
Financial Services eBook

Protecting the financial services sector from attacks exploiting Salesforce
Closing off an overlooked attack path in the Salesforce CRM

Contents
Introduction
The threats and obstacles specific to financial services
The critical role of Salesforce for financial services
How can Salesforce be exploited in cyber attacks?
Case study: How WithSecure Cloud Protection for Salesforce creates a secure channel for customers
The need for added security
How WithSecure provided a frictionless solution for customers
Regaining control of the Salesforce environment
Introducing the shared responsibility model

Introduction
Data is the lifeblood of the modern enterprise. Without a reliable way to store, manage and
access digital information, organisations simply cannot function. The financial services sector is a
prime example, with the flow of data facilitating the millions of daily transactions that sustain our
economy.

The rapidly advancing field of cloud storage has become the cornerstone of a successful data
strategy. Migrating data to the cloud provides a host of benefits, including improved accessibility
and usability and better cost efficiency. The agility to access resources from any location allows
large organisations to synchronise assets and activity on a global scale. More recently, this has
become pivotal for digital transformation projects and for enabling remote and flexible working.

However, organisations investing in the cloud must be aware that it introduces new risks as well as
benefits. The cloud infrastructure is a primary focus for cyber criminals, with Verizon’s 2021 Data
Breach Investigations Report (DBIR) finding that around 90 percent of data breaches target external
cloud assets.

While many businesses are still getting to grips with securing their cloud, the financial services
sector has long had the leading edge when it comes to secure data management.

There is an established confidence within the sector of the flexibility and agility afforded by
cloud migration and as such, financial institutions are likely to be advanced in their cloud
journey, including more advanced security strategies than other sectors.

The threats and obstacles specific to financial services
Despite its advancements in cloud and the security thereof, the financial services industry still
contends with being a primary target for threat actors. Criminals will go where the money is, so
banks and other financial service firms have been the natural target since the concept of finance
has existed, and today firms must face a daily onslaught of attacks.

In the digital age, physical bank robberies have been replaced with endless cyber attacks. Criminals
target financial infrastructure to directly access customer accounts or to steal valuable personal
and financial information.

Alongside criminal gangs looking to make a profit, the financial sector is also in the sights of
nation state actors aiming to strike at the heart of economies and to disrupt entire financial
infrastructures. Firms must also be on guard against malicious insiders attempting to access
accounts or conduct insider trading.

Financial firms are required to adhere to some of the strictest data privacy and security compliance
demands of any industry. This includes specific regulatory controls such as the Payment Card
Industry Data Security Standard (PCI DSS) for any organisation that stores or processes payment
information, as well as broader rules such as the EU General Data Protection Regulation (GDPR) that
apply to all businesses handling personally identifiable information.

Financial regulatory demands are also continuing to shift and evolve to match developing technology
and the threat landscape. Most recently, the FCA introduced new operational resiliency requirements,
which came into effect on March 31st 2022. The new requirements cover multiple key areas including
mapping key assets, implementing testing plans, and identifying the potential impact of disruption
on customers and the wider financial ecosystem.

All this means that financial services must be one of the most security-conscious industries. It
also faces a tough balancing act in which powerful security measures cannot come at the cost of
cloud-powered agility.

The critical role of Salesforce for financial services
As the cloud has continued to grow in importance, Salesforce has emerged as one of the most critical
tools in many organisations’ cloud strategies. More than 150,000 businesses rely on the cloud data
platform to engage with their customers. The platform’s omni-channel integration functionality and
adaptability mean it can meet a wide variety of strategic needs.

The platform is particularly ubiquitous in the financial industry thanks to the rich integration of
data and the insights it can provide to improve customer relationships. The majority of the leading
global banks use Salesforce, and it is relied on by many other financial services firms of all sizes
and functions.

Wealth and asset management firms use Salesforce to capture data on a customer’s full household and
produce bespoke financial plans to match their circumstances and needs.

One of its most valuable features allows customers to quickly and easily upload and download files
themselves, helping business users to manage customer relationships more effectively. For example,
insurance firms use it to provide an accessible way for customers to upload key documentation to
verify their identity or launch a claim. This capability is critical to modern digital strategies,
creating a much more efficient and user-friendly process than older methods involving fax machines
and hard copies of documents sent through the post.

