
Securely Does It


October 1, 2008 02:00 PM

FST. In today’s complex arena there are many new methods being implemented by attackers that pose new threats to the financial market. What are they?

AC. The financial market is at risk from two main targets of cyber attack, which when exploited can seriously impact the availability of online services, and therefore credibility, in the eyes of customers. The first target of attack involves online transaction services that reside on servers and can be compromised by new attack methods, which are defined as “non-vulnerability attacks”. These types of attacks are executed unnoticed on the servers by existing protection technologies and result in severe service disruptions.

The second type of attack occurs directly on the client device for these financial services. In recent years the use of mobile clients has increased, which on the one hand results in broader internet connectivity options, but on the other hand also results in unsecure network environments and leaves users more exposed to different types of attacks. This exposure creates a situation in which mobile users are often the unwitting malware carriers of bots and Trojans. Some of these malwares are defined as “Financial Trojans” designed specifically to generate financially fraudulent activities against users.

FST. How do you define a “non-vulnerability-based threat” and what are the differences between zero-day (or zero-minute) threats and those defined as non-vulnerability?

AC. Non-vulnerability-based threats aim to exploit weaknesses in the server’s application that cannot be defined as vulnerabilities. They can be typified by a sequence of legitimate events – generally not associated with unusually large traffic volumes – which are used in order to break authentication mechanisms and scan the application for hidden, confidential files. More sophisticated non-vulnerability application attacks include well-chosen, repeated sets of legitimate application requests that misuse a server’s CPU and memory resources. The effect is a full or partial denial of service condition in the application.

This new attack method allows hackers to integrate well with legitimate forms of transactions and to comply with all application rules in order to pass undetected in terms of traffic thresholds or known attack signatures. For a zero-day/zero-minute attack there is always the possibility to create a signature (sooner/later) that represents a malicious code for flagging. However, in the case of non-vulnerability attacks the malicious code doesn’t exist, which makes detection and prevention difficult.

FST. How can security vendors and financial institutions overcome the challenge of detecting non-vulnerability-based threats and ensure that their security management is optimal?

AC. The challenge here is great. In order to try and prevent this new threat, organizations should look for security technologies that try to learn and identify abnormal behavior, rather than simply looking for a malicious code through signatures. The identification of the abnormal behavior should be analyzed based on both rate and rate-invariant traffic behavioral parameters, meaning that low-rate abnormal activities will also be detected.

Upon identification of the abnormal behavior, the technology must include the capability to automatically create in real-time a new type of “signature” that represents behavior rather than code. It is important to understand that this “automatic real-time signature” should have different characteristics than the traditional attack signature. There are two major differences. The first difference is that it should be generated automatically in real-time, otherwise the attack will have time to execute successfully. The second difference is that this real-time signature should be applicable only in a certain network and application environment, because abnormal usage of an application in one environment can be completely normal in another one. This lessens the incidence of false-positives or unwanted prevention of legitimate activity.

FST. What does your company have to offer financial institutions to help them stand out from their competitors in this area?

AC. Radware is the only company in the network security space that was able to develop a technology that enables the creation of behavioral real-time signatures for mitigating non-vulnerability threats. We offer it through our APSolute Immunity program of products (DefensePro IPS series) and related services. The technology is based on a number of patented behavioral analysis techniques and draws from the vast research experience we have gained over the last eight years.

Having said this, we need to remember that signature-based and behavior-based real time signature technologies form complementary solutions which cover more threats together than each one is able to cover on its own. Radware’s DefensePro product integrates both types of security technologies and thus provides a comprehensive solution to guard against emerging threats not only today but also tomorrow and well into the future.

FST. What do you envisage for the future of the security area in financial markets? What changes and trends are likely over the next five years?

AC. In general, hackers have switched their primary goal from one of “fun” to one of “profit” and therefore in the short-term we will see more and more cyber criminal organizations using attacks in order to put financial businesses under siege.

In the range of five years the financial market will focus on integrating new web technologies (defined as Web 2.0 technologies) in order to improve services to customers. This trend towards a more interactive experience for the end user will introduce more security weak points. One example being the RSS feed, where we expect to see the financial industry using RSS components to push information to the end user rather than pull it from the internet, which is how it is done today. RSS comes with its own security issues, which may be critical for financial services. It can be used to infect users with “Financial Trojans” and new methods of Phishing – all with almost no human intervention from the user side.

Avi Chesla manages Radware’s security business unit and the security roadmap for the company’s network intrusion prevention system. He is also responsible for specific patent pending applications, evaluating OEM opportunities and representing the company’s product, technology and future directions to industry analysts and major account prospects.
