The recent Silicon Valley Bank (SVB) meltdown put some of the most high-profile tech companies and venture capitalists in limbo as the go-to bank for US tech startups came rapidly undone, dragging down banking stocks around the world. Many then started wondering if the SVB crisis is the same as the 2008 Lehman Brothers collapse - an event that triggered the Great Recession.
I was involved with a couple of the institutions associated with the clean-up of the 2008 financial crisis and remember it well. The FDIC was at risk of being overwhelmed by the number of U.S. bank failures and rushed out a new application that would enable them to scale their bank takeover processes. I was on the system integrator team responsible for building and rolling out this application and ran their security team. Later, I moved over to Fannie Mae to support their post-crisis transformation, initially as a contractor, but ultimately serving as their CISO.
While the circumstances are much different than they were in 2008, the crisis around SVB reminds us of a lesson we’ve learned – financial institutions, no matter how far apart, are intertwined. Banks are interconnected through financial and operational networks and a major failure could result in a domino effect on others.
The U.S. Senate and regulators are investigating the SVB failure and potential weaknesses in the system that could spill over into the broader financial system, and are applying controls to mitigate them. The Fed asserts that SVB mismanagement and risky investments gone bad were the primary root causes. Next time, though, could the triggering event be a cascading series of cyberattacks?
Before diving into cybersecurity threats to the sector, let’s first review what the sector consists of.
What is the Financial Services Sector?
Money is often called the blood of an economy, and the financial services sector is the system that circulates money throughout, enabling transactions at all levels. From buying a movie ticket to acquiring a company, nothing avoids the touch of the financial sector.
The modern financial services sector is not a single entity but is composed of many different players, each playing an important role. The sector is comprised of banks, credit unions, and other depository institutions; lenders of all sizes; investment and securities firms and the trading facilities they use, such as stock and commodity exchanges; insurance companies and other entities engaged in risk transfer and management; government-sponsored enterprises (GSEs) like Fannie Mae and Freddie Mac, tasked with improving economy-wide capital flow; and a multitude of financial utilities and service providers working to support all of the above.
The 2023 Cybersecurity Maturity Report reflected that the financial services and energy sectors had the highest cybersecurity maturity scores among all industry sectors. This is likely due to both sectors having high regulatory requirements and increased scrutiny of cybersecurity practices. It’s good that the financial sector in general reflects a good security posture, since financial organizations are frequent targets of cyberattacks.
Threats to the Financial Services Sector
In the past, the biggest fear was that banks would be robbed physically. Now a greater fear is being hacked within a minute. In finance, where transaction speed and integrity are critical competitive differentiators, the value of a critical financial network lies in its efficiency—how quickly can money be transferred in a secure manner?
The 2022 Verizon Data Breach Report (DBIR) indicated that the financial sector continues to be victimized by financially motivated organized crime, often via the actions of social engineering (phishing), hacking (use of stolen credentials) and malware (ransomware). Miscellaneous errors, often in the form of mis-delivery, are also still very common.
In March, the FS-ISAC released its Navigating Cyber 2023 report, which agreed with the DBIR in that financial services organizations remain a prime geopolitical target. Their Cyber Threat Level is a barometer of cyber threats facing financial services. The barometer remained at Elevated for much of 2022 across all regions and remained Elevated for longer in EMEA. The FS-ISAC report identified the following cybersecurity threats to the sector:
- Geopolitical conflict goes cyber at scale as existing tensions, exacerbated by Russia’s invasion of Ukraine, sparked a flood of hacktivist activity that continues unabated. China and its goal of Taiwan unification, and Iran’s ideologically motivated attacks on Western financial institutions contribute to the geopolitical cyber threat landscape.
- Denial-of-Service (DoS) and Distributed DoS (DDoS) Attacks are increasing globally due to the increased availability of ‘as-a-service’ options and are frequently associated with extortion. While most of these attacks have low or no impact, the financial services sector remains one of the most targeted. FS-ISAC’s joint report with Akamai showed that 2022 saw a 73% increase in DDoS attacks on financial firms in Europe and a 22% increase globally compared to the previous year.
- Ransomware attacks regularly dominated headlines throughout 2022. Almost all security vendors agree that ransomware attacks are getting worse. Ransomware-as-a-service (RaaS) providers, who give affiliates access to their ransomware suite in exchange for a cut of the illegal profits, are likely to blame for this growth. Listen to our Inside Cybercrime podcast where we discuss RaaS.
- Business email compromise (BEC) has become one of the most common and costly frauds impacting firms around the world. BEC can take several forms but the most reported to FS-ISAC are payroll diversion requests or fraudulent payment requests, either as part of an impersonation scam or vendor fraud.
- Cryptocurrencies present a range of challenges to financial institutions globally. Threat groups finance their operations using cryptocurrency in ransom demands, among other methods. The increase in cryptocurrency investment holdings highlights the need for better oversight and protections for this asset class.
- Supply chain threats impacted a more digitized business environment. Open banking and APIs, mobile banking apps, and exposure to partner breaches contributed to making financial services organizations vulnerable to hackers via third parties. In 2022, the most prevalent supply chain attacks reported by members were the hijacking of software updates, fraudulent code signing, and the compromise of open-source code.
Of the threats highlighted above, I’m going to drill deeper into supply chain risks.
Software Supply Chain Risks
Software supply chain attacks within critical financial infrastructure could compromise the networks of significant players so thoroughly that the blood of the economy could be greatly impacted.
