In this two-part series, CISO Anthony Scarola examines the elevated threats for both shoppers and financial institutions during the holiday season and offers best practices for ensuring your enterprise is protected during the time of increased risk. Read Part One here.
Part Two
Besides the required risk assessment and documentation efforts outlined in the first article in this series, you should have strong ‘key’ controls in place to mitigate risk. SANS outlines that security controls come in four types: preventative, detective, corrective and compensatory. NIST documents that each type comes in three categories: administrative, technical or physical.
I would argue that preventive and detective controls in the technical and physical categories are ‘strongest’ and should be considered ‘most effective’ for any security program; however, maybe not ‘key,’ as every security program should also include administrative controls (e.g., policies and procedures) to help correct or compensate for failures when things do go wrong.
The point here is to consider all of these types and categories, then select and implement security controls so that your layered program is appropriate to combat threats and to respond appropriately when incidents occur – and they will occur.
Still, you may be asking what security controls you should have in place to mitigate and appropriately respond to an attack. Although I am not going to provide specifics, there are many good sources to turn to which outline important controls.
As financial institutions, we must first look to the Agency guidance and requirements, including the FFIEC’s IT Examination HandBook InfoBase (http://ithandbook.ffiec.gov/), and specific guidance such as the FFIEC’s Authentication in an Internet Banking Environment. The maturity section of the FFIEC Cybersecurity Assessment Tool (CAT) will also have more details on the controls that should be implemented.
Also check out NIST Special Publication 800-53 Revision 4, which identifies controls for Federal entities based on information categorization, including sensitivity levels (i.e., low, medium, high). Another good reference is the SANS CIS Critical Security Controls for Effective Cyber Defense Now, aka SANS Top 20.
Of course, the basic preventive controls will include firewalls, intrusion prevention systems (IPS), endpoint anti-virus including anti-malware protection, Internet email filtering, Internet web filtering and vulnerability management (i.e., patching operating systems and applications, hardening devices).
Additional controls may include network-based anomaly prevention, mobile device management, network access controls, and security information and event management (SIEM) solutions. Again, seek the resources above to identify controls suitable for your environment and based on your institution’s risk appetite. If done right, your risk assessment should outline the specific areas of focus.
Do not forget to patch your employees! What?!?! Yes, employees (aka users, for those of you still stuck in the IT dark ages :)) must be patched too. How? With routine awareness training and education. Employees should be reminded to be overly cautious, shown how to detect suspicious emails and phone calls, and told how to proceed when they encounter one.
Training should cover how to detect potentially fraudulent email messages, and the reasons for not immediately clicking on links, opening attachments, or wiring funds without first taking some key verification steps. Empower your help desk technician(s) to assist employees with validating emails and phone calls. This, along with the other security layers in your arsenal, should help to significantly reduce the number of successful attacks and breaches in your environment.
Again, you, upper management, and directors should know that even this will not prevent every breach; however, considering your layered security program will include other strong, tested response mechanisms, the effects should be limited.
Many of your bank’s customers do not have the same security controls and protections in place that you do. Firewalls, email filters, and antivirus may be common across the board, but customers may lack advanced controls such as anti-malware protection, routine vulnerability scanning, patching and intrusion prevention systems. Some may even allow their employees, and consequently any viruses those employees pick up, to have full administrative permissions on their workstations.
Because of this, they may be far more prone to email social engineering, which may lead to either direct or indirect unauthorized wire transfers or ACH requests to the bank. To combat this risk, many smaller financial institutions have opted to perform more call-backs, or have implemented advanced back-end analytics as outlined in the FFIEC’s Authentication in an Internet Banking Environment guidance. These controls, although not foolproof, should also help mitigate this risk.
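The two customer-side controls just mentioned, back-end anomaly checks and a call-back, can be combined in a single release decision. The following is an added illustration, not code from the article or from any institution; the customer profiles, thresholds and request data are constructed sample values, and the rule that a call-back only counts when it is made to the number of record (never to a number supplied in the request) is the point it demonstrates.

```python
"""Minimal back-end check for incoming wire/ACH requests (added example).
Combines simple anomaly analytics with a mandatory call-back to the
customer's phone number of record. All data below is constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Set, Tuple


@dataclass
class CustomerProfile:
    customer_id: str
    phone_of_record: str          # captured at onboarding, never from a request
    known_beneficiaries: Set[str]
    recent_amounts: List[float]   # previously approved wire amounts


@dataclass
class WireRequest:
    customer_id: str
    beneficiary: str
    amount: float
    channel: str                  # "online", "email", "fax", ...
    callback_number_in_request: Optional[str] = None  # attacker-supplied in BEC


def risk_flags(profile: CustomerProfile, req: WireRequest) -> List[str]:
    """Back-end analytics: flag anything outside the customer's normal pattern."""
    flags = []
    if req.beneficiary not in profile.known_beneficiaries:
        flags.append("new_beneficiary")
    if profile.recent_amounts:
        mu = mean(profile.recent_amounts)
        sd = pstdev(profile.recent_amounts) or max(mu * 0.1, 1.0)
        if req.amount > mu + 3 * sd:          # crude 3-sigma outlier rule
            flags.append("amount_outlier")
    if req.channel == "email":                # instructions by email are the BEC vector
        flags.append("email_channel")
    return flags


def decide(profile: CustomerProfile, req: WireRequest,
           callback_confirmed_on: Optional[str]) -> Tuple[str, List[str]]:
    """callback_confirmed_on is the number the verifier actually dialed (None = no call)."""
    flags = risk_flags(profile, req)
    if not flags:
        return "release", flags
    # Any flag requires a call-back, and only a call to the number of record
    # satisfies it; a number found in the request itself is never trusted.
    if callback_confirmed_on is not None and callback_confirmed_on == profile.phone_of_record:
        return "release_after_callback", flags
    return "hold", flags
```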
Banking customers can help protect their accounts by checking account transactions and balances daily, or at least every few days. Patch your computer’s operating system and applications frequently and configure for auto-patching if possible.
Train your employees to use extreme care with email, and not to click on links or open attachments in messages from unsolicited senders, as this is still the number one method for criminals to obtain full access to our computers and sensitive data, capture keystrokes and potentially access financial accounts.
Encourage employees and customers to refrain from connecting to your financial institution’s website from mobile devices, and from performing sensitive actions while connected to public WiFi hotspots. Also encourage them, where possible, to use a separate computer for Internet banking, wires, and ACH from the device used for email and general web browsing.
Install an antivirus application that is also sufficient in detecting malware such as man-in-the-browser (MitB) banking Trojans. Combined products exist, or you can install one to perform each function, if they are compatible with each other. Change default passwords on all network devices. Use strong passwords everywhere and invest in a good, secure password vault. Again, these tips should help, but are not to be considered silver bullets as nothing is ever 100% protected from cyberattacks.
In conclusion, the reality is that we will experience cyber security challenges for many years to come. The evil in the world will always be opposed to good and we will remain at war. Artificial Intelligence (AI), including Deep Learning, may help as it should speed up the protection, detection and response phases; however, it is still years away and may only help speed up our adversary’s attack, to no avail.
There may be no silver bullets, but there are many silver linings. This holiday season, gift yourself with the tips, methodologies, and security control suggestions outlined above, and along with a few prayers, you should fare well. I wish you great success on your voyage and wish you very safe, secure, and Happy Holidays!