Under attack: application security risk rises among FIs
September 2021 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
September 2021 Issue
As a result of the exponential rise in cyber threats across the financial system in recent years, increasing numbers of financial institutions (FIs) are investing significant sums in application security in a bid to limit the fallout from a data breach.
Among a raft of vulnerabilities, FI applications, whether legacy, desktop, web, mobile or microservice-based, are susceptible to reverse engineering that can expose sensitive information to malicious actors. Moreover, many applications lack secure storage for cryptographic keys, so an attacker who steals a key can use the application without authorisation. Weak and broken encryption are further risks.
“Web applications and web application programming interfaces (APIs) are surprisingly vulnerable and lead to multiple breaches each year in most FIs,” says Jeff Williams, chief technology officer and co-founder of Contrast Security. “Indeed, they have been the leading cause of breaches for many years as their design makes them easy to attack and hard to secure.
“And web API risk is growing exponentially,” he continues. “Almost all new applications are browser or mobile apps with an API backend. Unfortunately, the lessons we have learned about web app security have not translated well to API security, so we are seeing a re-emergence of basic flaws like injection in the API world.”
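To make the injection point concrete, here is an added example of one API lookup written two ways: a balance-lookup handler as it might sit behind a JSON API, first with request fields interpolated into SQL and then with a parameterised query and a type check. This is not code from the page, from Contrast Security or from any FI; the table, its rows and the hostile request value are constructed, and the SQLite back end, schema and function names are assumptions made for illustration.

```python
"""Added example: one API lookup written two ways. Not code from the page or
from Contrast Security; the table, rows and request values are constructed,
and the SQLite back end and function names are assumptions for illustration."""
import sqlite3


def build_db():
    """Constructed sample data standing in for an accounts service database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "carol", 9000)],
    )
    conn.commit()
    return conn


def get_balance_vulnerable(conn, owner, account_id):
    """The classic API-backend flaw: request fields are interpolated into SQL.

    A JSON body such as {"account_id": "1 OR 1=1"} turns the WHERE clause into
    ... AND id = 1 OR 1=1, which matches every row in the table.
    """
    sql = (
        "SELECT balance FROM accounts "
        f"WHERE owner = '{owner}' AND id = {account_id}"
    )
    return [row[0] for row in conn.execute(sql)]


def get_balance_hardened(conn, owner, account_id):
    """Same lookup with the two controls that close the hole.

    1. Enforce the API contract's type before touching the database.
    2. Bind values as parameters so the driver never parses them as SQL.
    """
    if not isinstance(account_id, int) or isinstance(account_id, bool):
        raise ValueError("account_id must be an integer")
    sql = "SELECT balance FROM accounts WHERE owner = ? AND id = ?"
    return [row[0] for row in conn.execute(sql, (owner, account_id))]


def demo():
    """Run the same hostile request against both handlers."""
    conn = build_db()
    hostile_id = "1 OR 1=1"  # constructed attacker input
    leaked = get_balance_vulnerable(conn, "alice", hostile_id)
    try:
        get_balance_hardened(conn, "alice", hostile_id)
        rejected = False
    except ValueError:
        rejected = True
    legitimate = get_balance_hardened(conn, "alice", 1)
    return {"leaked": leaked, "rejected": rejected, "legitimate": legitimate}


if __name__ == "__main__":
    print(demo())  # {'leaked': [100, 250, 9000], 'rejected': True, 'legitimate': [100]}
```

The hardened version deliberately rejects a string-typed identifier rather than coercing it; if an API contract allows numeric strings, convert with int() and reject on failure before the query is built. Parameter binding is what removes the injection; the type check is the cheap second layer that stops malformed input reaching the database at all.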
In short, because cyber criminals probe applications for vulnerabilities through which to steal data, intellectual property and other sensitive information, application security processes, tools and practices need to protect every kind of application used by internal and external stakeholders, including customers, business partners and employees, against threats throughout the application lifecycle.
Over the past year in particular, cyber threats have intensified, with the majority of FIs experiencing multiple application security incidents. According to a 2021 report by Contrast Security, ‘State of Application Security in Financial Services’, 98 percent of FIs suffered at least three successful attacks during the past 12 months.
Drilling down, the Contrast Security report also reveals that more than half of the organisations surveyed (52 percent) saw 10 or more successful attacks over the past 12 months, with respondents in organisations with more than 15,000 employees estimating the cost of each attack to be $1m or more.
The report also notes that: (i) only 15 percent of organisations said their application security and development tools are fully integrated; (ii) 64 percent stated that application security processes slow release cycles at least some of the time; and (iii) for many survey respondents, each vulnerability takes 10 hours of security team time and 10 hours of developer time to remediate.
Among the many application security risks identified by Contrast Security is the lack of runtime protection. “Most FIs have no idea whether they are being attacked, much less who is attacking, what attack vectors they are using, and what systems are being targeted,” explains Mr Williams. “Runtime protection not only gives them this visibility but can also prevent vulnerabilities from being exploited. It is, quite frankly, insane to put a server on the internet without runtime protection and yet all too common.”
Another key vulnerability is in the use of open-source software (OSS). “It is not that open-source libraries are any more or less full of vulnerabilities than code you write yourself, it is that you have to keep them up to date,” says Mr Williams. “Security researchers often find vulnerabilities in OSS and disclose them. Almost instantly, hackers start scouring the internet to see if any companies are vulnerable.”
In the view of David Maher, executive vice president and chief technology officer at Intertrust Technologies, while some FIs do have security teams and secure processes, cyber criminals are constantly upping the ante. “Attacks are becoming much more sophisticated, frequent and varied,” he observes. “It can be very challenging to ensure sufficient security, especially when the opportunity for financial gain is so apparent.”
Investment priorities
Although application security has historically not been a budget priority, FIs are rapidly waking up to the scope of their cyber vulnerabilities and investing accordingly.
In terms of investment, the Contrast Security survey reveals that only 33 percent of FIs have the capacity to track and close all reported vulnerabilities. At the same time, only 15 percent were confident that their application security tools were fully integrated with their development tools. More positively, however, 75 percent of respondents stated an intention to increase their application security budget in 2021 and beyond.
“FIs clearly have the capability, but it is taking decades of evolution, involving disasters, regulation, competition and new technologies, for them to step up the security of their applications and APIs,” suggests Mr Williams. “It is inevitable, but big changes take time. What is clear, however, is that the current level of insecurity is unsustainable.
“Large FIs have thousands of software applications and more developers than Microsoft,” he continues. “Financials are also the largest consumer of OSS. Ultimately, application security is critical to the future of these businesses, and as applications get more complex, more interconnected, and more critical, the risk goes up exponentially. Our report clearly lays out an untenable situation: the number of vulnerabilities and attacks are simply not sustainable.”
Indeed, the report states that, despite a huge time investment in application security, 67 percent of organisations have 20 or more serious vulnerabilities per application in development and 48 percent have 10 or more serious vulnerabilities per application in production.
Mitigating threats
While application security strategies have yet to fully mature for the majority of FIs and remain a generally low priority, the good news is that the implementation of a modern application security platform can dramatically accelerate their programmes and produce rapid and real improvement in cyber defences.
“If you are building web applications or web APIs – which FIs are – you need to take security seriously,” says Mr Williams. “Work out an initial threat model. Build great defences and use interactive application security testing to verify them continuously. Remember that open-source components come with an obligation to keep them up to date, so build processes around that and use the technology available to you.”
Furthermore, according to Mr Maher, in addition to knowing as much as possible about the threats, defences, vulnerabilities, attacks and breaches they face, FIs can substantially strengthen their security by adopting the strategies outlined below.
First, employ risk analysis, which goes beyond threat analysis. Focus on data and on the consequences of misusing services, both internal and external, rather than only on currently known threats. This can inform a specific ‘security by design’ approach, as well as strategies for tackling threats that are as yet unknown.
Second, implement data governance and permissions at the microservice API level. Whenever an action of any kind is requested, the source must be authenticated and its authority to perform that action checked. The action and the identity that requested it should also be logged.
Third, deploy a set of data flow analysis and monitoring services. Going beyond traditional security information and event management (SIEM), FIs should use strategic design techniques and a microservices architecture to log every relevant event, and apply analytic techniques to understand both normal and anomalous patterns.
Finally, deploy a strategy for automatic notification of anomaly detection. Such a strategy needs to be continuously refined to reduce false positives and to escalate reports of event patterns that are truly suspicious. Strong mitigation countermeasures, such as application protection technologies, including white-box cryptography, are required to protect FI apps.
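The second, third and fourth strategies fit together as one pipeline: authenticate the caller, check a permission for the specific action, log every decision, and run anomaly rules over that log. The following added example shows the pipeline end to end in miniature. It is not code from the page, from Intertrust or from any FI; the shared secret, token format, policy table, addresses and traffic are all constructed for illustration, and the detection rule (too many failed requests from one actor inside a sliding time window) is one simple choice among many.

```python
"""Added example, not code from the page, Intertrust or any FI: a minimal
microservice-style request handler that authenticates the caller, checks a
per-action permission, records every decision as a structured log event, and
then applies one anomaly rule to that log. The shared secret, token format,
policy table and traffic are all constructed for illustration."""
import hashlib
import hmac
from collections import defaultdict

# Assumption: a single HMAC key shared with the service that issues tokens.
SECRET = b"demo-only-shared-secret"

# Constructed policy: which (service, action) pairs each principal may invoke.
POLICY = {
    "alice": {("accounts", "read")},
    "batch-svc": {("accounts", "read"), ("payments", "create")},
}


def issue_token(principal):
    """Assumed token format '<principal>.<hex HMAC-SHA256>'; stands in for a real auth service."""
    mac = hmac.new(SECRET, principal.encode(), hashlib.sha256).hexdigest()
    return f"{principal}.{mac}"


def authenticate(token):
    """Return the principal if the token's MAC verifies, otherwise None."""
    try:
        principal, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, principal.encode(), hashlib.sha256).hexdigest()
    return principal if hmac.compare_digest(mac, expected) else None


def handle(request, log):
    """Authenticate, authorise and log. Denials are logged as carefully as allows."""
    principal = authenticate(request.get("token", ""))
    key = (request["service"], request["action"])
    if principal is None:
        decision = "unauthenticated"
    elif key in POLICY.get(principal, set()):
        decision = "allow"
    else:
        decision = "deny"
    log.append({
        "ts": request["ts"], "principal": principal, "src": request["src"],
        "service": key[0], "action": key[1], "decision": decision,
    })
    return decision


def detect_anomalies(log, window=60, max_failures=3):
    """Flag actors with more than max_failures non-allow decisions inside a sliding window of `window` seconds.

    Unauthenticated traffic has no principal, so it is keyed by source address.
    Returns {actor: highest failure count seen in any one window}.
    """
    failures = defaultdict(list)
    for event in log:
        if event["decision"] != "allow":
            failures[event["principal"] or event["src"]].append(event["ts"])
    flagged = {}
    for actor, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


# Constructed traffic: normal use by two principals, then a forged token retried from one address.
SAMPLE_REQUESTS = [
    {"ts": 0, "src": "10.0.0.5", "token": issue_token("alice"), "service": "accounts", "action": "read"},
    {"ts": 5, "src": "10.0.0.5", "token": issue_token("alice"), "service": "payments", "action": "create"},
    {"ts": 10, "src": "10.0.0.7", "token": issue_token("batch-svc"), "service": "payments", "action": "create"},
] + [
    {"ts": 20 + 5 * i, "src": "10.0.0.9", "token": "alice.deadbeef", "service": "accounts", "action": "read"}
    for i in range(5)
]


def run_demo():
    """Process the sample traffic and return (decisions, anomalies)."""
    log = []
    decisions = [handle(r, log) for r in SAMPLE_REQUESTS]
    return decisions, detect_anomalies(log)


if __name__ == "__main__":
    decisions, anomalies = run_demo()
    print(decisions)   # ['allow', 'deny', 'allow', 'unauthenticated', ...]
    print(anomalies)   # {'10.0.0.9': 5}
```

Alice's single denied payment request is logged but not flagged, while the address replaying a forged token is flagged; `window` and `max_failures` are the knobs that the fourth strategy says must be tuned to keep false positives down. In a real deployment the log entries would be shipped to the SIEM or analytics platform, and the principal would come from an identity provider's signed token rather than a shared HMAC key.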
“The right way forward is to create a combination of culture, teams, process and technology – along with an executive-level mandate – that makes application security a priority,” says Mr Williams. “Try to break down silos between application security and development and create the infrastructure needed to produce security.”
Pandemic impact
The financial services sector has long been a target for cyber criminals, and that activity has accelerated rapidly since the emergence of the coronavirus (COVID-19) pandemic.
“The pandemic led to a number of unprecedented cyber security challenges, not just for FIs but for all organisations and individuals too,” notes Mr Williams. “At the beginning especially, cyber criminals exploited the situation and phishing, ransomware and social engineering all increased. Hackers became increasingly inventive, even launching their own fake COVID-19 websites.
“The shift to remote working had the biggest impact though, as it made FIs more vulnerable,” he continues. “It is harder to protect employees, and therefore the company, when everyone is spread so far apart. The line between the personal and professional is blurred, and people get sloppy with passwords. Moreover, the surge of videoconferencing, remote access and virtual private network services in the home greatly expanded the attack surface that hackers can exploit to enter a network.”
Future threats
While FIs have undoubtedly made great strides in bolstering their application security in recent years, for many, mitigating cyber threats remains very much a work in progress, particularly in a COVID-19 environment. That said, the pandemic has been beneficial in some respects, with FIs becoming aware of how thorough their security measures need to be.
“Cyber threats from criminal gangs around the world are significant and will only grow as the tactics and techniques become more widespread,” forecasts Mr Maher. “This is a serious issue that will get worse before it gets better. Application security posture for FIs has largely risen to meet this challenge, but for institutions focused on the complex details of finance, those security threats should be addressed by dedicated solutions in systems, architecture and countermeasures.”
Moreover, with FIs having experienced at least three successful application exploits in the past year, there is clearly a long way to go. “One thing is for sure: observability is critical to security,” says Mr Williams. “Unfortunately, particularly at the application layer, FIs have almost no visibility into where they are vulnerable, what attackers are doing or even the operation of their own defences.
“We believe that enhancing this visibility is the key to both creating more secure software as well as protecting it against cyber attacks,” he adds. “If FIs focus on this, then they are taking a step in the right direction.”
© Financier Worldwide
By Fraser Tennant