In the financial sector, the global securities market is more vulnerable to short-term cybersecurity threats than the banking and payments market, foreign exchange (forex) market, and trade finance segment, new analysis shows.
BAE Systems and SWIFT, the provider of financial messaging services for banks globally, recently assessed the threats that different parts of the financial sector face from advanced persistent threat (APT) actors. They did so against a set of threat factors that might influence an APT group’s assessment of whether to develop and undertake attacks against it.
Among the factors considered were the ease with which an APT group would be able to target a particular finance market’s infrastructure and the companies using the infrastructure to conduct their business. The two organizations also analyzed the potential financial gains an APT group could make from targeting a particular finance market, the ease with which they could monetize stolen assets and repeat attacks, as well as traceability and stealth.
In addition, the researchers looked at so-called susceptibility factors to determine each financial market’s inherent vulnerabilities to cyberthreats. As part of this exercise, the researchers evaluated factors such as transactional and operational complexity, the maturity of manual and automated processes, the maturity of regulatory oversight, and the availability of mutual checks and balances for catching errant behavior. Each of the threat and susceptibility factors was then assigned a high, medium, or low severity rating.
Researchers found that the securities market faces a greater cyberthreat than other areas of the financial sector. Both the infrastructure used for activities, such as trading, equities, bonds, and derivatives, as well as the organizations using it for these purposes, are at higher risk of cyberattack than banks, forex markets, and trade finance companies dealing in international trade transactions.
One major reason is the large number of participants and infrastructures in the sector, the complexity of transactions, long chains of custody, and the generally unstructured nature of communications in the space, BAE and SWIFT found.
They assessed that attacks on security market infrastructure components, such as Electronic Trade Confirmation and Central Securities Depositories, would yield substantial returns for threat actors even though such attacks would require some effort. The kind of mischief that attackers could do in this market include manipulating data such as securities ownership and values in a central securities depository and manipulating market and reference data.
At substantially greater risk are the participants or organizations actually using the infrastructure for securities-related activities. BAE and SWIFT found varying levels of cyber maturity and nonstandard, unstructured processes in use among organizations in this space. Many organizations use faxes and emails for communication and manage critical data in spreadsheets, the two companies said. Vulnerabilities in this segment give attackers a way to do things like falsifying trade orders, falsifying instructions to security depositories, and exploiting certain market practices to steal securities.
In terms of financial gain, though, cyberattackers would likely make less from attacking participants in the securities market than they would by attacking infrastructure components, BAE and SWIFT noted in their report.
Most concerns about attacks on the financial sector have focused on the banking segments. Attacks such as the one that emptied more than $80 million from the Bank of Bangladesh in 2016 have focused considerable attention on banking system vulnerabilities. BAE and SWIFT’s study shows that, in reality, banks and payment systems are relatively less at risk compared with the securities market because the threats are somewhat better understood and because of the regulatory oversight that exists. Cashing out stolen assets is also more difficult for APT groups in the banking and payment market, the two companies assessed.
“None of the specific financial markets are necessarily safe,” says Pat Antonacci, global director of the customer security program at SWIFT. Most of the threat activity to date has been in the bank and payment system space.
There have been attacks on card networks, ATMs, distributed ledger space, and other facets of the market. But most of the success attackers have had has been on the edge of the network and not so much on the core infrastructure, Antonacci says.
APT groups have recently begun evolving their attacks to other financial markets. “The shift is happening because bad guys are going to where the money is and where there is less security,” he says.
In many cases, attackers have definite knowledge about the workings of the financial market. What is unclear is whether they are obtaining this knowledge from public sources or from insiders and other private sources. Also, when attackers gain initial access to a financial network, they tend to lay low for months together, surveying the terrain, getting to know how the system works, and understanding the checks and controls in place for detecting malicious activity. So once they are ready to execute, they have good knowledge of the system, Antonacci says.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio