<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anthony Scarola, Author at Security Current</title>
	<atom:link href="/author/anthony-scarola/feed/" rel="self" type="application/rss+xml" />
	<link>/author/anthony-scarola/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 27 Dec 2017 23:37:53 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Anthony Scarola, Author at Security Current</title>
	<link>/author/anthony-scarola/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>‘Tis the Season for Cybercriminals &#8211; Part Two</title>
		<link>/tis-the-season-for-cybercriminals-part-two/</link>
					<comments>/tis-the-season-for-cybercriminals-part-two/#respond</comments>
		
		<dc:creator><![CDATA[Anthony Scarola]]></dc:creator>
		<pubDate>Tue, 08 Dec 2015 19:22:07 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16476</guid>

					<description><![CDATA[<p>In this two-part series, CISO Anthony Scarola examines the elevated threats for both shoppers and financial institutions during the holiday season and offers best practices for ensuring your enterprise is&#8230;</p>
<p>The post <a href="/tis-the-season-for-cybercriminals-part-two/">‘Tis the Season for Cybercriminals &#8211; Part Two</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>In this two-part series, CISO Anthony Scarola examines the elevated threats for both shoppers and financial institutions during the holiday season and offers best practices for ensuring your enterprise is protected during the time of increased risk. </em><em>Read Part One <a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/tis-the-season-for-cyber-criminals-part-one">here</a>.</em></p>
<p><strong>Part Two</strong></p>
<p>Besides the required risk assessment and documentation efforts outlined in the first article in this series, you should have strong ‘key’ controls in place to mitigate risk. SANS outlines that security controls come in four types: <em>preventative</em>, <em>detective</em>, <em>corrective</em> and <em>compensatory</em>. NIST documents that each type comes in three categories: <em>administrative</em>, <em>technical</em> or <em>physical</em>.</p>
<p>I would argue that preventive and detective controls in the technical and physical categories are ‘strongest’ and should be considered ‘most effective’ for any security program; however, maybe not ‘key,’ as every security program should also include administrative controls (e.g., policies and procedures) to help correct or compensate for failures when things do go wrong.</p>
<p>The point here is to ensure you have considered all of these types and categories, and have selected and implemented security controls so that your layered program is appropriate to combat threats and respond appropriately when incidents occur – and they will occur.</p>
<p>Still, you may be asking what security controls you should have in place to mitigate and appropriately respond to an attack. Although I am not going to provide specifics, there are many good sources to turn to which outline important controls.</p>
<p>As financial institutions, we must first look to the Agency guidance and requirements, including the FFIEC’s IT Examination Handbook InfoBase (http://ithandbook.ffiec.gov/), and specific guidance such as the FFIEC’s <em>Authentication in an Internet Banking Environment</em>. The FFIEC CAT, maturity section, will also have more details on the controls which should be implemented.</p>
<p>Also check out NIST Special Publication 800-53 Revision 4, which identifies controls for Federal entities based on information categorization, including sensitivity levels (i.e., low, medium, high). Another good reference is the SANS CIS Critical Security Controls for Effective Cyber Defense Now, aka <a href="https://www.sans.org/critical-security-controls/">SANS Top 20</a>.</p>
<p>Of course, the basic preventive controls will include firewalls, intrusion prevention systems (IPS), endpoint anti-virus including anti-malware protection, Internet email filtering, Internet web filtering and vulnerability management (i.e., patching operating systems and applications, hardening devices).</p>
<p>Additional controls may include network-based anomaly prevention, mobile device management, network access controls, and security information and event management (SIEM) solutions. Again, seek the resources above to identify controls suitable for your environment and based on your institution’s risk appetite. If done right, your risk assessment should outline the specific areas of focus.</p>
