Cybersecurity management has become a key priority for the banking and broader financial sector in recent years. Large user bases, vast amounts of sensitive data and the financial assets associated with that data put financial institutions in a particularly exposed position. Organized criminal groups attack banking systems and their users for direct financial gain, which is usually their ultimate goal. In response to increasingly sophisticated attacks, cybersecurity managers are moving from ad-hoc fixes to strategic ways of managing cybersecurity. In this article, we address the most common vulnerabilities and attack vectors and present good practices in cybersecurity management, including regular system testing and user awareness.
The most common attack vectors
Financial institutions face many potential cyber threats, including phishing attacks, ransomware and malware campaigns. Below, we describe the successful attack vectors most commonly seen in financial institution testing.
Social engineering attacks
Attackers use social engineering to persuade individuals to disclose confidential information or hand over credentials that give access to a protected network. Social engineering takes many forms. Email phishing is the most common, but attempts via SMS (smishing), phone calls (vishing) or in-person visits to premises should also be addressed. These attacks are very effective because they exploit curiosity, helpfulness and a sense of urgency. A single click on a malicious link or a single opened attachment can give an attacker an initial foothold in your IT system, from which they move on to the real target.
Malware and ransomware attacks
Attackers use malware that can seriously damage an organization’s IT systems or data. Particularly hazardous are ransomware attacks, which encrypt data and demand a ransom for the decryption key, increasingly combined with a threat to publish stolen data if the ransom is not paid (double extortion). Even if the ransom can be negotiated down, the company’s reputation is at stake, customer data is at risk, and the customer experience suffers, as services are usually unavailable for at least some time. Endpoint protection stops most commodity malware but typically does not prevent the most sophisticated attacks. Additional technical measures are therefore needed: offline backups that are regularly restore-tested, network segmentation to limit how far an infection can spread, and least-privilege accounts so that one compromised user cannot encrypt every share.
Denial of service attacks
Denial of service (DoS) attacks, and their distributed form (DDoS) launched from many compromised machines at once, flood an organization’s servers or network links with more traffic or requests than they can handle. In the first phase the network and websites slow down; in the second, servers or network devices exhaust their resources and the service becomes unavailable.
Supply chain attacks
Supply chain attacks are one of the newer attack vectors and involve multiple parties. They are used in particular when the final target is a large company with good cyber protection that connects over the internet to smaller companies or receives hardware or software from them. Attackers compromise one of these smaller suppliers, which usually have weaker security, and move up the supply chain to the final target along the ‘path of least resistance’: a trusted network connection, a software update or a preinstalled component that carries the attack past defences it could not break through directly.
Financial institutions must design their cybersecurity management strategies with the most common attack vectors in mind and invest most heavily in resilience in exactly these areas. In doing so, we need to be aware that it is not only the installation of security devices that matters but also their correct placement in each environment, the tuning of their settings to that environment, and the monitoring of their performance throughout the IT lifecycle. Upgrades and other changes can significantly affect whether malicious content and attack attempts are still correctly identified.
Common vulnerabilities
One of the reasons why financial institutions are so vulnerable and consequently attractive to cyber criminals is their customer orientation and the size and complexity of their IT systems. In the following, we will describe the most commonly detected vulnerabilities in the financial and banking sector.
Unsecured networks and outdated software
A well-secured network and up-to-date software are two essential prerequisites for the security of an information system. Security devices at the network perimeter and, more recently, within the network itself are used to monitor traffic and detect deviations. The absence of such devices, their inappropriate placement and the lack of monitoring of what is actually happening on the network are common causes of successful attacks. Outdated software is the other half of the problem: a system running a version with a publicly known, unpatched vulnerability is often the first thing an attacker or a scanner finds, so a patch management process with remediation deadlines tied to severity is as important as the security devices themselves.
Low user awareness
Employees who do not know how to identify and respond to potential cyber threats can pose a significant vulnerability to an organization. On the other hand, it is a vulnerability that can be addressed relatively easily through user education programmes, and the susceptibility to social engineering attacks can be significantly reduced in just a few months. We will address user awareness in more detail below.
Weak security mechanisms for logging into systems
Attackers can gain access to a corporate network with stolen or weak passwords, so a strong password policy is essential. Multi-factor authentication (MFA) with one-time passwords, mobile authenticator apps, or FIDO2/WebAuthn security keys is highly recommended for internet-facing and mission-critical systems and applications. The methods are not equal: SMS codes and app-generated one-time passwords can still be phished in real time by a proxy that relays them to the real site, whereas FIDO2 credentials are bound to the site’s origin and cannot be replayed against a look-alike domain.
It makes sense to address vulnerabilities holistically and strategically. Ad-hoc ways of managing cyber risks are not desirable as they may solve the problem in the short term but often do not contribute to an overall improvement in the cybersecurity posture.
Cyber security testing
Cybersecurity testing is one of the most essential components of an effective security strategy. It helps organizations identify vulnerabilities in their systems so that they can act before attackers exploit them. In our experience, the banking sector is one of the most advanced in Slovenia in security testing, as most banks have been diligently taking care of cybersecurity for years through testing, user awareness and a range of security solutions. Nevertheless, security testing often reveals sensitive data stored in easily accessible places, such as a shared file containing administrator passwords for multiple systems. Automated tests typically classify such findings as low or info, yet the actual impact of exploiting them on the bank’s business and reputation can be enormous: valid administrator credentials give an attacker the systems without needing a single exploit. Such a mismatch can be avoided by manual penetration testing or by automated solutions that attempt to exploit the findings in the given system. Given the correct input (e.g. which data and systems are critical for us), the selected solution will rank such findings at a correspondingly higher criticality level.
Cybersecurity testing is done at different levels and on different infrastructures. However, a traditional security test can be divided into three basic steps: vulnerability scanning, penetration testing, and risk assessment. The Red Teaming cyber exercise, which we will describe in more detail below, follows a slightly different path.
Vulnerability scanning
Vulnerability scanning identifies potential vulnerabilities in a business system and prioritizes them. This is the first step in testing a system’s security and must be followed by a thorough review and an exploitation test of the identified vulnerabilities (penetration test). The review should not focus only on findings marked critical or high but also on those marked info or low: these often pose no significant threat on their own but leak information (versions, internal hostnames, usernames, configuration details) that lets an attacker chain them with other findings into a working attack.
Penetration testing
A penetration test aims to check how secure an organization’s IT system is by simulating a cyber-attack. A penetration test can be performed on an external or internal network, the entire network, or only on a predefined segment, multiple segments, applications, or APIs.
It is recommended that penetration testing is carried out periodically, as new vulnerabilities and threats are constantly emerging in highly dynamic IT environments. Automated tools that run standardized tests regularly and efficiently can offer great support and allow organizations to reserve more extensive manual penetration tests for longer intervals (e.g. once a year). When choosing an automated tool, prefer one that not only scans for vulnerabilities and ranks them by the published CVSS score of the associated CVE but also attempts to exploit each vulnerability in your system and proposes a remediation process accordingly, since the published score says nothing about whether the flaw is reachable and what it leads to in your environment.
Risk assessment
Based on the results of the vulnerability scan and penetration test, a risk assessment is made that combines the technical findings with their business impact. The risk assessment links each vulnerability to the potential consequences of its exploitation, decides on that basis which ones should be addressed first, and proposes appropriate measures to reduce or eliminate the risks.
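The point made in the testing section above (an info-rated shared password file outranking a critical-rated but unreachable CVE) and the risk assessment step both come down to the same calculation: likelihood, corrected for what the tester actually proved, multiplied by business impact, which the scanner does not know. The following added example (written for this article, not a vendor’s scoring model) shows one such prioritization over three constructed findings. The weights, the asset and finding fields, and the function names are assumptions chosen to illustrate the idea, not a standard.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Likelihood weight per scanner label (assumed values; CVSS-like ordering).
SEVERITY_WEIGHT = {"critical": 10, "high": 8, "medium": 5, "low": 2, "info": 1}


@dataclass
class Asset:
    name: str
    criticality: int                 # 1 (lab box) .. 5 (core banking), the business view
    internet_facing: bool
    data: Set[str] = field(default_factory=set)   # categories of data hosted on the asset


@dataclass
class Finding:
    id: str
    asset: Asset
    title: str
    scanner_severity: str            # label as reported by the automated scanner
    exploitable: bool                # confirmed by manual or automated exploitation
    exposes_credentials: bool = False


def likelihood(f: Finding) -> int:
    """Start from the scanner label, then override it with what the test proved."""
    score = SEVERITY_WEIGHT[f.scanner_severity]
    if f.exploitable:
        score = max(score, 8)        # a proven exploit path beats any scanner label
    if f.exposes_credentials:
        score = max(score, 9)        # valid credentials need no exploit at all
    if f.asset.internet_facing:
        score += 1                   # reachable by anyone, not only insiders
    return score


def impact(f: Finding, critical_data: Set[str]) -> int:
    """Business impact from asset criticality, raised when data we declared critical is hit."""
    score = f.asset.criticality * 2
    if f.asset.data & critical_data:
        score += 2
    return score


def risk_score(f: Finding, critical_data: Set[str]) -> int:
    return likelihood(f) * impact(f, critical_data)


def prioritize(findings: List[Finding], critical_data: Set[str]) -> List[Finding]:
    """Order findings for remediation, highest contextual risk first."""
    return sorted(findings, key=lambda f: risk_score(f, critical_data), reverse=True)


def sample_findings() -> List[Finding]:
    """Constructed sample data mirroring the situation described in the text."""
    test_box = Asset("dev-test-07", criticality=1, internet_facing=False)
    file_share = Asset("fs-internal-01", criticality=5, internet_facing=False,
                       data={"admin_credentials"})
    portal = Asset("ebank-portal", criticality=4, internet_facing=True,
                   data={"customer_pii"})
    return [
        Finding("F-01", test_box, "Unpatched RCE in test framework", "critical",
                exploitable=False),            # scanner says critical; isolated lab host
        Finding("F-02", file_share, "Shared file with administrator passwords "
                "for core banking systems", "info", exploitable=True,
                exposes_credentials=True),     # scanner says info; tester used the passwords
        Finding("F-03", portal, "TLS 1.0 still enabled on public portal", "medium",
                exploitable=False),
    ]


if __name__ == "__main__":
    # The "correct input" from the text: tell the assessment which data is critical for us.
    critical = {"admin_credentials", "customer_pii"}
    for f in prioritize(sample_findings(), critical):
        print(f"{f.id}  scanner={f.scanner_severity:8s}  risk={risk_score(f, critical):3d}  {f.title}")
```

Run as-is, the info-rated password file comes out first and the critical-rated lab host last, which is the ordering a risk assessment should hand to the remediation team. The weights themselves are less important than the two inputs the scanner cannot supply: whether the tester actually got in, and what the asset means to the business.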
Red Teaming
A special type of security testing is the so-called cyber exercise or Red Teaming, a simulation of an actual cyber-attack. Whereas in penetration testing the customer defines the scope (e.g. network segments, an application) and the contractors stick to the agreed scope, in Red Teaming the test is conducted against the organization as a whole, using current attacker tactics and techniques. Such an exercise tests how well the organization detects and responds to a cyber-attack. Typically, there is one contact person on the customer side who coordinates the test with the contractor, while other users are not aware of the exercise. For that reason it is crucial that the organization is clear, at management level, about why it intends to carry out a Red Teaming exercise in a given year or six months, what the objective is, and which rules of engagement apply, so that a discovered intrusion is not mistaken for a real one and escalated outside the organization.
Red Teaming is the only security test that checks not only the security of your network but also the resilience of your organization to a cyber-attack. Although it may sound tempting, a cyber exercise is not suitable for every organization. It is recommended for those that have already reached a certain level of cybersecurity maturity, meaning they have experience in conducting penetration tests and ideally also in building user awareness and managing compliance; an immature organization learns little from an exercise it cannot detect at all.
One of the objectives of a Red Teaming exercise can be to train the response team. Based on the results of the exercise, the ethical hackers (Red Team) make recommendations to the response team (Blue Team) that improve the detection of potential attacks and, thus, the security posture of the organization. A more advanced form of response team training is Purple Teaming, where the two teams work together in real time: the Red Team executes well-planned attack techniques one by one, the Blue Team checks whether each was detected and how, and further training or detection tuning follows from what was missed.
User awareness training
Continuous training in cyber-security awareness is another essential pillar of cybersecurity management. According to statistics and field experience, users remain a very vulnerable part of the IT system. With a well-written phishing message, many users directly or indirectly disclose their credentials to attackers. Modern attacks are carefully designed, often aimed at a specific person or role within an organization. Attackers gather information from social networks and the web and use generative AI to write targeted spear phishing messages in fluent language, without the grammatical errors that made such messages easy to identify in the past.
Organizations should educate their employees on cybersecurity best practices such as strong passwords, secure storage of private data, and protection against phishing attacks. In this context, it is recommended that organizations encourage employees to report any suspicious activity they observe on the network or detect in email communication.
Another essential part of building awareness is practical training with simulated social engineering attacks. Solutions exist that offer a wide range of content and training materials, ranked by difficulty so that awareness and the ability to identify attacks can be raised step by step. A crucial part of such training is feedback on the success or failure of each exercise. Users who fall for a simulation are shown the red flags they should have spotted, offered additional training material, and sent a similar exercise again after a set period. Administrators have access to detailed statistics to monitor improvement trends, identify which departments or user groups are progressing faster and can be given more challenging material, and see who needs additional exercises at a less demanding level.
Organizations should have a security incident management policy in place and define the procedures for reporting an incident. This will ensure that employees are aware of their responsibilities when reporting incidents and that they respond quickly and effectively. Organizations should define rights and responsibilities according to different user roles in their security policies or internal rules. They should also tailor the type and complexity of training by role. Documentation should be stored in a place accessible to all employees; its purpose is to be used as a guide for everyday work.
Banking institutions are also frequently confronted with the consequences of cyber-attacks on their customers. In this respect, we see an increasing engagement of banks in warning customers of cyber-attack attempts through various means of communication and raising their awareness of appropriate behaviour and how to identify the traps. Such actions significantly contribute to raising awareness of cyber-attacks in the broader social context.
When raising awareness about cyber security, it is also important that organizations regularly review their security policies and address the latest cyber threats accordingly. Organizations in the financial and banking sectors are also bound to comply with standards and directives that promote effective cybersecurity management.
The NIS2 directive and DORA
In December 2022, the European Union adopted two important legal acts that have fundamentally changed the position of cybersecurity in a large part of the economy and public administration. The NIS 2 directive sets out measures for a common high level of cybersecurity across the European Union, which member states must transpose into national legislation by mid-October 2024. Among other things, the Directive expands the range of covered entities, which must now also manage the cyber risks of their suppliers and service providers. In doing so, the Directive addresses the increasingly urgent problem of supply chain attacks.
The DORA Regulation focuses specifically on the digital operational resilience of the financial sector and, as a regulation, is directly binding in all EU Member States without national transposition. It applies from 17 January 2025, and all institutions within its scope must be prepared by that date.
Both regulations are important to ensure that organizations have the appropriate measures in place to protect themselves from potential cyber threats and build cyber resilience. These measures include the introduction of security audits and testing, building user awareness, detecting malicious activity on networks, and responding appropriately. When a cyber incident happens, organizations must respond quickly but in a coordinated manner, decisions must be prudent, and all procedures must be documented.
NIS2 and DORA provide a framework for organizations to help them systematically strengthen their cybersecurity posture.
NIST Cybersecurity Framework
To effectively manage cybersecurity, organizations can also rely on the NIST Cybersecurity Framework, a cybersecurity management framework developed by the US National Institute of Standards and Technology (NIST). The framework provides guidance on how to identify potential risks and vulnerabilities, develop policies and procedures to address them and create an incident response plan. In addition, the framework is also helpful in assessing an organization’s cybersecurity maturity and risk exposure.
The current version of the NIST Framework (1.1) is built around five functions that form a cybersecurity management cycle: identify – protect – detect – respond – recover. The main objective is to make the process cyclical, underlining that cybersecurity is a constantly evolving field that requires continuous monitoring and improvement.
A new version of the NIST Framework (CSF 2.0) is expected in early 2024 and introduces a sixth function, “govern”, placed at the centre of the wheel and informing the other five. In doing so, the authors of the framework have emphasized the importance of cyber risk management and moved cybersecurity governance closer to management and decision-makers.
If governance is being promoted within a recognized framework such as the NIST Cybersecurity Framework, then CISOs should also present changes in the cybersecurity field to management and boards as substantive content: the changed attack surface, the different types of threats and risks, and how these challenges will be addressed within the team and the organization. Such presentations carry far more weight than counts of newly discovered vulnerabilities or newly installed security appliances. It is important to recognize cybersecurity as one of the cornerstones of a successful business and a guardian of reputation. In institutions that handle a lot of personal and sensitive data, any breach and disclosure will likely result in significant negative publicity. Organizations that have implemented ISO 27001 have already shown that their management recognizes information security as a guiding principle for the business. At the same time, the 2022 version of the standard introduces several more technologically oriented controls, such as threat intelligence, configuration management, data leakage prevention, monitoring activities and secure coding.
To conclude …
While the NIST Cybersecurity Framework is moving towards management by adding governance, ISO 27001:2022 is moving towards technology by adding technical controls. The conclusion is the same in both cases: cybersecurity and information security must be addressed from both a technological and a business point of view and contribute to the successful functioning of the organization. Achieving a higher level of cybersecurity is a continuous process that requires constant monitoring, response, and improvement. The basis for improvement is a clear picture of the current state, as shown by the results of security tests and the recommendations based on them.