Blog

Financial Services: The Value Is in the Data, but the Risk Is in the Building

David Wolf | April 9, 2020

When money was mainly kept in a vault, criminals tried to steal it from every possible angle. Today, financial data stores have replaced physical vaults. These modern vaults are accessed by critical applications across the global financial campus and are typically based in data centers within connected buildings. With financial data as the new currency, criminals are attacking these connected buildings as IP-enabled entry points to the financial campus and data center.

In today’s financial services environments, for every 100 computers there are 99 other devices, according to Forescout’s Banking on Security research report. Printers are the most common Internet of Things (IoT) device, but modern financial buildings also have automated lighting, thermostats, cameras, surveillance tools, physical security systems, and digital signage, among many other connected things. While building automation and connected devices provide many benefits, these devices are often hard to control and ripe for exploitation.

Classifying the Threats

Data for this research comes from the Forescout Device Cloud, an anonymized set of more than 10 million devices connected to Forescout customer networks. This report focuses on a subset of the data, covering over 900,000 devices connected to more than 8,500 networks at 100 large financial services organizations. Forescout software analyzes each device’s fingerprint to classify them based on vendor, model, operating system version, and observed functions.

Researchers at the Forescout Research Labs identified a wide range of devices connected to financial services networks. Just over 70 percent of connected machines were related to traditional computing: PCs, workstations, servers, and networking gear. However, almost 30 percent were other IP-connected “things”, which are more easily overlooked by security teams. These include VoIP phones, printers, surveillance cameras, energy management systems, uninterruptible power supplies, smart thermostats, and a variety of building security controls, sensors, and alarms.

The most glaring output from the analysis was the significant lack of segmentation on financial services networks, especially outside of the core network. As noted by Elisa Costante, head of the Forescout Research Labs: “Financial services networks are remarkably flat and have more devices per segment than most of the verticals we track in Forescout Device Cloud. The financial campus still has a lot to gain from further investment in network segmentation.”

Buildings Under Siege

The convergence of operational technology (OT) and IT is well underway, but not all security leaders have the IoT and OT in connected buildings within their risk management purviews—and an all-too-frequent response to this information is a shrugging “so what?”. Unfortunately, these devices pose significant physical and financial risks. Attackers are targeting common building equipment using malware called siegeware, disrupting operations, finding entry points to sensitive data, and even holding entire buildings for ransom.

Tens of thousands of publicly exposed building automation and physical security systems can be found using Shodan, a search engine for Internet-connected devices. Default passwords, hard-to-patch vulnerabilities, and other security gaps mean many of these exposed devices can be readily compromised. Attackers can—and have—changed thermostat settings, turned off lights or water, taken control of locks, and denied users access to systems by flooding them with traffic. With more technical effort, attackers can use application-hacking techniques to spoof protocols, corrupt memory, overflow buffers, and inject their own code into these devices, granting persistent access and opportunity for lateral movement.

Internet-connected video and surveillance cameras are increasingly common devices on financial services networks, representing 25% of networked IoT devices (excluding printers). Exploring the potential vulnerability of these devices, a Forescout research team demonstrated that they could drop malware onto an exposed camera, use this entry point to reach a nearby workstation, jump to an access control system, and then add or remove users, granting unauthorized access to the building or denying access to legitimate users. With control of the camera, they could spy on the building occupants, stop and start recording, and even loop old footage, just like in the movies. This is just one example of the business risks posed by these devices when they are indiscriminately added to the network.

Historical Controls for Defending the Bank Vault

The history of protecting the contents of bank vaults offers some valuable lessons for financial services firms looking to protect valuable data from connected devices.

  • As bank robbers increased their efforts to get into vaults, banks added multiple layers of protection. For today’s financial networks, those layers are enhanced visibility, comprehensive segmentation, and continuous enforcement.
  • Bank vaults use a wide array of cameras and sensors to watch who and what is near the vault. Networks need similar visibility controls to build accurate asset inventories of what is connected to the network. These device and software inventories must be dynamic, updated in real time, and include not just each device’s network address but a detailed fingerprint of what it is and what its normal operating modes are.
  • Vaults also use layers and separation to slow down potential thieves. Valuables in a vault are not simply piled on the floor and ready for looting. Thick doors and sophisticated locks may be the first line of defense, but there are multiple layers inside, including locked grills, and multiple safes or secured boxes inside the vault. Similarly, financial networks should confine devices to an appropriate network segment, with strict controls on device access, network paths, and lateral access to and from the device, based on its intended usage and minimum required zone of trust.
  • Finally, vaults have a strict set of policies about who can open them, timed locks to limit when they can be opened, and alarms set for rapid response in the event of a breach. Networks need similar mechanisms, built on a foundation of continuous monitoring of devices and their real-time compliance status. Strict policies about device connection and behavior should be defined to provide early detection of suspicious or malicious activity. Automated controls, especially for repetitive activities and standard threat reactions, such as quarantines, enhance response times and reduce staff workloads.

“For FinServ, it’s all about segmentation” said Tom Dolan, Forescout General Manager of Segmentation and Orchestration. “Once we’ve carved up the flat networks and crisply defined zones of trust, then we can really start to unlock the benefits of orchestration across the entire security portfolio. We can clearly see the FinServ need for that in this report and the data.”

Download the Forescout Research Labs’ Device Cloud report Banking on Security for practical analysis on the state of segmentation and device control on today’s financial networks.