Next-Generation Solutions for Next-Generation Security Risks

By Kumar Patel, Founder and CEO of Omnidya

In an increasingly digital age, the greatest risks to consumers are digital – with data breaches topping the list. Cyberattacks are launched on financial service companies 300 times more often than on companies in any other sector. In 2017, KPMG reported that at least 81% of healthcare and health insurance companies within the US had suffered a data breach; and a Financial Times report in 2018 stated that financial service companies in the UK had experienced a 500% increase in cyberattacks from the year before.

The data collected and stored by financial service companies is a popular target as it provides the greatest rewards for cybercriminals. Financial service companies store massive amounts of consumers’ personally identifiable information (PII) such as social security numbers and payment information. Once PII is breached, hackers can easily commit identity theft and leverage it in any other way imaginable: the possibilities are endless if you’re creative and devious enough.

Devastating Impacts

Even when a breach is immediately addressed and handled appropriately, it might be too late. Not only has sensitive data been accessed, but your company’s image is irreparably damaged. An example of this would be Equifax, which announced in September 2017 a massive data breach that affected 147 million of its customers. Repercussions are ongoing and the company recently reached a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories that allots $425 million to reparative measures for individuals affected by the data breach. Despite these efforts, the majority of the public still views Equifax in a negative light and scathing media attention continues.

Though phishing, ransomware, and distributed denial-of-service (DDoS) are still common attacks, methods are evolving. Not only is there a new crop of ingenious attacks to deal with, but techniques that fell by the wayside are being refined and given new life. The rising popularity of incorporating artificial intelligence (AI) into cyberattacks has even led to the creation of the most advanced class of malware yet – known as “DeepLocker.”

Identifying and closely monitoring possible vulnerable points such as customer portals, as well as implementing technical and administrative security measures throughout the company (e.g. making sure all software and firmware are up to date, mandating the use of the intranet company-wide, restricting access to rooms within company buildings), are important components of a standard security strategy.

However, a company’s responsibility to protect its consumers’ data can only be fulfilled if the internal security measures implemented progress proportionally to the risks faced. Here, we’ll review security risks and advanced methods of attack, appropriate countermeasures, and the importance of instilling acute awareness of data protection into employees.

Upgraded Attacks

Polymorphic and Metamorphic Malware

Polymorphic and metamorphic malware, forms of malware that were the go-to methods historically, have now been upgraded with new technology. Webroot reported that 93% of malware in 2018 was polymorphic. A simple way of communicating the concept of polymorphic malware would be to say that it’d be similar to Mystique from X-Men if she could also clone herself, as it constantly changes key attributes such as file names and self-encryption to avoid detection as it duplicates.

Metamorphic malware is similar to polymorphic malware because both evolve to avoid detection. The form of evolution for metamorphic malware differs, however, in that it re-codes itself as it spreads. Only 20% of its structure is actually malicious; the remaining 80% is devoted to transforming or “morphing” itself.

The first malware virus that employed polymorphic encryption, known as “1260,” was created in 1989 as part of a research project by Mark Washburn. Polymorphic malware did end up being abandoned by many in favor of newer forms of cyberattacks, but now the malware has gotten its second wind, spurred along by artificial intelligence. While polymorphic malware was previously only able to “shape-shift” a limited number of times per day, hackers now utilize AI to allow the malware to constantly mutate, making it exponentially more lethal.

Smart Phishing

Have you ever opened your email inbox to find a message from a Nigerian prince claiming to be your long-lost cousin, who also happens to be requesting payment in order to escape a tricky political situation? Or perhaps you’ve received a call that was supposed to be from your bank, but probably not from your bank, that asked you to confirm payment and account details. These attempts to obtain your sensitive information are a form of social engineering known as phishing scams.

Now, phishing scams have received a smart upgrade. In addition to leveraging personal information (sometimes acquired on the dark web) to launch highly targeted phishing scams, hackers now apply AI and machine learning to quickly identify trends and patterns, increasing the efficacy of their attacks.

Employees within your company can be easily targeted as emails within organizations are normally simplistic (e.g. john.smith@thiscompany.com). If an employee falls prey to a phishing scam, their information can be used to access company files and trigger a spiral of security problems. Thus, not only should your IT team and security experts be involved in preventing this problem, but employees at every level should be aware that they may be targeted with this tactic.

A New Class

DeepLocker

Described as a “new breed of highly targeted and evasive tools powered by AI,” DeepLocker was actually created by IBM Research in an effort to better understand how AI can be combined with existing forms of malware, and the challenges that would arise as a result.