However, this same functionality is increasingly abused by threat actors. Salesforce enables third
parties, such as partners and customers, to upload documents directly into the platform, but
Salesforce itself does not have native functionality to scan these files for potential threats.
Unless the organisation has adequate security in place, criminals can potentially use Salesforce to
deliver malicious files directly into the company’s cloud infrastructure.

How can Salesforce be exploited in cyber attacks?

Without additional security in place, Salesforce’s document-sharing and engagement capabilities can
be compromised by adversaries for a range of malicious activity.

The most direct threat is posed by adversaries uploading malicious files into the platform,
bypassing the usual layers of security in place to stop malware reaching the network. Ransomware is
one of the gravest risks here, as the most advanced variants can begin spreading mere seconds after
executing inside the target network. Such an outbreak can quickly cripple the organisation as
critical data and systems are encrypted and locked down. Ransomware recovery costs were estimated to
have more than doubled in 2021, averaging around $2 million per incident.

Other significant malware threats include keylogging, data exfiltration and the creation of
backdoors for command-and-control servers. More sophisticated attackers may make use of zero-day
malware, abusing previously unseen exploits to increase their chances of bypassing other defences.

In many cases, the user may be uploading a malicious document without being aware of it, or may have
had their account hijacked by a threat actor. For example, a PDF containing a passport scan for
verification purposes may have been covertly infected with malicious code.

Communication services such as community web portals and the Chatter chat tool can also be abused in
phishing attacks, with actors posting malicious links that may otherwise be caught by secure email
gateways.

Platforms like Salesforce are also increasingly targeted as part of supply chain attacks. The
solution’s capabilities around filesharing with external systems allow multiple different
organisations to work together more easily, but also provide attackers with a shortcut to jumping
to other networks.

It should also be noted that the threat goes both ways as cyber criminals can also exploit
Salesforce to attack the organisation’s customers. Users can unwittingly click on malware-laden
downloads or phishing links via chat functions to compromise their machines or give threat actors
access to their login details. This could be the work of a malicious insider, or an employee account
compromised by an external threat actor. Either way, such an incident would inflict serious
reputational damage on the organisation.

These attack vectors apply to any cloud platform offering similar levels of document sharing and
communication. However, the near ubiquity of Salesforce makes it one of the most prominent targets
for threat actors.

Despite these threats, platforms like Salesforce are absolutely essential for a successful digital
strategy. So, how can financial organisations mitigate these risks?

The anonymised case study below demonstrates how a leading credit card provider was able to counter
the threat.

Case study: How WithSecure Cloud Protection for Salesforce creates a secure channel for customers

The need for added security

A leading UK-based credit card and loan provider had incorporated Salesforce into its customer
management strategy. The company utilised both Salesforce Experience Cloud to facilitate document
uploads, and Service Cloud to assist with customer profiling and engagement.

Customers used the platform to request applications for credit cards and loans and subsequently to
submit forms and any required documentation.

Alongside this, the credit card provider made extensive use of Salesforce’s Chatter webchat tool to
directly engage with customers, for example providing support on which documentation is required for
an application.

As such, the platform routinely handled highly sensitive data, including financial documents from
bank statements to payslips, as well as personal information like medical records and driver’s
licenses.

These documents, loaded with personal information, are high value targets for cyber criminals. The
organisation implemented multiple layers of security to protect data within its cloud infrastructure
from cyber attacks. However, like many enterprises, they assumed that Salesforce had inbuilt
capabilities to scan incoming content, or that other security tools such as Endpoint Detection and
Response (EDR) would catch any threats. After further investigation, they discovered the growing
threat posed by cyber criminals abusing the Salesforce upload function to share malware-laden files,
as well as the Chatter tool’s potential as a vector for phishing. It also became apparent that
Salesforce did not have native functionality around file scanning, and that malicious content
introduced through this channel may bypass traditional tools like EDR. The company decided to close
off these attack paths with a specialised solution.

How WithSecure provided a frictionless solution for customers

After investigating several different options, the firm decided to implement WithSecure’s Cloud
Protection for Salesforce (CPSF) solution, a content security tool built in co-operation with
Salesforce.

