All these things apply to all sectors. It's just the Finance sector is a particular target so the risks are a bit higher.
Security vulnerabilities across the finance sector have increased more than fivefold (418 per cent) in the last four years, according to a study by NCC Group. The most common high and medium-risk vulnerabilities were found in customer-facing web apps. NCC categorised vulnerabilities found in 168 financial services …
Friday 22nd September 2017 14:16 GMT Scott Broukell
Friday 22nd September 2017 14:40 GMT ecofeco
Friday 22nd September 2017 17:12 GMT Notas Badoff
"And not as smart as they think they are."
After working through some 'improved' 'secure' connection options for enabling credit card processing for a $company, I discovered that the two banks involved didn't know which SSH programs they were using over the wire, then with that answered they couldn't say what versions they were running. Then that they hadn't thought to check for reasons to update, like vulns listed by version. Epochs of vulns given the age of those versions.
They didn't know, they didn't know, they didn't know - reads just like "they didn't care", eh? As bad as the phone companies I'd worked with and swore off. All big companies have soft spots. Start with the heads...
Friday 22nd September 2017 19:29 GMT Aodhhan
Of course it's BUNK
This goes against reports from Verizon, Gemalto, FFIEC, PCI, etc.
Unless this report by NCC Group is only on undeveloped financial sectors.
Also be weary of reports which you can't view unless you become a member. Most security reports are in the open... and this means open to scrutiny and review.
This report is provided more as a phishing scam, behind doors.
As someone who is a pen tester in the banking industry, I can tell you information security has improved greatly over the past 2 years.
Notas... if you think you were talking to an administrator, security analyst, or developer... then you're mistaken. Banks don't waste these employees time by answering questions from the general public. A helpdesk person isn't technical. Their job is to write up tickets for the experts to deal with.
Not to mention, if someone asks me what we are using for a firewall, protocol communication app, etc... do you really think I'd tell them? THINK man.
Friday 22nd September 2017 19:41 GMT fnusnu
Sunday 24th September 2017 19:08 GMT Slx
This is the same sector that seems to think it's completely fine to process the majority of our financial transactions using a 16 digit card number + expiry date and a number printed on the back and very little else other than trust.
They also seem to think it's completely fine to protect your bank accounts with a 1960s magnetic stripe card and a 4 digit numeric pin number.
From what I can see, we get all up in arms if our email accounts don't have two-factor security and complicated anti-hacking measures, but we're fine with the whole notion of banks that have about as much real security as the piggy bank you had when you were 6.
Monday 25th September 2017 01:44 GMT Anonymous Coward
Out of scope vulnerabilities
'The stats look at vulnerabilities on systems "out of scope" for pen-testers but not hackers'
I'm not familiar with the concept, would anyone care to enlighten me?
"David Morgan, executive principal at NCC Group, said:"
What exactly is an 'executive principal', does s/he maintain systems, write code or test for security vulnerabilities?
"Since they are a frequent target for cybercriminals, financial services companies should be continuously monitoring for vulnerabilities and regularly updating their software, particularly when these tools form the building blocks of what are often business-critical web applications."
If you work in information technology and this is news to you then maybe you should find another career. And if your IT people aren't already doing the above then maybe you should get rid of them and hire on some competent people.
Monday 25th September 2017 19:37 GMT Anonymous Coward
I have seen some Rolls Royce, no-expense-spared, state of the art security in financial services, with so much headcount people had time to sit and watch the footie on the big screens. I've also seen bad practice that would shame your Aunty Mabel in organisations turning over mindbogglingly vast sums of money on a daily basis, with the litany of excuses I used to think had gone out of fashion twenty years ago - "it's alright, it's inside the firewall", "we've always done it this way", "well how else do you expect me to do my job?!??" and the rest. The main difference seems to be the very good orgs had retail customers, whilst the bad ones only have similarly clueless orgs - big enough to pay for a few hundred mansions and customised Range Rovers, not big enough to care about security.
When it's good, it's very very good. When it's bad... "I've seen things you people wouldn't believe". Real jawdroppers. I thought I'd seen egregious incompetence and wilful blindness -- before I got into finance I'd seen an entire database team with admin passwords taped under their keyboards and server rooms that could be opened with an Oyster card -- but the bad fin serv firms? OHHHH...
I do sometimes wonder whether my liver will pop like an overripe tomato before the massive systemic risks blow up the world or not. The ghastly thing is that the only hope I have lies in regulators. The regulators attitude is "you'll know you broke the regs if you get hacked and lose a lot of money, or your firm blows up. If that happens, we'll carry out a big investigation and then bar you from the City, five years later. " If _I_ was senior in one of those firms, I dare say that would sound like a poor trade off against another £1m bonus in the new year.