2018 Financial Industry Breach Analysis

If you have worked with me in the past, you have probably heard my soap box speeches about social engineering and the difference training can make.  In fact, you have probably heard it more than once and politely continued to smile and nod until I finished, then quickly retreated to your desk so you don’t have to hear it again. 

 I am happy to report that many of our clients have increased their social engineering training efforts— many are now conducting internal phishing campaigns.  Yet, this is still the most common attack reported to me by clients.  So, I decided to compare the incidents reported to me by our financial institutions against the national statistics. 

I analyzed Verizon’s 2018 Data Breach Investigations Report (the Report), comparing only the Financial Sector to information I have received from our clients and guess what-- there will still be no reprieve from my preaching about social engineering; but there will be one change.  Employees not reporting a phishing email, can be just as detrimental as clicking on the link.  Another take away is that the majority (58%) of victims of security incidents or breaches are categorized as small businesses, meaning community banks will continue to be a target.

Reported Incidents

According to the Report, there were approximately 600 reported incidents involving the Financial Sector, with almost 150 of those resulting in confirmed breaches.  While many of the attacks directed toward the Financial Sector are in the same category as previous years, the way in which they are done is changing.  Almost two-thirds of those incidents were involving Denial of Service, Botnet or attacks on ATMs. 

By far the most common attack in the Financial Sector continues to be Denial of Service.  These might not be as publicized as they once were, but they still occur more frequently than any other incident.  However, the severity of these attacks appears to be diminishing.  To quote the Report, “The data shows that these attacks on average, are more like a thunderstorm than a Category 5 hurricane.” The Report notes that most attacks were measured in minutes and the strength of the attacks had fallen to below a gigabit per second. 

ATM incidents have also stolen part of the spotlight this year and are changing in appearance.  While payment card skimmers are nothing new, they continue to be installed on ATMs by organized criminal groups. These can vary in sophistication and how easily they can be installed and detected.  Another attack which is becoming more publicized and present is ATM jackpotting. This is another form of tampering in which physical access results in software and/or hardware installation to cause the ATM to spit out money.  This attack does not require debit cards to be cloned and used, but it does involve a greater level of tampering than the card skimmer overlays.

Social Engineering

The next most prevalent and detrimental attacks facing financial institutions are Phishing and Crimeware (with Ransomware specifically dominating the category).  Overall, the Financial Sector was the 5th most targeted industry for social engineering attacks across all industries.  Phishing and pretexting represent 98% of social engineering incidents and 93% of breaches. Email continues to be the most common vector (96%). 

This is nothing new, and most of us know how effective social engineering can be.  However, there is light at the end of the tunnel.  With increased employee training and internal phishing campaigns, it appears the numbers are improving.  The Report found that most people never click phishing emails. When they analyzed the results from phishing simulations, the data showed that in the normal (median) organization, 78% of people don’t click a single phish all year. However, the Report also showed troubling statics with repeat clickers.  On average, 4% of people in any given phishing campaign will click it, and the trend suggests that the more phishing emails someone has clicked, the more they are likely to click in the future.  So how should you protect yourself from that 4%? 

The next part of the Report really shed some light on that exact question for me and changed the training tactics I recommend to my clients.  The Report stated that only 17% of phishing campaigns were reported.  It is difficult to protect yourself from a threat you are not aware of.  The Report also analyzed average clicking and reporting times.  On average the time until the first click in most campaigns is 16 minutes. Most people who are going to click a phishing email do so in just over an hour. The first report from a savvy user normally comes in around 28 minutes, with half of the reports done by 33 minutes. So, it may not be possible to catch the first click, but you could stop further potential damage with employee reporting.   It is nearly impossible to protect yourself from all phishing emails and those 4% who will always click, but if the other 96% report the email right way, you stand a much better chance of averting a potential dangerous situation.  Moral of the story: shift the practice from ignore, to prepare.    

Ransomware made up approximately one-fourth of the non-DoS/ATM incidents reported by financial institutions, but had a great impact on many smaller groups.  It was crowned as the most prevalent variety of malware (39%) found across all industries.  The way it infects networks is also evolving.  The Report stated that Ransomware is increasing in server assets over time and infections are no longer limited to the first desktop that is infected. Lateral movement and other post-compromise activities often reel in other systems that are available for infection and obscuration.  This evolving strategy is troubling because encrypting a file server or database is more damaging than a single user device.

Conclusion

To wrap up my analysis of the reported security events and breaches for financial institutions, I would still argue that phishing and crimeware, while not the most frequently occurring, have a much larger impact on the Financial Sector.  The majority of both attacks (96% for social engineering and 93% for malware) come from email. So, train employees, review your backup solution and train some more.  However, this training should include a few new points:

  • All employees should report every phishing email, every time, even if they think it’s just a test.   
  • Next, train your responders along with the phishing campaign.  Test your ability to detect a campaign, identify potential infected hosts, determine device activity post-compromise, and confirm existence of data exfiltration.
  • Lastly, keep doing it. 

Phishing tests are a great way to test both your front-line staff and responders at the same time.  Make every phishing test an incident response test as well, to help ensure when that 4% happens to you, you will know what to do.

For more information on Verizon’s 2018 Data Breach Investigations Report please visit https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf