The 2024 State of Banking Security: Community and Regional Bank Edition
Regional and community banks have been steadily expanding over the past two decades, but the news isn’t all good. Cybersecurity has been a victim of banks’ success.
During that time, regional banks have grown by about 50%, and community banks have seen year-over-year growth in deposits. And although high interest rates have recently slowed things down, the path ahead is promising.
However, growing pains have become evident as banks modernize their systems to handle increased demand and improve services to keep up with other, larger financial institutions. Add in merger and acquisition activity, and the rapid growth has created lapses in security basics and gaps in protections that attackers can exploit.
If breached, banks must face the serious consequences of reputational risk, client data exposure, lawsuits, operational disruptions, and cyber insurance loss. However, there is also a significant risk of regulatory action in today’s banking landscape. Banks are subject to tight regulation by bodies such as the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Federal Reserve. If weaknesses are not addressed, banks could face fines and sanctions for severe violations, be required to undergo more frequent audits, or even deal with consent orders.
To spotlight these challenges and showcase where banks are most vulnerable, Neovera compiled data from initial penetration tests at 350 regional and community banks. The tests occurred between August 2023 and August 2024 at organizations across the United States that manage anywhere from $200M to $45B in assets every day.
So, how are most regional and community banks leaving themselves open for attack?
Neovera broke the data into four distinct risk priority categories based on the MITRE ATT&CK Framework, the Common Vulnerability Scoring System, and Neovera’s experience from tens of thousands of penetration tests. While MITRE and other governing bodies do not directly offer risk values, these frameworks provide common language, definitions, and descriptions for how issues can lead to exploitation. In addition, the priority levels are rated based on their impact if they were to be abused and their likelihood of being exploited.
Let’s dig into the data…
Priority Level: Critical
The most critical risk banks experience is Firmware that Contains Known Vulnerabilities. This means underlying software and/or hardware in a bank’s environment has known flaws that hackers can exploit, which can remain hidden unless patched. Neovera data shows that 5% of regional and community banks have issues with known vulnerabilities. While the problem may seem small, this could have severe implications if regulators hold the bank responsible for not addressing it, leading to litigation and financial penalties.
Priority Level: High
In terms of high risk to banking institutions, NetBIOS/LLMNR/mDNS Enabled was the most pervasive, with 37% of tests flagging issues for this category. While legitimate, these network protocols are outdated and highly susceptible to exploitation. Attackers can spoof or poison these protocols, redirecting traffic or stealing credentials.
The second highest risk discovered was Blank or Default Passwords, with 26% of banks flagged for this issue. Blank or default passwords allow unauthorized users to access systems with administrative privileges or sensitive data. Attackers can also easily guess default passwords published in vendor documentation.
Following a similar trend, the third highest risk observed is Weak Passwords, such as short, simple, or commonly used terms, which are vulnerable to brute-force attacks, credential stuffing, or dictionary attacks. The data showed that a staggering 22% of banks have weak passwords throughout their systems. Strong password policies are crucial for protection.
Priority Level: Medium
Data shows that 30% of regional and community banks do not enforce SMB Signing, which makes it the most prevalent medium-risk issue. SMB signing helps protect against man-in-the-middle attacks by verifying SMB communication integrity. Without it, attackers can intercept and modify data, leading to credential theft or data corruption.
The second most common medium-risk issue is the Open Management Interface. Interfaces like web-based administration portals can be exploited by attackers if they are not secured. Twenty-four percent of financial organizations had issues in this category, where brute-force techniques or default credentials can grant threat actors administrative access and, with it, sensitive data.
Last, but certainly not least, WPAD Used to Obtain Password Hashes issues were flagged in 23% of tests. In simple terms, WPAD (Web Proxy Auto-Discovery) is a system feature designed to find network settings. When exploited, this feature can be tricked into giving hackers an organization’s password hashes. As a rule of thumb, WPAD should be disabled in environments where it’s not explicitly needed.
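The legacy name-resolution and SMB signing findings above can be checked on a single Windows host with a read-only audit. This is an added example, not Neovera's tooling or part of the original report; the function name is hypothetical, it assumes an elevated PowerShell session, and it covers LLMNR, NetBIOS over TCP/IP and SMB signing only (not mDNS or WPAD).

```powershell
# Added example (not from the report): read-only audit of the local Windows host.
# Get-LegacyProtocolFindings is a hypothetical name chosen for this illustration.
function Get-LegacyProtocolFindings {
    $findings = [System.Collections.Generic.List[object]]::new()

    # LLMNR counts as disabled only when the policy value EnableMulticast is 0
    # ("Turn off multicast name resolution"); a missing value means LLMNR is on.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
        -Name EnableMulticast -ErrorAction SilentlyContinue
    $findings.Add([pscustomobject]@{
        Check = 'LLMNR disabled by policy'
        Pass  = ($null -ne $policy -and $policy.EnableMulticast -eq 0)
        Value = if ($null -ne $policy) { $policy.EnableMulticast } else { 'not set' }
    })

    # NetBIOS over TCP/IP is a per-adapter setting:
    # 0 = follow DHCP, 1 = enabled, 2 = disabled. Only 2 passes.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check = "NetBIOS over TCP/IP disabled on '$($_.Description)'"
                Pass  = ($_.TcpipNetbiosOptions -eq 2)
                Value = $_.TcpipNetbiosOptions
            })
        }

    # SMB signing must be *required* on both roles; merely supporting signing
    # still lets an unsigned session be negotiated.
    $roles = @{
        server = (Get-SmbServerConfiguration).RequireSecuritySignature
        client = (Get-SmbClientConfiguration).RequireSecuritySignature
    }
    foreach ($role in $roles.Keys) {
        $findings.Add([pscustomobject]@{
            Check = "SMB signing required ($role)"
            Pass  = [bool]$roles[$role]
            Value = $roles[$role]
        })
    }

    return $findings
}

# Show only the settings that still need remediation on this host.
Get-LegacyProtocolFindings | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

An empty table means the host passes all three checks; fleet-wide enforcement belongs in Group Policy rather than per-host changes.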
Priority Level: Low
Thirty-three percent of regional and community banks have issues with Users Susceptible to Social Engineering. This tactic relies on manipulating individuals into divulging sensitive information or performing actions that compromise security. Phishing emails, pretexting, or impersonation are common examples.
In second place, 23% of organizations have issues with Staff Information on Public Websites. Publishing staff information online can expose valuable intelligence to attackers. Names, titles, and emails can be used in spear-phishing campaigns or social engineering attacks.
And lastly, 21% of banks were flagged for Open Ports for Review. Misconfigured and open ports provide threat actors with a dangerous entry point into the environment. By scanning, attackers can identify services running on a network and exploit vulnerabilities.
The Future of Banking Security
While Neovera’s data doesn’t reflect failing grades for regional and community banking firms, it highlights some basic shortcomings in several security fundamentals, especially passwords. With nearly 40% of banks using dated protocols and one out of every four banks still using blank or default passwords, there is room for improvement.
Banks need to take these flaws seriously, too, because the threat is real. About one-fifth of all cyberattacks target financial firms, with banks being the most frequently attacked, according to the International Monetary Fund.
And that’s what Neovera supports. Neovera is a trusted advisor who delivers end-to-end managed cybersecurity solutions for enterprises facing complex challenges and stringent regulatory demands. Regional and community banks depend on Neovera to identify weaknesses and then secure, optimize, and manage their critical infrastructure based on their unique needs to ensure resilience and compliance in an ever-evolving digital landscape.