News media in the U.S. are abuzz with stories about cyberattacks as financial institutions emerge as the prime targets of cyber-criminals. Reports suggest that since September 2012, cyberattacks on bank networks have exploded.

Actually, banking and other financial institutions have always been a top target of hackers. During the past few years, renowned banking organizations across the globe have fallen prey to criminal hacks. Beyond huge financial losses, the victims suffer irreparable damage to their trust and credibility, the hallmarks of financial institutions.

The hackers' predominant activities include spreading malware infections, siphoning login credentials and denial of service attacks that disrupt service to legitimate users. The traditional security attack channels include viruses, keylogger trojans and cross-site scripting. The trojans monitor keystrokes, log them to a file and send them to remote attackers. Cross-site scripting, on the other hand, enables malicious attackers to inject client-side script into Web pages viewed by other users and exploit the information to bypass access controls.

Evolving Attack Patterns


Perimeter security software and traffic analysis solutions help in combating traditional attack vectors. However, hackers are starting to change their modus operandi. Cyber criminals are now siphoning off login credentials of employees and administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers and Remote Access Trojans (RATs).

Once the login credential of an employee or an administrative password of a sensitive IT resource is compromised, the institution is vulnerable. The criminal can initiate unauthorized wire transfers, view the transactions of customers, download customer information and/or carry out sabotage.

Another emerging threat is sabotage caused by insiders at the financial institutions. Disgruntled staff, greedy techies and sacked employees have all been involved in cyber security incidents. Clearly, breaches of trust can occur anywhere, leading to grave consequences.

In internal and external attacks alike, unauthorized access and misuse of privileged passwords — the “keys to the kingdom” — have emerged as the main activities. Administrative passwords, system default accounts and hard-coded credentials in scripts and applications have all become the prime targets of cyber criminals.

Overlooking Privileged Passwords


While internal and external hackers are exploiting administrative passwords with increasing frequency, many financial institutions fail to recognize the importance of this crucial aspect of privileged password management. Passwords of enterprise IT resources are often stored in spreadsheets, text files, homegrown tools, papers or even in physical vaults. Yet these volatile sources are inherently insecure and do little to enhance data security or business reputation.

Passwords are further compromised in IT divisions that deal with thousands of privileged passwords, which are used in a shared environment. This is a standard practice, which leaves a group of administrators to use a common privileged account to access a given resource.

Apart from the “officially shared” passwords, users also tend to reveal administrative passwords to their colleagues, unofficially, for some reason or other. The most common reason for unofficial sharing of a password is to handle an emergency, e.g., an IT manager may reveal the password to a senior member when the manager is on vacation.

Developers, help desk technicians and even third-party vendors may require access to privileged passwords purely on a temporary basis. The passwords are often supplied via email or over the phone, both of which are highly insecure media. Worse, there is no process to revoke access and reset the password after the temporary usage, leaving an even bigger security hole.

Privileged password negligence often proves costly. Haphazard password management makes the enterprise a paradise for hackers inside and outside the financial organization. Many security breaches stem from inadequate password management policies, access restrictions and internal controls.

Tightening Internal Controls

Combating sophisticated cyber-attacks demands a multi-pronged strategy incorporating an exhaustive set of activities. Financial institutions need to deploy security devices, enforce security policies, control access to resources, monitor events, analyze logs, detect vulnerabilities, manage patches, track changes, ensure compliance and monitor traffic, among other activities.

Of all the combat measures, bolstering internal controls holds special significance in light of the recent attack trends. Access to IT resources should strictly be based on job roles and responsibilities. But access restrictions alone are not enough and must be supplemented with clear-cut trails that reveal who accessed what and when.

Likewise, password sharing should be regulated, and a well-established workflow should be in place for release of passwords of sensitive resources. Standard password management policies, including usage of strong passwords and frequent rotation, should be enforced.

One of the effective ways to bolster internal controls is automating the entire lifecycle of privileged access management and systematically enforcing best practices. Privileged password managers replace manual practices and automatically assist with securely storing privileged identities in a central vault, selectively sharing passwords, enforcing policies and above all, restricting access to and establishing total control over privileged identities.

Enterprise-class password managers offer advanced protection of IT resources by helping establish access controls to IT infrastructure, and seamlessly video recording and monitoring all user actions during privileged sessions, providing complete visibility on privileged access.

Bolstering internal controls as detailed above will ensure that privileged identities will not be compromised — even if a hacker manages to penetrate the perimeter. Similarly, the threats due to attacks by malicious insiders are greatly mitigated.

Staying Vigilant


Once internal controls have been tightened, financial institutions must remain vigilant and keep an eye on activities going on inside and around them. Logs from critical systems carry vital information that could prove effective in preventing security incidents. For instance, monitoring activities like user logons, failed logins, password access, password changes, attempts to delete records and other suspicious activities could help identify hacking attempts, malicious attacks, DoS attacks, policy violations and other incidents.
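The following is an added example, not part of the original article or of any product's code. It runs two of the checks described above over a constructed audit log: bursts of failed logins, and privileged passwords that were retrieved but never changed afterwards (the missing reset after temporary access noted earlier). The log format, event names, users and resources are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; fields (timestamp, user, event, resource) are hypothetical.
SAMPLE_LOG = """\
2013-01-07T09:00:00 vendor1 PASSWORD_ACCESS db-core
2013-01-07T09:40:00 admin1 PASSWORD_CHANGE db-core
2013-01-07T10:00:00 dev2 PASSWORD_ACCESS wire-gw
2013-01-07T23:01:00 jdoe LOGIN_FAILED vault
2013-01-07T23:01:20 jdoe LOGIN_FAILED vault
2013-01-07T23:01:45 jdoe LOGIN_FAILED vault
2013-01-07T23:02:10 jdoe LOGIN_OK vault
2013-01-07T23:03:00 jdoe PASSWORD_ACCESS wire-gw
"""

def parse(log):
    """Yield (timestamp, user, event, resource) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, user, event, resource = line.split()
        yield datetime.fromisoformat(ts), user, event, resource

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return users with at least `threshold` failed logins inside `window`."""
    recent, flagged = defaultdict(list), set()
    for ts, user, event, _ in events:
        if event != "LOGIN_FAILED":
            continue
        # Keep only failures still inside the sliding window, then add this one.
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            flagged.add(user)
    return flagged

def unrotated_after_access(events):
    """Return {resource: [users]} for passwords retrieved and not changed since."""
    pending = {}
    for _, user, event, resource in events:
        if event == "PASSWORD_ACCESS":
            pending.setdefault(resource, []).append(user)
        elif event == "PASSWORD_CHANGE":
            pending.pop(resource, None)  # a reset clears earlier exposure
    return pending

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("failed-login bursts:", failed_login_bursts(events))
    print("retrieved but not reset:", unrotated_after_access(events))
```

In the sample, `db-core` drops out of the second report because its password was changed after the vendor's access, while `wire-gw` stays flagged with both users who retrieved it.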


Monitoring network activity to establish real-time situational awareness is essential to enterprise security.

Of course, not all security incidents can be prevented or avoided. Nor can privileged password management thwart all cyber security incidents. However, too many security incidents occur as a result of lax internal controls — poor password management, in particular — and those violations can certainly be prevented. It's time for IT organizations to take the bull's eye off of the financial community networks and data and enforce some enterprise-class password protection.

Bala Venkatramani is marketing manager for Password Manager Pro at ManageEngine, part of Zoho Corp. in Chennai, India, and Pleasanton, Calif.
