As the COVID-19 pandemic continues to take its toll on the economy, we recognize more clearly than ever that financial services are among a select group of critical economic services, and it is paramount that they remain secure and operational.
To assess the cyber risk posture of the financial services industry, Forescout Research Labs recently harnessed the power of the Forescout Device Cloud – a repository of more than 11 million customers’ enterprise devices. Forescout examined 100 large financial services deployments with over 8,500 virtual local area networks (VLANs) and nearly 900,000 devices. Researchers analyzed each device according to its place in the network and the risk it poses to core business applications, such as the central Configuration Management Database (CMDB). Our data insights underscore the growing risk that malware poses to the financial sector.
Here are a few takeaways from the report: Banking on Security: Leveraging Device Data to Manage Risk in Financial Services:
Financial services networks are remarkably flat
While the financial services industry excels in device visibility when compared to industry counterparts such as energy and healthcare, networks in financial services are remarkably flat. This is significant because flat networks lack proper segmentation and therefore expose core network applications to wide-open lateral movement of malware. By compromising a seemingly innocuous IoT device—a printer, POS system or any number of OT devices on peripheral networks, a cybercriminal can move unimpeded and do significant damage in flat network architectures.
According to our research, nearly half of financial services POS systems (45%) are neighbored by printers. Over all, 63% of POS systems have a printer or non-financial IoT device neighbors, highlighting the flat nature of the typical POS network and areas where risk is most prevalent. Without a robust device segmentation strategy and the tools to enforce strict policy on these devices, Active Directory-joined devices accessing banking and financial services present a severe risk to financial organizations. Still worse, IT, OT and IoT device networks that are AD-joined continue to expand and connect to the core networks and data centers of banks.
Financial services need to monitor and secure IoT and Operational Technology (OT) devices
Considering that 45% of all non-enterprise IoT devices within the financial services networks are printers, followed by OT devices, such as interruptible power supply appliances (UPS) and programmable logic controllers (PLCs) at 14%, the risk of cyberthreats traversing network domains is higher in flat networks with limited device segmentation strategies. This approach is inconsistent with Zero Trust best practices. Key IT infrastructure such as the data center could be exposed to undue risk due to vulnerable connected devices elsewhere in the infrastructure.
Operating system updates are critical
Of all the managed Windows devices within financial services firms gathered from the Forescout Device Cloud, 70.89% were found to be running up-to-date versions of Windows, while 28.62% were running unsupported Operating Systems (OS) and must enter the Microsoft Extended Security Updates (ESU) program that began on January 14th, 2020. Legacy Windows OSes, such as Windows XP and Windows Server 2003, are fragile systems that, although rare (0.48%), still constitute a significant risk to financial networks today.
Additionally, 29% of Windows OS devices required patching to address the BlueKeep vulnerability, 16% of devices were running RDP services where BlueKeep may originate, and 27.55% of Windows devices were running Windows 7, which is now unsupported by Microsoft. A looming procurement challenge remains on the horizon, with 28.62% of the financial services Windows device fleet losing support and requiring paid maintenance in Microsoft’s ESU program.
Securing the Financial Services Industry
Since the advent of the age of IoT, the likelihood of lateral movement of malware has grown—and this is certainly the case for financial services. Cybersecurity stakeholders within financial services organizations must invest in comprehensive segmentation strategies built upon accurate and up-to-date asset inventories to support ongoing device fleet procurement at scale. Every IP-enabled asset in the CMDB inventory is a device that should be governed by a timely, well-orchestrated security policy.