Pen testers find weaknesses in banks’ cyber security

Humans are the biggest weakness in banks’ cyber defences, but there are several others that also need attention, penetration testers have revealed. Banks have formidable barriers to external cyber attacks, but some are still vulnerable to internal attacks using social engineering, vulnerabilities in web applications and the help of insiders, a report reveals. As soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries, according to a report on cyber attacks on banks by Positive Technologies. The weakest link in bank security is the human factor, the report said, with attackers able to bypass the best-protected network perimeter easily with the help of phishing. Phishing messages can be sent to bank employees both at their work and personal email addresses, and this method for bypassing the network perimeter has been used by almost every criminal group, including Cobalt, Lazarus, Carbanak, Metel, and GCMAN, the report said. In tests by Positive Technologies, employees at 75% of banks reviewed had clicked on links in phishing messages, and those at 25% of banks entered their credentials in a fake authentication form. At 25% of banks, at least one employee ran a malicious attachment on their work computer.