The Art of Cyber War and What Makes Financial and Accounting Firms Vulnerable
Learn more at our upcoming free live CPE webinar scheduled for Tuesday, May 31, 2022 at 2pm CDT/3pm EDT – 5 Steps to Protect Your Firm from Catastrophic Cyber Attacks. Register here.
Cyber warfare is real. The harsh reality is that the financial sector is among the most heavily targeted for cyber attacks, because these firms hold large volumes of personal as well as financial data. An accounting or financial firm is also a single access point to data from many client organizations, which makes it incredibly valuable to cyber criminals.
These attacks come in many forms. The top three threats a financial firm should worry about are ransomware, phishing and loss of sensitive data. Ransomware alone is a multi-billion dollar criminal industry built on encrypting an organization's data and holding it for ransom. All of these threats open the door to interrupted workflow, liability and loss of clients.
According to a report from Boston Consulting Group (BCG), financial services firms are hit by cyber attacks 300 times more often than other companies. Forbes reports that 25% of all malware attacks target financial and accounting firms, and that cyber attacks cost $18 million per firm in this sector, compared to $12 million per incident in other industries.
The Threat Actors at Work
Criminal enterprises, nation-states, insiders, hacktivists and other malcontents lurk in the cyber sea waiting to feed on unsuspecting victims. Leaders of financial organizations must worry about criminal enterprises and nation-states, but to an even greater extent they must prepare for insider attacks and other lone-wolf malcontents.
Attackers also rely on tools such as keyloggers, software programs or hardware devices designed to secretly record every keystroke. They pose a serious threat because they capture passwords and other confidential information as it is typed. A keylogger hands the criminal PIN codes and account numbers for e-payment systems, passwords for online accounts, email addresses, user names, email passwords, and almost any other information imaginable.
Rootkits are a type of malware designed to remain hidden on a computer, typically by tampering with the operating system so that security tools and administrators do not see the malicious files and processes. While they might not be noticed, they are active: a rootkit preserves the attacker's privileged foothold and is commonly paired with a remote-access component that gives cybercriminals control of the computer.
Cyber criminals also use back doors, unsecured points of entry that bypass normal authentication, whether left behind by the attacker for return visits or planted in software without the owner's knowledge.
Used together and over a long period, these tools are the hallmark of an advanced persistent threat (APT). With nation-states, the objective of an APT is to remain undetected on the network, gather data and intelligence, learn what controls are on servers, map the network architecture, and then search for vulnerabilities they can use to disrupt the organization, steal intellectual property or make money by selling client data.
These are not "might happen" scenarios. The most common distribution methods, known as attack vectors, include email attachments, apps, Excel spreadsheets, Word documents or other files that deliver a payload once the attachment is opened on the computer. Ransomware can also be delivered by a drive-by download from a compromised website, where simply visiting the page in an unpatched browser is enough. That is why websites must be kept secure and patched.
Even legitimate advertising networks can be abused to spread malware (malvertising): a malicious ad is accepted by the network and then served on trusted sites, including the news and information sites that display ads. Malicious USB drives are another effective delivery mechanism; a planted or gifted drive that an employee plugs in can give the attacker access to, or control over, the network.
Users must practice good password hygiene and never reuse the same credentials on multiple websites. If a criminal gains access to an email account, the next step is to use those credentials, and the password resets that mailbox can authorize, to get into bank accounts and other websites and to steal identities. Even with good security hygiene, attackers can use simple, freely available penetration testing tools to identify open ports on a network. Each open port tells the attacker which service is listening, and often which version; from there the attacker looks for vulnerabilities, unpatched software and other ways to exploit that service. Just like that, the attacker has access to data.
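To make the port-scanning step above concrete, here is an added Python example; it is not code from the original article or from IronTech. It starts a throwaway service on localhost with a constructed banner so that it runs offline, performs a TCP connect scan the way a basic penetration-testing tool does, grabs the banner, and then does the defender's half of the job: it compares what is open against a documented baseline of the services the firm expects on that host. The host, ports, banner and baseline are assumptions for illustration.

```python
import re
import socket
import threading
from typing import Dict, List, Optional


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a real host: a one-shot TCP listener on an
    OS-assigned localhost port that greets with a version banner, the way
    many SMTP/FTP/SSH daemons do. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        try:
            conn.sendall(banner)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port() -> int:
    """Bind and immediately release a port so the scan has a known-closed target."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect scan of a single port. Returns the banner (possibly an empty
    string) if the port accepted the connection, or None if it is closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:
            return None
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except (socket.timeout, OSError):
            return ""  # open, but the service waits for the client to speak first


def scan(host: str, ports: List[int], expected: Dict[int, str]) -> Dict[int, dict]:
    """Scan `ports` and compare whatever answers against the owner's baseline
    {port: description}. An open port missing from the baseline is exactly the
    unmanaged service an attacker's scanner is hunting for; a banner that
    carries a dotted version number tells the attacker what to look up next."""
    findings: Dict[int, dict] = {}
    for port in ports:
        banner = probe(host, port)
        if banner is None:
            continue
        findings[port] = {
            "banner": banner,
            "expected": port in expected,
            "leaks_version": re.search(r"\d+\.\d+", banner) is not None,
        }
    return findings


def demo() -> Dict[int, dict]:
    """Run the scan against one constructed open service and one closed port,
    with an empty baseline (the firm documented no service on that port)."""
    open_port = start_fake_service(b"220 mail.example-cpa.test ESMTP ExampleMTA 2.4.1\r\n")
    closed_port = reserve_closed_port()
    return scan("127.0.0.1", [open_port, closed_port], expected={})


if __name__ == "__main__":
    for port, info in demo().items():
        status = "ok" if info["expected"] else "UNEXPECTED"
        print(f"{port}/tcp open [{status}] version_leak={info['leaks_version']} banner={info['banner']!r}")
```

The defender's takeaway is the baseline: run the same scan from outside the firewall on a schedule, and treat any open port that is not on the documented list as an incident rather than a curiosity.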
Take the Prevention Stance
To prevent this, an organization must secure its information in depth. Imagine an onion: at the core are the assets to protect, such as servers and the data on them. Assume that any single administrative, technical or physical control can break, so the best defense is NOT one supposedly unhackable layer. Multiple layers are the only way to cover the many attack vectors. Dozens of layers can be added to a security posture to protect core assets, devices, data and customer information. The key is to make certain the holes in the layers do not line up to allow penetration. The security strategy must take into account the hazard, the technology, the process and the people to prevent loss.
Even so, vulnerabilities remain, mostly human error, which makes constant security awareness training crucial.
Hacking Has Come a Long Way: The Email Attack Vector
Hackers are professionals. Long gone are the days of broken English and misspelled words. Especially in spear phishing attacks, the techniques are very refined. The criminals research an organization, its executives, vendors and workflows, and then send an email that looks legitimate: for example, a message that appears to come from an executive authorizing a $50,000 wire transfer. Layered security is the defense; no single employee's judgment should be the only thing standing between an attacker and a wire transfer.
Choose tools that authenticate the mail server and prove to ISPs, mail services and other receiving mail servers that a sender is truly authorized to send email for the firm's domain. The standard mechanisms are SPF (a DNS record listing the servers allowed to send for the domain), DKIM (a signature on outgoing messages) and DMARC (a DNS record telling receivers what to do when a message fails those checks, and where to report the results).
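As an added example of the check those tools perform (this is not code from the original article or from any product it mentions), the following Python evaluates SPF and DMARC records for a domain and judges whether a spoofed message would be rejected. The domains and TXT records are constructed for the example; the SPF include/a/mx mechanisms, which need live DNS, are deliberately left unimplemented, and DKIM signature verification is omitted, so "rejected" here means SPF did not pass and the domain publishes an enforcing DMARC policy.

```python
import ipaddress
from typing import Dict

# Constructed DNS TXT records for two hypothetical domains (not any real firm's):
# the first is locked down; the second is the common "set up but never enforced" state.
RECORDS: Dict[str, str] = {
    "example-cpa.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all",
    "_dmarc.example-cpa.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-cpa.test",
    "weak-cpa.test": "v=spf1 ip4:198.51.100.5 ~all",
    "_dmarc.weak-cpa.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak-cpa.test",
}

# SPF qualifier prefix -> result name (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record for the connecting IP. Only ip4/ip6/all are
    implemented; include/a/mx/exists need DNS lookups and raise rather than
    silently passing. Returns pass/fail/softfail/neutral, or 'none' if there is
    no SPF record at all."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip in net:                    # an IPv4 address never matches an ip6 term
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"SPF mechanism {mech!r} requires DNS lookups")
    return "neutral"                         # no mechanism matched: default result


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, sender_ip: str, records: Dict[str, str] = RECORDS) -> Dict[str, object]:
    """Would a message claiming to be From: `domain`, delivered from `sender_ip`,
    be rejected by a receiver that honours DMARC? (DKIM is omitted, so this is
    the SPF-only view.) p=none means the owner only gets reports; spoofed mail
    still lands in the victim's inbox."""
    spf = check_spf(records.get(domain, ""), sender_ip)
    policy = parse_dmarc(records.get(f"_dmarc.{domain}", "")).get("p", "missing")
    return {
        "spf": spf,
        "dmarc_policy": policy,
        "rejected": spf != "pass" and policy in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    # 192.0.2.1 is a constructed attacker-controlled sender.
    for domain in ("example-cpa.test", "weak-cpa.test"):
        print(domain, assess(domain, "192.0.2.1"))
```

The check a practitioner actually wants from this is the second domain: SPF and DMARC are "present", and every compliance checklist ticks the box, yet with ~all and p=none a forged executive email from 192.0.2.1 is delivered. Moving to -all and p=reject (after reviewing the DMARC reports to make sure legitimate senders are listed) is what turns the record into a control.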
Again, it cannot be stressed enough that organization leaders must create and foster a security-first environment. Everyone who has access to any kind of computer or device on a network must have security awareness training. Continuously. No one is exempt.
Understanding the Tools and Building a Security Toolbox that Works
A best practice is to employ a cybersecurity expert who has administrative access to the firm's email and domain (DNS) configuration, since that is where mail authentication and filtering are controlled. Understand that a security expert and an IT professional are not the same. They complement each other.
The job of a spam filter is to trap emails with potentially malicious attachments. It is a first line of defense against a ransomware attack. Once the malware is running inside a network, it typically calls out to the criminals' infrastructure to obtain or register an encryption key. Then file encryption on the target begins, and the criminals test that the files can be decrypted once the victim pays the ransom. Ironically, distributors of malware have good customer service. Some actually have 800 numbers and use screen-sharing support to help make sure the victim's files get decrypted, and offer assistance with paying the ransom using Bitcoin, View Cash or other methods.
In addition to a spam filter, a DNS filter that refuses to resolve known-malicious domains will block that callback, and the files never get encrypted because no key was exchanged. The caveat is that ransomware families which carry the attacker's public key inside the binary can encrypt without ever contacting a server, so DNS filtering is one layer, not the layer. Tools such as Windows Defender will stop known Trojans, but against new or customized malware that is not enough. Endpoint detection and response (EDR) is necessary. If all other preventive controls fail, the savior is EDR, which uses behavioral analytics and machine learning to judge whether what a process is doing matches normal, expected behavior: for example, whether a user's word processor should suddenly be rewriting thousands of files. This is a different way to look at security. In the past, users were assumed to understand threats such as phishing attacks and to be diligent about handling email attachments. Macros were assumed not to be malicious. That is not true today.
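The behavioral rule an EDR applies can be shown on constructed endpoint events. This added Python example is not code from the original article or from any EDR product; the process names, paths, timestamps and file contents are made up for illustration. It flags a process that rewrites many files within a few seconds with high-entropy (encrypted-looking) content and changes their extensions, while leaving a spreadsheet user and a slow backup agent alone.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# One endpoint file event: (timestamp_s, pid, process, path_before, path_after, bytes_written).
# path_before != path_after means the file was renamed. All events below are constructed.
Event = Tuple[float, int, str, str, str, bytes]

# Flat byte histogram, entropy exactly 8.0 bits/byte: stands in for ciphertext output.
CIPHERTEXT_LIKE = bytes(i % 256 for i in range(4096))
PLAINTEXT_LIKE = b"Q1 audit workpaper, client 1042, reviewed by partner.\r\n" * 60


def build_sample_events() -> List[Event]:
    """Constructed telemetry: two benign processes and one ransomware-like burst."""
    events: List[Event] = [
        # Benign: an accountant saving two spreadsheets a minute apart.
        (0.0, 3100, "EXCEL.EXE", r"C:\Clients\1042\ledger.xlsx", r"C:\Clients\1042\ledger.xlsx", PLAINTEXT_LIKE),
        (58.0, 3100, "EXCEL.EXE", r"C:\Clients\1042\ar-aging.xlsx", r"C:\Clients\1042\ar-aging.xlsx", PLAINTEXT_LIKE),
        # Benign: a backup agent writes compressed (high-entropy) archives, slowly, without renaming client files.
        (100.0, 4400, "backupagent.exe", r"D:\Backups\2022-05-30.bak", r"D:\Backups\2022-05-30.bak", CIPHERTEXT_LIKE),
        (700.0, 4400, "backupagent.exe", r"D:\Backups\2022-05-31.bak", r"D:\Backups\2022-05-31.bak", CIPHERTEXT_LIKE),
    ]
    # Ransomware-like: an unknown process rewrites 40 client files in four seconds, each gaining a new extension.
    for i in range(40):
        src = rf"C:\Clients\{1000 + i}\taxreturn.pdf"
        events.append((200.0 + i * 0.1, 9920, "svchost_update.exe", src, src + ".locked", CIPHERTEXT_LIKE))
    return sorted(events, key=lambda e: e[0])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is perfectly uniform, typical of encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events: List[Event], window_s: float = 10.0, min_files: int = 20,
           high_entropy: float = 7.0) -> List[Dict[str, object]]:
    """Behavioural rule: alert on any process that touches at least `min_files`
    distinct files inside a `window_s` sliding window AND either writes
    high-entropy data or changes file extensions. It judges what the process
    does, not what the binary is, which is why a renamed or never-seen sample
    still trips it."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for ev in events:
        by_pid[ev[1]].append(ev)

    alerts: List[Dict[str, object]] = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e[0])
        best = (0, 0, 0)                      # (distinct files, window start, window end)
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            distinct = len({e[3] for e in evs[start:end + 1]})
            if distinct > best[0]:
                best = (distinct, start, end)
        count, s, e = best
        if count < min_files:
            continue
        burst = evs[s:e + 1]
        mean_entropy = sum(shannon_entropy(ev[5]) for ev in burst) / len(burst)
        renamed = sum(1 for ev in burst if ev[3] != ev[4])
        if mean_entropy < high_entropy and renamed == 0:
            continue                          # bulk edit of ordinary content: not our pattern
        reasons = [f"{count} distinct files modified within {window_s:g}s"]
        if mean_entropy >= high_entropy:
            reasons.append(f"high-entropy writes (mean {mean_entropy:.2f} bits/byte)")
        if renamed:
            reasons.append(f"{renamed} extension changes")
        alerts.append({"pid": pid, "process": evs[0][2], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(f"ALERT pid={alert['pid']} {alert['process']}: " + "; ".join(alert["reasons"]))
```

In a real deployment the response to this alert is to suspend or kill the process and isolate the host before the window closes, which is the "time to orchestrate mitigation" the next section talks about. The known false positive is a legitimate encryptor or archiver working through many files quickly; those get an allow-list entry by signed binary path, not a relaxed threshold.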
Orchestrating Prevention and Solutions
The complexity of these attacks builds the case for security designed to buy time: controls that detect an intrusion early enough to orchestrate mitigation before the damage is done.
All of the tools available are useless without orchestration: properly assessing the risk, having the technical tools ready, and understanding how administrative, technical and physical controls fit together. The best-case scenario is a security provider that combines multiple vendors with best-of-breed products, practices and policies.
In the final analysis, whether a financial or accounting organization handles security in-house or outsources it, the key to success is a management- and policy-driven remote access strategy, together with the ability to inventory and monitor the hardware devices on the network and to analyze their logs for abnormal behavior.
About the Author
Tom Kirkham is founder and CEO of IronTech Security & Kirkham.IT. Tom founded IronTech Security to focus on cybersecurity defense systems that protect and secure data for the financial, law, and water utility industries. IronTech focuses on educating and encouraging organizations to establish a security-first environment with cybersecurity training programs for all employees to prevent successful attacks. Tom brings more than three decades of software design, network administration, and cybersecurity knowledge to the table. During his career, Tom has received multiple software design awards and founded other acclaimed technology businesses. He is an active member of the FBI's Arkansas InfraGard Chapter and frequently speaks about the latest in security threats.