Protecting the financial services sector from attacks exploiting Salesforce
Closing off an overlooked attack path in the Salesforce CRM
Contents
Introduction
The threats and obstacles specific to financial services
The critical role of Salesforce for financial services
How can Salesforce be exploited in cyber attacks?
Case study: How WithSecure Cloud Protection for Salesforce creates a secure channel for customers
The need for added security
How WithSecure provided a frictionless solution for customers
Regaining control of the Salesforce environment
Introducing the shared responsibility model
Introduction
Data is the lifeblood of the modern enterprise. Without a reliable way to store, manage and
access digital information, organisations simply cannot function. The financial services sector is a
prime example, with the flow of data facilitating the millions of daily transactions that sustain our
economy.

The rapidly advancing field of cloud storage has become the cornerstone of a successful data strategy. Migrating data to the cloud provides a host of benefits, including improved accessibility and usability and better cost efficiency. The agility to access resources from any location allows large organisations to synchronise assets and activity on a global scale. More recently, this has become pivotal for digital transformation projects and for enabling remote and flexible working.

While many businesses are still getting to grips with securing their cloud, the financial services sector has long had the leading edge when it comes to secure data management.

There is an established confidence within the sector of the flexibility and agility afforded by cloud migration and as such, financial institutions are likely to be advanced in their cloud journey, including more advanced security strategies than other sectors.

Without additional security in place, Salesforce’s document-sharing and engagement capabilities can be compromised by adversaries for a range of malicious activity.

The most direct threat is posed by adversaries uploading malicious files into the platform, bypassing the usual layers of security in place to stop malware reaching the network. Ransomware is one of the gravest risks here, as the most advanced variants can begin spreading mere seconds after executing inside the target network. Such an outbreak can quickly cripple the organisation as critical data and systems are encrypted and locked down. Ransomware recovery costs were estimated to have more than doubled in 2021, averaging around $2 million per incident.

Other significant malware threats include keylogging, data exfiltration and the creation of backdoors for command-and-control servers. More sophisticated attackers may make use of zero-day malware, abusing previously unseen exploits to increase their chances of bypassing other defences.

In many cases, the user may be uploading a malicious document without being aware of it, or may have had their account hijacked by a threat actor. For example, a PDF containing a passport scan for verification purposes may have been covertly infected with malicious code.

Communication services such as community web portals and the Chatter chat tool can also be abused in phishing attacks, with actors posting malicious links that may otherwise be caught by secure email gateways.

Platforms like Salesforce are also increasingly targeted as part of supply chain attacks. The solution’s capabilities around filesharing with external systems allow multiple different organisations to work together more easily, but also provide attackers with a shortcut to jumping to other networks.

It should also be noted that the threat goes both ways, as cyber criminals can also exploit Salesforce to attack the organisation’s customers. Users can unwittingly click on malware-laden downloads or phishing links via chat functions to compromise their machines or give threat actors access to their login details. This could be the work of a malicious insider, or an employee account compromised by an external threat actor. Either way, such an incident would inflict serious reputational damage on the organisation.

These attack vectors apply to any cloud platform offering similar levels of document sharing and communication. However, the near ubiquity of Salesforce makes it one of the most prominent targets for threat actors.

Despite these threats, platforms like Salesforce are absolutely essential for a successful digital strategy. So, how can financial organisations mitigate these risks?

The anonymised case study below demonstrates how a leading credit card provider was able to counter the threat.

Case study: How WithSecure Cloud Protection for Salesforce creates a secure channel for customers
A leading UK-based credit card and loan provider had incorporated Salesforce into its customer management strategy. The company utilised both Salesforce Experience Cloud to facilitate document uploads, and Service Cloud to assist with customer profiling and engagement.

Customers used the platform to request applications for credit cards and loans and subsequently to submit forms and any required documentation.

Alongside this, the credit card provider made extensive use of Salesforce’s Chatter webchat tool to directly engage with customers, for example providing support on which documentation is required for an application.

As such, the platform routinely handled highly sensitive data, including financial documents from bank statements to payslips, as well as personal information like medical records and driver’s licenses.

These documents, loaded with personal information, are high value targets for cyber criminals. The organisation implemented multiple layers of security to protect data within its cloud infrastructure from cyber attacks. However, like many enterprises, they assumed that Salesforce had inbuilt capabilities to scan incoming content, or that other security tools such as Endpoint Detection and Response (EDR) would catch any threats. After further investigation, they discovered the growing threat posed by cyber criminals abusing the Salesforce upload function to share malware-laden files, as well as the Chatter tool’s potential as a vector for phishing. It also became apparent that Salesforce did not have native functionality around file scanning, and that malicious content introduced through this channel may bypass traditional tools like EDR. The company decided to close off these attack paths with a specialised solution.

Cloud providers hold responsibility for protecting the data they store and manage, a fact set out in law by regulations such as the GDPR. However, the organisations utilising these cloud services to store critical data must also play their part.

The organisation using the cloud platform bears responsibility for ensuring the integrity and security of all content residing in it. Organisations using SaaS cloud services such as Salesforce, Microsoft 365, and Google Workspace must ensure they have the capability to secure any and all assets they add to the cloud. In the case of customer-facing organisations, this extends to any material that may be uploaded by users in addition to the company’s personnel.

Many organisations operating in the financial services sector are still unaware of both the potential risk posed by malicious content entering cloud CRM platforms, and their responsibility in mitigating the threat. Even large financial organisations with mature, well-resourced security strategies are vulnerable to attacks that exploit their CRM in order to bypass other layers of security.

The case study demonstrates how the shared responsibility approach can be achieved in a way that ensures the protection of all parties without impacting business operations.

As the only content security tool built in cooperation with Salesforce, WithSecure CPSF enables organisations to close this attack path and concentrate on reaping the benefits of the cloud.

Who We Are
WithSecure™ is cyber security’s reliable partner. IT service providers,
MSSPs and businesses along with the largest financial institutions,
manufacturers, and thousands of the world’s most advanced
communications and technology providers trust us for outcome-based
cyber security that protects and enables their operations. Our
AI-driven protection secures endpoints and cloud collaboration, and our
intelligent detection & response is powered by experts who identify
business risks by proactively hunting for threats and confronting live
attacks. Our consultants partner with enterprises and tech challengers
to build resilience through evidence-based security advice. With more
than 30 years of experience in building technology that meets business
objectives, we’ve built our portfolio to grow with our partners through
flexible commercial models.