The risk to the financial sector is extremely high, and due to the high value of financial data, cybercriminals are increasingly targeting customer banking credentials when carrying out attacks. Below, we speak to Robert O'Connor, Chief Information Security Officer (CISO) for Neocova Corporation, about the cybersecurity challenges within financial institutions and best practices to safeguard financial data and prevent attacks.
Security magazine: What is your title and background?
O’Connor: I am the Chief Information Security Officer (CISO) for Neocova Corporation, which provides modern and secure technology to community banks and credit unions without the traditional contracts and fees. I have 30 years’ experience in both the private sector and government aligning global information infrastructure to business requirements incorporating cyber and physical security. In the private sector, I founded three IT companies and worked at Adobe conducting security architecture, engineering and gap analysis for the Intelligence Community and the financial services industry. My government service included roles as Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO) for the third largest County in the U.S. and Deputy Director of Enterprise Information Security at the Central Intelligence Agency (CIA). Prior to that, I studied at Washington University in St. Louis; Georgetown University, Washington, DC and the University of Vienna, Austria with degrees in Electrical Engineering, Computer Science, German and Music. I have been a Certified Information System Security Professional (CISSP) for 20 years.
Security magazine: What are some of the current challenges banks are experiencing around their cybersecurity?
O’Connor: The banking sector is considered one of the most vulnerable as far as cybercrime is concerned. Cybercriminals are increasingly targeting customer banking credentials when carrying out attacks.
The risk to the financial sector is extremely high for three reasons: 1) We are dealing with well-organized cybercrime syndicates and nation-state actors, who are focused on exploiting or disrupting the banking system. After all, banks are where the money is. 2) They have developed new ransomware payloads that many of our existing security controls are not detecting, and 3) banking is national security.
According to a report by the Federal Reserve Bank of New York in June 2020, a single cyberattack on just one large U.S. bank (> $50 Billion in assets) would have a major effect on the global financial system. Attacks on two midsize banks would have the same effect. Interruptions from six community banks (< $10 Billion in assets) are sufficient to impair the system. There are about 137 large and midsize banks and 4,440 community banks. The U.S. financial system is complex and highly interconnected, making it very vulnerable to a cyberattack. Community banks are more vulnerable because they have fewer resources to address cyber security. A cyberattack as described above could result in a liquidity crisis - a cascading failure of interbank funding and the inability to clear transactions. In total, the annual economic cost of cybercrime is over $1 trillion, compared to $300 billion from natural disasters.
Although IT teams at banks have increased the protection of customer data and reduced credit card fraud, the security of most banks' internal systems still needs to be greatly enhanced. This perspective was reinforced recently by The Office of the Comptroller of the Currency (OCC) in their report Semiannual Risk Perspective, Fall 2020, "examiners continue to identify concerns in banks related to bank information technology (IT) systems ... and information security." More specifically, banks need "to identify and respond to new threats in a timely manner to prevent ... significant impacts." I see that banks today face seven primary challenges in security:
- Improving security of legacy systems. How do you protect systems that are 20 or 30 years old against new threats that are evolving every day?
- Being more nimble. How to put more resources into new features that solve customers' security and business needs rather than maintaining aging systems. The OCC says banks are at increased risk due to pressure to compete with "new entrants to the marketplace".
- Increasing the resiliency of their systems to reduce the impact of an incident and make recovering faster.
- Enhancing fraud detection while also incorporating a cyber element.
- Demonstrating proactive due diligence to regulators in banks’ security efforts and reducing labor-intensive compliance reporting. The OCC says, "Compliance risk is increasing, driven by ... mandates related to the CARES Act and state government requirements.”
- Identifying, prioritizing and implementing improved security without the budget for hiring experienced people.
- Going beyond security training to instill a sense of responsibility in every employee.
Prominent threats that highlight these challenges are ransomware, phishing, hacking and insider threats, both malicious and accidental, in addition to compliance costs and fines.
The TrickBot trojan is one example of an exploit designed to target the banking sector. A descendant of Dyre malware, TrickBot provides its operators a full suite of tools to conduct myriad illegal cyber activities. These include credential harvesting, mail exfiltration, cryptomining, and the deployment of ransomware, such as Ryuk and Conti.
