
BT Advise. Knowledge that delivers

BT Assure Cyber

Cyber Threats and the Financial Sector: Is anybody safe?

Abstract

This paper provides an overview of cyber threats to the financial sector in 2011. The threats are viewed from the perspectives of both retail banking and the financial markets. Countermeasures and solutions are not covered; the focus is on the threats themselves, with the aim of raising risk awareness.

Cyber threats: the changing landscape

The cyber landscape is changing. And not for the better.

The same technology that has revolutionised so many aspects of our lives is proving a fertile breeding ground for unprecedented and unparalleled dangers.

The explosive growth in cyber crime, and the risk of cyber warfare, cannot be underestimated. Or ignored.

Why now?

Today the socio-economic health and security of individual countries, even entire regions, is critically dependent on the internet and its technologies. Face-to-face interaction is no longer the norm. The ways in which people live and work, shop and socialise, are now computerised and networked. Personal details, corporate secrets, financial records, and official government data are all increasingly vulnerable.

Cyber attacks can be simple or sophisticated, take unexpected forms and come from unknown sources. They can be aimed at unsuspecting victims or high profile targets. They can start, and stop, without a trace. Not surprisingly, cyber security has become an imperative across public and private organisations. The challenge is to make information accessible while keeping it safe.

Why the financial sector?

The financial sector is an attractive cyber target. Not only is it lucrative for criminals, it is seen as symbolic by hostile states. Attacks on this sector also generate the wide media coverage sought by many perpetrators. And the figures are staggering. In one prominent case, Heartland Payment Systems, processors of Visa, MasterCard, American Express and Discover Card transactions in the US, were fined $12.6m after their processing systems were breached.

In March of this year, EMC security firm RSA had to replace some 40 million SecurID tokens worldwide, following a hack. In April, two of Sony’s online gaming services were hacked, compromising the confidential data of more than 100 million subscribers. In May, hackers stole personal details from thousands of Citibank customers in the US. In June, the International Monetary Fund (IMF) reported it had fallen prey to a major breach. Who’s next?

Given the frequency, scale and nature of these cyber attacks, and the certainty of more to come, we have chosen the financial sector as the focus of this paper. In particular, we explore the rapidly evolving vulnerabilities affecting retail banking and financial markets.

Threat actors: who they are, what they want

To better understand the threats, we need to understand who is behind them. Towards that end, we have identified three distinct classes of threat actor: the Cyber Criminal, the Cyber Terrorist, and the Hostile State.

The Cyber Criminal is not only the best known but the most established threat actor in the financial sector. After all, criminals traditionally “follow the money”. While they seek out opportunities for fraud across the entire financial sector, their natural target is the retail bank and its customers. It is therefore in the best interest of Cyber Criminals to keep the banks open and operating, lest they kill the goose that lays the golden egg.

Not so the Cyber Terrorist and Hostile State. Rather than pursue financial gain, these threat actors exploit the asymmetric potential of cyber attacks to inflict serious socio-economic disruption. A Cyber Terrorist or Cyber Warfare threat actor is therefore less likely to focus on military or government networks than, say, the financial markets, trading centres and clearing houses, which are easier targets.

Whatever their motivations, many of these actors have the economic and technical resources to do great damage, putting the financial sector very much in the front line. This is the new cyber reality!

Threat Actor                                           | Cyber Criminal / organised crime | Cyber Terrorist / non-state actor | Cyber Warfare / Hostile State actor
Banking – individuals and companies                    | High profile target              | Target                            | Target
Financial Markets – trading platforms, clearing houses | Target                           | High profile target               | High profile target

Table 1 – Different threat actors have different targets, objectives and focus

Cyber Vulnerabilities in the Financial Sector

Figure 1 – Web of Cyber Vulnerabilities - Financial Sector. Nodes shown in the figure: PC based / internet banking; Mobile Computing / Banking (smart phones etc.); Social Networking (Web 2.0); Interbank Networks; Applications - Banking, Trading etc. (including supply chain); Human employees (insider threats); Corporate Network / Data Centres; ATM systems; Human gullibility (customers); Interdependencies (between banks, systems, market traders, aggregation points - e.g. clearing houses); Commercial sensitivities / Legislation, e.g. incident information silos between banks; Payment Processing.

