Legacy systems within U.S. financial sector likely to blame for breaches, report

Legacy systems within U.S. financial sector likely to blame for breaches, report
Legacy systems within U.S. financial sector likely to blame for breaches, report

A recent SecurityScorecard study claims America's financial industry is highly susceptible to data breaches and legacy systems may be to blame.

The firm's 2016 Financial Industry Cybersecurity Report analyzed 7,111 financial institutions to find existing vulnerabilities to determine the strongest and weakest security standards based on security hygiene and reaction time compared to their peers.

The U.S. commercial bank with the lowest security posture is one of the top 10 largest financial service organizations in the U.S in terms of revenue, and only one of the top 10 largest banks, Bank of America, received an overall ‘A' grade, the report said.

In addition, 1,356 of the institutions showed at least one unpatched CVE (Common Vulnerabilities and Exposures), and of these companies, 72 percent are vulnerable to CVE 2014- 3566 {POODLE), 38 percent are vulnerable to CVE 2016-0800 (DROWN), and 23 percent are vulnerable to CVE 2015-0204 (FREAK), the report said.

Although the U.S. financial industry ranks fourth out of 18 of the U.S. economy's primary industries in terms of security, its Cubit Score, DNS Health score, IP Reputation score and Network Security score are below the overall average for other industries, the report determined.

Researchers said in the report that companies with low IP reputations are more than three times more likely to experience a data breach compared to companies with higher IP reputation scores.

To make matters worse, 95 percent of the top 20 U.S. banks, by revenue, have a Network Security Grade of a ‘C' or below, and 75 percent are also infected with malware families that include Ponyloader and Vertexnet.

“One of the most revealing findings was the consistency of malware infections across the industry, whereby 75 percent of all financial institutions were impacted by a modern financial crimes botnet,” Alex Heid, chief research officer at SecurityScorecard, told SCMagazine.com. “We had expected the number to be lower, with the assumption being malware would mostly impact entities with low endpoint security and low network security scores.” 

He said the data revealed that even financial institutions which appear to have strong network and endpoint security have experienced malware infections, although he said they were most likely the result of spear-phishing and or social engineering attacks.

Legacy systems which may not have been updated and secured for an extended period of time, resulting in extensive vulnerabilities, were to blame, in part.

“The biggest vulnerabilities faced by the banking industry resides within the use of legacy systems that run outdated software, yet these systems are still critical to the performance of daily business operations,” Heid said “When legacy systems are in use, the network topology should ensure sufficient segregation from any other public networks or devices.”

Heid said that the top performing banks emphasize the development and nurturing of internal information security teams that specialize in threat intelligence, incident management, vulnerability identification and forensic investigation. Although it's a costly proposition, he said it's important to understand that black hat hackers put together teams in the same configurations to conduct attacks that monetize the fruits of their efforts.

The financial industry spends billions of dollars each year on cybersecurity products and resources, but this could be counterproductive, he pointed out. “While many of these resources are quite effective when used properly, information security teams are sometimes burdened by an overkill of tools, resources and data feeds whereby determining which intelligence is truly actionable becomes a difficult task,” Heid said. “Increasing budgets for security spending will only help improve security if the right solutions are selected and implemented properly, otherwise an enterprise might inadvertently be creating a new attack surface by simply purchasing the latest partially configured public-facing security appliances.”

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS