exam, GUARANTEED!

Section Guide

Ryan
Fahey

View more articles from Ryan