Small banks and credit unions increasingly under cyber attack

Ransomware, spear phishing intensify as criminals probe weak defenses


By now, every one of 6,000-plus community banks and nearly 7,000 credit unions in the United States should be well aware of the risk of being targeted for a cyber attack by well-funded, determined criminals.

Being aware is one thing. Appropriately mitigating this rising risk is quite another. And there remains a big opportunity to help small financial institutions do much better at defending themselves.

Recognizing this, Jeff Lunsford, a naval aviator-turned-tech-investor, and Edgardo Nazario, a Yale graduate and former product management vice president at Limelight Networks, launched Seattle-based tech security startup Praesidio in early 2014.

Company name change: On June 2, 2016, Praesidio announced a new company name: DefenseStorm.

Nazario is Praesidio’s CEO and Lunsford is the company chairman. The company’s core technology is called Guardian. It is a cloud service intended to be added to the stack of security services the bank or credit union already has in place.

Guardian is designed to serve as a cloud-based Security Operations Center, and function as a force multiplier enabling smaller financial firms, with limited resources, to leverage shared intelligence and have security experts at their disposal without having to recruit and hire in-house experts.

ThirdCertainty recently sat down with Praesidio CTO Sean Cassidy to discuss what this tech security start-up is seeing on the front lines at smaller financial institutions. This text has been edited for clarity and length.

3C: So what attack patterns are you seeing?

Sean Cassidy, Praesidio CTO and co-founder

Cassidy: We’re seeing a lot of attacks on networks that have less monitoring and fewer defenses. We’re seeing a lot of ransomware, where somebody downloads something they shouldn’t, it gets on the bank’s network, and it encrypts all of the files and all of the backups.

A lot of the smaller financial institutions don’t have endpoint-level protection, so ransomware has become like a plague. It’s spreading everywhere, and it’s getting very sophisticated. And it’s getting very expensive, in the tens of thousands of dollars, to decrypt files.

3C: How troublesome can it be if you get hit by ransomware?

Cassidy: Very troublesome. If the bank doesn’t have a good backup strategy, this can be devastating. You have to pay the ransom to get your files back. And the attackers are getting better at evading simple detection. It used to be when you saw a bunch of files change at once (being encrypted by the attacker), then you’d know that’s a ransomware attack. Now we’re seeing encryption slowly trickle in over weeks or months.

3C: What about spear phishing?

Cassidy: We’re seeing a huge spike in very sophisticated spear phishing, where they actually target known bank employees. The attackers look them up on social media, they might even try to get a home address for them from public voting records. And then they might use the fact that you were just promoted, and say, “Hey, great job on the promotion, could you just review this press release for me?” They’ll make it look like it’s coming from marketing. So the press release looks good, but the Word document is actually infected.

3C: Why are smaller financial institutions being targeted?

Cassidy: Attackers are now attacking smaller banks and credit unions because their defenses are slightly weaker. Once inside, they can pivot to the bank’s larger partners, either other bigger banks, or to vendors that they’re directly connected to.

3C: What does Praesidio bring to the table?

Cassidy: When a bank buys our product, they send all of their security data to our cloud service, and we use advanced anomaly detection and threat intelligence to detect when there are suspicious actors on their network and then inform them about it.

3C: How do you sell this to a bank president who thought somebody was already doing this?

Cassidy: Traditional solutions really just monitor your firewall and your external gates, but that’s not enough. You need to monitor your internal network traffic, as well. We’ve seen a lot of attackers that pivot within the network. And from the outside, it doesn’t look like anything really bad is happening. So we have internal network sensors monitoring all endpoints. We take all those logs and data up to our cloud service to be analyzed.
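Cassidy's earlier point about ransomware detection, that the old "many files changed at once" rule misses encryption that trickles in over weeks, is easy to see in code. The following is an added illustration written for this article; it is not Praesidio or DefenseStorm code and assumes nothing about how Guardian works. It assumes a hypothetical endpoint log of file-write events carrying the Shannon entropy of the written bytes, and runs two detectors over a constructed sample: the classic short-window burst rule, and a long-window rule that counts high-entropy rewrites regardless of pace.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format (constructed for this example, not any vendor's):
#   <ISO timestamp>,<host>,<path>,<entropy of bytes written, in bits per byte>
# Encrypted or compressed output sits close to 8.0; ordinary office
# documents usually land well below 6.0.


def parse_event(line):
    ts, host, path, entropy = line.strip().split(",")
    return datetime.fromisoformat(ts), host, path, float(entropy)


def _windowed_distinct_files(events, window, threshold, keep):
    """Shared sliding-window logic: per host, count distinct paths touched
    inside `window`; report the host once the count reaches `threshold`.
    `keep` decides which events participate at all."""
    alerts = set()
    per_host = defaultdict(deque)
    for ts, host, path, entropy in sorted(events):
        if not keep(entropy):
            continue
        q = per_host[host]
        q.append((ts, path))
        while q and ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerts.add(host)
    return alerts


def burst_alerts(events, window=timedelta(minutes=5), threshold=20):
    """Classic rule: many distinct files rewritten on one host within minutes.
    Entropy is ignored, so it fires on any mass rewrite."""
    return _windowed_distinct_files(events, window, threshold, keep=lambda e: True)


def trickle_alerts(events, window=timedelta(days=30), high_entropy=7.5, threshold=15):
    """Slow-trickle rule: count only high-entropy rewrites, but over a month,
    so one encrypted file per day still accumulates into an alert."""
    return _windowed_distinct_files(events, window, threshold,
                                    keep=lambda e: e >= high_entropy)


def build_sample_log():
    """Constructed sample telemetry, not real data, for three hypothetical hosts."""
    base = datetime(2016, 6, 1, 9, 0)
    lines = []
    # ws-burst: 25 files rewritten with encrypted-looking content in two minutes
    for i in range(25):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()},ws-burst,C:/share/doc{i}.docx,7.9")
    # ws-trickle: one encrypted-looking rewrite per day for 20 days
    for d in range(20):
        t = base + timedelta(days=d)
        lines.append(f"{t.isoformat()},ws-trickle,C:/share/report{d}.xlsx,7.8")
    # ws-normal: 30 ordinary low-entropy edits spread over five days
    for i in range(30):
        t = base + timedelta(hours=4 * i)
        lines.append(f"{t.isoformat()},ws-normal,C:/share/memo{i}.docx,4.3")
    return lines


def run_detectors(lines):
    events = [parse_event(line) for line in lines]
    return {
        "burst": sorted(burst_alerts(events)),
        "trickle": sorted(trickle_alerts(events)),
    }


if __name__ == "__main__":
    print(run_detectors(build_sample_log()))
```

On the constructed sample the burst rule flags only ws-burst; the trickle host never exceeds one rewrite per five minutes and slips through, exactly the evasion described above. The entropy-over-a-month rule flags both ws-burst and ws-trickle while leaving the ordinary editing on ws-normal alone. In practice the thresholds would be set from a per-host baseline rather than fixed constants, and an entropy signal needs a compressed-archive exception, but the shape of the two rules is the point.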