Though combined with existing malware, IBM Research’s method of incorporating AI differentiates the tools from previous malware enough to categorize DeepLocker as “a novel class.” The AI in these tools grants them next-level evasive measures – making them nearly impossible to detect – and allows them to only deploy attack measures when they encounter specific targets. The tools can covertly hide in common applications such as video conference software – and facial recognition, geolocation, and voice recognition are a few of the factors used by the AI for target identification. For example, the developers of DeepLocker trained an AI model to recognize a specific individual and only execute ransomware once the individual had been recognized.

Ransomware is a type of malware that blocks access to data or a computer until a ransom is paid by the target of the attack. This can prove devastating for organizations like insurers where accessing and utilizing customer data is essential.

While DeepLocker was created ethically, its very existence is proof that hackers can eventually reach this level of finesse – or have already, undetected by us.

Next-Generation Security Measures

In a 2017 survey by Enterprise Strategy Group, only 30% of cybersecurity professionals believed themselves to be knowledgeable about leveraging machine learning and artificial intelligence in cybersecurity analytics and operations. Of the survey group, only 12% had implemented or were planning to implement AI-enhanced security measures. Yet, the majority of new or emerging security risks have only developed because of AI. Advanced tools such as Darktrace and CogDat can help mitigate these risks, but a robust security strategy starts with an innovative, accountable team.

Darktrace

Darktrace is pitched as the “world-leading Cyber AI,” while the company labels itself “the creators of autonomous response.” The platform leverages AI for real-time threat detection – and can even protect cloud, SaaS, and IaaS environments. 2018 research conducted by Novarica showed that 70% of insurers used cloud computing at the time, making real-time threat monitoring of these environments a must for a robust security strategy.

AzosAI – CogDat

AzosAI, based in Virginia, created the world’s first intelligent data, known as “CogDat.” The CogDat data type is combined into existing data with a form of AI called “Intelligent Agents” that embed self-protection and intelligence. The result is data that can autonomously make informed decisions in regard to its own actions and fate, implementing security on an additional level.

An Innovative Team

Advanced security tools such as Darktrace and AzosAI can be implemented, but it’s imperative that your information privacy and security team is fully fleshed out, with a combined expertise that leaves no gaps in essential IT risk management and data protection.

Hiring team members that have their thumbs on the pulse of innovations in risk management technologies and cybersecurity will keep your data security robust. If you feel that your team might not be able to handle your company’s security requirements, but lack the resources to make the necessary hires, then explore working with consultants or firms that specialize in risk management, data protection, or cybersecurity.

If you do have the resources and want to put together a data protection team that will be envied by other financial service companies, you can follow the lead from executives at JPMorganChase and PNC and scout potential recruits at international hacking competitions. But be prepared to make lucrative offers.

What’s Next

Post-Quantum Cryptography

Quantum computing, which differs greatly from classical (binary) computing in that it utilizes quantum mechanical phenomena, is still in the early stages of being leveraged. As development progresses, however, targeted security measures will need to be implemented due to the advanced cyberattacks quantum computing’s extraordinary capabilities will enable. One tactic of defense currently being explored is post-quantum cryptography. The US National Institute of Standards and Technology (NIST) made a public call in December 2016 for submissions of quantum-resistant public-key cryptographic algorithms and narrowed the selection down to 26 algorithms in January of this year. Though widespread use of quantum computing in cyberattacks is most likely not an immediate concern, ensuring that your information privacy team is well-informed on the threat’s development and prepared to develop or deploy countermeasures will keep you on the cutting-edge of security.

Preventing Employee Error

The best cybersecurity measures can be completely undone by employee error. On July 8th, a former employee of Wells Fargo, Gary Sinderbrand, received sensitive information on tens of thousands of high net-worth clients of Wells Fargo and Wells Fargo Advisors. The data was sent erroneously by Angela A. Turiano, a lawyer with a firm hired by Wells Fargo, and included names and Taxpayer Identification Numbers, as well as information on assets under management, portfolio performance, and more.

Sinderbrand’s past with the bank was stormy: he had filed lawsuits against Wells Fargo and his brother (a Wells Fargo employee) the preceding year related to compensation and defamation. With no written confidentiality agreement or protective orders in place, a less principled individual could have freely shared the data with the public. Fortunately, Sinderbrand did not share the information he received publicly, though a judge quickly ruled that he return the client data to Wells Fargo.

Ensuring that training and supervisory measures are in place for internal employees and any consultants who have access to sensitive data can prevent disastrous events such as the one just described. Offering employee training incentives when relevant, such as the Certified Information Privacy Professional (CIPP) certification from the IAPP, can help instill the value of information privacy and data protection in company culture. It is important for company members at every level to be constantly conscious of the importance of data protection.

Protecting your financial services company in a rapidly innovating world requires great effort and continuous monitoring. Not only must progressive and new threats be monitored, but the latest advancements in countermeasures must be monitored – and implemented. After all, your company’s reputation can only be as good as your data security.