Security incidents in the financial sector have fallen, but there’s no cause to celebrate

A new financial services report from SilverSky shows a nine point drop in the number of security incidents during the first half of 2013. However, while the number of incidents fell when compared to 2012, that doesn’t translate into a cause for celebration.

SilverSky, a managed security services provider in the financial space, tracked incidents for 925 customers during the first half of 2013 in their latest report. During this time, the firm detected and reported some 1,500 likely and confirmed compromises. When compared to the 2012, the latest figures show a 9 percent drop in the number of financial institutions that were impacted by a security incident.

SilverSky attributes this decline to the number of financial services firms who have tightened their security posture, blocking the commonly used avenues of attack such unknown domains.

“Another reason for this decrease is that many attackers tend to repeat their tactics,” wrote Grace Zeng, the report’s author, and for some end users, while they may be fooled once, they are rarely fooled twice, she added. The problem is though, once is usually enough.

Using a wide range of exploit kits, such as Blackhole, Darkleech, or Palevo, and financial malware such as Zeus, criminals target customers of some of the largest financial firms, simply because there are more potential victims. In the SilverSky study, 67 percent of the large organizations included experienced at least one security incident (excluding DDoS) during the first half of 2013.

However, as those larger firms (and their customers) start to catch on to the methods used by malware authors and other criminals, they move to the smaller markets. Smaller financial firms are especially valuable to criminals, as they have limited resources, so defending against a growing number of threats is often an uphill battle. Data from the study shows that 57 percent of the mid-sized financial firms, and 40 percent of the smaller organizations, also experienced at least one security incident during the first half of the year.

So does the drop in the number of incidents, no matter how slight, create cause for celebration? The short answer, Zeng explained to CSO, is no — as we can’t assume things are getting better for financial institutions. Criminals are, as evidenced by the growing number of exploit kits, increasingly focused on client-side attacks — where tricks such as social engineering or Phishing are used to lure victims to a malicious website or open an infected attachment.

“We know that nowadays almost every institution has protection mechanisms such as firewalls, intrusion detection/intrusion prevention (IDS/IPS) at the network perimeter to thwart inbound attacks. So it is no longer easy for attackers to break this wall and directly compromise machines inside the network. In comparison, end users are the weakest link and they could fall victim to client-side attacks (for example, phishing/exploit-leading emails) relatively easily. So attacker are going after them,” she said.

Just this week, cloud-based security firm Zscaler, noticed an uptick in the number of Caphaw (a.k.a. Shylock) infections. This financially motivated malware uses various techniques to avoid detection; including injecting itself into legit processes on the infected host, as well as using self-signed certificates and domain generation algorithms to communicate with the command and control server via SSL.

The recent rise in the number of Caphaw infections is interesting when taken in context to the SilverSky report. The malware has been around since 2011, and mostly targets financial firms in Europe. According to Zscaler’s research, the latest infections are due to Caphaw being added to several exploit kits, which are targeting vulnerabilities in Java.

Patrick Foxhoven, the CTO of Emerging Technology for Zscaler, when asked about his thoughts on the SilverSky study when compared to his firm’s latest research, explained to CSO that there isn’t necessarily a disconnect between the study and the latest jump in Caphaw infections, because when security incidents in general are profiled, the amount of data tends to be noisy and easy to quantify.

“However I tend to categorize this as background radiation on the Internet. Measuring it is interesting but has in no way a bearing on if we are more or less safe. The characteristics of the Caphaw botnet are much more clandestine; as our researchers have noted, not a single AV vendor has detected its signature and communication with its command and control server exists through encrypted channels, so for all intents and purposes, it is almost as if this botnet does not exist,” he said.

“This is why the industry is so focused on advanced threats. The sophistication and stealth of modern threats is far more impactful than the simple background radiation on the Internet. Organizations should assume that these attacks will continue, even if they show signs of slowing; they are persistent, after all. It may be encouraging that reports show that incidents are down, but perhaps that suggests instead that these incidents are becoming harder to detect.”