Security Talk Column / Banking/Finance/Insurance

Would You Pass the Cyber Test?

About 200 banks in New York took part in a cybersecurity “exam” in which they were made to respond in real time to questions about their cybersecurity policies and procedures.

Cyber Test
Tom Kellermann

Late last year about 200 banks in New York took part in a cybersecurity “exam” in which they were made to respond in real time to questions about their cybersecurity policies and procedures. The test was designed to help the banks see how they compare with their peers in terms of being ready for attacks by cybergangs looking to break into their networks.

According to one cybersecurity expert, it’s not the test that is needed. What’s required instead is a change of focus, away from trying to stop distributed denial-of-service attacks and toward prevention.

Tom Kellermann, managing director with global professional services firm Alvarez & Marsal and former Commissioner on the Commission on Cyber Security for the 44th Presidency, says, “These banks also need to be focused on how to preserve their payments systems, insulating their organizations from credential theft and, most importantly, how to identify when a modern-day bank robber is already in the vault. In the past these smaller community banks were not on the radar of these global cybergangs, but they are now, and because they have fewer resources to put into this area than their large commercial bank counterparts, they are deemed more attractive targets.” The issue, he says, is how to prevent account takeovers, attacks on payments systems and wire-transfer systems and how to protect the IDs of users.

In addition, Kellermann suggests that the banks need to ensure that their third-party partners that store their data in the cloud are aware of threats and are shoring up their own systems. Another suggestion, he says, is giving their CISOs more autonomy, more money and the resources necessary to have current technology and practices. “The safety and soundness, trust and confidence of these financial institutions is directly proportional to the cybervision of the organization,” Kellermann says. “They should be viewing cybersecurity not as an expense, but as a function of doing business.”


How does one “insulate” a bank from credential theft?  

Financial institutions must manifest continuous monitoring of their security controls to ensure that they have cognizance when they are under attack and particularly aware of when sensitive data is being exfiltrated. CISOs must reevaluate their security paradigm. The security architecture of “castles in cyberspace” must shift to one of a “prison” that is inwardly focused and one that limits the leakage of credentials. We need to move beyond perimeter defenses like firewalls and encryption, for although these security controls are foundational, they’re insufficient to combat organized cyber bank heists. The following 13 strategies should be enacted:

  1. Develop a current Cyber Protection Strategy based on cyber reality.
  2. Conduct penetration tests of all third parties.
  3. Use two-factor authentication.
  4. Conduct egress filtering.
  5. Assign multiple personnel to review logs.
  6. Deploy file integrity monitoring.
  7. Implement virtual shielding for zero day exploits.
  8. Deploy a data loss prevention (DLP) solution.
  9. Implement whitelisting.
  10. Use a custom sandbox.
  11. Access global threat intelligence.
  12. Refine Incident Response plans. 
  13. Retain a forensics partner.


How does a smaller bank, with fewer resources, accomplish this?

Start by crafting a forward-leaning cybersecurity strategy wherein offense informs defense. Limit administrator privileges; deploy two-factor authentication; deploy a DLP; and assess the security of your shared service provider and cloud provider. All of these things will be paramount.


How does educating bank staff play a role in these efforts? 

Security is only as strong as your personnel’s cyber hygiene. Educational efforts must be robust and include the continuing education of cybersecurity professionals as well as the monthly education of the board per how the institution’s risk posture has changed due to events in cyberspace.


How should a bank audit its third-party providers? 

Begin by educating your general counsel to move away from standard Service Level Agreements. These are far too focused on “up time” and must extend your security into the provider’s network to prevent the “island hopping” cyber attacks that use third-party systems to transit into your network. Conduct a security gap analysis with a vulnerability assessment of the third-party provider’s systems, with mandatory timely remediation.


Are there other sectors that could or should conduct a cyber test? 

Outside of the financial sector, the most targeted businesses are Biotech, Pharma and Hi-Tech. All of these sectors must begin to “scrimmage” more as they are under attack now.    

Recent Articles by Diane Ritchey