Tom Kellerman

Late last year about 200 banks in New York took part in a cybersecurity “exam” in which they were made to respond in real time to questions about their cybersecurity policies and procedures. The test was designed to help the banks see how they compare with their peers in terms of being ready for attacks by cybergangs looking to break into their networks.

According to one cybersecurity expert, it’s not the test that is needed. Instead, what’s required is a change in focus from trying to stop distributed denial-of-service attacks to prevention.

Tom Kellermann, managing director with global professional services firm Alvarez & Marsal and former Commissioner on the Commission on Cyber Security for the 44th Presidency, says, “These banks also need to be focused on how to preserve their payments systems, insulating their organizations from credential theft and, most importantly, how to identify when a modern-day bank robber is already in the vault. In the past these smaller community banks were not on the radar of these global cybergangs, but they are now, and because they have fewer resources to put into this area than their large commercial bank counterparts, they are deemed more attractive targets.” The issue, he says, is how to prevent account takeovers, attacks on payments systems and wire-transfer systems and how to protect the IDs of users.

In addition, Kellermann suggests that the banks need to ensure that their third-party partners that store their data in the cloud are aware of threats and are shoring up their own systems. Another suggestion, he says, is giving their CISOs more autonomy, more money and the resources necessary to have current technology and practices. “The safety and soundness, trust and confidence of these financial institutions is directly proportional to the cybervision of the organization,” Kellermann says. “They should be viewing cybersecurity not as an expense, but as a function of doing business.”

How does one “insulate” a bank from credential theft?  

Financial institutions must manifest continuous monitoring of their security controls to ensure that they have cognizance when they are under attack and particularly aware of when sensitive data is being exfiltrated. CISOs must reevaluate their security paradigm. The security architecture of “castles in cyberspace” must shift to one of a “prison” that is inwardly focused and one that limits the leakage of credentials. We need to move beyond perimeter defenses like firewalls and encryption, for although these security controls are foundational, they’re insufficient to combat organized cyber bank heists. The following 13 strategies should be enacted:

1. Develop a current Cyber Protection Strategy based on cyber reality.
2. Conduct penetration tests of all third parties.
3. Use two-factor authentication.
4. Conduct egress filtering.
5. Assign multiple personnel to review logs.
6. Deploy file integrity monitoring.
7. Implement virtual shielding for zero day exploits.
8. Deploy a data loss prevention (DLP) solution.
9. Implement whitelisting.
10. Use a custom sandbox.
11. Access global threat intelligence.
12. Refine Incident Response plans. 
13. Retain a forensics partner.

How does a smaller bank, with fewerresources, accomplish this? 

Start by crafting a forward leaning cybersecurity strategy wherein offense informs defense. Limit administrator privileges; deploy two-factor authentication; deploy a DLP; and assess the security of your shared service provider and cloud provider. All of these things will be paramount.

How does educating bank staff play a role in these efforts? 

Security is only as strong as your personnel’s cyber hygiene. Educational efforts must be robust and include the continuing education of cybersecurity professionals as well as the monthly education of the board per how the institution’s risk posture has changed due to events in cyberspace.

How should a bank audit its third-party providers? 

Begin by educating your general counsel to move away from standard Service Level Agreements. These are far too focused on “up time” and must extend your security into the providers network to prevent the “island hopping” cyber attacks that use third-party systems to transit into your network. Conduct a security gap analysis with a vulnerability assessment of the third-party provider systems with mandatory timely remediation.

Are there other sectors that could or should conduct a cyber test? 

Outside of the financial sector, the most targeted businesses are Biotech, Pharma and Hi-Tech. All of these sectors must begin to “scrimmage” more as they are under attack now.