IBM Global Technology Services
Thought Leadership White Paper
Financial services
IBM Security Services cyber security
intelligence index for financial services
Financial services is one of the most attacked industries. Are you protected?
Contents
3 The cyber security landscape
5 How can you help keep your organization safe?
6 Let IBM help address your cyber security needs
7 Glossary
About this report
IBM Managed Security Services has developed this report to provide insights into the current threat landscape for the financial services industry and to offer solutions that can help you better protect your organization. Information is based on cyber security event data collected by IBM between 1 April 2012 and 31 March 2013 in the course of monitoring client security devices, as well as data derived from responding to, and performing forensics on, cyber security incidents. Where noted, additional information comes from industry analysts and publicly available data.
For a cross-industry overview of the threat landscape, please see the white paper IBM Security Services Cyber Security Intelligence Index.
“A new class of high-bandwidth DDoS [distributed denial of service] attacks of up to 70 Gbps hit top U.S. banks in the second half of 2012, justifiably causing serious concerns among bank security staff, law enforcement and bank regulators.”1
—Gartner, Inc.
“Banking executives are much more likely … to point to cybercrime than to systems failures as the most important IT risk that threatens their company’s reputation.”2
—2012 IBM Global Reputational Risk and IT Study
Cyber attacks against financial services firms have become more frequent and sophisticated. Companies within this industry have a complex back-office IT architecture, consisting of diverse platforms and interfaces. They employ multiple front-office channels, including the Internet, mobile networks, automated teller machines (ATMs) and kiosks. At the same time, many financial services organizations rely on IT resources outside of their firewalls and distribute their applications and data across multiple devices. As a result, numerous vulnerable points exist that can lead to security breaches and data theft.
Many of these attacks are designed to gain continuous access to critical information, to perpetrate fraud or to cause damage to critical infrastructures. In addition, hostile government and terrorist-sponsored attacks aimed at financial services are intended to cripple a country’s financial system. Such attacks can significantly impact financial services companies not only in terms of monetary losses but also in terms of credibility and reputation. In fact, most banking executives consider data breaches, data theft and cybercrime to be the most significant IT risk threatening their company’s reputation.3
Case study: 21st century bank heist inflicts US$45 million in losses
An international cybercrime organization used sophisticated intrusion techniques known as “unlimited operations” to hack into the systems of global financial institutions, steal prepaid debit card data and eliminate withdrawal limits. The stolen card data was then disseminated worldwide and used in making fraudulent ATM withdrawals on a massive scale across the globe. The operation spanned 26 countries.
In a U.S. federal indictment announced in May 2013, eight defendants, who allegedly formed the New York-based cell of the organization, were charged variously with conspiracy to commit access device fraud, money-laundering conspiracy and money laundering. According to the indictment, the eight defendants, along with their co-conspirators, targeted New York City and withdrew approximately US$2.8 million in a matter of hours.4
The cyber security landscape
By taking advantage of advanced analytics, IBM has been able to pore over and make sense of the massive amount of information that crosses platforms we monitor for our clients. This has allowed us to develop real insight into the kinds of attacks that are taking place, who may be launching them and how their techniques are evolving.
Determining which security events require action
Among financial services clients, IBM detects an average of more than 111 million security events annually, which is notably higher than for other industries. By implementing sophisticated correlation and analytic tools, we can determine which of those events are actual attacks—malicious activities attempting to collect, disrupt, deny, degrade or destroy information systems resources or the information itself. We then employ the work of security analysts, among others, who help further identify those attacks that qualify as security incidents and, therefore, should be further investigated. This process revealed that our financial services clients had an annual average of 87 incidents that required action. (See Figure 1.) Clients can significantly save time and resources by focusing only on those security incidents that require action rather than on all 111 million identified events.
Not surprisingly, the incident rate within the financial services industry is one of the highest among all the industries we monitor. Attackers know that they stand to gain a significant potential payoff by breaching systems at these firms.
Figure 1. Security intelligence allows IBM to identify which events are actual security incidents requiring action.

           Security events    Security incidents
Annual     111,268,300        87
Monthly    9,272,358          7
Weekly     2,139,775          1.67
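As an added illustration of the correlation stage described above (this script is not part of the IBM report and is not IBM's tooling), the following Python code groups a small set of constructed security events by source and labels attack candidates with two of the incident categories defined in the report's glossary; the thresholds, sample addresses and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample security events: (source_ip, event_type, detail).
# For "conn" the detail is a destination port; for "auth_fail"/"auth_ok" it is a username.
EVENTS = [
    ("198.51.100.7", "conn", 22),
    ("198.51.100.7", "conn", 80),
    ("198.51.100.7", "conn", 443),
    ("198.51.100.7", "conn", 3306),
    ("198.51.100.7", "conn", 8080),
    ("203.0.113.4", "auth_fail", "alice"),
    ("203.0.113.4", "auth_fail", "alice"),
    ("203.0.113.4", "auth_fail", "alice"),
    ("203.0.113.4", "auth_fail", "alice"),
    ("203.0.113.4", "auth_fail", "alice"),
    ("192.0.2.10", "conn", 443),
    ("192.0.2.10", "auth_fail", "bob"),
    ("192.0.2.10", "auth_ok", "bob"),
]

# Correlation thresholds are assumptions for this example, not figures from the report.
PROBE_PORTS = 5   # distinct ports touched by one source -> "sustained probe/scan"
AUTH_FAILS = 5    # failed logins from one source -> "unauthorized access"


def correlate(events):
    """Correlate raw events per source into attack candidates labelled with two
    glossary categories. Returns (source_ip, category, supporting_event_count)."""
    ports = defaultdict(set)
    fails = defaultdict(int)
    for src, kind, detail in events:
        if kind == "conn":
            ports[src].add(detail)
        elif kind == "auth_fail":
            fails[src] += 1
    attacks = []
    for src, touched in ports.items():
        if len(touched) >= PROBE_PORTS:
            attacks.append((src, "sustained probe/scan", len(touched)))
    for src, count in fails.items():
        if count >= AUTH_FAILS:
            attacks.append((src, "unauthorized access", count))
    return attacks


def funnel(events):
    """Return (raw event count, attack-candidate count, candidates): the first two
    funnel stages; the analyst review that yields incidents is the human step."""
    attacks = correlate(events)
    return len(events), len(attacks), attacks
```

The benign source 192.0.2.10 stays below both thresholds, so it contributes events but no attack candidate, which is the reduction the funnel in Figure 1 illustrates.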
Primary categories of incidents
Our analysis shows that two types of incidents are most prevalent among financial services companies. Together, malicious code and sustained probes or scans account for 70 percent of all incidents. (See Figure 2.)
Figure 2. Malicious code and sustained probes or scans are the primary types of incidents affecting the financial services industry. Categories of incidents: malicious code 42% and sustained probe/scan 28% (the 70 percent cited in the text); the remaining categories (unauthorized access, suspicious activity, access or credentials abuse, denial of service) share the values 12%, 10%, 7% and 1%, whose assignment to categories is not recoverable from the extracted figure.
Figure 3. The vast majority of attacks are instigated by a combination of insiders and outsiders (multiple). Categories of attackers: outsiders 46.3%; multiple 52.7%; malicious insiders and inadvertent actors 0.8% and 0.2% (values in the order extracted, together under 1 percent).
Who are these attackers, and why do they attack?
Although this report is not focused on the perpetrators of attacks, it can provide some insight into the types of attackers responsible for them and their motivation.
Insurance executives rank theft and cybercrime as the leading IT risk factor with the potential to cause reputational damage.5
Outsiders are the primary culprits, with 46.3 percent of attacks (more than 40 of the 87 annual incidents) perpetrated entirely by outsiders and another 52.7 percent perpetrated by a combination of outsiders and insiders. (See Figure 3.) Attacks that are solely launched by malicious insiders or by inadvertent actors account for less than 1 percent of attackers, significantly lower than the 25 percent that IBM found across multiple industries.
On the whole, sheer opportunity accounts for half of all attacks confronting IBM clients across industries. (See Figure 4.) Because they typically lack sophistication, these attacks are relatively easy to detect. By reducing their number, a company can turn its time and resources to more sophisticated attacks.
Figure 4. Opportunity is the primary motivator for attacks, and opportunistic attacks are generally easy to detect. Attacker motivation: opportunistic 49%; industrial espionage, financial crime, terrorism, data theft 23%; dissatisfaction with employer/job 15%; social activism, civil disobedience 7%; other 6%.
How are these incidents possible?
As shown in Figure 5, misconfigured systems or applications, along with end-user errors, are the primary reasons for security breaches, regardless of industry. By addressing these preventable factors and educating end users, organizations may be able to significantly reduce the number of attacks.
How can you help keep your organization safe?
Today’s technology has made cyber security more critical than ever and yet more challenging. Financial services organizations employ complex IT infrastructures consisting of systems that are connected to both internal and third-party networks. At the same time, customers access their accounts from a variety of devices, including laptop computers, mobile phones and tablets, which can also make systems more vulnerable to attacks. Striking a balance between security and accessibility is key to a successful cyber security approach.
To address these cyber security challenges, financial services organizations must fundamentally change how they think about security. Updating technology and following best practices are not enough; combating attacks requires a more pragmatic approach that informs every decision and procedure.
Figure 5. Cross industry, preventable factors are most often at the root of breaches, but oftentimes underlying factors cannot be identified. How breaches occur: misconfigured system or application 42%; end-user error 31%; undetermined 17%; vulnerable code 5%; targeted attack, exploited 5%.
To implement such an approach, your organization must:
● Build a risk-aware culture. Because attacks can come from anywhere, it is crucial to determine your security risks and goals and then spread the word to everyone within the company. This must come from the top down, and tools should be implemented to track progress.
● Automate security “hygiene.” A robust, security-rich system can help you keep track of every program that is running and make it possible to install updates and patches as they are released. This “hygiene” process should be routine and embedded in the foundation of your systems administration.
● Manage incidents with intelligence. A company-wide effort to implement intelligent analytics and automated response capabilities is essential. Creating an automated and unified system that implements intelligent analytics can help you better monitor your operations and respond more quickly.
Let IBM help address your cyber security needs
It is easy to feel overwhelmed when you consider what it takes to protect your organization from sophisticated attacks. IBM Security Services consultants can help you plan, implement and manage virtually all aspects of your security strategy. Our senior security professionals have honed their skills in both the public and private sectors, working in corporate security leadership and consulting, investigative branches of government, law enforcement, and research and development.
In addition to offering consulting services since 1995, IBM has helped to set the standard for accountability, reliability and protection in managed security services. IBM Managed Security Services can provide the security intelligence, expertise, tools and infrastructure you need to help secure your information assets from Internet attacks. We monitor and manage your security operations around the clock or as needed to help you enhance your information security posture, reduce your total cost of ownership and better address regulations, regardless of device type or vendor.
To better understand how IBM can help you improve your business environment, talk to your IBM client representative to schedule a detailed session.
Case study: A bank engages IBM to identify vulnerabilities and help strengthen its security posture
The need
With security a top priority, this Kuwaiti commercial and investment bank wanted to test and evaluate its public-facing and internal systems for possible threats and cyber attacks. The company sought an external service provider to deliver thorough and cost-effective security testing and evaluation.
The IBM solution
The bank engaged IBM Security Services to test and evaluate its network and application security. The IBM team conducted penetration testing to demonstrate how attackers could significantly affect the business. It also assessed designated web-based and nonmainframe-type applications and documented security risks while recommending corrective actions.
As a result, the bank was able to gain a better view of its security posture and a “hacker’s eye view” into its network. IBM delivered a more accurate list of security vulnerabilities and an action plan, along with recommendations on how the bank could move forward with its security planning. This helped reduce potential attacks that might target the vulnerabilities in the network.
Glossary
Term: Definition
Access or credentials abuse: Activity detected that violates the known use policy of that network or falls outside of what is considered typical usage.
Attacks: Security events that have been identified by correlation and analytics tools as malicious activity attempting to collect, disrupt, deny, degrade or destroy information system resources or the information itself. Security events such as SQL injection, URL tampering, denial of service and spear phishing fall into this category.
Breach or compromise: An incident that has successfully defeated security measures and accomplished its designated task.
Denial of service: Attempts to flood a server or network with such a large amount of traffic or malicious traffic that it renders the device unable to perform its designed functions.
Droppers: Malicious software designed to install other malicious software on a target.
Event: An event is an observable occurrence in a system or network.
Inadvertent actor: Any attack or suspicious activity coming from an IP address inside a customer network that is allegedly being executed without the knowledge of the user.
Incidents: Attacks or security events that have been reviewed by human security analysts and have been deemed a security incident worthy of deeper investigation.
Keyloggers: Software designed to record the keystrokes typed on a keyboard. This malicious software is primarily used to steal passwords.
Malicious code: A term used to describe software created for malicious use. It is usually designed to disrupt systems, gain unauthorized access or gather information about the system or user being attacked. Third-party software, Trojan software, keyloggers and droppers can fall into this category.
Outsiders: Any attacks that come from an IP address external to a customer’s network.
Phishing: A term used to describe when a user is tricked into browsing a malicious URL designed to pose as a website they trust, thus tricking them into providing information that can then be used to compromise their system or accounts and steal their identity.
Security device: Any device or software designed specifically to detect or protect a host or network from malicious activity. Such network-based devices are often referred to as intrusion detection and prevention systems (IDS, IPS or IDPS), while the host-based versions are often referred to as host-based intrusion detection or prevention systems (HIDS or HIPS).
Security event: An event on a system or network detected by a security device or application.
Spear phishing: Phishing attempts with specific targets. These targets are usually chosen strategically in order to gain access to very specific devices or victims.
SQL injection: An attack that attempts to pass SQL commands through a website in order to elicit a desired response that the website is not designed to provide.
Suspicious activity: These are lower-priority attacks or instances of suspicious traffic that could not be classified into one single category. They are usually detected over time by analyzing data collected over an extended period.
Sustained probe/scan: Reconnaissance activity usually designed to gather information about the targeted systems, such as operating systems, open ports and running services.
Trojan software: Malicious software hidden inside another software package that appears safe.
Unauthorized access: This usually denotes suspicious activity on a system or failed attempts to access a system by a user who does not have access.
Wiper: Malicious software designed to erase data and destroy the capability to restore it.