Financials' Critical Assets Are Now A Prime Target For Hackers

Forbes Technology Council
POST WRITTEN BY
Gil Hecht

Willie Sutton robbed banks because “that's where the money is,” he once quipped. And hackers attack financial institutions for the same reason. But unlike bank robbers, for whom there really is only one commodity worth taking, bad actors who attack financials have a range of juicy targets to purloin. And from endpoints to email to a network, there are multiple ways to penetrate and infiltrate a financial organization.

And, unlike with robbers of the Sutton type who really had only two weapons at their disposal — a good gun or a good bluff — today's bad actors have a range of weapons to choose from when carrying out their robberies.

The question for institutions is whether the defenses they have match the weapons the bad actors are using. Increasingly, there is a gap between the way institutions defend themselves and the way hackers attack them. That could account for a huge increase in attacks on enterprises over the past year. According to a Malwarebytes report (via TechRepublic), "Business detections of ransomware rose 365% from Q2 2018 to Q2 2019."

One important reason for that increase is the fact that hackers are getting more sophisticated all the time, developing ever more effective malware and ever more subtle and wily ways to deliver their attacks. To successfully defend themselves, institutions need to constantly reevaluate and up their cybersecurity tactics and methods.

Banks and financial institutions, of course, realize this, and they take steps to defend and protect themselves. Regulators are also aware of this and have instituted rules requiring that protection be put in place. Those regulations are put in place after exhaustive reviews of incidents and data.

But organizations are beginning to realize they are being out-hacked — that the defenses they have in place are just not sufficient. Among the changes is the way hackers deliver their attacks. Traditionally, those attacks have been aimed at endpoints — the points where hackers can weasel their way into systems, such as via email or other communication systems. But in recent years, hackers have also been attacking other IT components like storage systems.

Regulators have been paying attention to this development as well. While there are regulations that had been aimed at endpoints, new regulations are emerging that seek to cover other components, including storage. A recent Risk Alert from the Office of Compliance Inspections and Examinations notes there were “security risks associated with the storage of electronic customer records and information by broker-dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage.” The alert states that a “configuration management program that includes policies and procedures governing data classification, vendor oversight, and security features will help to mitigate the risks incurred”; organizations need to implement one, and to ensure that service is not interrupted.

The European Central Bank has followed suit, saying that financial market infrastructure arrangements "should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity." These regulations are a must, as hackers are clearly becoming more sophisticated and ambitious.

Financial institutions are now among the biggest targets for hackers, who are going after these institutions' most critical assets.

A May outage of the accounting software services of Wolters Kluwer NV, makers of the CCH Axcess systems used by many of the world's small and midsized accounting firms, wreaked havoc in the accounting world, to the extent that the IRS provided accounting firms with an extension to file returns.

Another financial firm targeted recently was Cetrom, which provides cloud services used by many CPA firms. The company said that it had been targeted with a malicious virus, similar to the one that hit the CCH systems.

Forensic analysts for those firms are working to determine how the attack occurred, but you can be sure that it was not via the “usual suspect” channels like direct internet connections. Those are very well protected, as required by law. Still, hackers find their way in, hitting systems that companies usually do not examine for attacks.

If companies haven’t installed protections for those systems, it's time that they did. Storage systems, such as storage networks and arrays, cloud repositories and devices can all be vulnerable if they are misconfigured or fail to comply with best practices, security protection guidelines, or regulations and standards. Systems that can inspect these components and report on them to IT and InfoSec staff to allow for mitigation could be crucial in ensuring security and compliance with regulations. With these features, a storage security system can protect organizations and the petabytes of critical data within their storage systems.

Besides installing a system like that, organizations can take several steps to protect their storage systems from hackers:

1. In a network-attached storage (NAS) system, disable online access and allow only local network access. Disabling SMB could provide further protection, as could updating NAS firmware on a regular basis.

2. For in-house storage systems, ensure that basic security protocols are followed: regular changes of passwords, ensuring that device passwords are changed from their defaults, limiting access only to staff that requires access and shutting off admin accounts no longer in use. This can ensure that hackers who get access to the network are stymied in their efforts to infiltrate storage devices.

3. In general, organizations need to implement systems that will automate compliance with policies, regulations and best practices — and that applies to storage security as well. Implementing proper training, setting attainable and measurable goals, enforcing penalties and incentivizing proper behavior — these and other standard compliance assurance rules that are likely in effect already for other things need to be expanded to storage security.
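As an illustration of automating the checks in the three steps above, here is an added example (not from the original article or any vendor product) that audits a storage inventory. The field names, the sample records and the two policy thresholds are assumptions made for the example; a missing field is treated as a finding rather than as compliant.

```python
from datetime import date

MAX_FIRMWARE_AGE_DAYS = 180  # assumed policy threshold
MAX_ADMIN_IDLE_DAYS = 90     # assumed policy threshold

# Constructed sample inventory; the field names are hypothetical.
INVENTORY = [
    {"name": "nas-finance-01", "internet_exposed": True, "smb_enabled": True,
     "firmware_date": date(2018, 3, 1), "default_password": False,
     "admins": {"alice": date(2019, 9, 30),
                "old-contractor": date(2018, 1, 15)}},
    {"name": "san-array-02", "internet_exposed": False, "smb_enabled": False,
     "firmware_date": date(2019, 8, 20), "default_password": False,
     "admins": {"bob": date(2019, 10, 1)}},
]

def audit_device(dev, today):
    """Return the list of findings for one storage device record."""
    findings = []
    # Unknown settings default to non-compliant so gaps surface in the report.
    if dev.get("internet_exposed", True):
        findings.append("reachable from outside the local network")
    if dev.get("smb_enabled", True):
        findings.append("SMB enabled; disable it if not required")
    fw = dev.get("firmware_date")
    if fw is None or (today - fw).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware missing from inventory or out of date")
    if dev.get("default_password", True):
        findings.append("device password not confirmed changed from default")
    # Admin accounts map a user name to the date of the last login.
    for user, last_login in sorted(dev.get("admins", {}).items()):
        if (today - last_login).days > MAX_ADMIN_IDLE_DAYS:
            findings.append(f"admin account '{user}' no longer in use")
    return findings

def audit_inventory(inventory, today):
    """Map device name to findings, listing only devices that have any."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2019, 10, 15)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```
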

Between these steps and a secure storage system, organizations will be able to ensure that we won’t be reading about them in tomorrow’s paper as the next ransomware victims.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.