Software supply chain security is a couple of different problems rolled into one. With more open-source software (OSS) being consumed than ever before, there’s a quality problem that’s more of an unintentional insider threat. Developers can unintentionally include vulnerable OSS components or be impacted by a zero-day OSS vulnerability. An example of the latter was Log4Shell, or Log4j. With Log4j, anybody running anything with Java had to go around and manually email their vendors to figure out whether Log4j was in their products, validate the version, determine whether they were affected and, if so, what to do about it. Everyone was scrambling to determine how vulnerable they were to attack.
The other type of software supply chain risk is an integrity challenge, where threat actors get access to build machines, compromise software artifacts, etc., as shown in the figure above from SLSA. We think of these threats as coming from outside, or external, threat actors. SolarWinds was an example of this, where a nation-state threat actor used a routine software update to slip malicious code into Orion's software and then used it as a vehicle for a massive cyberattack that afflicted thousands of organizations.
The 2020 SolarWinds cyber breach was a ruinous global supply chain attack that impacted organizations from the U.S. Treasury Department to Intel and Cisco. Due to the nature of the Orion software -- and by extension the Sunburst malware -- having access to entire networks where it was deployed, many government and enterprise networks and systems faced the risk of significant breaches. The SolarWinds attack suggested the stakes may now far exceed a mere cash jackpot.
Financial providers hopefully took note of the SolarWinds attack’s lessons. The suspected threat actor group behind the SolarWinds attack has remained active and hasn't stopped at just targeting SolarWinds. In May 2021, Microsoft reported that Nobelium, the group allegedly behind the SolarWinds attack, infiltrated software from email marketing service Constant Contact. According to Microsoft, Nobelium targeted approximately 3,000 email accounts at more than 150 different organizations. The unprecedented damage done through these supply chain attacks with relative ease has emboldened others.
The security breach at CircleCI in January was another eye-opening moment for many organizations, as they saw how their overall security was impacted when an application they relied on was compromised.
And most recently, CISA announced at the end of March that there is an active supply chain attack underway by a threat actor dubbed “Smooth Operator.” This attack involves the delivery of a trojanized installer for voice and video conferencing software by 3CX to target downstream customers. The attack may have started as far back as February 2022 and could have a broad impact like SolarWinds. 3CX claims to have more than 600K customers and 12 million users in 190 countries.
Supply chain risks are not unique to the financial sector. Government and industry groups like OWASP, SLSA, and the OpenGroup are defining best practices to help in the mitigation of these risks. See the Creating a Secure Software Supply Chain You Can Trust white paper to learn more.
While guidance and technology on how to mitigate many software supply chain risks is now available, implementation of controls is taking time. A DarkReading report released in March, State of Code Security: The AppSec Maturity Marathon, noted that “While [organizations are] well aware of software supply chain attacks and feel vulnerable in that regard, most have not yet adopted dedicated tools to test APIs or code dependencies.”
The financial services sector is truly the lifeblood of our global economy. While the organizations in the financial sector are highly regulated and generally have good security postures, threat actors continue to follow the money and target them. Cybersecurity risk in the financial system has grown over time as the finance ecosystem has become more digitized, as evidenced by the increase in cyber incidents.
While financial sector organizations have some of the best cybersecurity programs, threats like software supply chain attacks could trigger a broad incident that affects the financial stability of the system. Organizations need to act to mitigate these evolving threats. Last month, Osterman Research published CISO and CIO investment priorities for Cybersecurity in 2023. The report revealed that leadership views cybersecurity as a significantly higher priority than two years ago and is continuing to invest.
OpenText Cybersecurity supports many organizations in the financial services sector. We also have solutions to help mitigate relevant threats to the sector, including software supply chain risks.
- Voltage SecureData: Major Financial Services Corporation
- Voltage SecureData: SIX
- ArcSight: National Bank of Georgia
- ArcSight Intelligence/Crowdstrike: Major Financial Services Organization
- ArcSight: Kuwait Finance House
- NetIQ Identity Manager & eDiscovery: DX Labs (Digital Lab Information)
- NetIQ Identity Manager: Helvitia
- Emerging Software Supply Chain Security Best Practices
- AppSec in the Post-Covid Environment in the Financial and Healthcare Industries
- Banks are fighting a multi-front war on fraud
- Friend or foe? Data interoperability key to trust in payments
- Could digital fax be a secret weapon for cybersecurity in financial services?
Videos: Fortify Unplugged: Software supply chain playlist
- Creating a Secure Software Supply Chain You Can Trust
- Equifax – Transforming the Organization with Fortify on Demand
- Solarwinds: Bringing down the building... Software supply-chain pressure points - John Pescatore (Director of Emerging Technology at SANS) breaks down the SolarWinds attack and vulnerabilities in the software supply chain.
- EXTRA! SEC Cyber rules forcing Corporate Boards to Pivot - The 2022 Securities and Exchange Commission's cyber security proposals are expected to finalize in the next few weeks. Hosts discuss what corporate boards and CISOs need to be doing.
- Do a little dance… time for some SLSA! - Dan Lorenc, founder and CEO of Chainguard Inc., talks about SLSA, software supply chain security risks, and his opinions on Software Bill of Materials (SBOMs).
- Log4j vulnerabilities: All you need to know and how to protect yourself – Steve Springett, ServiceNow software security leader, explains the Log4j vulnerability and its potential exploitation. He also shares approaches to mitigate OSS and software supply chain risks.