4 steps the financial industry can take to address its growing attack surface

The financial services industry has always been at the forefront of technology adoption, but the 2020 pandemic has accelerated the mainstream adoption of mobile banking apps, chat-based customer service, and other digital tools. The Adobe FIS 2022 Trend Report, for example, found that more than half of financial services and insurance companies surveyed saw a noticeable increase in digital/mobile visitors in the first half of 2020. The same report found that four in ten finance executives say that digital and mobile channels account for more than half of their sales – a trend that is only expected to continue in the coming years.

As financial institutions expand their digital footprint, they have more opportunities to better serve their customers, but they are also more exposed to security threats. Each new tool increases the attack surface, and a larger attack surface means more potential entry points and, in practice, more exploitable vulnerabilities.

According to the Cisco CISO Benchmark survey, 17% of enterprises received 100,000 or more daily security alerts in 2020. Post-pandemic, this trajectory has continued. 2021 saw a record number of Common Vulnerabilities and Exposures (CVEs): 20,141, which surpassed the 2020 record of 18,325.

The main finding is that digital growth in the financial sector is not going to stop; therefore, cybersecurity teams will need ways to gain accurate, real-time visibility into their attack surface. From there, they need to identify the most exploitable vulnerabilities and prioritize them for fixing.

Traditional approaches to security validation

Traditionally, financial institutions have used several different techniques to assess their security posture.

Breach and attack simulation

Breach and Attack Simulation, or BAS, helps identify vulnerabilities by simulating potential attack paths that a malicious actor could use. This allows for dynamic control validation, but is agent-based and difficult to deploy. It also limits simulations to a predefined playbook, which means the scope will never be complete.

Manual penetration testing

Manual penetration testing allows organizations to see how a bank’s controls, for example, resist an actual attack, while providing additional input from the attacker’s perspective. However, this process can be expensive and is only done a handful of times a year at best. This means that it cannot provide real-time information. Moreover, the results always depend on the skills and scope of the third-party penetration tester. If a human missed an exploitable vulnerability during a penetration test, it could remain undetected until exploited by an attacker.

Vulnerability scans

Vulnerability scans are automated tests of a company’s network. These can be scheduled and run at any time – as often as desired. However, they are limited in the context they can provide. In most cases, a cybersecurity team will only receive a single CVSS severity rating (none, low, medium, high, or critical) for each issue detected by the scan, with no indication of whether the issue is actually exploitable in their environment or what it would cost the business if it were. The team then bears the burden of finding and fixing the problem.

Vulnerability scans also pose the problem of alert fatigue. With so many real threats to manage, financial industry security teams need to be able to focus on exploitable vulnerabilities that can have the greatest impact on the business.

A silver lining

Automated Security Validation, or ASV, provides a new and accurate approach. It combines vulnerability scans, control validation, actual exploitation, and risk-based remediation recommendations for comprehensive attack surface management.

ASV provides continuous coverage, giving financial institutions real-time insight into their security posture. Combining both internal and external coverage, it provides the most complete picture possible of their entire risk environment. And, because it models the behavior of an actual attacker, it goes much further than a scenario-based simulation.

How the financial industry uses ASV

It (almost) goes without saying that banks, credit unions and insurance companies need a high level of security to protect their customers’ data. They must also meet certain compliance standards, such as FINRA and PCI-DSS.

So: how do they do it? Many invest in automated security validation tools that show them their true security risk at all times, then use that information to create a roadmap for remediation. Here is the roadmap followed by financial institutions like Sander Capital Management:

Step 1: Know their attack surface

By using Pentera to map their web attack surface, they gain a complete understanding of their domains, IP addresses, networks, services and websites.

Step 2: Challenge their attack surface

By safely exercising the mapped assets with the latest attack techniques, they uncover the complete set of attack vectors – both internal and external. This gives them the knowledge they need to understand what is really actionable — and worth the resources to fix.

Step 3: Prioritize remediation efforts by impact

By leveraging attack path emulation, they can identify the business impact of each security vulnerability and assign importance to the root cause of each verified attack vector. This gives their team a much easier roadmap to follow to protect their organization.
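The two ideas above (a raw CVSS rating from a scanner says nothing about exploitability or business impact, and remediation should be ordered by verified impact and grouped by root cause) can be made concrete with a small triage script. This is an added example, not Pentera's code or the article's; the findings, asset criticality scale (1 = lab system, 5 = core banking system), and the scoring weights are constructed for illustration.

```python
"""Rank vulnerability-scan findings by validated exploitability and business impact.

Constructed example: the findings, assets and root causes below are made up,
and the criticality scale and scoring weights are assumptions, not a standard.
"""
from collections import defaultdict
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (the only context a scanner usually gives)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float
    asset_criticality: int  # assumed scale: 1 (lab box) .. 5 (core banking system)
    validated: bool         # True if a safe, authorized validation run actually reached the asset
    root_cause: str         # the underlying misconfiguration or missing patch behind the finding


def rank_by_cvss_only(findings):
    """What a plain scanner report gives you: sorted by base score, no environment context."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def priority_score(f: Finding) -> float:
    """Validated findings outrank unvalidated ones regardless of CVSS;
    within a tier, business impact = cvss * asset_criticality (range 0..50)."""
    impact = f.cvss * f.asset_criticality
    return impact + (100.0 if f.validated else 0.0)


def rank_findings(findings):
    """Risk-based order: proven attack vectors on critical assets first."""
    return sorted(findings, key=priority_score, reverse=True)


def remediation_plan(findings):
    """Group findings by root cause: one fix closes every vector that depends on it."""
    by_cause = defaultdict(list)
    for f in findings:
        by_cause[f.root_cause].append(f)
    plan = []
    for cause, group in by_cause.items():
        plan.append({
            "root_cause": cause,
            "findings": sorted(x.finding_id for x in group),
            "priority": max(priority_score(x) for x in group),
            "validated_vectors": sum(1 for x in group if x.validated),
        })
    # Highest priority first; break ties by how many findings the fix closes.
    plan.sort(key=lambda p: (p["priority"], len(p["findings"])), reverse=True)
    return plan


# Constructed sample scan output enriched with validation results and asset context.
SAMPLE_FINDINGS = [
    Finding("F-1", "lab-vm-07", 9.8, 1, False, "unpatched OpenSSL on lab image"),
    Finding("F-2", "core-db-01", 6.5, 5, True, "default credentials on admin console"),
    Finding("F-3", "web-portal-02", 7.5, 4, True, "default credentials on admin console"),
    Finding("F-4", "file-srv-03", 5.3, 3, False, "SMB signing disabled"),
]

if __name__ == "__main__":
    print("Scanner order (CVSS only):",
          [f"{f.finding_id}/{cvss_severity(f.cvss)}" for f in rank_by_cvss_only(SAMPLE_FINDINGS)])
    print("Risk-based order:", [f.finding_id for f in rank_findings(SAMPLE_FINDINGS)])
    for item in remediation_plan(SAMPLE_FINDINGS):
        print(f"{item['priority']:6.1f}  {item['root_cause']}  closes {item['findings']}")
```

Running it shows the difference the article describes: by CVSS alone the "critical" finding on a lab VM (F-1) tops the list, while the risk-based ranking puts the two validated default-credential findings on production assets first and folds them into a single remediation item, so the team fixes one root cause and closes two verified attack vectors.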

Step 4: Execute their remediation roadmap

Following a list of cost-effective remediation actions, these finance organizations are empowering their security teams to address gaps and measure the impact of their efforts on their overall IT posture.

When it comes to your organization: do you know where your weakest links are, so you can fix them before an attacker uses them against you?

If you’re ready to validate your organization against the latest threats, request a free security checkup.
