"The bottom line, however, is that current levels of information sharing are insufficient to address the cyber threats we face, specifically with regards to the financial sector. The U.S. is currently facing sophisticated, well-resourced adversaries, and minimum security requirements are needed to harden our critical infrastructure networks," Demarest stated.
Demarest also outlined the cyber threat landscape, noting a number of issues, including:
- "Botnets, which can harness the power of an enormous web of computers for malicious purposes, continue to evolve as well. As I speak, estimates place the total damages caused by botnets at more than $9 billion in losses to U.S. victims and over $110 billion in losses worldwide. Approximately 500 million computers are infected globally per year--translating to 18 victims per second. As botnets become more sophisticated, our techniques must evolve to keep pace. The FBI and our partners may take down one botnet, for example, but coders may alter code and rebuild their bots in fairly short order. The power and scale of botnets is particularly worth noting, as botnets have been used to attack the financial sector through DDoS attacks, and the FBI has been deeply involved in preventing such attacks and in keeping such attacks from inflicting lasting damage."
- Vulnerabilities in mobile banking pose another new and highly sophisticated danger, as mobile banking vulnerabilities may exist on mobile devices that are not patched, and malware can be developed to specifically target the use of mobile devices. One example of this type of vulnerability is the Zeus-in-the-Middle malware, a mobile version of the GameOver Zeus malware, which itself was one of the most sophisticated types of malware the FBI ever attempted to disrupt. GameOver Zeus was designed to steal banking credentials that criminals could then use to initiate or redirect wire transfers to overseas bank accounts.
- All told, the malware infected over 1 million computers worldwide and caused over $100 million in estimated losses. Zeus-in-the-Middle has not caused the same level of damage or losses as GameOver Zeus, but its very existence illustrates the risk posed to mobile platforms, where devices can be infected by malicious apps or via spear phishing e-mails, and which can then enable cyber criminals to utilize the banking credentials of targeted users on a grand scale. Current open source reporting suggests that Android OS devices remain a prime target for mobile malware--according to the 2014 Cisco Annual Security Report, for example, 99% of mobile malware in 2013 targeted the Android platform, Demarest stated.
- Recent high-profile attacks, such as those on eBay, Sony, J.P. Morgan Chase, and others, highlight vulnerabilities in some of our nation's largest companies. Regarding the threats to the financial sector in particular, such threats range in complexity, and we continue to work closely with the Secret Service, DHS, and other partners across the government. Point of sale thefts, also known as POS scams, for example, are not new, but continue to pose serious threats to the financial services industry. According to Verizon's 2014 Data Breach Investigations Report, the physical installation of a "skimmer" on an ATM, gas pump, or POS terminal to read credit card data has targeted ATMs with an overwhelming specificity--87% of skimming attacks in 2013, for example, were on ATMs.