The NTT Security 2019 Global Threat Intelligence Report (registration required) is out. It reveals that 32% of all attacks observed globally targeted web applications. It also shows that finance is the industry sector that drew the most attacks globally (17%), although it was not in top place in each region.
One reason why finance and web application attacks may have topped the list is the growth in new entrants into the sector. These are predominately web-based organisations who see their competitive advantage as lower costs and better mobile access.
Kai Grunwitz, SVP NTT Security EMEA, said: “Finance is yet again on the top spot when it comes to targeted attacks, which surely is enough evidence to convince the board that cybersecurity is a must-have investment. Sadly, many financial organizations are moving forward with digital transformation but without security built-in.
“While legacy methods and tools are still quite effective at providing a solid foundation for mitigation, new attack methods are constantly being developed by malicious actors. Security leaders should ensure basic controls remain effective but they must also embrace innovative solutions if they provide a good fit and true value.”
Finance and web applications – a perfect storm
In recent years, there has been an explosion in the number of web applications allowing users to monitor their finances. The finance industry has seen this and responded to customer demand. So, too, have cyber criminals. Last year, the majority of attacks against finance relied on key-loggers and spyware.
The shift in 2018 to attacks on web applications also mirrors a significant uptake in the use of mobile banking and shopping apps. Users are being asked to use the wallets on their mobile devices to speed up online purchases. They are also being bombarded with apps designed to make shopping easier. Most of these ask the user to store a credit or debit card inside the app.
In the last month, separate reports, one from Positive Technologies and one from Aite Group and Arxan Technologies (registration required), showed that many bank applications had built-in vulnerabilities. One report claimed to have identified over 180 vulnerabilities in banking apps running on Android. The result is that the user is being put at risk by the very applications that are supposed to protect them.
What the GTIR recorded was that 46% of the attacks against finance were focused on web applications. Given the numbers above, it is likely that next year there will be a significant increase in that number.
Manufacturing, technology and healthcare also under fire
Finance is not the only industry to see itself heavily targeted. Three other sectors have come under sustained attack over the last year: manufacturing, technology and healthcare.
In the case of manufacturing, this is believed to be more focused on intellectual property than disruption. However, last year, the NTT Security Risk:Value report revealed that companies were paying up when they became victims of ransomware. For manufacturers whose business comes to a stop, paying up is often the easier solution. There are exceptions to this, as seen with the recent Norsk Hydro attack, but they are few.
For technology vendors, the attack surface is far wider. It ranges from attempts to obtain source code through to information about vulnerabilities. IoT vendors have been particular targets as cyber criminals look to get their source code onto devices as early in the cycle as possible.
Healthcare has been a target of cyber criminals for several years. The data it holds, on both the administrative and clinical sides, is highly prized. Admin data often contains details of payments, insurance policies and next of kin. This is used in phishing attacks to gain access to money. Clinical data is also used to deliver an air of verification to the attacks. After all, who is going to ignore an email from their consultant?
What makes the GTIR numbers important?
In a single word, volume. Volume of raw data, volume of attacks seen and of actionable intelligence generated. As part of the larger NTT Group, NTT Security is able to draw on the traffic passing through NTT Communications. This accounts for up to 40% of the global Internet traffic. From a security research perspective this means:
- 3.5 trillion log files analysed per year
- 6.2 billion events detected
- 10,000 alerts per day
- 20-60 incidents per day
The massive reduction from log files to incidents comes through the use of machine learning, AI and advanced analytics. Each of the actual incidents is investigated by a security analyst and a report sent to customers. Those reports contain details of the alert, what the alert means and what the customer needs to do next.
The volume of data also plays a key part in the ability of machine learning and AI technologies to be effective. While the entire security industry appears to be consumed by the promise of AI, most are working with limited data sets. The danger of that is they end up only seeing attacks against customers' infrastructure and endpoint devices.
The ability of NTT to pull that data from the Internet traffic that flows through NTT Communications means it has a very different view of attacks. What it sees is not determined by its customer base but by traffic volume. It means that the learning algorithms are working with much more diverse data than virtually any other security vendor.
For once, size really does matter.
Enterprise Times: What does this mean?
There are 50 pages in the 2019 GTIR. Despite this, the detail is sparse given everything that NTT Security has to say. What is clear is that some sectors are coming under sustained pressure and not handling it well. Importantly, the findings from the GTIR are reflected in surveys and reports from other vendors. This not only adds veracity to the GTIR but also reinforces its findings. We will look at some of the other findings in separate pieces.
For industries such as finance and healthcare, there is a long way to go before they can call themselves secure. Finance in particular has a problem, not least given the proliferation of banking apps containing vulnerabilities. As an industry that likes to position itself as a trusted advisor, it is not performing well.
It is time for finance and its developers to sort out their security. Governments are working on legislation that will increase the number of third-party apps that can access financial records and data. What is now required is evidence that those apps are secure, that the data exposed to those apps is kept secure and that the focus is on protecting the customer.