Physical Security at Banks Models Best Practices for Cybersecurity

There’s no question – cyber threats are one of the most pressing issues in financial services. According to a report by the Identity Theft Resource Center and the Generali Global Assistance, financial institutions are hit by cyberattacks 300 times more frequently than businesses in other industries, and we’re seeing companies take notice. In fact, in his annual letter this year, JPMorgan Chase CEO Jamie Dimon called cybersecurity the “biggest threat” to the financial services industry and wrote that JPMorgan Chase spends nearly $600 million each year on cybersecurity. 

As the cybersecurity landscape continues to shift, new threats require new solutions. The challenge is how to identify the priority threats, select the solutions that deliver the best ROI and stretch dollars to maximize your organization’s protection. 

So how can you best simplify the decision-making process? Use an analogy. Consider the physical security measures at banks. It makes the perfect analogy, because banks are just like applications or computing environments; both contain valuables that criminals are eager to steal.

1. The first line of defense at a bank is the front door, which is designed to allow people to enter and leave while providing a first layer of defense against thieves. Network firewalls fulfill the same role within the realm of cyber security.
   
   
2. Past the entrance there is often a security guard, which serves as an Intrusion Prevention System (IPS) or anti-malware device. This “security guard,” which is typically anti-malware and/or heuristic-based IPS function, seeks to identify unusual behaviors or other indicators that signal that trouble has entered the bank, such as somebody wearing a ski mask or perhaps carrying a concealed weapon.
   
   
3. Once hackers get past these perimeter security measures, they find themselves at the presentation layer of the application, or in the case of a bank, the teller. There is security here as well. Firstly, authentication (do you have an account) and second, two-factor authentication (an ATM card/security pin). IPS and anti-malware devices work in concert with Security Information and Event Management solutions to serve as security cameras, performing additional security checks. Just like a bank leveraging the FBI’s Most Wanted List, these solutions leverage crowd sourcing and big-data analytics to analyze data from a massive global community and identify bank-robbing malware in advance.
   
   
4. A robber will often demand access to the bank’s vault. In the realm of IT, this is the database, where valuable information such as passwords, credit card or financial transaction information or healthcare data is stored.

As in the physical world, there are several ways of protecting this data, or at the very least, monitoring it. But first, cybersecurity models must adapt to meet future threats. To understand how and why cybersecurity models will need to change, we will review three obstacles financial institutions have to overcome in the near future: advanced distributed denial of service (DDoS) mitigation, encrypted cyber-attacks and DevOps and Agile software development.

Adapting for the Future: DDoS Migration 

A DDoS attack is any cyber-attack that compromises a company’s website or network and impairs the organization’s ability to conduct business. During a DDoS attack, there’s an attempt to stop legitimate visitors from accessing data that’s normally available on a website, accessing private data, vandalizing a site or completely shutting down a service.

During a DDoS attack, attackers flood a network with requests and information by either voluntarily using their own machines  or hijacking machines to use for the attack. For example, when hackers last year targeted Brazilian Bank customers through their IoT devices, these devices were susceptible of being enslaved for DDoS attacks.

This is why banks and financial institutions leverage multiple layers of security: it enables an integrated, redundant defense designed to provide full protection in the unlikely event a bank is robbed. This also includes the ability to quickly and effectively communicate with law enforcement. 

In the world of cybersecurity, multi-layered defense is also essential. Why? Because preparing for “common” DDoS attacks is no longer enough. With the growing online availability of attack tools and services, like IoT devices in the Brazilian Bank example, the pool of possible attacks is larger than ever. 

Inspecting Encrypted Data 

Companies have been encrypting data for well over 20 years. Today, over 50 percent of internet traffic is encrypted, and for good reason – to provide better privacy and security for users. With the availability of free SSL certificates, SSL/TLS encryption is still the most effective way to protect data as it ties the encryption to both the source and destination.

But that doesn’t make it foolproof. As encrypted applications grow more complex, the potential attack surface is larger. Hackers are now leveraging encryption to create new, stealthy attack vectors for malware infection and data exfiltration. 

The equivalent in the banking world is twofold. If someone were to enter a bank wearing a ski mask, that person probably wouldn’t be allowed to conduct a transaction. Secondly, there are often additional security checks when someone enters a bank and requests a large or unique withdrawal.

Dealing with DevOps and Agile Software Development 

Many traditional security solutions today focus on stopping existing threats, but as new applications become more complex, there’s a new set of vulnerabilities that these security solutions haven’t seen before, meaning they can’t adequately protect against them. 

To use our bank analogy again, existing security solutions mean that (ideally), a career criminal carrying a concealed weapon cannot enter a bank and that someone who is acting suspiciously is blocked from making a transaction. However, nothing stops someone with no criminal background or no history of suspicious activity from entering the bank. The bank’s security systems must be updated to look for other indicators that this person could represent a threat.

The key to solving this problem is implementing a web application firewall (WAF) that adapts to evolving threats and applications. A WAF accomplishes this by automatically detecting and protecting new web applications as they are added to the network via automatic policy generation. It should also differentiate between false positives and false negatives.

Why? Because just like a bank, web applications are being accessed both by desired legitimate users and undesired attackers (malignant users whose goal is to harm the application and/or steal data). One of the biggest challenges in protecting web applications is the ability to accurately differentiate between the two and identify and block security threats while not disturbing legitimate traffic.

Today’s technology landscape is constantly changing, especially in the financial services sector where companies are continually looking to new digital technologies for greater efficiency. As you look to implement or upgrade cybersecurity solutions, ensure that these technologies are designed to adapt to the constantly evolving threat landscape and your organization’s operational needs. The safety of your business – and your customers – depends on it.