There are many sources of cyber vulnerability in the financial sector, as illustrated in Figure 1. One of the most serious is also the most basic: human frailty. Gullibility is increasingly exploited by opportunists as unsuspecting people move into unfamiliar environments like internet-based social networks, and interact in new ways with banking systems through internet and mobile computing.

To compound the problem, many people carelessly use the same password for most if not all their accounts, e.g. online gaming as well as online banking.

Malicious human behaviour presents another vulnerability, often perpetrated by dissatisfied employees with privileged access to finance systems.

What’s more, different banking systems and applications have their own vulnerabilities, both known and unknown, which can be controlled or subverted by malware (malicious software). Some of these systems and applications reside in central data centres, while others, such as ATM systems, are distributed throughout the world.

The interconnecting networks that provide access to these banking systems and their services also have their own vulnerabilities, for example, susceptibility to malicious traffic flows on the internet.

Card payments represent another vulnerable area, as processes are at risk regardless of the type of card used or whether the transaction is made in person or remotely.

Less obvious vulnerabilities stem from interdependencies between the various players in the financial sector. Banks and associated institutions are intricately intertwined, making them particularly susceptible, as was demonstrated by the recent global financial crisis. Clearing houses, for example, are closely linked to the overall operation of the retail banking sector, so attacking the clearing houses leads to a potentially catastrophic failure.

Many vulnerabilities give threat actors a comfortable head start. For example, there are frequently delays in the sharing of information on cyber attacks due to the commercial sensitivities of individual banks. In addition, valuable time can be lost because of the legal system, as new legislation inevitably takes longer to implement than the frantic pace of change in cyber space.

Each of these vulnerabilities can be exploited by the various threat actors to launch cyber attacks on the financial sector.

Cyber Threats and Retail Banking

To provide an insight into the threats, we examine some of the most popular methods deployed. The names may be new, but many are simply “old” crimes deploying the latest technology.

• Phishing is a classic cyber threat that exploits human gullibility via the internet. It typically involves sending emails pretending to be from the user’s bank to named account holders. The email is designed to leverage fear, uncertainty or greed to entice the recipient to visit a realistic but bogus bank website and part with personal information and banking details. For example, a phishing email might state that a user’s online account has been suspended due to a suspected fraudulent transaction and that to reactivate the account, the user must visit the site by clicking on a link which conveniently appears in the email. The bogus site will feature a copy of the bank’s logo and other familiar trappings, so the user won’t necessarily be suspicious when invited to enter confidential details. While capturing this information, the phishing site may also attempt to infect the user’s PC with some form of malicious software, usually spyware.

• Vishing is phishing carried out via voice messages.

• Smishing is a combination of SMS text messaging and phishing. It exploits human gullibility via mobile computing devices like smartphones. As people use these devices for activities such as mobile banking, they can again be fooled into parting with their personal and banking details. In fact, people are often more trusting of an SMS message than an email that appears to come from their bank, perhaps because they are on the move when receiving the text, and less focused. Malware such as the SpyEye Trojan is a potent example: it phishes online banking users and then sends an SMS message to their mobile phones that claims to be a new digital certificate. It proceeds to obtain Mobile Transaction Authentication Numbers (mTANs), similar to passwords generated by many European banks, to authorise financial transfers online. For the Cyber Criminal, the complexity and diversity of apps now populating mobile computing devices generate vast opportunities to infect the device, making it vulnerable when used for mobile banking transactions. To put this into perspective, as of July, there were 450,000 apps available for the iPhone and iPad series of smart devices, and the number downloaded has passed the 15 billion mark.

• Malware poses a significant cyber threat. It can not only infect customer systems, it can infiltrate the banking systems themselves. As we have seen, there are many easy routes into users’ computers or mobile smart devices associated with phishing and smishing. When the victim is lured to malicious websites, scripts can exploit vulnerabilities in their devices in order to infect them with malware. A prime example of banking malware is Zeus v2.1. This is a very effective cyber weapon that typically operates as part of a malware network, or botnet. It monitors users’ keystrokes, specifically capturing banking details and sending them back to the botnet controller. There are many such botnets in operation. Malware like Zeus is constantly evolving in terms of sophistication and capabilities. The latest v2.1 exploits cryptographic techniques such as digital signatures to protect its integrity as it updates itself over time.

