Organizations in financial services industries are being specifically targeted in Web attacks, according to a principal for a large accounting and consulting firm. And those attackers increasingly are highly sophisticated criminals, not the hackers of the past.
These attackers “know what assets they’re going after and they’re going after you in a very orchestrated way,’’ according to Edward Powers, principal, Deloitte & Touche.
In fact, for these “criminal elements,’’ cybercrime is now replacing drug trafficking as a primary source of revenue, he told technology and operations executives at a Wall Street Technology Association conference on managing the risks of running information systems in capital markets.
The cybercriminals are getting quite specific about the data and the infrastructure they want to capture or control, he said. And the means of entry increasingly is increasingly an electronic form of “social engineering,’’ where the criminals use available information on the Web to figure out the access controls used by a company – and the passwords and other identification controls that are associated with persons inside an organization. Particularly, at a high level in the organization, such as a chief executive or chief financial officer.
These “adversaries” use "digital exhaust" left by the executives or their firms, on public sites, he said. Much information is pulled from social media sites such as Facebook or LinkedIn to figure out the professional background of individuals and any affinities that can be leveraged.
They build profiles of the executives and board members to conduct identity theft or execute attacks, by gaining access to networks and accounts where the individual is a trusted user. He calls the practice “spear-phishing,’’ for the highly targeted techniques used to pull in personal information that is public.
The initial attacker, however, is not likely to be trying to steal directly from the target individual or organization, Powers said.
"When you're attacked as an organization for your data or for control of a piece of your infrastructure or whatever it might be, in all likelihood, the people who are attacking you are not actually using what they take from you for direct financial gain,’’ he said. “They're usually selling that off, whether it be sensitive data or whether it be control of critical pieces of your infrastructure that can be leveraged, they are selling that off to other criminal parties in this very highly evolved underground economy."
The growing use of mobile devices, such as smart phones and tablets, is exacerbating the problem, as is the use of social networks, even in a person’s off-time. He recommends leaving mobile phones at home or office, when traveling and using temporary alternatives.
"This really goes beyond organized crime into a broader underground economy evolved around targeting your organizations and trying to exploit this new spectrum of vulnerabilities,''' he said.
Making matters worse: most corporate security teams are not staffed to ward off organized attacks or state-sponsored attacks, which now occur regularly. Because the numbers can grow swiftly, from all parts of the globe
For instance, MasterCard and other payment processors were quickly targeted by a worldwide set of invisible attackers when they cut off payments to WikiLeaks after its release into the public domain of thousands of military and diplomatic documents about American operations that could have threatened American lives.
“Most security teams are frankly out-resourced" in people and time, against well-organized criminal elements, state-sponsored attackers and communities of ‘hacktivists,’’ Powers said.
In the past month, Nasdaq OMX Group disclosed that attackers had come close to infiltrating a Web application it calls Directors Desk, which allows boards of directors of public companies to communicate on sensitive subjects, securely.
Also, the Financial Industry Regulatory Authority fined a Lincoln Financial brokerage firm and a Lincoln Financial advisory firm a total of $600,000 for failing to protect 1 million customer records from being accessed improperly through Internet browsers.
The independent regulator of brokers said it fined Lincoln Financial Securities of Concord, N.H., $450,000 and Lincoln Financial Advisors of Fort Wayne, Ind., $150,000 for failure to protect customer information from public access.
In that case, FINRA said LFS failed to require brokers working remotely to install security software on their personal computers when conducting business.
FINRA also found that LFS failed for seven years and LFA for two to keep current and former employees from sharing log-in credentials that permitted them to access customer records from anywhere, using an Internet browers.
As a result, customer names, addresses, social security numbers, account numbers, account balances, birth dates, email addresses and transaction details were at risk.