IT security is a key priority for financial organizations, which realize the serious potential implications of today’s Web-borne threats on their business and on the integrity of their customers’ private information. These sophisticated threats, including the growing phenomenon of targeted attacks aimed at stealing identities or compromising confidential information from a particular system or computer, represent a major challenge as they are nearly impossible to detect using traditional security tools.
Moreover, in terms of regulatory compliance, financial organizations need to be able to prove that they have implemented security measures aimed at protecting data from being stolen, destroyed, or altered via malicious external attacks.
According to the Deloitte Touche Tohmatsu Global Security Survey (June 2006), 72 percent of financial organizations estimated their annual damage from security breaches in the range of $1 million, while 2 percent estimated the damage at over $5 million. Some 82 percent of organizations surveyed experienced security breaches including viruses/worms, phishing/pharming, spyware and social engineering. This is despite the fact that virtually all of these organizations deploy perimeter protection, such as anti-virus software (99 percent) and firewalls (96 percent).
The “silent threat”
The dramatic increase in Web-borne threats, such as spyware, has become a chief concern for network administrators. As technologies continue to develop at a rapid pace and hackers are motivated by monetary gain, attacks are becoming more clever and stealthier in order to avoid detection. Familiar with the workings of traditional security systems such as firewall, anti-virus, and intrusion prevention/detection products, hackers are crafting malicious code and targeted attacks to outsmart such systems.
Today’s sophisticated Web-based threats propagate through silent installations and drive-by downloads, often without end-user awareness. Emerging trends and advanced techniques, such as pharming, remote access Trojans, botnets, and rootkits, as well as targeted attacks, are among the methods being used by hackers to take control of victim computers. Silent Web-based threats can infect networks long before a signature-based anti-virus solution can be updated or a software patch can be installed.
There is big money behind these and other new threats, all of which are based on malicious code.
Spyware/adware is estimated to generate annual revenues in the billions of dollars. Hackers are selling new exploits to criminals rather than disclosing them to vendors who could then release patches. Spyware and trojan SDKs are available for sale, with warranties stipulating that if the vulnerability is patched by the vendor, the hacker will provide a new, unknown one free of charge.
As financial institutions increasingly depend on the Internet for public-facing applications, employee browsing, Web mail and other everyday business activities, their networks and valuable information assets are exposed to these threats on a daily basis.
Magnitude of the threat
Finjan’s Vital Security Web Appliance scanned all content downloaded over a two-week period. The log files were then analyzed by experts from Finjan’s malicious code research center. The results show that over this period, there were a total of 67,916 security policy breaches, of which spyware accounted for 67 percent while behavior-based violations (i.e., malicious scripts and malicious active content) constituted a further 32 percent.
Finjan’s security audit affirms that the most prevalent security threat for financial institutions is spyware. An overwhelming two-thirds of all security policy violations recorded during this audit were related to spyware downloads, attempts to access spyware Web sites or attempts to access Web sites that hide executable spyware.
In light of the results of these security audits, the question should no longer be whether malicious Web-borne content is a real threat, but rather what financial institutions should do to secure their information assets from this significant threat.
The Magic Quadrant (Gartner, February 2005) also highlights the need for new solutions to deal with these types of threats: “Traditional signature-based antivirus products can no longer protect companies from malicious code attacks. Vendors must execute product and business strategies to meet the new market requirements for broader malicious code protection.”
Significant business risk
Banks and financial services companies increasingly leverage the Web to improve customer service, reduce costs and increase productivity. Although the Web provides significant business benefits, increased access to the Web augments security risks and creates the need for control over employees’ Web browsing.
Vulnerabilities in browsers or operating systems, as well as spyware and trojans, can compromise private information — from customer account details to Social Security numbers. Theft or manipulation of this private data can have significant business implications, leading to regulatory or legal action, revenue or profit impact, and loss of trust from customers and business partners.
Banks, credit card companies, insurance firms, and other financial services providers are obligated to protect customer account information and must ensure compliance with regulatory requirements such as the Gramm-Leach-Bliley Act, the European Union Data Protection Directive, Sarbanes-Oxley or the Basel II accord.
As Web-based attacks continue to evolve swiftly, financial organizations require the ability to scan for potential violations on an ongoing basis in order to secure public-facing applications or internal Web browsing. They require Web security solutions that are able to define and enforce a tight security policy, using tools that can proactively identify and block malicious and/or inappropriate content, mitigating the risk and liability associated with theft of intellectual property, confidential information, and customer privacy.
As demonstrated in security audits and confirmed by recent industry reports, spyware and malicious behavior represent the vast majority of security incidents in financial organizations. While reactive security technologies can be effective at detecting known viruses and malicious websites, they were not built to combat the vast majority of today’s dynamic Web-based threats, which consist mainly of spyware and other types of malicious code. As Web technologies continue to evolve, hackers will continue to develop new ways of spreading malicious attacks and exploiting newly discovered vulnerabilities.
In order to address these new types of threats, and to ensure compliance with regulatory requirements, financial organizations have started to upgrade their security strategies. Security-conscious organizations recognize the need for intelligent, proactive security solutions, in particular behavior-based analysis, on top of their traditional security infrastructures.
Such a layered approach allows them to continue to benefit from their existing perimeter security, while adding a proactive layer to safeguard sensitive data from unknown and emerging Web threats. These solutions will allow financial organizations to take full advantage of the Web as a business tool while reducing operational risk associated with security vulnerabilities that can threaten their business continuity.
Yuval Ben-Itzhak is chief technology officer at Finjan Inc., a provider of proactive security solutions based in San Jose, Calif. For more information, visit www.finjan.com.
© Copyright BankNews, November 2006