Consequences of attacks and verification of unacceptable events

Over the first three quarters of 2022, financial organizations most often faced theft of confidential data (51% of cases) and disruption of business processes (42%). In 7% of attacks, the company suffered direct financial losses. In 6% of cases, attackers used the resources of a financial institution to carry out further attacks on its customers and other companies.

According to PwC research, almost half (49%) of company executives consider cyber threats to be one of the most influencing factors on business. Financial organizations expressed the greatest concern: 59% of respondents from this industry are afraid of cyber threats.

In Russia, the financial sector is also one of the most interested in ensuring a sufficient level of security:

The regulatory framework is constantly being improved, FinCERT maintains a continuous information exchange with organizations (more than 800 of them), and information security forums are held.

Credit and financial institutions annually account for about a quarter of the companies that turn to information security specialists for penetration testing and verification of unacceptable events. And although the financial sector is better prepared for attacks than other sectors of the economy, the overall level of protection of organizations from internal and external attackers remains insufficient. Among the financial institutions studied by Positive Technologies experts from 2021 to 2022, the experts managed to gain access to the local network in 86% of external pentests, and in half of these companies even an attacker without a high level of skill could penetrate the internal network. The exception was one bank that had ordered a pentest before and had taken all the recommendations into account: there the researchers managed to gain access only to the demilitarized zone – the buffer zone between the resources of the network perimeter and the local computer network.

During the internal pentest, in all cases, the experts managed to establish full control over the infrastructure, as well as demonstrate the possibility of gaining access to critical systems: for example, a vulnerability was identified in one of the banks, allowing more than 1,000 ATMs to be compromised.

The list of typical events unacceptable for financial organizations that information security specialists needed to verify included:

withdrawal of funds over a certain amount from the accounts of a financial institution or its clients;

suspension of operational processes of a financial institution due to unavailability of information systems;

unavailability of digital financial services for clients for a certain period of time;

distortion or destruction of information in databases (including backup copies) used in the operational activities of a financial institution;

attacks on the organization’s customers and partners through its infrastructure and digital services;

leakage of databases containing personal data of customers, banking secrecy and other confidential information.

The ways these events were carried out during the engagements vary. For example, an attacker can withdraw funds by gaining access to card processing, to banking systems with sufficient rights to perform banking operations, or by gaining remote access to ATMs with rights to upload files to the end devices. As a rule, during verification it is possible to carry out more than 70% of the designated events within a limited time frame.

Most of the critically dangerous vulnerabilities in financial organizations are associated with the lack of up-to-date software updates. In 43% of organizations, critically dangerous vulnerabilities related to the shortcomings of the password policy have been identified.
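The password-policy shortcomings mentioned above are usually found by comparing the domain's settings and the age of account passwords against a baseline. The following Python script is an added example of such a check; it is not from the report or from Positive Technologies. The baseline thresholds, the policy field names and the account records are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    """Domain-wide password settings, in the shape most directory services export."""
    min_length: int
    complexity_required: bool
    max_age_days: int        # 0 means passwords never expire
    lockout_threshold: int   # 0 means account lockout is disabled
    history_length: int      # number of previous passwords remembered


# Baseline thresholds are an assumption chosen for this example, not values from the report.
BASELINE = PasswordPolicy(min_length=12, complexity_required=True,
                          max_age_days=365, lockout_threshold=10, history_length=12)


def audit_policy(policy: PasswordPolicy, baseline: PasswordPolicy = BASELINE) -> list[str]:
    """Return the names of the policy settings that fall short of the baseline."""
    findings = []
    if policy.min_length < baseline.min_length:
        findings.append("min_length")
    if baseline.complexity_required and not policy.complexity_required:
        findings.append("complexity")
    if policy.max_age_days == 0 or policy.max_age_days > baseline.max_age_days:
        findings.append("max_age")
    if policy.lockout_threshold == 0 or policy.lockout_threshold > baseline.lockout_threshold:
        findings.append("lockout")
    if policy.history_length < baseline.history_length:
        findings.append("history")
    return findings


@dataclass(frozen=True)
class Account:
    name: str
    password_last_set: date
    password_never_expires: bool
    enabled: bool


def stale_accounts(accounts, today: date, max_age_days: int) -> list[str]:
    """Names of enabled accounts whose password is older than max_age_days or is
    exempt from expiry; a domain-wide maximum age does not cover the exempt ones."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.name for a in accounts
            if a.enabled and (a.password_never_expires or a.password_last_set < cutoff)]


# Constructed sample data so the script runs stand-alone.
WEAK_POLICY = PasswordPolicy(min_length=8, complexity_required=False,
                             max_age_days=0, lockout_threshold=0, history_length=3)
TODAY = date(2022, 10, 1)
SAMPLE_ACCOUNTS = [
    Account("svc_processing", date(2019, 3, 14), True, True),   # service account, exempt from expiry
    Account("j.smith", date(2022, 8, 2), False, True),          # rotated recently
    Account("atm_admin", date(2020, 11, 30), False, True),      # older than a year
    Account("old_contractor", date(2018, 1, 9), False, False),  # disabled, so ignored
]

if __name__ == "__main__":
    print("policy findings:", audit_policy(WEAK_POLICY))
    print("stale accounts:", stale_accounts(SAMPLE_ACCOUNTS, TODAY, BASELINE.max_age_days))
```

The account-level check matters because a compliant domain policy still leaves gaps: accounts flagged as never expiring (typically service accounts) keep their old passwords regardless of the maximum age, so they have to be listed separately.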