Author: Brian Brannon

07 Mar 2018
Three Reasons Why Cybercriminals Attack Financial Institutions

Cybercrime and threats continue to be at an all-time high. An attack on a financial institution resulting in the loss of data can have a devastating effect on the organization’s revenue and reputation. In addition, the amount of time and money needed to resolve these attacks can be significant.

While we hear about cybercriminals and the effects of cybercrime, we’re left wondering, why do these criminals attack? In years past people would say cybercriminals attacked for the fun of it. However, now people turn to hacking for a variety of financial, political, and ideological reasons.

Three of the top reasons cybercriminals attack include:

Bragging Rights or Power

Some attackers, whether individuals or members of a larger group, will target large, well-known organizations with the hope that the resulting recognition or publicity will give them bragging rights within the hacker community. This was best illustrated by attacks perpetrated by a teenager named Michael Calce (aka MafiaBoy) in early 2000. These attacks brought down large websites such as Yahoo, eBay, and Dell. Calce was later arrested after bragging about his attacks on the internet via IRC.

Political or Personal Agendas

Some attackers target particular companies, websites or governments as a way of drawing attention to their own political beliefs or personal grudges. In many cases, the attackers are disgruntled employees (or former employees) of an organization looking for revenge. Other attacks in this category can be attributed to nation states who are acting on political agendas.

An example is Blue Security and its anti-spam product, Blue Frog. Attackers did not like that the organization was blocking spam so they launched a distributed denial of service (DDoS) attack on the company and the organization shut down.

One of the largest DDoS attacks was launched against KrebsOnSecurity.com in retaliation for a series the site produced on the takedown of the DDoS-for-hire service, which coincided with the arrests of two men.

Financial Gain

In today’s market, cybercriminals have found it lucrative to readily sell stolen data on the black market. Alternatively, attackers will penetrate organizations as a form of extortion, demanding payment by a deadline under the threat of an ensuing DDoS attack. Recent FBI statistics indicate that hackers were able to successfully extort more than $209 million in ransomware payments from businesses and financial institutions in Q1 2016 alone. While we hear about attacks on larger well-known organizations, it can actually be more profitable for an attacker to target smaller, lesser-known organizations since their security measures might not be as tight.

Community banks and credit unions cannot be complacent when it comes to protecting themselves and the sensitive information they hold. It is critical to defend your institution with a variety of security layers, not only firewalls and anti-malware, but additional security layers designed to guard against cybercrime. Safe Systems’ proprietary solution, Rogue Actor Detection (RAD), designed specifically for banks and credit unions, enables financial institutions to identify when an intruder is present, identify curious internal employees, identify rogue internal employees, and uncover suspicious activity before any damage is done.


28 Feb 2018
To Fight Cybercrime, Financial Institutions Must Identify Rogue Actors

Cybercrime continues to be a growing problem for community banks and credit unions. Today’s criminals continue to develop increasingly sophisticated tactics to exploit systems. The goal of an attacker is to gain access to an organization, locate and extract valuables, and avoid being discovered. These intruders are referred to as rogue actors.

What is a Rogue Actor?

There are two types of rogue actors. The first type of rogue actor is an external individual or group who enters an organization’s systems without prior authorization. This unauthorized access could come from an external attack, or through a physical presence. This physical presence could be accomplished using social engineering techniques. In this scenario, the adversary poses as a printer repair tech, or any potential vendor, and gains unauthorized physical access to your systems. The second type of rogue actor is an adversarial insider attempting to obtain unauthorized access to valuable data for personal gain or malicious intent.

How to identify a Rogue Actor?

One effective strategy to identify a rogue actor is for organizations to place decoys throughout their environment. Since there are no legitimate reasons for the decoys to be accessed, any access triggers an alert that notifies the appropriate groups of the anomalous activity. If the organization’s other security layers are bypassed, these alerts enable the organization to quickly remediate the issue. There have been several major breaches over the last few years that likely would have benefitted from these types of decoys within their organization. It is important to be aware of any suspicious activity so you can successfully mitigate risks and prevent data loss.

What is the impact of a Rogue Actor?

The impact of having a rogue actor on a network can be devastating to a financial organization, with the main risk being theft or unauthorized access of data. Financial institutions are prime targets due to the amount of sensitive data they house. A data breach at a bank or credit union not only affects that organization but also all customers or members whose personal information may be compromised or stolen. Rogue actors can then hold the compromised data for ransom or sell it on the black market.

Solution for Financial Institutions

Safe Systems’ proprietary solution, Rogue Actor Detection (RAD), is designed specifically for banks and credit unions. RAD places banking-specific decoys inside an institution’s environment. Implementing RAD will enable financial institutions to identify when an intruder is present, identify curious internal employees, identify rogue internal employees, and uncover suspicious activity to reduce dwell time and minimize damage.

It is critical to defend your institution through a variety of security layers, but firewalls and anti-malware are simply not enough anymore. This additional security layer will guard against cybercrime and help ensure your IT network is secure. On average it takes an organization 191 days to become aware of a compromise. With RAD, you can detect threats early, and remove threats before they cause any damage or loss.


21 Feb 2018
How DDOS Extortion Can Impact Your Institution

While cyber threats become more commonplace, sophisticated and damaging for financial institutions, one type of threat that has remained pervasive is the denial-of-service attack, or DoS. DoS is a cyber event where an attacker seeks to prevent legitimate users from accessing computer systems, devices or other online resources. The perpetrator floods the victim’s machine or network with false requests to overload the system and prevent legitimate access.

Cybercriminals have taken this form of attack to the next level with Distributed Denial of Service (DDoS) attacks which, while similar to a DoS attack, differ in that the incoming requests or traffic come from more than one source – something that makes them extremely difficult to stop.



To better understand the nature of a DDoS attack, consider the analogy of a supermarket. If you are a shopper and only have two or three items, you can usually go through the check-out line quickly. However, if the store only has one register open and there are several people in front of you with baskets full of groceries, they are essentially denying you service at that cash register due to the number of items that must be processed. If that same store has multiple check-out lines open, and they all have long lines, you are being blocked from the cash registers by multiple sources.

How DDoS Works

To execute a DDoS attack, an attacker sends malicious software to vulnerable devices, often through infected emails, attachments, websites and even social media, creating an entire network of infected machines and devices called a botnet. The attacker can then control the botnet remotely and use it to flood the network or target with huge amounts of random data or connection requests. The infected devices will show no signs of attack and will continue to function normally, but will have the occasional sluggish response due to the lack of available bandwidth.

The scale and sophistication of DDoS attacks have increased considerably over the years. In fact, according to a report from Verisign, one third of all downtime incidents have been attributed to DDoS attacks. Attackers often hold the organization’s website or device for ransom, performing a small example of the attack to show the victim what will happen if the ransom is not paid.

A recent botnet called Mirai reared its head in 2016 and infected unsecured internet of things (IoT) devices such as DVRs, home routers, printers and IP cameras. These devices are vulnerable to attack since they are not required to have the same level of security as computers. The Mirai botnet was responsible for DDoS attacks on several high-profile websites such as Twitter, Reddit, Netflix, and Airbnb.

Impact of DDoS Attacks on Financial Institutions

Financial institutions are prime targets for DDoS attacks due to the large amount of private data and monetary funds that they house. As they continue to expand their use of digital channels and outsourced services, the possibility of an attack increases as well.

A well-executed DDoS attack can interrupt a host of banking services including website access, ATM networks, and online banking platforms, in addition to internal systems and functions that help the bank operate and serve customers. Beyond the operational impact is the resulting damage to the institution’s brand equity and reputation when customers are prohibited from accessing their financial information and funds.

Combating DDoS Extortion

To combat DDoS extortion, financial institutions should have a solid plan in place to identify all critical services as well as vendors and the organizations that host them; know who to contact and notify in case of an attack; and ensure that all employees are trained and ready to execute the plan. In addition, financial institutions should also contact the cyber division of the FBI, the Financial Crimes Enforcement Network (FinCEN), and their local regulator to report the attack.

DDoS attacks remain unpredictable and can seriously disrupt your institution’s business operations. All financial institutions need a solid plan in place to be prepared, not if, but when a cyber event like this occurs.


14 Feb 2018
Rogue Actor Detection: Monitoring for Internal Threats to Your Institution’s Network

While financial institutions are aware of the importance of protecting their network from adversaries and possible outside attacks, many are not investing in protecting themselves against breaches coming from internal threats. These rogue actors could be an employee, an outside attacker, or another unauthorized user trying to access valuable data.

Within the last few years, several major breaches have been perpetrated by attackers exploiting a weak point within an organization and then scanning the network to gather information. While cybercriminals have certainly realized the benefits of targeting financial institutions, community banks and credit unions have been slower to realize the importance of monitoring for rogue actors and reacting to this danger.

Costly Invasions

As an example, a previously undetected hacker group, now known as the MoneyTaker group, has netted approximately $10 million in ATM network heists from at least 20 companies, including U.S. banks and credit unions, by targeting the networks banks use to transfer money. According to Group-IB, a global leader in preventing and investigating high-tech crimes and online fraud, the attackers used a form of malware that is stored in the memory of the computer, which makes it extremely hard to detect with traditional antivirus defenses. This also makes it very difficult for organizations to know they have even been hacked since all traces of the invasion are destroyed each time the machine is rebooted. On average, it can take an organization more than 200 days to discover that its network has been compromised.

Setting Out Bait

Security experts agree that a missing piece in many institutions’ security strategy is identifying unusual activity and having solid reconnaissance protection in place. One of the few ways to do this is to deploy what is known as decoy data and services onto the network. This technology serves as a trap for someone who is looking to gain illegal access to the network. Remediation processes can begin immediately once an attacker accesses the “bait” or “decoy.” Any activity on these areas will trigger an alarm, since there are no legitimate reasons to access the decoys.

Examples of decoys placed on networks typically include port scan sensors, Remote Desktop Protocol (RDP) services, SMB shares, and FTP and/or SQL services.
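The decoy principle described above (and in the earlier post on identifying rogue actors), as an added example that is not part of the original post and is not how RAD is implemented: any connection to a decoy service raises an alert, and a port scan sensor flags a source that touches several ports on an unused address in a short window. The decoy inventory, addresses, log format and scan threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical decoy inventory (constructed addresses): nothing legitimate
# ever connects to these, so a single connection is worth an alert.
DECOY_SERVICES = {
    ("10.20.0.50", 3389): "decoy RDP",
    ("10.20.0.51", 445): "decoy SMB share",
    ("10.20.0.52", 21): "decoy FTP",
    ("10.20.0.53", 1433): "decoy SQL",
}
# Hypothetical port scan sensor: an unused address that hosts no services.
SENSOR_IPS = {"10.20.0.60"}
SCAN_PORTS = 4                       # distinct ports that count as a scan
SCAN_WINDOW = timedelta(seconds=10)  # ...when seen within this window

# Constructed connection log, time-ordered: timestamp src dst dport
SAMPLE_LOG = """\
2018-02-14T09:00:01 10.20.1.15 10.20.0.10 443
2018-02-14T09:00:05 10.20.1.15 10.20.0.11 445
2018-02-14T09:02:10 10.20.1.77 10.20.0.60 21
2018-02-14T09:02:11 10.20.1.77 10.20.0.60 22
2018-02-14T09:02:11 10.20.1.77 10.20.0.60 80
2018-02-14T09:02:12 10.20.1.77 10.20.0.60 445
2018-02-14T09:03:40 10.20.1.77 10.20.0.51 445
2018-02-14T11:15:00 10.20.1.23 10.20.0.53 1433
"""

def parse(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect(log_text):
    """Return alerts as (timestamp, source, kind, detail) tuples."""
    alerts = []
    sensor_hits = defaultdict(list)   # (src, sensor) -> [(ts, port), ...]
    reported = set()                  # scans already alerted on
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse(line)
        label = DECOY_SERVICES.get((dst, port))
        if label:
            alerts.append((ts.isoformat(), src, "decoy-access", label))
        if dst in SENSOR_IPS:
            key = (src, dst)
            # Keep only hits inside the sliding window, then add this one.
            hits = [(t, p) for t, p in sensor_hits[key] if ts - t <= SCAN_WINDOW]
            hits.append((ts, port))
            sensor_hits[key] = hits
            if len({p for _, p in hits}) >= SCAN_PORTS and key not in reported:
                reported.add(key)
                alerts.append((ts.isoformat(), src, "port-scan", dst))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Traffic to the real servers in the sample produces no alerts; the same workstation that scans the sensor is later seen on the decoy SMB share, which is the kind of correlation that shortens dwell time.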

Protection for Community Financial Institutions

Many organizations that recently experienced breaches would have benefitted from implementing a solution to effectively monitor and detect unusual activity on their internal networks. Safe Systems’ Rogue Actor Detection (RAD) offers reconnaissance protection for internal networks and is designed specifically for the unique needs of community financial institutions. This helps financial institutions obtain this necessary security layer without the high cost of having to develop it themselves, enabling financial institutions to identify unusual activity and remediate the issue quickly.

For community banks and credit unions, perimeter defenses can only do so much to protect their institution and customer information. Cybercriminals will continue to develop sophisticated forms of malware and carry out targeted attacks to compromise their networks. To be truly protected, it is important for financial organizations to monitor for internal threats and stop unauthorized network users before they strike.





17 Jan 2018
Network Vulnerability: Why Scanning Your Institution’s Servers Is Not Enough

As community financial institutions continue to innovate and add to their IT infrastructure, they are unknowingly adding security threats, issues and vulnerabilities that might not be addressed by the standard security measures that are in place. Recent high-profile security breaches have shown that it can take more than 100 days for an organization to detect suspicious activity on the network. To quickly identify internal threats, network security solutions must now scan and monitor more than just servers. It is vital for community banks and credit unions to scan the entire network to provide greater visibility and monitor potential threats on all workstations and devices connected to the network. Reasons for this necessity include:

  1. Increased Vulnerabilities
     Financial institutions now have more devices and software connected to their network than ever before, driving the number of vulnerabilities upward. A single vulnerability can result in an attack on the entire network, which leads to stolen bank and customer data, a devastating effect on the organization’s revenue and reputation, and the significant costs associated with repairing the damage.

  2. More Cyberattacks in the Financial Services Industry
     Cybercrime and threats are at an all-time high, especially in the financial services industry. According to a study by Raytheon and Websense, financial services organizations see three times as many attacks as organizations in other industries. This is because financial institutions house significant amounts of valuable, financial data such as credit and debit card information, corporate bank account numbers and other personal identification documents. Cybercrime will continue to plague financial institutions so it is important to be proactive and implement solid security defenses to secure the institution and its data.

  3. Strict Regulatory Expectations Around Security
     Due to the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness. The CAT helps financial institutions weigh specific risks such as vulnerabilities in IT security measures versus controls or solutions aimed to prevent, detect and respond to these threats and determine areas for improvement. To remain in compliance with the FFIEC guidance, community banks and credit unions must scan their networks on a weekly basis to prevent cyber threats and demonstrate that they have the appropriate threat and vulnerability detection solutions in place.

Greater Network Visibility

To establish a secure IT network and be better protected in the current environment, financial institutions should employ a strategy that places many uniquely tailored layers throughout their networks, from the end-user to the internet, as well as a network security solution that scans the entire network, including all devices and workstations. It is important to implement a solution that identifies unknown vulnerabilities and reduces the risk of cyber-attacks. By scanning more than just servers, financial institutions have the ability to prioritize and address the vulnerabilities identified.

In an effort to help financial institutions better address network vulnerabilities, Safe Systems developed the V-Scan vulnerability scanning solution. V-Scan is a powerful network scanning tool that scans the entire network, both Windows and non-Windows-based devices and operating systems, and produces an exhaustive list of all threats that exist on each device. Safe Systems takes all the data collected and breaks it into different segments, creating a tailored report. With Safe Systems’ V-Scan solution in place, financial institutions will have greater visibility into their networks, providing confidence that the organization is truly secure.
