How to Identify and Address Lurking Cyber Risks in Fintech

In the cybersecurity world, fintech is widely known as a major target for threat actors. Vulnerabilities within fintech organizations can cause some of the most costly and impactful breaches in the world. As a result, it’s extremely important for fintech companies to remain vigilant against cyber attacks.

In order for fintech leaders to effectively protect their high-value targets, they need to not only address the threats right in front of them, but also the ones that could be waiting down the road. Technological development and industry shifts mean that threat landscapes can change rapidly, so it’s important that leaders always stay ahead of the curve.

In this article, we’ll look at today’s and tomorrow’s biggest threats to fintech security.

The Biggest Cyber Risks for Fintech Companies

I selected the following risks because I’m seeing them become increasingly common in engagements. Many organizations haven’t yet properly planned for them. If you haven’t encountered these risks yet, you’re very likely to in the coming months.

Living Off the Land

Living off the land is a technique in which threat actors use legitimate tooling already present on a system to gather information about an organization. Security and IT professionals rely on these same tools in their day-to-day work, so they can’t simply be blocked. That makes them attractive for threat actors to repurpose for nefarious ends.

One of the best ways to detect living-off-the-land activity is behavioral monitoring from security tools.

For example, let’s suppose that an accountant is trying to use a process monitoring tool to look at processes on their laptop. This behavior would be out of character for their duties, and frankly for any other non-IT user. Thus, it should be considered suspicious.

We can’t flag procmon usage outright, because process-monitoring tools are important for regular operations. Use of procmon by a non-IT user, however, can serve as a trigger.
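The behavioral rule described above, written as an added example (not code from the original article): process-start events are joined against a user-to-department directory, and a process-monitoring tool is flagged only when the user is outside IT or security. The log format, the tool list and the directory are all constructed here for illustration.

```python
"""Behavioral rule: flag process-monitoring tooling run by non-IT users.
Added example, not from the original article. The event format, tool list
and user-to-department directory are all constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed directory: user -> department (assumed to come from HR / IdP).
USER_DEPARTMENT = {"jsmith": "Accounting", "mlee": "IT", "rpatel": "Finance"}
# Departments for which running process-monitoring tools is routine.
IT_DEPARTMENTS = {"IT", "Security"}
# Image names of process-monitoring tools to watch (constructed list).
MONITORING_TOOLS = {"procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe"}


@dataclass(frozen=True)
class Alert:
    user: str
    department: str
    process: str
    host: str


def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value' process-start log line."""
    return dict(p.split("=", 1) for p in line.split() if "=" in p)


def evaluate(line: str) -> Optional[Alert]:
    """Return an Alert when a non-IT user launches a monitoring tool."""
    ev = parse_event(line)
    if ev.get("event") != "process_start":
        return None
    process = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if process not in MONITORING_TOOLS:
        return None  # not a tool this rule cares about
    user = ev.get("user", "").lower()
    department = USER_DEPARTMENT.get(user, "UNKNOWN")  # unknown users alert too
    if department in IT_DEPARTMENTS:
        return None  # routine for IT / security staff, so no alert
    return Alert(user, department, process, ev.get("host", "?"))


def scan(lines) -> List[Alert]:
    return [a for a in map(evaluate, lines) if a is not None]


# Constructed sample events: an accountant and an IT admin both run procmon.
SAMPLE_LOG = [
    "event=process_start host=FIN-LT-07 user=jsmith image=C:\\Tools\\Procmon64.exe",
    "event=process_start host=IT-WS-02 user=mlee image=C:\\Tools\\Procmon64.exe",
    "event=process_start host=FIN-LT-09 user=rpatel image=C:\\Windows\\notepad.exe",
    "event=logon host=FIN-LT-07 user=jsmith",
]
```

Running `scan(SAMPLE_LOG)` yields a single alert for the accountant; the IT admin running the same binary is treated as routine.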

Social Engineering

Social engineering is continuing to gain traction with threat actors both through email and text. And with groups like Scattered Spider, there’s been a rise in using voice calls for social engineering. 

The entire goal of social engineering is to trick users into giving up information. It could be through clicking a link, answering some questions, or providing other forms of information. All of these actions further enable threat actors to harm organizations.

More user awareness and education on social engineering is needed. Defining a clear chain of command for users is an easy process that can thwart a majority of social engineering.

Who’s allowed to ask me to do what? Who should I double check it with? What is the verification process for any given action? If users are trained to ask and answer these questions, you’ll see the results pay dividends in your security.

Even more importantly, being able to thwart this kind of attack requires leadership to actually follow these rules and processes.

The backdoor opens up when leaders go out of bounds by using their authority to ask for exceptions. Threat actors then pretend to be these leaders, and they imply that there are significant consequences if their requests aren’t immediately granted.

Often without thinking, people give up access to threat actors because they don’t want to face punitive action from their executives. Building a culture of security starts with the leaders following rules and processes and not skirting controls. When they don’t follow the rules, suspicious requests are indiscernible from the routine.


Third-Party Risk

Another lurking threat comes from third-party risk, also referred to as the IT supply chain.

There’s a common misconception that outsourcing an IT function to a third party absolves an organization of risk. Unfortunately, that is not the case.

In most cases, bringing in a third party creates an exponential increase in risk, because you are now responsible for the additional risk your third party may introduce while fulfilling whatever IT function you’ve outsourced.

The only way to manage this is to make sure that your contracts clearly spell out expectations for your suppliers. Contracts are especially important for determining minimum standards and penalties for non-compliance.

Configuration and Device Management

Configuration management mistakes are quite common in both fintech and IT as a whole. As more types of devices enter the realm of corporate computing, the complexity of managing security through device settings also grows.

If you have iPads, iPhones, Android phones, and Android tablets, mobile device management gets messy very quickly. For Android, there are different manufacturers, and they all ship different distributions. You could have tens of thousands of settings that need to be managed across dozens of different device types.

Add the rise of bring-your-own-device in many corporate environments, and the space is rife with holes that attackers can easily exploit due to poor configuration management.

Failing to Patch and Update Tools

Across the computing landscape, failing to patch or update remains one of the primary ways cyber criminals break into organizations.

Those that don’t have reliable and comprehensive vulnerability management, as well as comprehensive patching metrics, are at much greater risk of compromise.

This is an easy one to fix: if you apply patches, attackers are much less likely to get in.

Cloud Hosting

Recently in fintech, there’s been a huge push to move systems from on-prem to cloud hosting. Instead of requiring users to access your internal company network, you put everything in the cloud, where it is immediately available.

Cloud vulnerabilities, however, are rampant. The push to the cloud has been very rapid, and perhaps a little premature. A wide variety of cloud services is available from a number of different providers. Unfortunately, the vast majority share a common theme: pay-by-the-drink pricing.

You pay for CPU, network, storage, and many of your security tools as well. This is a common bone of contention for me. I think it is absolutely ridiculous that cloud providers are allowed to charge extra for you to buy into various security tools.

Unfortunately, that is now the reality with cloud hosting. Many cost-conscious corporations are moving their resources to the cloud and they have to make very difficult decisions about which functions and features they want to pay for, lest the cloud quickly becomes more expensive than on-prem hosting.

How Are Fintech Companies Managing These Risks?

In general, fintech orgs are usually pretty good about cyber hygiene and other technical challenges. Fintech companies tend to throw a lot of dollars at vendor specific tools that solve specific problems.

So when it comes to technical risk — got a problem, buy a tool. They’re generally very good at closing those holes. But in any large organization, things like configuration management, as well as those third-party supply chain risks, can pose significant problems.

This is due to the sheer volume and heterogeneity of their environments. An unwieldy number of suppliers or a large variation in device types can make this type of challenge overwhelming for even the best IT teams.

Also, there’s a trend gaining momentum toward consolidating infosec tools. The plethora of tools in the security portfolio, as well as the lack of integration of these tools, can easily lead to coverage gaps.

Without a single pane of glass across the infosec stack, those gaps in coverage can provide a very easy target for threat actors to gain a foothold using any of the previously mentioned techniques.

Best Practices for Identifying and Assessing Cyber Risks

There are a few different methods companies should follow for identifying and mitigating risks to their cybersecurity. I highly recommend using a risk framework or COBIT framework. Apply this framework to every application or system in the environment, as well as to each of the integrations that exist within the organization.

This puts a risk-based lens on the organization. The goal of these risk frameworks is not only to uncover risk but also to quantify it and place it on some sort of scale. Usually these frameworks focus on both the severity of the risk and the likelihood of occurrence.

If a particular risk is extremely high, but is also very unlikely to occur, then that’s probably not the best place to drop millions of dollars in the infosec budget. This is where mitigation strategies or other risk acceptance strategies come in.

One other area to mention is insider threat. Due to its design, fintech is highly susceptible to attacks from the inside. In addition to stringent background checks for all employees, behavioral-based monitoring tools are a great addition to the portfolio to look for out-of-place actions.

Also, fintech’s regulatory and compliance risk is constant. Unfortunately, that risk is also constantly changing, making this one a tough nut to crack. Having a team focused on this moving target, as well as appropriate tooling to track and mitigate the risk, is a must-have. Having such a team will help you navigate the minefield and avoid fines and penalties.

Contact Black Kilt to Identify Your Company’s Biggest Cyber Risks

Here at Black Kilt, all of our consultants have Fortune 500 and large business experience. Not only do we have a diverse array of skills, but we also pride ourselves on looking at the bigger picture.

We come in with a risk framework, look at your integrations, and we’re going to ask some of those tough questions. We’re not here to be a pushover, we’re here to solve your problems. We don’t shy away from the uncomfortable topics because those are often where your biggest cyber risks lie.

It’s our job to make sure our clients are informed in making the best decisions possible. We pride ourselves on providing the data they need to make those decisions.

If you’re looking to get started on identifying and addressing some of your cyber risks, contact Black Kilt. We’ll provide a full consultation free of charge.