CPSF automatically scans all content uploaded into Salesforce before it arrives in the network. Any
suspicious documents are quarantined and flagged for further investigation by the organisation’s
security team. The customer service team can then reach out to the customer who uploaded the
document and explain that there was an issue with the file and attempt to determine if it was
malicious or accidental.

The CPSF solution also offers URL protection, blocking harmful links being shared through Chatter
and the documents themselves.

Documents and URLs are scanned using WithSecure’s repository of threat intelligence, continually
updated as malware variants and attack techniques are discovered.

When implementing this solution, the user experience was one of the most important considerations
for the credit card provider. As a customer-facing company in a highly competitive market, it could
not afford any lag in the process. An overly slow or complex system would be frustrating for
customers and could lead to them seeking out other providers.

Clean documents will rapidly pass through the system with no noticeable delay to the customer or the
service team. Further, because it was developed in collaboration with Salesforce, CPSF functions as
a native solution, complete with matching graphical user interface (GUI). For customers and
employees alike, the solution looks and feels exactly like Salesforce, rather than an off-putting
bolt-on. Its native functionality also ensured a quick roll out of the solution with no additional
resources required for implementation.

Regaining control of the Salesforce environment

CPSF provided the lender with three important business outcomes: protection, visibility, and
control.

Most importantly, the firm could be certain that any threat posed by the abuse of Salesforce was
closed off. All content entering Salesforce is scanned in real time using the most up-to-date threat
intelligence available.

Secondly, the solution provides full visibility of all activity. When a malicious file or link
arrives at the system, the security team can immediately determine where it came from and who
interacted with it. This visibility goes both ways, instantly identifying unusual activity that may
point to a malicious insider or compromised employee user account.

Finally, CPSF provides the organisation with a high level of control in how data is secured and
managed. Its native functionality ensures that the solution never interferes with the Salesforce
platform whilst enabling a high degree of interoperability with the existing security stack. The
firm was quickly able to implement CPSF as an integral part of the platform and re-establish
confidence that customer data is fully protected.

Had Salesforce been used as an attack vector without this protection in place, it would have had a
dramatic effect on the business, potentially halting its operations and putting the data of millions
of customers at risk.

But, enabled with CPSF, the credit card lender and loan provider has been able to develop its use of
Salesforce without being held back by the threat of a disastrous cyber attack delivered through the
platform.

Introducing the shared responsibility model


This case study exemplifies the shared responsibility model, a cloud security framework set out
by many of the most prominent players in the cloud industry, including Amazon and Microsoft.

Cloud providers hold responsibility for protecting the data they store and manage, a fact set out in
law by regulations such as the GDPR. However, the organisations utilising these cloud services to
store critical data must also play their part.

The organisation using the cloud platform bears responsibility for ensuring the integrity and
security of all content residing in it. Organisations using SaaS cloud services such as Salesforce,
Microsoft 365, and Google Workspace must ensure they have the capability to secure any and all
assets they add to the cloud. In the case of customer-facing organisations, this extends to any
material that may be uploaded by users in addition to the company’s personnel.

Many organisations operating in the financial services sector are still unaware of both the
potential risk posed by malicious content entering cloud CRM platforms, and their responsibility in
mitigating the threat. Even large financial organisations with mature, well-resourced security
strategies are vulnerable to attacks that exploit their CRM in order to bypass other layers of
security.

The case study demonstrates how the shared responsibility approach can be achieved in a way that
ensures the protection of all parties without impacting business operations.

As the only content security tool built in cooperation with Salesforce, WithSecure CPSF enables
organisations to close this attack path and concentrate on reaping the benefits of the cloud.

Who We Are
WithSecure™ is cyber security’s reliable partner. IT service providers,
MSSPs and businesses along with the largest financial institutions,
manufacturers, and thousands of the world’s most advanced
communications and technology providers trust us for outcome-based
cyber security that protects and enables their operations. Our AI-driven
protection secures endpoints and cloud collaboration, and our
intelligent detection & response is powered by experts who identify
business risks by proactively hunting for threats and confronting live
attacks. Our consultants partner with enterprises and tech challengers
to build resilience through evidence-based security advice. With more
than 30 years of experience in building technology that meets business
objectives, we’ve built our portfolio to grow with our partners through
flexible commercial models.

WithSecure™ is part of F-Secure Corporation, founded in 1988, and
listed on the NASDAQ OMX Helsinki Ltd.