• Spear phishing is a method by which malware infiltrates banking systems. It involves using social networking sites to gather information on bank employees, especially those who may have privileged access to banking systems. These individuals are then phished or smished using messages supposedly from their corporate HR or Security Managers. The result of a successful spear phishing attack is an infected banking system that can be exploited by the bot controller to effect a wire transfer of substantial funds. Clearing house banks have been hit by this type of attack. Malware can also contaminate banking systems in other ways, e.g. ATM systems and corporate systems often have USB ports, allowing employees to use USB sticks that may well be infected, either unwittingly or deliberately.

Malware that steals significant amounts of customer information from a bank’s system is also a major problem. The Cyber Criminal can market this data to other criminals or organised gangs to exploit, whereas those wishing to discredit the bank can simply publish customer details on the web, causing considerable damage to the bank’s reputation.

• Distributed denial of service (DDoS) attacks are one of the most common ways to exploit network vulnerabilities. These typically target a bank’s website and involve botnets directing huge volumes of traffic over the network to try to overload the target website, rendering it unavailable for users.

• Insider threats are not specifically cyber, but the relative ease with which insiders can exploit cyber malware to infect and control banking systems adds to the already significant conventional threat they pose.

The cyber threats posed by one class of threat actor – the Cyber Criminal targeting the retail banking system – are shown in Figure 2.

Figure 2 – Exploitation of cyber vulnerabilities to target Retail Banks (evolving exploitation of vulnerabilities by cyber criminals on retail banking). Vulnerability nodes shown: PC based / internet banking; Mobile Computing / Banking (smart phones etc.); Social Networking (Web 2.0); Interbank Networks; Applications - Banking, Trading etc. (including supply chain); Human employees (insider threats); Corporate Network / Data Centres; ATM systems; Human gullibility (customers); Payment Processing; Interdependencies (between banks, systems, market traders, aggregation points - e.g. clearing houses); Commercial sensitivities / Legislation, e.g. incident information silos between banks. Exploitation methods shown: Phishing; Smishing; Inject malware, Trojans; APTs, spyware; Spear phishing to achieve APT; Legal gaps; Theft of passwords/identities; Malware injection via USB ports, smart cards etc.; Point of Sale (POS) exploits; APTs.

Cyber Threats and Financial Markets

We have looked at the current cyber landscape and the key threats Cyber Criminals pose for retail banking. The Cyber Terrorist and State Actor, however, are more interested in disrupting or destroying the financial markets.

Cyber Terrorists are often dismissed as being interested only in spectacular loss of life events, and State Actors are believed to have too much self-interest in the global financial system to want to damage it. But given the low entry barrier to cyber warfare, due to its asymmetric nature, it is more than likely that various groups of fanatics will eventually target the financial system. The attempt might come from any IT-literate group harbouring strong views against banks or the capitalist system as a whole. It has no doubt already occurred to organised Cyber Criminals that they could use this threat as a form of extortion.

State Actors range from the obvious super powers to small quasi-stable regimes to so-called rogue states like North Korea and Libya. This means the risk of state-sponsored direct or proxy cyber attack may be higher than many believe.

Cyber threats in this context would target functions such as financial exchanges and trading platforms. The “flash crash” of 6 May 2010, for example, saw the Dow Jones Industrial Average plunge some 700 points in minutes. It appears to have been the result of a form of Denial of Service event, not an attack on the network but a flood of buy and sell orders associated with high-frequency trading systems. This traffic slowed down the markets, allowing traders to profit by arbitrage with other exchanges. The potential is clearly there to exploit high-frequency trading systems to stimulate a more significant market crash and/or loss of investor confidence.

A cyber attack can also be designed specifically to destroy investor confidence and thereby disrupt the financial markets. An internet worm capable of significant manipulation of the stock exchanges could potentially achieve these goals, especially if such an attack were synchronised with a viral disinformation campaign created to spook the markets.

Unfortunately, cyber threats do not need to be sophisticated to cause significant devastation. Malware could easily infect systems in a number of exchanges and clearing houses and then simply corrupt the data over time, infecting backup systems in order to disrupt the interbank clearing system, and the trust associated with it. Effective cyber threat modes include the spear phishing of insiders with access to corporate systems, and infecting the IT supply chain.

IT applications and systems provided by third-party suppliers, e.g. of high-frequency trading applications or simple middleware, can also be infected with built-in back doors and/or internet worms that can operate autonomously to cause major disruption. The spear phishing of corporate IT and data centre staff has succeeded on a number of occasions recently, as major corporations such as EMC have found to their cost.

