Attack Surface

The financial services industry has always been at the forefront of technology adoption, but the 2020 pandemic accelerated the widespread use of mobile banking apps, chat-based customer service, and other digital tools. Adobe's 2022 FIS Trends Report, for instance, found that more than half of the financial services and insurance firms surveyed experienced a notable increase in digital/mobile visitors in the first half of 2020. The same report found that four out of ten financial executives say that digital and mobile channels account for more than half of their sales – a trend that's only expected to continue in the next few years.

As financial institutions expand their digital footprint, they have more opportunities to better serve their customers – but are also more exposed to security threats. Every new tool increases the attack surface. A higher number of potential security gaps, may potentially lead to a higher number of security breaches.

According to the Cisco CISO Benchmark survey, 17 percent of organizations had 100,000 or more daily security alerts in 2020. Post-pandemic, that trajectory has continued. 2021 had an all-time high number of common vulnerabilities and exposures: 20,141, which out-paced the 2020 record of 18,325.

The key takeaway is that digital growth in the financial industry is not stopping; therefore, cybersecurity teams will need ways to gain accurate, real-time visibility into their attack surface. From there, identify the most exploitable vulnerabilities and prioritize them for patching.

Traditional Approaches to Security Validation

Traditionally, financial institutions have used several different techniques to assess their security posture.

Breach and attack simulation

Breach and attack simulation, or BAS, helps identify vulnerabilities by simulating the potential attack paths that a malicious actor might use. This allows for dynamic control validation but is agent-based and hard to deploy. It also limits the simulations to a pre-defined playbook – which means the scope will never be complete.

Manual penetration testing

Manual penetration testing allows organizations to see how a bank's controls, for example, stand up to a real-world attack, while providing the added input of the attacker's perspective. However, this process can be costly and is completed only a handful of times per year at best. This means that it can't provide real-time insight. Additionally, the results are always dependent on the skill and scope of the third-party penetration tester. If a human were to miss an exploitable vulnerability during a penetration test, it could remain undetected until leveraged by an attacker.

Vulnerability scans

Vulnerability scans are automated tests of a company's network. These can be scheduled and run at any time – as often as desired. However, they're limited in the context they can provide. In most cases, a cybersecurity team will only receive a CVSS severity rating (none, low, medium, high, or critical) for each issue detected by the scan. Their team will carry the burden of researching and resolving the issue.

Vulnerability scans also pose the problem of alert fatigue. With so many real threats to deal with, security teams in the financial industry need to be able to focus on the exploitable vulnerabilities that can potentially cause the most business impact.

A Silver Lining

Automated Security Validation, or ASV, provides a fresh – and accurate – approach. It combines vulnerability scans, control validation, real exploitation, and risk-based remediation recommendations for complete attack surface management.

ASV provides continuous coverage, which gives financial institutions real-time insights into their security posture. Combining both internal and external coverage, it provides the fullest possible picture of their entire risk environment. And, because it models the behavior of a real-life attacker, it goes much further than a scenario-based simulation can.

How the Financial Industry is Using ASV

It (almost) goes without saying that banks, credit unions, and insurance companies need a high level of security to protect their customers' data. They must also meet certain compliance standards, such as FINRA and PCI-DSS.

So: how are they doing it? Many are investing in automated security validation tools that show them their true security risk at any given time, then using those insights to create a roadmap for remediation. Here's the roadmap that financial institutions like Sander Capital Management are following:

Step 1 Knowing their attack surface

Using Pentera to map their web-facing attack surface, they're gathering a complete understanding of their domains, IPs, networks, services, and websites.

Step 2 Challenging their attack surface

Safely exploiting the mapped assets with the latest attack techniques, they're uncovering complete attack vectors – both internal and external. This gives them the knowledge they need to understand what's truly exploitable – and worth the resources to remediate.

Step 3 Prioritizing remediation efforts by impact

By leveraging attack path emulation, they can pinpoint the business impact of each security gap and assign importance to the root cause of each verified attack vector. This gives their team a much easier-to-follow roadmap to protect their organization.

Step 4 Executing their remediation roadmap

Following a cost-effective remediation list, these financial organizations are empowering their security teams to resolve gaps and measure the impact of their efforts on their overall IT posture.

When it comes to your organization: do you know where your weakest links are so you can resolve them before an attacker uses them against you?

If you're ready to validate your organization against the latest threats, request a free security health check.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.