<p>Do not forget to patch your employees! What?!?! Yes, employees (aka users, for those of you still stuck in the IT dark ages :)) must be patched too. How? With routine awareness training and education. Employees should be reminded to be overly cautious, to watch for suspicious emails and phone calls, and to know how to proceed when they encounter one.</p>
<p>Training should cover how to detect potentially fraudulent email messages, and the reasons for not immediately clicking on links, opening attachments, or wiring funds without first taking some key steps. Empower your help desk technician(s) to assist employees with validating emails and phone calls. This, together with the other security layers in your arsenal, should help to significantly reduce the number of successful attacks and breaches in your environment.</p>
<p>Again, you, upper management, and directors should know that even this will not prevent every breach; however, considering your layered security program will include other strong, tested response mechanisms, the effects should be limited.</p>
<p>Many of your bank’s customers do not have the same security controls and protections in place that you do. Firewalls, email filters, and antivirus may be common across the board, but customers may lack advanced controls such as anti-malware protection, routine vulnerability scanning, patching and intrusion prevention systems. Some may even allow their employees, and consequently any viruses they pick up, to have full administrative permissions on their workstations.</p>
<p>Because of this, they may be far more prone to email social engineering, which may lead to either direct or indirect unauthorized wire transfers or ACH requests to the bank. To combat this risk, many smaller financial institutions have opted to perform more call-backs, or have implemented advanced back-end analytics as outlined in the FFIEC’s <em>Authentication in an Internet Banking Environment</em> guidance. These controls, although not foolproof, should also help mitigate this risk.</p>
<p>Banking customers can help protect their accounts by checking account transactions and balances daily, or at least every few days. Patch your computer’s operating system and applications frequently and configure for auto-patching if possible.</p>
<p>Train your employees to use extreme care with email, and not to click on links or open attachments in messages from unsolicited senders: this is still the number one method criminals use to obtain full access to our computers and sensitive data, capture keystrokes and potentially access financial accounts.</p>
<p>Encourage employees and customers to refrain from connecting to your financial institution’s website from mobile devices, and from performing sensitive actions while connected to public WiFi hotspots. Also encourage them, where possible, to perform Internet banking, wires, and ACH from a separate computer than the one used for email and web browsing.</p>
<p>Install an antivirus application that is also capable of detecting malware such as man-in-the-browser (MitB) banking Trojans. Combined products exist, or you can install one product for each function, provided they are compatible with each other. Change default passwords on all network devices. Use strong passwords everywhere and invest in a good, secure password vault. Again, these tips should help, but they are not to be considered silver bullets, as nothing is ever 100% protected from cyberattacks.</p>
<p>In conclusion, the reality is that we will experience cyber security challenges for many years to come. The evil in the world will always be opposed to good and we will remain at war. Artificial Intelligence (AI), including Deep Learning, may help as it should speed up the protection, detection and response phases; however, it is still years away and may only help speed up our adversary’s attack, to no avail.</p>
<p>There may be no silver bullets, but there are many silver linings. This holiday season, gift yourself with the tips, methodologies, and security control suggestions outlined above, and along with a few prayers, you should fare well. I wish you great success on your voyage and wish you very safe, secure, and Happy Holidays!</p>
]]></content:encoded>
					
