Even before Covid-19 shut down thousands of branches and forced banking customers and employees to conduct business with each other entirely remotely, banking was on a multiyear digital transformation journey, driven by changes in customer preferences, increased competition, complex regulation, and artificial intelligence. The pandemic has only increased the urgency of banks’ transformation efforts, as customers suddenly demand digital options at an unprecedented scale.
Rapidly digitizing customer information, processes, services, and interactions is no longer a means of mere convenience or operational efficiency. Now, it’s a matter of survival. Banks that demonstrate the ability to respond quickly and effectively will stand out and reap enormous rewards, while those that falter in this moment will struggle to regain their footing.
But accelerating digitization creates a new challenge: securing an ever-expanding array of networks, applications, and other novel technologies while addressing the need for speedy deployment. The security of open banking APIs, cloud-native technologies, advanced analytics, and other critical components of every bank’s digital strategy must be rigorously tested and hardened to avoid costly lapses that could damage an institution’s reputation, and lead to massive regulatory and legal costs.
Security and regulatory challenges
Rapidly transforming processes and systems to support fully digital and secure customer interactions is never easy. Digitization frequently requires cloud deployments, cognitive computing analytics, and data provenance across IT systems — all of which must be secured.
Then, there’s the inherently sensitive nature of the data banks possess. Personally Identifiable Information (PII) like a customer’s address, phone number, and social security number plus a range of highly specific data about customers’ personal finances and assets can prove disastrous if they fall into the hands of a hacker.
The compliance complexities in this environment are more formidable than in other industries, mainly because of numerous regulations that apply to financial institutions, from Dodd-Frank to AML, KYC, the Bank Secrecy Act, as well as non-industry specific rules such as PCI, CCPA, and many more.
Incorporating security testing into your strategy
Security testing should be a fundamental component of any digital transformation, especially as migration to the cloud requires ongoing assessments to ensure security requirements are met. Without this assurance, the risks inherent in digital transformation can end up reducing the value-added to the business.
After all, as quickly as banks expand digital services to address customer demand, attackers move just as quickly to understand the new landscape, identify vulnerabilities, design attacks, and access sensitive information.
The good news is, building security into a transformation plan from the beginning actually supports the goal of rapid digitization. Best in class approaches include regular comprehensive analyses of security weaknesses, and execution of fixes on an ongoing basis throughout the creation, development, and expansion of a digital platform. These approaches include continuous penetration testing as new features and capabilities are added, as well as broader red team exercises to gauge a bank’s ability to detect and resist real-world attacks. Employing these strategies, banks can still move at the speed of business and prevent the setbacks and liabilities associated with data breaches.
Cloud services, when integrated thoughtfully, facilitate a platform model of banking and accelerate digital transformation. Between the shared responsibility model for security, the options for both private and public cloud services, and the fact that cloud providers like Google, Amazon, and Microsoft have some of the world’s deepest technological and security resources, it often makes sense for financial institutions to partner with cloud providers to build and deliver new services, both rapidly and at scale.
However, moving to the cloud also requires security to be front of mind every step of the way. Security requirements and secure, efficient cloud architecture are an important part of the design phase, and any process of moving to the cloud also requires validation that controls are working as intended to secure infrastructure and data.
This is imperative because attackers’ methods are evolving in parallel with financial institutions’ infrastructure. That includes the development and usage of new attack techniques designed specifically to take advantage of cloud security weaknesses. The ubiquitous example is the Capital One breach that popularized a technique that uses a Server Side Request Forgery (SSRF) to target the EC2 metadata service and exploit overly broad IAM permissions. The EC2 metadata service is a foundational piece of AWS’s cloud infrastructure, and this breach demonstrates the potential impact an attacker can have by targeting cloud components.
A financial institution that becomes the target of such attacks could not only be exposed to liability and reputational damage, but would likely have to slow its digital program while it reallocates resources to incident response, redesigning services, and testing new implementations.
Fortunately, weaving rigorous penetration testing into a rapid digital transformation program is more manageable now than ever before. The trend toward agile development has begun to transform certain aspects of security delivery, just as it improved the pace of collaboration between software design and DevOps. Both internal security teams and strategic security partners can integrate with development and infrastructure teams, penetration-test new services and features, and provide continuing confidence that security controls are functioning the way they need to be without slowing down deployments.
As rapidly as banks are transforming, attackers are working just as hard to stay ahead. Sophisticated attackers are not limited by individual services or scope definitions; because of this, penetration testing is necessary, but not sufficient for a mature security testing program. Real-world attackers also look more broadly at the platform and infrastructure and often launch attacks that exploit vulnerabilities in multiple features and systems.
While penetration testing is important for assessing the security of specific network components and applications, red teaming tests across many defenses and detection mechanisms. In addition to finding technical vulnerabilities, red teaming is also effective for identifying and detecting issues that take advantage of human vulnerabilities. After all, many recent financial-sector data breaches can be traced back to tactics such as spear-phishing and password reuse.
Defending against Advanced Persistent Threat (APT) groups and other longer-term cyber espionage campaigns also require a more holistic approach. Consider Cloud Hopper, which leverages the legitimate access granted to third-party Managed Service Providers (MSP) to gain unauthorized administrator access to cloud and enterprise infrastructure. Cloud Hopper exploits the one-to-many trust relationship a single MSP has with clients to pivot from one target organization to another. Successful detection of such APT campaigns relies on the correlation of anomalous events across an environment and over an extended timeframe. Detection capabilities must include lateral movement within an environment to prevent an initial foothold from becoming a complete infrastructure compromise.
Detection capabilities must also extend beyond infrastructure to application events. Password spraying — a password guessing attack, which, instead of targeting a single user account, sprays password guessing attempts across all accounts — is a common vector that is especially effective against large financial institutions. This is because of the limited range and predictability of user identifiers, such as account or card numbers, across a large user base where simple detection criteria such as failed login attempts per user are not effective. Defending against modern threat actors requires that both technical security controls and detection and response capabilities are validated. Regular red teaming ensures that the security operations center is primed to detect and respond to suspicious activity in real-time, mitigating the effect of such attacks.
In the long run, building red teaming into a bank’s security program can save time and protect a financial institution’s investment in digital transformation by ensuring that security technologies and features not only protect individual components but are also effective across the environment as a whole.
Prioritizing your assets for assessment
Security teams should prioritize which applications require greater levels of assessment. Visibility into what each part of a platform does, what data it has access to, as well as overall infrastructure, architecture, and features, can help with the prioritization process and ultimately results in a security program that provides the most value in the least amount of time. Useful questions to ask in this prioritization process include:
- How critical is the data that a platform component can access in light of business goals?
- How recently has this component of the platform been tested?
- How active are attacks against similar services or technologies?
- How valuable do attackers find the data stored in or accessible by this part of the platform?
Threat assessment capabilities determine the areas in which organizations are most susceptible. Planning a security program, or the expansion of a security program, based on a threat assessment can increase confidence that the time and money invested in security testing are being properly allocated, and that the bank achieves a proper return on that investment.
Even after the Covid-19 pandemic subsides, online and mobile banking usage will surely increase. While the potential reward for banks that are able to transform quickly is great, there’s too much risk in digital transformation without a comprehensive security strategy built-in. The demand for speed and scalability does not mean having to sacrifice strong security, but it does demand that banks begin by evaluating their IT systems to prioritize security efforts. The modest incremental cost of integrating a robust security program within a transformation program ensures that digitization benefits will actually be realized.
Interested in learning how cloud security can protect your digitization investment? Access our essential guide to Cloud Security.