Cybersecurity in Financial Services

Supply chain attacks: In this attack, cybercriminals penetrate the components of a third-party vendor or a partner to gain access to its customers' systems. Attackers can gain remote access to financial institutions' systems, steal sensitive data or move laterally through different environments. An infamous example of this is the Lazarus group attacks in South Korea via a supply chain that involved software used by this country’s banks and government agencies. At Fluid Attacks, we have the tools that can strengthen your software supply chain security: SCA (software composition analysis) and SBOMs (software bill of materials). With SCA, an analysis of the code is done to identify open-source components and their dependencies, thus finding risks associated with third-party components and informing of the recommended solution to mitigate them. With continuously updating SBOMs, you get a clear picture of everything that makes up your software. Our SCA has the capability to produce precise and comprehensive SBOMs for you in different standardized formats (CycloneDX and SPDX). Read more about this process here.

Phishing attacks: These misleading emails or messages, which impersonate real entities or individuals, may contain malware that downloads to the receiver's device with only a single click of a malicious link, or they may be sent with the intent to trick the recipient into disclosing sensitive information like login credentials. This tactic can be used on both company employees and customers. Examples include the OCBC phishing scam of 2021, which resulted in a $13.7 million loss and targeted this Singaporean bank’s customers, and the PerSwaysion spear-phishing campaign, which breached the email accounts of high-ranking financial executives.

Social engineering: This tactic involves manipulating people into divulging sensitive information or taking actions that compromise security. Phishing attacks are a form of social engineering, but attackers can also use social media, phone calls, or even impersonate the company’s staff to trick employees. Examples include hackers tricking an employee of the Chilean interbank network Redbanc into downloading malware, giving them access to sensitive information, and the 2015 Dyre Wolf campaign that used advanced social engineering to steal around $1 million from companies.

Ransomware: This looming danger encrypts critical data and blocks operating systems until a ransom is paid, disrupting operations and causing losses. Ransomware can be delivered in different ways. Some examples include the 2021 ransomware attack that hit the U.S. insurance firm CNA Financial and disrupted the company’s employee and customer services and the ransomware attack faced by the Israeli insurance company Shirbit, whose refusal to pay the ransom resulted in four class-action lawsuits amounting to $360 million from customers affected by the data breach.

Distributed Denial-of-Service (DDoS) attacks: DDoS attacks overwhelm a server with fake internet traffic, making it unavailable to legitimate users and disrupting the financial institution’s service. These popular attacks can compromise online banking, customer accounts, employee portals, etc. Examples include the 2022 Moscow Stock Exchange and Sberbank DDoS attacks that took their websites offline and the DDoS attacks on Dutch financial entities of 2018 that left their (ABN Amro, ING and Rabobank) online and mobile banking services down.

Insider threats: This form of risk can be for different reasons: Sometimes, disgruntled or greedy employees can misuse sensitive information; other times, data can be accidentally leaked by inattentive employees. Examples include the 2010 Bank of America ATM fraud incident, where an employee installed malware on 100 ATMs and stole thousands of dollars, and the Scotiabank employee who put at risk a number of customers’ accounts by accessing them without a valid reason.

Sarbanes-Oxley Act (SOX): This act of 2002 is a federal law that imposes financial reporting and disclosure requirements on all publicly traded U.S. companies and aims to protect investors and prevent accounting fraud.

Gramm-Leach-Bliley Act (GLBA): This act of 1999, also known as the Financial Modernization Act of 1999, is a federal law in the U.S. that mandates financial institutions to protect the customer's financial information and implement a data security program.

Payment Card Industry Data Security Standard (PCI DSS): This set of policies and procedures governs the security of the cardholders’ data, such as credit card numbers, expiration dates and security codes. PCI DSS security controls help companies minimize the risk of data breaches, fraud and identity theft.

New York Department of Financial Services (NYDFS): These cybersecurity regulations aim to guarantee that financial institutions protect their client data and information systems from attacks.

General Data Protection Regulation (GDPR): This European Union legislation requires the protection of personal data and mandates strict norms on data processing, storage and transfer for organizations that handle EU residents’ personal information.

Multi-factor authentication (MFA): This type of authentication grants access to resources only after the user provides two or more verification factors. Implementing MFA enhances user authentication and prevents unauthorized access to sensitive data and systems.

Data encryption: Sensitive data managed by financial institutions should always be encrypted at rest or in transit, ensuring that even if intercepted by threat actors, it will remain unreadable and unusable.

Endpoint security: Endpoints such as desktops, laptops, smartphones and servers should be protected with antivirus or other software that monitors the devices for irregular activity, unauthorized access attempts, malware detection and other threats.

Patch management: Financial institutions need to prioritize timely application of security patches that software vendors regularly release to fix vulnerabilities in their products.

Secure software development: We encourage our clients to follow the best secure coding practices, and we conduct thorough security testing throughout their software development lifecycle (SDLC) with our automated tools and certified hacking team to identify vulnerabilities in their applications and infrastructure.

Vulnerability identification: Our solutions, like pentesting and ethical hacking, endeavor to find vulnerabilities, which are the door cybercriminals need to penetrate your systems. Using top-level tools, methods and their valuable expertise, our hacking team attacks your system (with your permission) the same way a malicious actor would. With their findings, which you receive through our platform, you can make an informed decision on how to proceed.

Vulnerability management: Once the vulnerabilities in your software have been identified, which are detailed in our platform, they can be prioritized, reviewed by your team and assigned to them, and once this process has been completed, you can request re-attacks to verify their remediation. From the same platform, you can keep track of how the process of mitigating or reducing your exposure to risk is going. In addition, we offer remediation recommendations and support through generative AI and virtual calls with hackers.