Commentary
4/5/2017 02:00 PM
Dr. Mike Lloyd
Banks Must Focus More on Cyber-Risk

Recent guidelines from the Federal Reserve are aimed at stemming the tide of successful exploits.

In late 2016, just after the distributed denial-of-service attack on the DNS infrastructure, I sat in my hotel room staring at a cryptic URL error on my laptop after attempting to buy a train ticket, wondering what it meant. Was my credit card compromised? Did I have a ticket? Should I do anything to protect my identity and financial security?

Every day, millions of Americans conduct billions of digital financial transactions with the corner grocery store, online retailers, and banks. We buy things and pay for them; we pay rent, credit card, and utility bills; and we scan smartphone screens at payment readers. Online financial interactions are continuous, intertwined, and essential to everyday life. They are also under ever-more threats from cyberattack. What can be done to defend against the constant barrage of successful exploits?

Recently, the Board of Governors of the Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation released guidance for most US financial institutions. The new rules for midsize and large banks are designed to intensify their focus on cyber-risk mitigation and cyberattack resilience.

In their Enhanced Cyber Risk Security Standards, they encourage self-assessment using the FFIEC Cybersecurity Assessment Tool; adherence to the NIST Cybersecurity Framework and the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures; and the adoption of sound practices as outlined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System." These documents state that cyber infrastructure is critical, that there are vital best practices, and that each organization needs to take on a greater, focused effort toward cyber resilience.

According to the Enhanced Cyber Risk Security Standards, "The enhanced standards would emphasize the need for covered entities to demonstrate effective cyber-risk governance; continuously monitor and manage their cyber-risk within the risk appetite and tolerance levels approved by their boards of directors; establish and implement strategies for cyber resilience and business continuity in the event of a disruption; establish protocols for secure, immutable, transferable storage of critical records; and maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis."


While these are certainly important areas to address, the details are left to the institutions. In addition, maintaining situational awareness across a sprawling organization requires more advanced analytics than many organizations have.

There is one other area that should also be part of the new guidance, and that is how all the systems connect to each other. To take a page from Sun Microsystems' John Gage, "The network is the firewall." Yet the new guidance ignores the reality that the network creates the greatest risk, the greatest opportunity for resilience, and the greatest need for clear analysis. The thing that makes the online financial marketplace work so well — that you can buy and pay for anything from just about anywhere — is what makes it so vulnerable.

While it's certainly important to focus on addressing key individual systems and their potential vulnerability to attack, the network as a whole — its interconnectedness — provides the path by which attacks occur. And the uncomfortable truth is that it's virtually impossible to make all systems impervious to attack.

However, there is more that can be done to build resilience into networks than is currently being done by most organizations. There are three areas that need immediate attention: system vulnerabilities that are accessible across the network, issues with the configurations of network devices, and an incomplete inventory and model of the network, which limits the visibility of potential attack paths.

Accurate Picture Needed
Unfortunately, most organizations don't have a complete and accurate picture of their entire network. And because their picture is incomplete, their approach to security controls and protections is also incomplete. They've been protecting an illusion.

The reality is that not only are endpoint systems at risk, but so are core network devices. And, as every network engineer knows, taking over a network device means you have access to everything connected to it. By focusing attention and effort on protecting endpoints, many organizations are failing the key test of their cybersecurity defenses: can they protect high-value assets? When you ask a company if your credit card information is secure, you don't only want to know that it has the latest and greatest firewall protecting its network. You want to know what the company is doing to keep the hackers who get in from accessing high-value targets.

The steps created by the new guidance from the Federal Reserve are an important start. It's critically important that organizations communicate attack scenarios, work together to coordinate responses and improved defenses within and across organization boundaries, and continue to develop more sophisticated and automated approaches to creating and maintaining an accurate picture of how everything connects together. To stop relying on what you think your network is doing and instead commit to reality, objective and comprehensive analysis is key. From there, you can develop a strategy for addressing the gaps, maintaining network segmentation, and ensuring resilience without the illusions of the past.

The only way to maintain the flow of international finance to support everyone from individuals doing their daily activities to businesses and governments interacting across the planet is to protect the endpoints, the network, and the entire infrastructure as a complex, interconnected system. The only way to do that is with automated analysis of the system that allows engineers to identify and address access risk and vulnerabilities as they arise rather than after they're compromised.
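The three areas named above (vulnerabilities reachable across the network, network device configuration, and a model of the network that exposes attack paths) can be checked together with a small reachability analysis over a network model. The following is an added example, not code from the article or from RedSeal; the zones, hosts, firewall rules and vulnerability IDs are constructed sample data.

```python
from collections import deque

# Constructed model: zones with their hosts, the assets that matter most, the
# firewall rules as actually configured, and known unpatched services.
ZONES = {"users": ["laptop-1"], "dmz": ["web-1"], "app": ["app-1"],
         "data": ["db-1", "mgmt-switch"]}
HIGH_VALUE = {"db-1", "mgmt-switch"}
# (source zone, destination zone, TCP port) rules; the last is a stale admin rule.
RULES = {("users", "dmz", 443), ("dmz", "app", 8080), ("app", "data", 5432),
         ("users", "data", 22)}
# Ports on which a host runs a service with a known unpatched flaw (IDs are
# placeholders, not real advisories). app-1 is fully patched.
VULNS = {"web-1": {443: "VULN-ID-PLACEHOLDER-A"},
         "mgmt-switch": {22: "VULN-ID-PLACEHOLDER-B"},
         "db-1": {5432: "VULN-ID-PLACEHOLDER-C"}}

def zone_of(host):
    return next(z for z, hosts in ZONES.items() if host in hosts)

def exposed_services(rules, zone):
    """Network view: every (host, port) the rules let `zone` reach directly,
    whether or not that service is currently known to be vulnerable."""
    return sorted((h, p) for s, d, p in rules if s == zone for h in ZONES[d])

def attack_paths(rules, vulns, start):
    """Exploit-chain view: breadth-first search in which each hop needs both a
    rule allowing the traffic and an unpatched service on the destination host."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, port in rules:
            if src != zone_of(cur):
                continue
            for host in ZONES[dst]:
                if host not in paths and port in vulns.get(host, {}):
                    paths[host] = paths[cur] + [host]
                    queue.append(host)
    return {h: p for h, p in paths.items() if h != start}

def exposed_high_value(rules, vulns, start):
    """High-value assets reachable from `start`, with the hop sequence, so both the
    vulnerable hop (patching) and the allowing rule (segmentation) can be fixed."""
    return {h: p for h, p in attack_paths(rules, vulns, start).items() if h in HIGH_VALUE}

if __name__ == "__main__":
    print("exposed to user zone:", exposed_services(RULES, "users"))
    print("high-value assets at risk:", exposed_high_value(RULES, VULNS, "laptop-1"))
    hardened = RULES - {("users", "data", 22)}   # remove the stale rule
    print("after removing stale rule:", exposed_high_value(hardened, VULNS, "laptop-1"))
```

The network view shows db-1 exposed on port 22 even though no exploitable flaw is known there today, which is the blast radius a future vulnerability would inherit; the exploit-chain view shows that the stale rule, not the patched application tier, is what currently puts a high-value asset within reach.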


Dr. Mike Lloyd, CTO of RedSeal, has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before joining RedSeal, Mike was CTO at RouteScience ...

Comments
rayray2016, User Rank: Apprentice, 4/7/2017 | 12:57:31 AM
Twenty Motion
Awesome post, very engaging.
JulietteRizkallah, User Rank: Ninja, 4/6/2017 | 9:29:59 PM
Re: Network-centric view of cyber risk, but what about identity-driven threats?
Sorry, I did not mean to suggest you did not do a good job in your article; I actually think you did from a network perspective, and of course no one can cover cyber risk mitigation in a short article. That being said, your analogy of "identity management = badge reader" is simplistic. Access management can be compared to a badge reader: "get in or stay out". But full identity management includes governance that establishes the policies that define who can access which floor and, within each floor, what area (i.e. data center room vs. cube or offices), in addition to what application/system and what segmentation of that system/app (i.e. SFDC Americas only or global), and that is a far deeper "segmentation" than anything you can establish through a network. That being said, if your article was all about identity mgmt and did not talk about network and network segmentation, I would also have said that an important perspective is missing :-). Today, it is about implementing various layers of security in the hopes that hackers will be detected before they get to the crown jewels.

Looking forward to reading more articles from you. Juliette
drmikelloyd, User Rank: Author, 4/6/2017 | 9:20:05 PM
Re: Network-centric view of cyber risk, but what about identity-driven threats?
I'm happy to agree that I didn't cover all possible aspects, Juliette, but in my defense, the article wouldn't get published if it were infinitely long :-)

You are quite right that many attacks START via social engineering, or with a stolen credential.  But that often means the attacker's first hand-hold is not already on the crown jewels - they have to move laterally, across the network, to achieve their ends.

So I certainly do not claim that identity management is irrelevant. But as you say, the users are a perennially weak link, and so what most organizations do is put some distance (in the network) between the user space and the really important stuff. This creates opportunity for controls appropriate to what is being protected.

By way of analogy, think of securing a building.  Someone might say "a focus on internal building segmentation is pointless if most bad guys get in through exterior doors - we need more badge readers to make sure the bad people don't get in!".  But badge readers are routinely defeated, so it's worth planning ahead for a breach at the level we all agree is weak, and making sure the most important parts of the building are segmented.  You can escalate the control methods as you get to more critical parts of the building.  And that, ultimately, requires understanding the building.  Likewise, a focus on identity management is sensible, but it's a Sisyphean problem - you still need to understand the blast radius and lateral movement across the network, because the identity tracking will invariably be breached by hacking the human.
JulietteRizkallah, User Rank: Ninja, 4/6/2017 | 6:20:47 PM
Network-centric view of cyber risk, but what about identity-driven threats?
Though I agree with the content of this article, I think it misses a big aspect of the resilience and mitigation a bank needs to build to counter cyber risk. Threats that are not network-based but rather identity-driven are totally ignored. Many breaches today involve compromised credentials, social engineering leading to orphan account takeover, and other identity-driven attacks. Users are the weakest link and are being targeted every day by hackers aiming to get to corporate sensitive data they can monetize. No firewall nor security gateway can help with that; rather, a strong identity management platform and governance processes can help mitigate that part of the bank's cyber risk.
Joe Stanganelli, User Rank: Ninja, 4/6/2017 | 4:22:46 PM
Re: Collaborative Defense in the financial sector
> or put another way "what is the blast radius if I am hit with the same attack?".  

Great way to put it.  A rising tide lifts all ships -- and, conversely, if a smaller competitor is compromised, attackers will be emboldened by their proof of concept as the bigger enterprises are put at risk.
drmikelloyd, User Rank: Author, 4/5/2017 | 9:09:55 PM
Re: Collaborative Defense in the financial sector
Quite right, Joe. At one time, it seemed the tragedy of the commons might be a big issue here: everybody wanted threat data from others, but was reluctant to give up info on their own battles. Fortunately, the "enlightened" part of enlightened self-interest seems to have kicked in, so that sharing can proceed. One challenge that remains is to bring that data home and ask "where am I vulnerable to the same issue?", or put another way "what is the blast radius if I am hit with the same attack?". These are still hard questions for many organizations to answer.
Joe Stanganelli, User Rank: Ninja, 4/5/2017 | 3:36:55 PM
Collaborative Defense in the financial sector
The ACSC -- of which the Fed is a member -- has been especially important in helping to unite banks and the rest of the financial sector in their cybersecurity efforts. Threat sharing used to be often avoided among the big banks -- leading to the same criminals cyber-robbing multiple banks of millions more dollars! Today, threat sharing has evolved into collaborative defense -- and the industry is more welcoming of others to the table while contributing in turn (although I still see some signs, from my own perspective, that smaller organizations/enterprises aren't quite as welcome where they don't have as much to add as, say, a SWIFT or a PwC).