We cited Zeus earlier as a powerful spyware worm successfully targeting the financial sector. Deploying spyware worms for cyber espionage remains an active threat from State Actors. The valuable information these worms gather can be used to manipulate the markets either for financial gain and/or destruction of investor confidence.

There is potential danger from other species of worm as well. There are, for example, worms bred specifically to manipulate, corrupt or destroy critical information in the data centre hubs of major trading platforms and clearing houses.

Internet worms introduced either by insiders or via the IT supply chain can be hard to detect yet are capable of distributing themselves across internal networks and server farms within and between data centres. The sophistication of internet worms and their potential to inflict significant damage is increasing. The latest worms are polymorphic, so they can change their appearance autonomously as they replicate and spread themselves across machines. They are already starting to use encryption techniques to hide their movements and to protect the integrity of their payloads (the virus).

As data centres in the financial sector are high profile targets, they are well protected. However, as discussed, there are still inherent vulnerabilities associated with insider threats and the supply chain that can potentially be exploited by internet worms to launch a cyber attack. These internet worms are evolving rapidly in terms of complexity and diversity.

In the context of the Cyber Terrorist and Cyber Warfare threat actor, we can expect to see more co-ordinated attack scenarios. These could, for example, involve both malware threats and physical attacks on undersea cables, fibre connections to key data centres, and energy grids. There are a number of critical services distributed between primary and secondary data centres that share the same energy grid. Physical attacks on both primary and backup data centres are conventional and anticipated, but co-ordinated cyber attacks on the Supervisory Control and Data Acquisition (SCADA) systems of data centre utilities such as cooling and standby generators are all viable, as demonstrated by the State sponsored Stuxnet malware attack on the SCADA systems associated with Iranian nuclear facilities.

Raising awareness, lowering risks

It seems that today’s threat actors are always one step ahead. They appear to know more about the financial sector than the financial sector knows about them. So what now?

Evidence shows that a coherent, strategic approach to cyber security can improve an organisation’s defences and dramatically reduce risk.

Pro-active monitoring, continuous analysis, and real-time response are just some of the measures that can make a difference.

To find out more, we invite you to contact us at [email protected] or 0800 783 9053. Just don’t leave it too long.

BT and cyber security

BT is totally committed to cyber security. In fact, we are unique in offering both network services and managed cyber security services (CDMS), with capabilities reaching from home hub to top Security Industry Authority (SIA) level. We were named 2010 Number One Managed Security Services IT Outsourcing Partner by Datamonitor.

We have considerable first-hand experience protecting our own networks from a diverse range of cyber threats. We have one of the largest dedicated security and business continuity practices in the world, investing millions of pounds in security-related R&D each year. We’re a key contributor to the Government’s Cyber Security Working Party, and manage security solutions across the UK’s Critical National Infrastructure in collaboration with the Centre for the Protection of National Infrastructure (CPNI). We work closely with the Office of Cyber Security and Information Assurance (OCSIA) and Communications-Electronics Security Group (CESG). We have acquired specialist expertise supporting UK national defence, and have just delivered a cyber defence solution to the MOD.

We have also been serving the financial sector for over 25 years, with 18 of the top 20 high street financial organisations depending on BT’s network. We process 80% of all UK credit card transactions - more than 400,000 per hour. Across Europe, we handle up to 750 Visa debit and credit transactions per second, with 99.99% fault-free connectivity. Our customers include 20 of the top 50 Fortune 500 companies, 80% of the FTSE 100 and 19 of the top 20 UK financial institutions. BT Global Banking & Financial Markets brings together our global teams working across banking, financial markets, insurance, and card services.

In short, we know cyber security. We know the financial sector. So we know we can help.

Sources

http://news.softpedia.com/news/Data-Breach-Cost-Heartland-12-6-Million-So-Far-111098.shtml
http://www.bbc.co.uk/news/technology-13681566
http://www.bbc.co.uk/news/business-13451990
http://www.bbc.co.uk/news/technology-13711528
http://www.bbc.co.uk/news/world-us-canada-13740591

Offices worldwide

The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract.

© British Telecommunications plc 2012

Registered office: 81 Newgate Street, London EC1A 7AJ

Registered in England No: 1800000