Misconfiguration Madness: Thwarting Common Vulnerabilities in the Financial Sector

Financial services are among the most attacked sectors of any industry, making it critical that developers operate at the highest level to produce secure code.

By Matias Madou · Oct. 02, 24 · Analysis

Ever since people started putting their money into banks and financial institutions, other people have sought to steal those deposits or otherwise fraudulently obtain those protected assets. When someone asked infamous 1920s-era bank robber Willie Sutton why he robbed banks, he simply replied, “Because that’s where the money is.” 

Today, much of the money held by banks and other financial institutions is in digital form, and many of the sensitive records held by those firms can be just as valuable as the digital currency itself. But the reasons behind the targeting of financial institutions by threat actors remain much the same as they were in Sutton’s time over 100 years ago: that’s where the money — and at least some valuable personal data — is kept.

As such, the financial services sector is increasingly embattled when it comes to cyberattacks. According to Verizon’s Data Breach Investigations Report, banks saw a 238% increase in attacks in 2022 from the previous year. And many of those attacks were successful, resulting in an average of $5.9 million in cleanup costs per incident according to IBM’s 2023 Cost of a Data Breach Report. And that does not account for any actual money lost or stolen.

Why Banks and Financial Institutions Make Tempting Targets

While the physical security at many banks today is impressive, with huge vaults, bullet-proof glass, silent holdup alarms, guards, and things like exploding dye packets ready to make strongarm robberies much more difficult, it’s often a different story when it comes to cybersecurity. Yes, many banks have invested in modernizing their public-facing applications, but those often need to run in tandem with 50-year-old applications and systems written in comparatively ancient computer languages like COBOL, which are long past being actively supported or updated.

The business environment itself can also make cybersecurity a challenge, especially for larger institutions, which are subject to state, national, international, and industry mandates, laws, and standards. That makes for a complex business environment that is difficult to protect without running afoul of different regulatory requirements. And adding more fuel to an already challenging fire, in recent years, financial service institutions (FSIs) have also had to deal with increasingly distributed and hybrid workforces, which significantly expands the potential attack surface and adds yet another wrinkle to the challenge of cybersecurity.

Finally, cyberattacks on banks, when successful, tend to be rather potent. For example, during the 2017 data breach affecting Equifax, 187 million customers — or more than 40% of the United States population — were potentially affected by the large-scale data theft.

In fact, many reports say that cyberattacks on banks are devastating the entire financial sector.

Protecting Financial Institutions

Financial institutions require legions of skilled security personnel in order to overcome the many challenges facing their industry. Developers are an especially important part of that elite cadre of defenders for a variety of reasons. First and foremost, security-aware developers can write secure code for new applications, which can thwart attackers by denying them a foothold in the first place. If there are no vulnerabilities to exploit, an attacker won't be able to operate, at least not very easily.

Developers with the right training can also help to support both modern and legacy applications by examining the existing code that makes up some of the primary vectors used to attack financial institutions. That includes cloud misconfigurations, lax API security, and the many legacy bugs found in applications written in COBOL and other aging computer languages.

However, the task of nurturing and maintaining security-aware developers in the financial sector won’t happen on its own. It requires precise, immersive training programs that are highly customizable and matched to the specific complex environment that a financial services institution is using.

That training regimen also requires significant flexibility so that developers can learn about the most modern aspects of cybersecurity — for example, how to eliminate API vulnerabilities — while also providing support for legacy languages like COBOL. It should also be hands-on, allowing developers to “learn by doing” in continuous contextual bursts that match what they will find in the real financial services environment they are supporting.

A Bright Future for Software Security in the Financial Services Sector

The financial services sector is always going to be one of the most attacked of any industry. That was true back when people first started using banks and is still true today. With a challenging regulatory landscape and a complex business environment, it might at first seem impossible to stop the majority of those attacks.

However, it is also one of the verticals most willing to try new cyber defense strategies and more modern training techniques. In my close work with global financial institutions, I have experienced first-hand how receptive their security leaders can be to learning programs that align developers and AppSec professionals around common security goals and that approach secure coding, in particular, with empathy for developers and how they experience security in their workflow. One US-based institution selected an upskilling solution for their cohort that allowed them to run inter-team tournaments and test the knowledge they had built, while also providing a framework for evaluating new and prospective hires and applying key learning pathways accordingly. This eventually led to a developer-driven — yet executive-endorsed — security champions program that helped each person touching code in their organization keep security front-of-mind.

Many FSI enterprises understand the immense value of having a core of security-aware developers trained in everything from modern cloud and API security to the perils found in legacy systems. They can level the playing field and deny cyberattackers room to maneuver. That requires both a highly flexible and customizable training regimen and the creation of a cohesive security culture.

By providing that kind of training alongside things like incentives for security champions and privilege-based initiatives where only the best, most security-aware developers who have completed their training are allowed to work with critical assets, financial services firms can create a bulwark against even the most determined attackers. And yes, they can keep their data, users, and digital money safe, even in the face of these unprecedented, challenging times.
