Risk Management

11:05 AM
Julie Conroy, Aite Group
Julie Conroy, Aite Group
Commentary
50%
50%

Cyber Threats: Multiplying Like Tribbles

As cyber threats grow at a rapid pace, financial firms need to enhance and adapt a multilayered defensive strategy.

Zeus, OddJob, Gozi-Prinimalka, Citadel. These are just a few of the thousands of known threats. The ever-growing variety of malware actively targeting banks and their customers is having a marked impact on the financial services industry. The malware, which consists of sophisticated, evolving pieces of software designed to compromise online credentials, is deployed by international organized criminal rings that are nimble, innovative and constantly transforming their attacks on financial institutions (FIs) and their customers.


Cybercrime On The StreetWall Street & Technology's July/August 2013 digital issue examines the complex world of cybersecurity. As threats from hacktivists, organized criminal rings and state-sponsored online terrorism grow, financial firms need to remain vigilant while continuing to evolve their methods of threat detection. To read more, download our July/August 2013 digital issue now.

Cyber threats are growing at a frightening pace, with more than 150,000 new strains of malware deployed per day. Add to this the increasing effectiveness of distributed denial-of-service attacks, brute-force attacks and the never-ending threat of corporate espionage backed by nation-states, and it all equals a daunting challenge for FI information security professionals.

Layered Approach

In the face of this threat environment, FIs and their customers need to be more vigilant than ever and continue to deploy their own innovative techniques to protect their financial information. Session- and perimeter-based security is no longer sufficient. Regulators advocate multiple layers of security, a strategy that's already in use at many financial institutions. This approach combines a number of complementary technologies that protect against the wide variety of attack vectors. Because the bad guys have proved adept at compromising in-progress Web sessions, security must take a holistic approach, securing not only the session but also the transaction and the network.

Considering the extent to which cybercriminals study their targets and the pace with which the cyber threats are evolving, financial institutions need to be equally responsive in their defensive strategies. And since the bad guys don't need to make business cases to justify their innovations -- while the good guys at the banks generally do -- it's doubly important that FIs place their bets with the most effective technologies as they develop and evolve their layered defense. Here are a few recommendations:

  • Don't put all your eggs in one basket. Cybercriminals have proved adept at bypassing virtually every form of online fraud mitigation and authentication when deployed as a single point solution. To be effective in the war against cybercriminals, FIs need to adopt a layered approach that protects not only the session but also the transaction itself.

  • Multifactor is still a good bet. For application-level security, multifactor authentication is still a safe bet, but the approach has necessarily come a long way from the early days when multifactor authentication simply consisted of a few challenge questions. Now multifactor also implies multiple channels, blending online and mobile communication, and doing so in a secure manner that isn't susceptible to known forms of compromise.

  • Continue to perform ongoing risk assessments. It's important to stay abreast of the latest malware capabilities and understand how current defenses can (or cannot) be effective against them.

  • Include the ability to detect and interdict anomalous transactions. There are often behavioral clues in the fraudulent transaction, whether it's the transaction size, the timing of the transaction or the way in which the site navigation is being performed. This is applicable for client-facing transactions as well as internal ones.

[10 Financial Services Cyber Security Trends for 2013]

The most important thing to remember is that when it comes to cyber threat mitigation, there is no destination. There's little disincentive for the bad guys and a vast pool of funds fueling their innovation. It is incumbent upon financial institutions to be equally nimble and innovative in their efforts to protect themselves and their clients.

Julie Conroy is a research director for Aite Group's Retail Banking practice and covers fraud, data security, anti-money laundering and compliance issues.

More Commentary
A Wild Ride Comes to an End
Covering the financial services technology space for the past 15 years has been a thrilling ride with many ups as downs.
The End of an Era: Farewell to an Icon
After more than two decades of writing for Wall Street & Technology, I am leaving the media brand. It's time to reflect on our mutual history and the road ahead.
Beyond Bitcoin: Why Counterparty Has Won Support From Overstock's Chairman
The combined excitement over the currency and the Blockchain has kept the market capitalization above $4 billion for more than a year. This has attracted both imitators and innovators.
Asset Managers Set Sights on Defragmenting Back-Office Data
Defragmenting back-office data and technology will be a top focus for asset managers in 2015.
4 Mobile Security Predictions for 2015
As we look ahead, mobility is the perfect breeding ground for attacks in 2015.
Register for Wall Street & Technology Newsletters
Video
Inside Abel Noser's Trading Floor
Inside Abel Noser's Trading Floor
Advanced Trading takes you on an exclusive tour of Abel Noser's New York trading floor, where the agency broker known for transaction cost analysis, is customizing algorithms for the buy side, while growing its fixed income trading and transitions business.