					<wfw:commentRss>/tis-the-season-for-cybercriminals-part-two/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>‘Tis the Season for Cybercriminals &#8211; Part One</title>
		<link>/tis-the-season-for-cybercriminals-part-one/</link>
					<comments>/tis-the-season-for-cybercriminals-part-one/#respond</comments>
		
		<dc:creator><![CDATA[Anthony Scarola]]></dc:creator>
		<pubDate>Wed, 02 Dec 2015 19:42:46 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16483</guid>

					<description><![CDATA[<p>In this two-part series, CISO Anthony Scarola examines the elevated threats for both shoppers and financial institutions during the holiday season and offers best practices for ensuring your enterprise is&#8230;</p>
<p>The post <a href="/tis-the-season-for-cybercriminals-part-one/">‘Tis the Season for Cybercriminals &#8211; Part One</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>In this two-part series, CISO Anthony Scarola examines the elevated threats for both shoppers and financial institutions during the holiday season and offers best practices for ensuring your enterprise is protected during the time of increased risk.</em></p>
<p>Ho, Ho, Ho! Happy Holidays to the security executive protecting banks across the US! Are you ready for the time of joy and giving? Are you ready to handle the increased cyberattacks and fraud?</p>
<p>‘Tis the season for celebrating, spending quality time with family and friends, enjoying delicious home-cooked meals, and for giving unconditionally. Hundreds of billions of dollars will be spent this year to purchase gifts in stores and online, and sadly, many Internet purchases will be performed from hacked computers.</p>
<p>If they are not already pwned, many will be after their employees open social engineering (aka phishing) emails and click on links or attachments containing malware. This will allow criminals to access computers remotely, steal sensitive data, capture keystrokes or even access the webcam. Or, more commonly, to encrypt valuable documents and pictures for a hefty ransom.</p>
<p>So, you can say ‘tis also the season for criminals to receive! Bah humbug is right! How can you prepare to address the increased fraud and cybercrime against your computer systems and your customers’ this season? My friend Dennis Teague, CISO for MainSource Bank, said it best: “You must apply security control ‘layers’ like onions and ogres.” Applied appropriately, individual security control layers will work together to better protect your entire computing environment.</p>
<p>Ransomware allows cybercriminals to encrypt data on computer hard drives and shared network folders, locking it with a ‘key,’ and prompting you to pay a ransom. The ransom is typically requested in Bitcoin due to its anonymity and untraceability. After a ransomware attack, some customers may call you, their banker, asking for your help and guidance.</p>
<p>Law enforcement and the FBI generally suggest paying the ransom, as the cybercriminals usually, but not always, will send you the decryption key afterward. Recommendations for customers to combat this threat, besides the standard message of not clicking on links or opening attachments in unsolicited emails, are to have good response plans, including backups of their important data files, documents and pictures. Customers should also file a report with the FBI’s Internet Crime Complaint Center at www.IC3.gov.</p>
<p>You might be asking yourself how to stay on top of the latest cyber threat tactics. The best tool in my opinion is <em>information sharing</em>. This is nothing new in the physical world. Without it, our medical field would have never left the dark ages of the eighteenth century; a time when bedside manners, ill-conceived notions of “unique illnesses,” and demanding patients prevented much headway.</p>
<p>The field only advanced after doctors began working together and sharing information about illnesses, diseases and remedies. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is recommended by the Federal Financial Institutions Examination Council (FFIEC) and can help by providing the secure channels required – anonymized if you wish – for giving and receiving threat intelligence and indicators. Memberships start at $250/year for institutions with less than $1 billion in assets / $10 million in revenue. You might also sign up for US-CERT vulnerability advisories, FFIEC press releases and Better Business Bureau (BBB) scam alerts.</p>
<p>How do you protect your own financial institution from cyber threats? The National Institute of Standards and Technology (NIST), Cybersecurity Framework (CSF), specifies that a five-tiered approach works best: <em>identify</em>, <em>detect</em>, <em>protect</em>, <em>respond</em> and <em>recover</em>.</p>
<p>Combined with your regulatory requirement to protect information and systems from <em>confidentiality</em>, <em>integrity</em> and <em>availability</em>-related attacks, commensurate to your institution’s risk tolerance (appetite), you get an information security program able to withstand the majority of attacks.</p>
<p>I agree, those are a lot of generalized terms without much operational content, so it is really best to begin at the top, with an inventory of information and systems, and then perform a risk assessment.</p>
<p>An inventory is vital because it is nearly impossible to protect information you do not know you have. The inventory should include information and systems located in your data center and hosted elsewhere (i.e., with vendors or third-party providers). Review the FFIEC’s recently updated Information Technology (IT) Examination Handbook on Management, which provides additional guidance and requirements on the processes and procedures to help mitigate risk.</p>
<p>If you do not already have a risk assessment, the FFIEC provides the <em>Cybersecurity Assessment Tool</em> (CAT) to help. After you read through the CAT documentation, and before using it, you will want to download the <em>Automated Cybersecurity Assessment Tool</em>, a Microsoft Excel spreadsheet that applies the CAT, from the Financial Services Sector Coordinating Council (FSSCC) website.</p>
<p>This assessment will give you and your management and directors an Agency-approved method to identify your current inherent risk level and ensure your cyber security maturity and controls are appropriate.</p>
<p>Whichever assessment tool you use, you will want to outline gaps and areas requiring enhancement, and develop a roadmap for your directors for enhancing your security controls, commensurate to your institution’s risk. Add the results to your information security program risk reduction strategy and incorporate costs in your budget plan.</p>
<p>In the next article, I will examine key security controls and training opportunities to help mitigate the season’s increased risk, as well as offer best practices to share with customers and employees to protect their own information and your enterprise.</p>
]]></content:encoded>
					
					<wfw:commentRss>/tis-the-season-for-cybercriminals-part-one/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