With these tools, attackers can target systems as well as employees and customers to find exploits and use the bank's own systems against them to transfer funds to the attacker. And remember, the internet enables attackers to work at scale vs. a non-cyber threat actor.
Security magazine: What measures can banks put in place to mitigate some of these challenges?
O’Connor: Enacting the following will put banks in good stead regarding the seven primary challenges:
- Digital Transformation - Move from legacy software and infrastructure to modern cloud-based ecosystems - and not simply adding a web interface to the same enervated backend components. This simultaneously erases hardware, software and networking maintenance debt while increasing agility, resilience and security.
- Deploy advanced authentication techniques. These commonly fall into five authentication types: passphrase, multi-factor, certificate-based, biometric and token-based.
- Employ Artificial Intelligence (AI) to identify and alert on fraud. This produces more accurate results more quickly by enhancing traditional tells with new cyber elements. It also carries the attendant benefit of reducing a traditionally labor-intensive process (read slow and expensive) with a streamlined approach that can readily keep pace with new and potentially burdensome compliance requirements.
- Completely isolate customer processing and employee processing environments.
- Employ a next-generation Endpoint Detection and Response system (EDR) to find malware across the entire network and augment traditional signature-based antivirus tools.
- Implement DNS protections for employee web-browsing.
- Configure the triumvirate of email protections - Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting and Conformance (DMARC).
- Greatly restrict what applications are allowed to execute and tightly restrict application account privileges.
- Leverage a CISO-as-a-Service (CaaS) or Virtual CISO (VCISO) capability focused specifically on the needs of financial sector businesses.
- Implement the FinTech Security Officer (FSO) framework or similar program to unify people, process and technology for protecting sensitive client and employee information.
Security magazine: What is the five-point FinTech Security Officer framework?
O’Connor: The FinTech Security Officer (FSO) program instills a responsibility on every employee to implement the five components of the Neocova Security Framework in their daily work: Protect and Secure personal information of teammates and clients' business information; Identify risks and security gaps; Mitigate risks; Report security breaches, and Measure effectiveness of mitigations. These actions protect confidential information from leaking or causing harm.
Neocova’s five-point FSO framework is deeply rooted in industry standards and regulatory authorities for security and privacy. This provides a holistic means of protecting sensitive client and teammate information, in addition to a robust and ever-evolving cybersecurity posture.
The essence of the FSO program is risk management, i.e. teaching employees how to think about and integrate risk analysis into their every day jobs, no matter what role they play in the company. By infusing risk management into our corporate cultural fabric, we have established a culture of security.
Security magazine: How does this framework unify people, process and technology, as well as protect sensitive client and teammate information?
O’Connor: This successful risk management approach unifies people, process, and technology in the following way.
- People Security:
We address people security in three layers: employees, the security team and strategic security partners:
- All employees are FSOs.
- The Information Security Team comprises subject matter experts in security program development, cloud computing security, secure coding and security awareness. They provide prowess garnered from storied careers protecting our county's most sensitive national intelligence information.
- Strategic partners complement the cadre of in-house information security professionals. We have selected strategic security partners to perform certain complementary functions, such as independent security reviews, penetration testing and formal attestation. This purposeful appointment of partners exceeds industry best practices by both obtaining premier capabilities in these respective fields and ensuring independent oversight by separating responsibilities. This impartial oversight extends to our vendors as well.
- Process Security:
Less is more. Process security is built around the concept of lean management. According to W. Edwards Deming, if you improve quality, you automatically improve security. At its core, Lean is a business methodology that promotes the flow of value to the client. The Lean approach starts by ensuring everyone aligns around a common purpose, answering the question, “Why does this business exist?” and building on this shared identity to create ownership and motivation around collaborating on positive organizational transformation.
- Technology Security:
The framework has helped in building technical infrastructure from the ground up across multiple cloud services. Through automation, checks and balances and layers of technical controls, it ensures a robust environment for processing clients’ information that mirrors the same rigorous standards as those keeping our vital national security information safe.
Securing customer information is critical to the success of any company. This is even more true for banks as they are entrusted with highly sensitive and confidential information from clients, team members, regulators and vendors. Financial services form the backbone of our economy and are a National Security priority. A framework such as this ensures their success.