Vulnerable Legacy Systems Used By Banks, Need A Careful Review

The legacy-dependence of the financial sector is very evident, many banks are still using legacy hardware and software to perform their day-to-day operations. Such a legacy system performs admirably when it comes to the aspect of reliability and uptime, old mainframe and old Unix boxes really do run 24/7 until power is cut. Unfortunately, the operation of banks become too embedded in the consumer-driven society we have become in the last four decades.

This fact has been verified by the latest State of Software Security Report, released by Veracode recently. It reveals the sad state of the financial sector is a highly vulnerable target by cybercriminals, yet the industry has not made itself more cyber attack resilient as they wish to be. One such glaring stat is it takes almost a month (29 days) in order for them to discover a vulnerability in the applications. Resolving them is much worst, 573 days to establish a fix for their known vulnerabilities. Take a note on the fact about having unfixed ‘known’ exploits, let alone those unknown attacks that have not yet discovered.

If GDPR will only be enforced with a strong focus on the banking sector, 67% of the time the very critical banking apps used every day will not even pass the strict requirements of the EU law. Information breaches from banks are readily beneficial to any cybercriminal organizations, as it both provides rich user data and banking information that can be stolen from the depositors.

“We would presume financial services would address flaws and potential doorways to data breaches promptly as it’s a highly regulated industry. However, we have observed several downfalls over the last year that suggest banks may not as be as technically robust as they like to make out. Historically, we’ve witnessed the likes of the TSB IT outage occur due to legacy infrastructures and code left over from multiple mergers, which lead to IT outages. These banks are large organisations with high headcount so it’s possible that banks are not raising of the importance of these crucial data leakages internally,” explained Paul Farrington, Veracode Director for Asia Pacific and Eastern Mediterranean Region.

Vulnerable systems are nightmares for any IT team to maintain, however, other than the government, banks maintain legacy bureaucracy as well. A bureaucracy of various levels of complexity where even small purchases and equipment change requires a lot of approval and authorization from people many levels higher into the chain of the bank’s corporate commands.

Until such time that this unnecessary bureaucracy becomes less complex, much more autonomy is given to the IT Team to decide how fast the equipment upgrades will be done, hence a safer banking community will become possible.