How to Tackle the Expanding Attack Surface in the Financial Industry

The proliferation of COVID-19 related threats has made cybersecurity a top concern for financial institutions in 2021. Banks are a lucrative target for cybercriminals due to the volume of highly sensitive financial and personal data they possess, which can be weaponized by cybercriminals for identity theft and fraud. In fact, there are 400,000 globally connected Internet-accessible assets between 12 of the top financial organizations in the country alone.

Bank branch closures and other business process changes caused by the pandemic forced the financial industry to accelerate digital transformation at a faster rate than other verticals. In order to continue business operations as normal, banks needed to digitally and securely onboard new customers. Institutions sought to further integrate cloud, mobile devices and web services into their infrastructure to accommodate customers seeking new digital ways to do business.

This shift led to the rapid adoption of internet-accessible assets such as mail servers, web applications, DNS servers, VPN gateways and Internet-of-Things devices. With so many assets added quickly during this time, many financial organizations may no longer have a clear picture of their expanding attack surface, putting them—and their customers—in a highly vulnerable position.

To meet the challenges brought on by this intense digital transformation, financial institutions need a force multiplier for their security strategy that allows them to leverage highly skilled security professionals, extensible technology and actionable cybersecurity intelligence to keep employees and customers secure. That is why organizations are increasingly adopting crowdsourced security programs, such as bug bounty programs or vulnerability disclosure programs (VDPs).

The Challenge of Asset Inventory

Bugcrowd recently analyzed the internet-accessible asset inventory of several top organizations in the financial industry to help security teams better understand their risk. What they found was a rapidly expanding attack surface, enticing adversaries to attack. In total, these companies had over 6,000 expired transport layer security (TLS) certificates, which indicates a lack of clear visibility into overall IT management hygiene. Understanding the complete collection of an organization’s assets plus the associated metadata of each asset continues to be a major stumbling block in information security, and the financial services industry is certainly not immune to this problem.

It has become common for organizations to lack an up-to-date inventory of what Internet-accessible assets they have exposed. Even more worrisome is that in some cases they do not know who is responsible for them, or even what their purpose is. It is a stark reality where internet-accessible asset inventories can reach five, six, or even seven-figure totals, yet many financial institutions likely do not even know where their number sits.

The lack of an inventory of internet-accessible assets directly impacts critical risk management business processes, including vulnerability scanning, regulatory compliance, third-party risk management, cyber-insurance costs, mergers & acquisitions, IT audits, and security risk scoring.

Achieving Scalable Risk Reduction

While it is clear there are many major cybersecurity hurdles for the industry to overcome, the good news is that many financial organizations have already begun augmenting their internal security teams with relevant external security expertise by turning to crowdsourced cybersecurity.

Crowdsourced security is an organized security approach wherein a number of ethical hackers are incentivized to search for and report vulnerabilities in the digital assets of a given organization, with the full understanding and awareness of the organization.

By engaging “the crowd,” internal security teams have helped in identifying and addressing vulnerabilities created by rapid changes in an organization’s digital ecosystem. Organizations can have vulnerabilities proactively disclosed before adversaries discover them and a major breach occurs.

In 2020, Bugcrowd’s Priority One report found that companies in the financial sector doubled their payouts for Priority One (P1) submissions, which refer to the most critical security vulnerabilities, from Q1 to Q2. These findings show thatthe industry responded to the challenges of the pandemic by engaging ethical hackers with strong incentives to identify new risks. This resulted in the financial services sector returning more submissions from January to October of 2020 than in all of 2019.

It is critical for financial institutions to embrace a layered “strength in numbers” approach to stay ahead of their adversaries. By making a crowdsourced cybersecurity platform an integral component of the security posture, financial organizations can ditch the ‘one-size fits all’ perspective in favor of a layered security approach with continuous access to skilled security professionals tailored to fit their needs.

Author: Ashish Gupta, CEO, Bugcrowd