Financial Services Are Still The Most Targeted Victim
Are you sure that a bank is a secure place to keep your money? Think twice! Our money in the bank is turned into numbers written on paper; it is digitally recorded rather than held as physical cash. The bad news is that when digital criminals tamper with those numbers, boom! We lose our money.

What is even worse is that, according to IBM's industry report index, finance and insurance are still the number one industry targeted by attackers. As expected, the favorite crime is still credit card identity theft, with the United States as the number one market targeted by this type of crime. The probable reason is that Americans use credit cards heavily for daily transactions.

Knowing this, it is important for every bank to check its systems on a regular basis. Financial institutions must meet regulatory requirements, and this is frequently the driver for contracting a penetration test. Penetration testing should identify vulnerabilities that arise from improper configuration and patch management processes. This is not an indictment that corporations cannot manage their infrastructure, but a testament to the reality that attackers only need to be right one time to exploit a vulnerability, whereas the IT organization needs to be right 100% of the time when managing vulnerabilities. Penetration testing is a tool in the vulnerability management arsenal that helps bridge the gap between human fallibility and the need to be right 100% of the time.

Banks have to take care of both their web-based applications and their internal banking applications. Web-based applications should be coded using secure coding practices and should be tested using automated code scanners that can identify vulnerabilities. A number of vendors provide automated web-application testing suites, as shown by the growing maturity and functionality of tools in this space. To complement the efficiency of automated scanners, manual code review of high-risk web-based banking applications is a necessity. Automated scanners should be used to test code during the development phase. Internal banking applications can be compromised in the same fashion as web-based banking applications. Secure coding practices, application testing and the use of strong authentication mechanisms are methods to minimize the risk of running internal banking applications. Here we also have to consider enforcing segregation of duties as a vital control necessary to protect the financial institution.

Testing is costly, so companies may perform a thorough penetration test once a year and then rotate between other firms for the remaining quarters of the year. This allows the hiring financial institution to compare results between vendors, and to confirm previous results with a retest that ensures no new faults have been introduced or uncovered as a result of changes to the environment. All penetration testing artifacts should be stored securely and encrypted, including hard copies, which should be shredded after a period of time. Hard copies are helpful when making comparisons from quarter to quarter during regression testing.