Finance sector is littered with vulns, and guess what – most can be resolved by patching

Security vulnerabilities across the finance sector have increased more than fivefold (418 per cent) in the last four years, according to a study by NCC Group. The most common high and medium-risk vulnerabilities were found in customer-facing web apps. NCC categorised vulnerabilities found in 168 financial services …

  1. 0laf

    All these things apply to all sectors. It's just the Finance sector is a particular target so the risks are a bit higher.

    1. Scott Broukell

      True enough. I suppose that when the banks etc begin to 'engage with their customers' regarding increasing amounts of compen$ation as a result of sloppy apps, only then will they get off their fat arses and actually do something about it (IT).

    2. ecofeco

      It's actually a bit more than that. The finance sector is notoriously cheap. Scrooge cheap. And not as smart as they think they are.

      So, yes, it's where the money is at, but... they are also ripe for the picking.

      1. Notas Badoff

        Eye opening

        "And not as smart as they think they are."

        After working through some 'improved' 'secure' connection options for enabling credit card processing for a $company, I discovered that the two banks involved didn't know which SSH programs they were using over the wire, then with that answered they couldn't say what versions they were running. Then that they hadn't thought to check for reasons to update, like vulns listed by version. Epochs of vulns given the age of those versions.

        They didn't know, they didn't know, they didn't know - reads just like "they didn't care", eh? As bad as the phone companies I'd worked with and swore off. All big companies have soft spots. Start with the heads...

  2. Aodhhan

    Of course it's BUNK

    This goes against reports from Verizon, Gemalto, FFIEC, PCI, etc.

    Unless this report by NCC Group is only on undeveloped financial sectors.

    Also be wary of reports which you can't view unless you become a member. Most security reports are in the open... and this means open to scrutiny and review.

    This report is provided more as a phishing scam, behind doors.

    As someone who is a pen tester in the banking industry, I can tell you information security has improved greatly over the past 2 years.

    Notas... if you think you were talking to an administrator, security analyst, or developer... then you're mistaken. Banks don't waste these employees' time by answering questions from the general public. A helpdesk person isn't technical. Their job is to write up tickets for the experts to deal with.

    Not to mention, if someone asks me what we are using for a firewall, protocol communication app, etc... do you really think I'd tell them? THINK man.

  3. fnusnu

    PHP and tomcat

    Does this report eliminate the false positives where the indicated version does receive backported security fixes?

  4. Anonymous Coward

    They don't care

    After all, it is YOUR problem.. they just paid for the compliance report and all is ok.

  5. Slx

    This is the same sector that seems to think it's completely fine to process the majority of our financial transactions using a 16-digit card number + expiry date and a number printed on the back and very little else other than trust.

    They also seem to think it's completely fine to protect your bank accounts with a 1960s magnetic stripe card and a 4-digit numeric PIN.

    From what I can see, we get all up in arms if our email accounts don't have two-factor security and complicated anti-hacking measures, but we're fine with the whole notion of banks that have about as much real security as the piggy bank you had when you were 6.

  6. Anonymous Coward

    Out of scope vulnerabilities

    'The stats look at vulnerabilities on systems "out of scope" for pen-testers but not hackers'

    I'm not familiar with the concept, would anyone care to enlighten me?

    "David Morgan, executive principal at NCC Group, said:"

    What exactly is an 'executive principal', does s/he maintain systems, write code or test for security vulnerabilities?

    "Since they are a frequent target for cybercriminals, financial services companies should be continuously monitoring for vulnerabilities and regularly updating their software, particularly when these tools form the building blocks of what are often business-critical web applications."

    If you work in information technology and this is news to you then maybe you should find another career. And if your IT people aren't already doing the above then maybe you should get rid of them and hire on some competent people.

  7. Claptrap314

    What I don't get is why the big players are using off-the-shelf solutions at all. Experian uses Struts? Why? At least make the bad guys research your specific software.

    I know--that would cost money.

  8. Anonymous Coward

    FS security

    I have seen some Rolls Royce, no-expense-spared, state of the art security in financial services, with so much headcount people had time to sit and watch the footie on the big screens. I've also seen bad practice that would shame your Aunty Mabel in organisations turning over mindbogglingly vast sums of money on a daily basis, with the litany of excuses I used to think had gone out of fashion twenty years ago - "it's alright, it's inside the firewall", "we've always done it this way", "well how else do you expect me to do my job?!??" and the rest. The main difference seems to be the very good orgs had retail customers, whilst the bad ones only have similarly clueless orgs - big enough to pay for a few hundred mansions and customised Range Rovers, not big enough to care about security.

    When it's good, it's very very good. When it's bad... "I've seen things you people wouldn't believe". Real jawdroppers. I thought I'd seen egregious incompetence and wilful blindness -- before I got into finance I'd seen an entire database team with admin passwords taped under their keyboards and server rooms that could be opened with an Oyster card -- but the bad fin serv firms? OHHHH...

    I do sometimes wonder whether my liver will pop like an overripe tomato before the massive systemic risks blow up the world or not. The ghastly thing is that the only hope I have lies in regulators. The regulators' attitude is "you'll know you broke the regs if you get hacked and lose a lot of money, or your firm blows up. If that happens, we'll carry out a big investigation and then bar you from the City, five years later." If _I_ was senior in one of those firms, I dare say that would sound like a poor trade-off against another £1m bonus in the new year.
