Scott Nicholson Director at Bridewell Consulting
Cyber attacks are a threat to all industries, but financial sector organisations are of particular interest to threat actors due to the value of the information they hold. In fact, financial services firms fall victim to cyber security attacks 300 times more frequently than businesses in other industries, according to Forbes.
And the rise in the number of attacks is not likely to slow down. Indeed, according to the Financial Conduct Authority (FCA), companies reported 145 breaches in 2018 compared to 25 in the previous year.
In 2017, NotPetya malware infected thousands of computers worldwide within hundreds of businesses, including several global organisations such as Maersk, Merck and FedEx. However, financial services companies did not feature heavily on the list. This has nothing to do with fate — the FCA reports that 90% of financial companies operate a cyber awareness programme and many describe themselves as having effective cyber controls. Yet, it also reports that businesses are struggling to identify and manage high-risk staff, including those who deal with critical and sensitive data. And with socially engineered attacks being reported as the most common type of cyber attack, this is of particular concern.
Additionally, the World Economic Forum (WEF) now regards cyber crime as one of the biggest threats to businesses and the economy as noted in its 2019 Global Risk Report. But it can be difficult for financial services organisations to assess their own individual risk. Red teaming is one way to overcome this.
When hacking needs a red team
Ethical hacking is a way for companies to test a particular element of their business and see how resilient it is to attack. Essentially, the ethical hacker will assess the system’s security and report back to the business in terms of what they saw, what they were able to do and how much went unnoticed. Typically, the test will involve web application penetration testing, infrastructure penetration testing or mobile device and mobile application penetration testing.
A red team engagement takes things a step further. It doesn’t just focus on the technology elements. A full-attack simulation focuses on all areas of your business and could include social engineering, physical access attempts, active reconnaissance and the full suite of technical penetration testing techniques.
A typical engagement is likely to take several months and should include some standard milestones: a scoping assessment with agreed objectives and safeguards, defined start and end dates, and a session to present the findings to the Executive Board. But how does it work in practice?
Attacking for success
Looking at one particular example, a cyber security and data privacy company performed a red team assessment for a financial services organisation that was looking to undertake a real-world test of its security controls.
The cyber security company developed a remote access device using a Raspberry Pi. After successfully cloning a client badge to gain physical access, the team connected this device to the client network. By exploiting vulnerabilities within the internal infrastructure and gaining access to various services, the team eventually reached the main customer databases, which contained approximately five million customer records.
In addition, the cyber security company decided to focus on the human resources department. It created fake LinkedIn profiles and CVs and contacted the department to discuss various job roles. Through this contact, the cyber security company discovered that the financial services organisation was using a well-known email filtering product. By exploiting a particular configuration of that product, it sent email attachments which deployed malware onto the client’s laptops, providing access to a large set of personal data files.
The final part of the assessment involved presenting findings back to the board and then working with the financial organisation to improve its internal security architecture.
Staying ahead of the threat
Having an effective cyber security strategy is not just a technology problem. It needs full involvement and support from the C-suite and board, but senior leaders do not always fully understand all the risks — particularly the risks from employees themselves.
A red team assessment is a way to get everyone’s attention and gain perspective from a hacker’s point of view. The G7 Cyber Expert Group, of which the FCA is a part, advises threat-led penetration testing for the financial sector in light of the increasing persistence and sophistication of cyber risks, which have the ability to disrupt our global financial systems.
The costs associated with an attack are often difficult to fully quantify, but the Ponemon Institute calculates the average total cost of a data breach to be $3.86 million in its 2018 report. And with attacks becoming more sophisticated and prevalent, red teaming is one way to stay ahead — identifying and mitigating weaknesses in both cyber and physical defences in order to remain as resilient as possible.