Every week there is a new headline regarding the latest data breach or newly discovered vulnerability in widely deployed software. Below, we’ve compiled a list of five threats we think will see increased importance in the upcoming year.
Zero Day Attacks
The past year has brought unprecedented levels of mainstream media attention to a number of zero day vulnerabilities including Heartbleed, Shellshock, and Poodle. A zero day vulnerability is a flaw in software, hardware or firmware that is exploited as soon as or before it becomes generally known to the public. These vulnerabilities have taken advantage of long-standing but previously undiscovered programming bugs in widely deployed software platforms. Due to the discovery and subsequent exploitation of these vulnerabilities, cyber criminals and nefarious nation-state actors have begun to take a much closer look at these previously ignored code bases. The common theme with many of these newly discovered and highly publicized vulnerabilities is that they don’t necessarily target Windows-based systems, as many other successful attacks in the past have. Instead, they were discovered in software libraries that are present on a large number of networked devices, which are often overlooked when developing a security model.
We will continue to see more sophisticated attacks on the most vulnerable part of a financial institution’s network: its employees and customers. With multiple layers of protection from IPS devices and firewalls on the perimeter of most networks, attackers rarely attempt to attack properly secured networks directly (with the exception of the previously mentioned zero day vulnerabilities). Instead, they focus their efforts on compromising one or more workstations on the bank’s internal network or the customer’s workstations. From here, the path to compromising confidential information is simpler, and obtaining even standard user credentials can allow an attacker to run further attacks and escalate their privileges to that of an administrator on the network.
Continued proliferation of social media in the banking environment has greatly increased the amount of information an attacker can gather remotely on individuals within the bank. This information can then be used to create spear phishing messages targeted at individual employees. Such a message appears to come from a co-worker within the bank but in reality contains a link to a malicious website or includes a malicious attachment disguised as something as innocuous as a spreadsheet. These same spear phishing attacks can be directed towards the bank’s customers, often appearing to come from the bank itself. With the increase in advanced phishing techniques, solid employee and customer training in how to spot a potentially fraudulent message, as well as steps that can be taken to verify the authenticity of a message, will be important tools this year.
Credit/Debit Card Theft
Banks and their customers were affected by a multitude of breaches at retailers this past year. Retailers seemed to be compromised on a nearly weekly basis, including Home Depot, Jimmy John’s Gourmet Sandwiches, P.F. Chang’s, Michaels, and many more. In October 2014, Special Agent Jason Truppi of the FBI told USA Today that in the previous 12 months, over 500 million financial records had been stolen, thanks in large part to the breaches listed above.
CryptoLocker was a fairly widespread piece of ransomware that made headlines in 2014 and impacted financial institutions and their customers. Instead of covertly infecting a system and attempting to steal confidential information as most malware does, ransomware takes the opposite approach, encrypting files and displaying a very visible message on the system demanding payment for decryption. This type of attack has proven to be successful for criminals, with the creator of CryptoLocker receiving over $3 million in ransom payments for encrypted data.
Attacks on Mobile Devices
With mobile platforms continuing to become more popular for activities such as mobile banking, it’s no surprise that attackers have started focusing more effort on developing malware that targets mobile platforms. Mobile users often don’t use the same level of caution when downloading applications and accepting pop-up windows that they would on a personal computer, leading to an environment that is easy for an attacker to take advantage of. This, coupled with the relative lack of antivirus solutions available for mobile devices, has led to a 112 percent increase in mobile malware samples detected in the past year by McAfee.