Going Beyond PCI DSS 4.0 to Redefine Cryptographic Compliance in Finance

Oct. 04, 2024

Just as in other industry verticals, the cybersecurity landscape in the financial sector is facing unprecedented challenges. The availability of advanced technologies has proven to be both a boon and a curse to banks. Nefarious actors are using these same technologies to develop more complex threats to the digital infrastructure of financial services providers.

At a time when machine learning and artificial intelligence have exponentially increased the risk landscape, relying solely on perimeter security is no longer fit for purpose. Enterprises must work under the assumption that the adversary is already in the door. Quantum Xchange research has found that up to 80% of network traffic has some defeatable flaw in its encryption, meaning the adversary can eavesdrop on roughly four out of every five communications.

Even more sobering, 69% of the network traffic within the financial sector is unencrypted, despite existing policies that mandate encryption for authentication. This is of particular concern given how the financial sector is preparing to meet the upcoming PCI DSS 4.0 (Payment Card Industry Data Security Standard) compliance deadline, with full implementation mandated by March 2025.

These findings underscore a pressing vulnerability for organizations and call for serious consideration of how they monitor and manage their enterprise cryptography. Encryption is largely taken for granted and is “baked in” to every software program, across every server and cloud infrastructure, with little oversight or control. In most cases, information security professionals aren’t even aware of which algorithms are in use or where, assuming instead that it “just works.” This crypto-monoculture creates single points of failure, of which unencrypted traffic is just one notable example.

As the PCI DSS 4.0 deadline approaches, the financial industry needs to take a forward-thinking stance that addresses the current implications of cryptographic vulnerabilities while also remaining cognizant of the evolving cyber threat landscape and the fast-approaching quantum era of computing.

At a minimum, banks must conduct an annual cryptographic inventory of in-scope systems to pass PCI DSS 4.0 compliance. Even so, I believe continuous monitoring and remediation must be adopted, as in any good cyber defensive strategy. Additionally, the upcoming quantum-safe migration offers a perfect opportunity to adopt a crypto-agile stance in which banks manage their cryptography proactively.

There are several risk factors associated with doing just the basics.

Risk of ‘timeslice’

Traditional cryptographic monitoring, often implemented through periodic audits, can create a false sense of security. This ‘timeslice’ method captures only a momentary glimpse, potentially overlooking communications using weak crypto protocols, or evidence of compromised communications.

The danger here lies in the sporadic nature of these reviews, which may miss nuanced or transient vulnerabilities, especially when threat actors deliberately target off-peak times to exploit weaknesses. In contrast, continuous monitoring provides a more dynamic and vigilant approach, allowing banks to detect and respond in real time to unusual activity or deviations from established cryptographic standards.

Risk of ‘scope’

The challenge in defining the scope of cryptographic inventory is not just about complexity; it’s about comprehensiveness. Often, the focus is on main systems, neglecting the fact that peripheral systems can have significant interconnections, leading to potential vulnerabilities.

Attackers can exploit these less obvious entry points, which are frequently overlooked in narrowly scoped reviews. A broader scope is therefore essential, encompassing every system that interacts with or could affect the secure network.

Of course, this is not a new concept to PCI and the data security standards community. However, the knock-on effects of compromised administrative accounts, password re-use, or compromised networking gear mean such systems may all fall ‘out of scope’ even while posing a clear and imminent risk to ‘in scope’ systems.

Risk of ‘sampling’

Sample-based compliance checks, a common practice in cryptographic assessments, rest on the significant assumption that a subset of data can represent the whole. This methodology often falls short in the complex world of cryptography. Just as testing a handful of passwords doesn’t confirm the security of every password in a system, assessing a selection of cryptographic elements doesn’t ensure the entire system’s integrity.

Each cryptographic element, whether it’s a protocol, algorithm, or key, has its unique vulnerabilities and requires individual validation. A comprehensive evaluation, examining every cryptographic component, is critical. This thorough approach is the only way to effectively identify and address the nuanced and varied risks in an organization’s cryptographic landscape, ensuring robust and reliable security across the entire network.

Risk of ‘legacy’

Legacy systems, often embedded deep within financial networks, pose a unique challenge. These systems may operate on outdated cryptographic standards, becoming latent vulnerabilities. The risk is not just in their active use but in their mere availability as exploitable gateways by malicious actors.

Unfortunately, it is not as simple as running an upgrade. Legacy systems become “legacy” because they work. They fulfill a function reliably, and often newer or updated versions are not available. It’s therefore crucial to identify these systems and set a sensible plan to bring their communications into compliance. This process might involve a platform overhaul, patches, or even quarantine behind a front-end proxy. Each case will be unique.

Risk of ‘ignorance’

Possibly the worst risk of all is the risk of ignorance in cryptographic security. Many in the financial sector lack a deep understanding of cryptographic risks, leading to vulnerabilities that hackers can exploit. Weak ciphers are one example, but long-duration certificates and self-signed certificates are other common issues. Weak intermediary certificates are even less well understood by operators.

Any of these components can serve as a natural entry point for skilled hackers. And then there’s the ongoing scourge of software bugs that must also be factored in. The finance sector must foster a culture of cybersecurity awareness that goes beyond the traditional and takes in some of the intricacies of cryptography.
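The sampling and ignorance sections above argue for checking every cryptographic element rather than a sample, and they name the issues operators most often miss: weak protocols and ciphers, long-lived and self-signed certificates, and weak intermediates. The following is an added illustration of such a full inventory, not code from the article or from Quantum Xchange; the record format, host names, the 398-day lifetime cap and the weak-cipher token list are assumptions, and the flow records are constructed.

```python
# Constructed sample of what a passive TLS monitor might report per observed
# connection; field names, hosts and values are assumptions, not real data.
FLOWS = [
    {"dst": "core-ledger", "tls": "1.3", "cipher": "TLS_AES_256_GCM_SHA384", "chain": [
        {"subject": "core-ledger", "issuer": "BankCA-Int", "days": 365, "sig": "sha256", "bits": 2048},
        {"subject": "BankCA-Int", "issuer": "BankCA-Root", "days": 1825, "sig": "sha256", "bits": 4096}]},
    {"dst": "legacy-hsm-gw", "tls": "1.0", "cipher": "DES-CBC3-SHA", "chain": [
        {"subject": "legacy-hsm-gw", "issuer": "legacy-hsm-gw", "days": 3650, "sig": "sha1", "bits": 1024}]},
    {"dst": "branch-printer", "tls": None, "cipher": None, "chain": []},
    {"dst": "partner-api", "tls": "1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "chain": [
        {"subject": "partner-api", "issuer": "VendorCA-Int", "days": 90, "sig": "sha256", "bits": 2048},
        {"subject": "VendorCA-Int", "issuer": "VendorCA-Root", "days": 3650, "sig": "sha1", "bits": 2048}]},
]

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "1.0", "1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH")  # substring match
MAX_LEAF_DAYS = 398  # assumed policy cap on leaf certificate lifetime


def assess(flow):
    """Return the policy findings for one observed connection (empty list = clean)."""
    if flow["tls"] is None:
        return ["unencrypted"]
    findings = []
    if flow["tls"] in WEAK_PROTOCOLS:
        findings.append("weak-protocol")
    if any(tok in flow["cipher"] for tok in WEAK_CIPHER_TOKENS):
        findings.append("weak-cipher")
    for depth, cert in enumerate(flow["chain"]):
        if depth == 0:  # leaf certificate
            if cert["issuer"] == cert["subject"]:
                findings.append("self-signed")
            if cert["days"] > MAX_LEAF_DAYS:
                findings.append("long-lived-cert")
        # Weak signature or key anywhere in the chain; intermediates are flagged
        # separately because operators tend to overlook them.
        if cert["sig"] == "sha1" or cert["bits"] < 2048:
            findings.append("weak-leaf" if depth == 0 else "weak-intermediate")
    return findings


def inventory(flows):
    """Inventory every connection (no sampling) and compute headline ratios."""
    per_dst = {f["dst"]: assess(f) for f in flows}
    total = len(per_dst)
    unencrypted = sum("unencrypted" in v for v in per_dst.values())
    flawed = sum(bool(v) for v in per_dst.values())
    return {"per_dst": per_dst, "unencrypted_share": unencrypted / total,
            "flawed_share": flawed / total}
```

Run continuously over a live feed rather than once a year, the same `assess` logic gives the real-time deviation alerts the ‘timeslice’ section calls for, while `inventory` yields the unencrypted and flawed-traffic shares the article quotes.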

Taking the next step

The introduction of the new PCI DSS 4.0 cryptographic quality standards will carry a significant number of potentially thorny issues that are not immediately apparent. Compliance with regulation must be seen as the minimum bar. But remember, even fire-code-approved buildings can still burn.

The sector must cultivate a culture prioritizing continuous, in-depth cryptographic practices and security policies capable of managing organizational progress toward a fully diversified, quantum-safe, and crypto-agile network.
