Written by Mike Alfaro, 9/1/2021
The increase in the severity and frequency of cyberattacks on organizations across the U.S. has become a national crisis. Financial institutions are disproportionately affected: the Boston Consulting Group estimates financial institutions are 300% more likely to be the target of a cyber attack. The increased sophistication and variety of the tools, techniques and procedures (TTP) employed by threat actors has only made it harder for financial institutions to detect threats to their enterprise platforms. Despite these increased threats, it has been demonstrated that an active, engaged security culture, combined with active detection and response processes, is the principal barrier to external and internal threats to any institution.
This blog post serves to highlight the four major cybersecurity threats to financial institutions where the root cause may come from gaps in the institution’s security policies and procedures.
- It’s always users. Always.
- Conformance to a standard is a start, but not good enough
- Failure to conform to principle of “least privilege”
- Ransomware
1. Users are your first line of defense and weakest link.
For small to medium-sized institutions the “security team” may look eerily identical to the IT and engineering staff. Without the resources to support a structured endpoint detection and response effort, a scaled-down security team may become overwhelmed by its internal responsibilities and struggle to detect ongoing or active threats to the institution.
Penetration tests have repeatedly found that the most resilient institutions provide their IT staff with ample opportunities to educate non-technical users on secure data handling and to foster an engaged security culture. While ongoing, meaningful education is critical, creating a culture that reinforces the importance of security procedures and incentivizes positive behavior is the foundation of a successful, long-term security strategy.
Providing positive reinforcement to users who properly follow security guidelines is critical when building a culture of security for non-technical users. While many users can view ongoing education and reinforcement as an inconvenience, making a connection between user behavior and the security and success of the institution and its customers is vital in today’s environment.
This connection can help minimize user efforts to circumvent the institution’s procedures and guidelines that defeat the purpose of a culture of engagement and active participation. Experience has demonstrated that the most successful institutions in combating cyber attacks are those who emphasize the critical role each user plays in the overall security configuration of the institution. Encouraging all users to actively play their role and providing incentives for their vigilance provides all users a sense of empowerment and responsibility.
At the end of the day, institutions are made up of humans and cannot expect a 100% security success rate. However, by establishing a culture of security awareness, user engagement, and encouraged reporting, the institution can go a long way toward the detection and prevention of security threats.
2. Conformance to a standard is a start, but not good enough
While most institutions have well established compliance frameworks and best practices guidelines, the fact remains institutions are still experiencing breaches. Could the PCI and HIPAA controls be inadequate?
The answer is: it depends. Conformance to a security standard is critical, especially for financial institutions, yet the IT staff of small to medium-sized institutions are stretched just to achieve the standards already established. After years of conducting network intrusion tests for institutions in diverse business verticals, our experience has shown that while compliance with a security standard is a good start, it is insufficient to protect the institution, its customers and their reputation.
An approach using ongoing, proactive problem solving as opposed to reactive remediation is the most successful defense against breaches.
This does not involve stretching IT personnel even further, but rather instilling the mindset that achieving compliance is the foundation of a proactive, rather than reactive, approach. We’ve encountered many IT operations teams, already overwhelmed with normal activities, that receive penetration test reports identifying vulnerabilities stemming from technical and organizational gaps in their security procedures even though they are compliant with PCI or HIPAA.
The IT security resources of an institution should always be mindful that adherence to a compliance framework is the first step in building a proactive culture but not an end unto itself.
As an alternative to adding more security education, the institution should consider increasing user awareness of the active threats it faces. Discussing these threats makes them real to the user, along with the role the user plays in combating them, and provides practical examples of threats and how they impact the institution as a whole. Real-world exercises give users an understanding of how a system is initially infected, how they help combat the infection, and why the security protocols are so important.
3. Failure to conform to principle of “least privilege”
Many institutions have established “business-justified” protocols giving users overly permissive access to sensitive resources and information to perform their duties. Without proper user education, access control restriction, and access monitoring, the institution opens itself to potentially catastrophic results when, not if, an initial foothold into the network is established.
A step towards institutional security may include the review of resources that are accessible to users from multiple areas within the institution. If accounting staff have higher privileged access, or access to greater assets than marketing staff, careful consideration should be given to reviewing the potential attack surface from the perspective of an attacker who has successfully compromised one of these areas.
While this step is more appropriate for the “threat modeling” process an institution should pursue, it is important to periodically revisit and reassess the internal attack surface as changes to resources and assets happen frequently. Depending on the institution’s rate of IT and organizational change, previously established threat modeling may not accurately represent the current internal attack surface.
By building this threat model early, IT staff are able to quickly re-assess changes to the threats and the attack surface whenever permissions and controls are changed for the institution’s critical assets. Everyone is aware of the reality of “temporary” fixes and workarounds eventually becoming “not-so-temporary.”
By periodically assessing the internal threat landscape, necessary workarounds can be performed in a manner that does not compromise the security of the organization, regardless of how temporary they actually turn out to be.
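The review described in this section, the assets reachable from each department, the attack surface an attacker inherits after compromising one of those departments, and the “temporary” grants that never went away, can be scripted so that it is repeatable every time the environment changes. The following is an added example written for this post, not the author’s own code or tooling; the departments, assets, sensitivity tiers, ticket references and expiry date are all constructed for illustration:

```python
"""Least-privilege access review over a constructed grant table (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

LEVEL_RANK = {"read": 1, "write": 2}


@dataclass(frozen=True)
class Grant:
    role: str                    # department or group holding the access
    asset: str                   # named resource
    level: str                   # "read" or "write"
    justification: str           # change ticket or business reason; "" if none recorded
    expires: date | None = None  # set only for "temporary" workarounds


# Constructed grants for a hypothetical institution (not real data).
GRANTS = [
    Grant("marketing", "web_cms", "write", "MKT-12"),
    Grant("marketing", "crm", "read", "MKT-12"),
    Grant("accounting", "general_ledger", "write", "FIN-3"),
    Grant("accounting", "payroll", "write", "FIN-3"),
    Grant("accounting", "crm", "read", "FIN-9"),
    Grant("it_helpdesk", "ad_domain", "write", "IT-1"),
    Grant("it_helpdesk", "general_ledger", "read", ""),               # never justified
    Grant("it_helpdesk", "crm", "write", "IT-7", date(2021, 6, 30)),  # temporary fix, now expired
    Grant("it_helpdesk", "web_cms", "write", "IT-2"),
]

# Constructed sensitivity tiers; the checks below care about "critical".
ASSET_TIER = {"general_ledger": "critical", "payroll": "critical", "ad_domain": "critical",
              "crm": "sensitive", "web_cms": "internal"}


def reachable(role: str, grants=GRANTS) -> dict[str, str]:
    """Highest access level the role holds on each asset."""
    out: dict[str, str] = {}
    for g in grants:
        if g.role == role and LEVEL_RANK[g.level] > LEVEL_RANK.get(out.get(g.asset, ""), 0):
            out[g.asset] = g.level
    return out


def attack_surface(role: str, grants=GRANTS, tier: str = "critical") -> set[str]:
    """Assets of `tier` an attacker can touch after compromising one account in `role`."""
    return {a for a in reachable(role, grants) if ASSET_TIER.get(a) == tier}


def shared_critical_assets(grants=GRANTS, max_roles: int = 1) -> dict[str, set[str]]:
    """Critical assets reachable from more than `max_roles` departments: every extra
    department is another path to the asset once that department is compromised."""
    holders: dict[str, set[str]] = {}
    for g in grants:
        if ASSET_TIER.get(g.asset) == "critical":
            holders.setdefault(g.asset, set()).add(g.role)
    return {a: r for a, r in holders.items() if len(r) > max_roles}


def excess_grants(grants=GRANTS, today: date = date(2021, 9, 1)) -> list[tuple[str, Grant]]:
    """Grants that fail review: no recorded justification, or a temporary grant past expiry."""
    findings = []
    for g in grants:
        if not g.justification:
            findings.append(("undocumented", g))
        elif g.expires is not None and g.expires < today:
            findings.append(("expired_temporary", g))
    return findings


if __name__ == "__main__":
    for role in ("marketing", "accounting", "it_helpdesk"):
        print(f"{role}: critical assets exposed if compromised -> {sorted(attack_surface(role))}")
    print("critical assets with multiple paths:", shared_critical_assets())
    for reason, g in excess_grants():
        print(f"{reason}: {g.role} {g.level} on {g.asset}")
```

Run against a real export of group memberships and share or application permissions, the same three checks answer the questions the section raises: which department is the most valuable foothold, which critical assets have more paths into them than their owners believe, and which “temporary” grants are quietly permanent.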
4. Ransomware
In today’s environment blogs, forums, and news publications are rife with horror stories of institutions blindsided by a ransomware attack. At a time when the world’s governments are struggling to legislate and act in a timely and effective manner to stave off foreign and domestic ransomware groups, many institutions have misaligned expectations of the security solutions deployed in their networks.
Regardless of the size of the institution, thoroughly understanding and testing its defensive capabilities is critical to the detection and prevention of threats. Establishing rules and detection functions for specific ransomware samples and their variants is a crucial step toward proactive defense, but it is not sufficient to combat the ease and sophistication with which offensive capabilities are repackaged or re-tuned to bypass antivirus and defense technologies.
Endpoint security solutions must be continually tested to measure their efficacy. Institutions will better understand their Endpoint Detection and Response (EDR) capabilities by periodically assessing their platform against open- or closed-source offensive security tools for which no signature yet exists.
By testing tools, techniques, and procedures against defensive technologies, IT staff will gain a better understanding of detection and prevention gaps. This enables IT staff to fine-tune defensive solutions and employ other defensive strategies to mitigate security gaps and/or quarantine hosts and users exhibiting malicious behavior.
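The difference between matching a specific sample and detecting the behaviour behind it can be shown with a small detection exercise. The following is an added example written for this post, not code from the author or from any EDR product; the telemetry lines, the hash blocklist, the `.locked` extension and the five-files-in-sixty-seconds threshold are all constructed for illustration:

```python
"""Signature vs. behaviour detection over constructed file-event telemetry (added example)."""
from __future__ import annotations
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed hash blocklist. A repackaged build of the same tool has a
# different hash and is invisible to this check.
KNOWN_BAD_SHA256 = {"feedface02": "constructed-sample-A"}

# Constructed endpoint telemetry (not real logs): one rename burst by an unknown
# binary, one benign rename by an office application, one write by a known-bad hash.
SAMPLE_EVENTS = r"""ts,host,pid,image,sha256,action,old_path,new_path
2021-09-01T10:00:00,ws01,2200,C:\Program Files\Office\winword.exe,0ff1ce0001,rename,C:\Users\a\~tmp1.tmp,C:\Users\a\memo.docx
2021-09-01T10:00:05,ws01,4101,C:\Users\a\AppData\update.exe,deadbeef01,rename,C:\Share\q1.xlsx,C:\Share\q1.xlsx.locked
2021-09-01T10:00:06,ws01,4101,C:\Users\a\AppData\update.exe,deadbeef01,rename,C:\Share\q2.xlsx,C:\Share\q2.xlsx.locked
2021-09-01T10:00:07,ws01,4101,C:\Users\a\AppData\update.exe,deadbeef01,rename,C:\Share\budget.docx,C:\Share\budget.docx.locked
2021-09-01T10:00:08,ws01,4101,C:\Users\a\AppData\update.exe,deadbeef01,rename,C:\Share\plan.pptx,C:\Share\plan.pptx.locked
2021-09-01T10:00:09,ws01,4101,C:\Users\a\AppData\update.exe,deadbeef01,rename,C:\Share\notes.txt,C:\Share\notes.txt.locked
2021-09-01T10:00:10,ws01,4101,C:\Users\a\AppData\update.exe,deadbeef01,rename,C:\Share\q3.xlsx,C:\Share\q3.xlsx.locked
2021-09-01T10:00:40,ws02,3300,C:\Temp\backup.exe,feedface02,write,,C:\Temp\note.txt
"""


def load_events(text: str) -> list[dict[str, str]]:
    """Parse the CSV telemetry into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def signature_alerts(events) -> list[dict[str, str]]:
    """Classic indicator matching: fire once per process whose image hash is blocklisted."""
    seen: set[tuple[str, str]] = set()
    alerts = []
    for e in events:
        key = (e["host"], e["pid"])
        if e["sha256"] in KNOWN_BAD_SHA256 and key not in seen:
            seen.add(key)
            alerts.append({"host": e["host"], "pid": e["pid"], "image": e["image"],
                           "reason": "hash " + KNOWN_BAD_SHA256[e["sha256"]]})
    return alerts


def ransomware_behaviour_alerts(events, window: timedelta = timedelta(seconds=60),
                                min_files: int = 5) -> list[dict]:
    """TTP-based rule: one process renaming at least `min_files` distinct files to a
    single new extension inside `window` looks like bulk encryption, whatever its hash."""
    renames: dict[tuple[str, str, str], list[tuple[datetime, str, str]]] = defaultdict(list)
    for e in events:
        if e["action"] != "rename":
            continue
        old_ext = PureWindowsPath(e["old_path"]).suffix.lower()
        new_ext = PureWindowsPath(e["new_path"]).suffix.lower()
        if new_ext and new_ext != old_ext:  # extension changed, not a same-type save
            renames[(e["host"], e["pid"], e["image"])].append(
                (datetime.fromisoformat(e["ts"]), new_ext, e["old_path"]))
    alerts = []
    for (host, pid, image), items in renames.items():
        items.sort()
        for i, (t0, ext, _) in enumerate(items):  # slide a window starting at each rename
            files = {path for t, x, path in items[i:] if x == ext and t - t0 <= window}
            if len(files) >= min_files:
                alerts.append({"host": host, "pid": pid, "image": image,
                               "extension": ext, "files": len(files)})
                break
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for alert in signature_alerts(evs) + ransomware_behaviour_alerts(evs):
        print(alert)
```

The repackaged binary (`update.exe`, hash `deadbeef01`) never matches the hash rule but is caught by the rename-burst rule; the window and file-count thresholds are exactly the knobs a team tunes, and measures false positives for, during the periodic assessments of its endpoint tooling that this section recommends.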
Detecting the TTPs behind ransomware is only one part of the solution. In the event the established protocols to detect and prevent infection fail, the institution’s success in surviving the breach is directly tied to their disaster recovery and data loss prevention strategy. The institution’s leadership can reduce the impact of an infection when everyone involved is familiar with the protocol for communication and action described in their disaster recovery plan.
It is vitally important to ensure the institution’s personnel are able to quickly identify and access disaster recovery procedures. Once an infection is observed and an alert is raised, access to procedural documentation and critical points of contact within the institution must be instantaneous. Monthly and quarterly disaster recovery protocol “dry runs” will provide the institution valuable insight that identifies areas of improvement in communication, technical asset management, and system quarantine/triage.
Users should also be educated on the proper escalation procedures when an infection is suspected. This goes back to the engaged security culture and makes users less hesitant to report a potential security incident and thereby enable the IT personnel to begin the triage process quickly.
It is the hope of everyone passionate about information security that security education and positive reinforcement will build a security-aware culture that enables rapid communication between IT and non-IT personnel.