Security has become increasingly complex. In addition to the ordinary computer, today’s world is full of tiny computers or smart devices that have complete, functional operating systems and are connected to the internet. These Internet of Things (IoT) devices include our phones, refrigerators, thermostats, TVs, light bulbs, and even cars. While this level of connectivity provides the benefit of greater convenience in our daily lives, it has also increased the number of ways we can be compromised by attackers.
“The denial-of-service attacks that forced popular websites like Reddit and Twitter off the internet last October were enabled by vulnerabilities in devices like webcams and digital video recorders. In August, two security researchers demonstrated a ransomware attack on a smart thermostat,” said Bruce Schneier.
As institutions continue to connect more devices to the internet, the number of potential security weaknesses on their network will increase. So how can banks and credit unions use this knowledge to improve their security programs?
According to Schneier, an internationally renowned security technologist and author, there are four truths related to the current world of computer security:
- “Attack is Easier Than Defense”
According to Schneier, “Computer-security experts like to speak about the attack surface of a system: all the possible points an attacker might target and that must be secured. A complex system means a large attack surface. The defender has to secure the entire attack surface.”
Attackers work to find ways to use software and solutions in malicious ways that developers never intended. They can find the smallest security flaw or vulnerability in any system and use that to their advantage. This means financial institutions have to plug and patch each and every hole and vulnerability in all systems in order to be secure, whereas an attacker only has to find a single vulnerability in a device to be successful.
- “There are New Vulnerabilities in the Interconnections”
“The more we network things together, the more vulnerabilities on one thing will affect other things,” said Schneier. For example, attackers can penetrate a network through a DVR system, bypassing the more robust level of security of a computer. The hard truth is that the more devices you connect to your environment, the more attack surface you have due to the growing number of vulnerabilities.
- “The Internet Empowers Attackers”
“One of the most powerful properties of the internet is that it allows things to scale. This is true for our ability to access data or control systems or do any of the cool things we use the internet for, but it's also true for attacks,” according to Schneier. The internet is a powerful tool that improves efficiency for everyone, including attackers, which is why they use it to scale an attack. An attacker can connect to a network through any number of different connected devices, some as benign as a thermostat, refrigerator or light bulb. Attackers often function as a part of a community, readily sharing knowledge and experience with each other. It’s no surprise that the source code for the Mirai botnet, which was able to infect IoT devices such as DVRs, home routers, printers and IP cameras, is now available on the internet for anyone to use.
- “The Economics Don’t Trickle Down”
“Our computers and smartphones are as secure as they are because companies like Microsoft, Apple, and Google spend a lot of time testing their code before it's released, and quickly patch vulnerabilities when they're discovered,” said Schneier. Whereas vendors of DVR’s, IP cameras, printers, and consumer devices do not allocate enough resources and money to effectively secure their devices. Additionally, these devices typically have less expensive and less secure components, as well as low-end operating systems with no focus on security or patching, all of which make it is easier for attackers to use them to penetrate a network. Financial institutions must keep this in mind when adding new devices to their environments and should implement additional security layers to guard against attacks.
Improving Your Security Program
The first step to having a truly secure network is to be aware of all devices that are connected to your network. A solid asset management program enables financial institutions to know what systems they have in place, what devices they have, where they are located, and what is connected. When connecting a new device to the network, make sure passwords are secure, the device is operating with up-to-date software, and it is protected by the security layers in place.
In addition, financial institutions should have controls in place to continually scan for vulnerabilities. Firewalls and anti-malware software alone are no longer enough to protect against cybercrime. Additional security layers, like Safe Systems’ Rogue Actor Detection (RAD), enable financial institutions to identify when an intruder is present, identify curious internal employees, identify rogue internal employees, and uncover suspicious activity before any damage is done. Combined with Safe Systems’ V-Scan, a powerful network scanning tool that scans the entire network for vulnerabilities and produces an exhaustive list of all vulnerabilities that exist on each device, financial institutions can have greater visibility into their networks, giving them the confidence their organization is truly secure.