Can We Afford the Damage of a Ransomware Attack on Financial Market Data?

The world is still picking up the pieces, dealing with the aftermath of the WannaCry ransomware attack that hit over 200,000 users in more than 150 countries. Everyone is speculating about when and where the next big cyber-attack will strike and planning how to be prepared for the next battle.

While the WannaCry attack is the new malware on the block, vying for the notorious first place in malware history, the 2014 JP Morgan Data Breach is still considered a doozy, having affected tens of millions of people and seven million businesses, a staggering total of 83 million customers. Five individuals used malware, social engineering, and spear-phishing attacks to plunder emails, addresses, phone numbers, SSNs, and other customer information, not just from JP Morgan itself but from other related financial institutions around the same time.

A Cyber Attack on Financial Market Data Could Paralyze the Markets

The speed at which the WannaCry attack spread, and the fact that it so easily infiltrated systems that are supposed to be responsible for our health and safety, is particularly troubling: if hospitals' and car manufacturers' software can be exploited so easily, financial data applications probably aren't any different, vulnerability-wise.

The Financial Industry Cybersecurity Report summed it up by saying that cybercrime has become the second most reported economic crime in PwC's Global Economic Crime Survey, and that financial institutions are prime targets. As cybercriminals find new ways to attack, breach, and exploit organizations, threat patterns such as phishing, spear-phishing, and social engineering evolve and become more sophisticated.

The 2016 Financial Industry Cybersecurity Report further lists the following findings:

  • The U.S. commercial bank with the lowest security posture is one of the top 10 largest financial service organizations in the U.S. (by revenue).
  • Only one of the top 10 largest banks, Bank of America, received an overall ‘A’ grade.
  • 75% of the top 20 U.S. commercial banks (by revenue) are infected with malware, and several malware families were discovered within these banks, including Ponyloader and Vertexnet.
  • 95% of the top 20 U.S. commercial banks (by revenue) have a Network Security grade of “C” or below.
  • Nearly 1 out of 5 financial institutions use an email service provider with severe security vulnerabilities.

The report authors summarize it all by saying that financial organizations need solutions that assess their own vulnerabilities and their vendors' vulnerabilities in real time.

Open source is everywhere. You can’t avoid it anymore. We need to manage it.

To understand today's application security challenges, we need to acknowledge that software composition has changed fundamentally in recent years. A software program today typically consists of proprietary code, open source components and commercial libraries, and open source is usually the dominant part.

Forrester's latest ‘software composition analysis’ report estimates that 60%-80% of the average software product consists of open source components. Although open source has been central to increasing software developers' productivity, it has also introduced new challenges into the software development process. The problem is that most software development and security teams have not adapted well to these new challenges and don't know how to properly address them.

The first step is to continuously manage all your software components: proprietary, third party and open source. This makes it possible to locate and mitigate vulnerabilities before hackers get a chance to exploit your organization or product.

An automated open source management solution helps organizations track their open source components continuously, alerting them when vulnerabilities are discovered and recommending the updates or patches that will protect the organization and its data from the next cyber-attack.
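As an added illustration of the continuous component tracking described above (example code written for this page, not any vendor's product), the following matches a component inventory against a vulnerability feed and reports the fixed version to upgrade to. The inventory, feed and advisory ids are constructed sample data, and the version-comparison logic shows why versions must be compared numerically rather than as strings.

```python
# Added example: a minimal dependency-vulnerability matcher in the spirit of
# the component tracking described above. Inventory and feed are constructed
# sample data; the advisory ids are placeholders, not real CVEs.
from dataclasses import dataclass


def parse_version(v):
    """'1.2.10' -> (1, 2, 10): compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version carrying the fix (exclusive)
    advisory_id: str


def is_affected(version, adv):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_vulnerable(inventory, feed):
    """Return (component, installed, advisory_id, fixed) for every inventory
    entry whose installed version falls in an advisory's affected range."""
    findings = []
    for adv in feed:
        installed = inventory.get(adv.component)
        if installed is not None and is_affected(installed, adv):
            findings.append((adv.component, installed, adv.advisory_id, adv.fixed))
    return findings


# Constructed sample data.
SAMPLE_FEED = [
    Advisory("libfoo", "1.0.0", "1.2.4", "ADV-EXAMPLE-1"),
    Advisory("libbar", "2.0.0", "2.0.10", "ADV-EXAMPLE-2"),
    Advisory("libbaz", "0.9.0", "1.0.0", "ADV-EXAMPLE-3"),
]
# libbar 2.0.10 is the fixed release: a string comparison would wrongly flag it.
SAMPLE_INVENTORY = {"libfoo": "1.2.3", "libbar": "2.0.10", "libbaz": "1.1.0"}

if __name__ == "__main__":
    for name, ver, adv_id, fixed in find_vulnerable(SAMPLE_INVENTORY, SAMPLE_FEED):
        print(f"{name} {ver}: affected by {adv_id}, upgrade to {fixed}")
```

A real deployment would read the inventory from a lockfile or SBOM and the feed from a vulnerability database, and re-run the match whenever either changes.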