Have you heard of Sutton’s Law?
It’s the principle of focusing on the obvious answer to a problem. You might recognize it better from its source, the convicted bank robber Willie Sutton, who is alleged to have answered, “Because that’s where the money is,” when asked why he robbed banks. In his autobiography, Sutton says that while he probably would have said it if asked, he actually robbed banks because he enjoyed it, loved it even. Well, that’s where the money still is – in financial institutions – and it stands to reason that the attackers targeting them enjoy what they do and find it profitable. The methods used by the attackers may have moved on, with cybercrimes rising at an alarming rate, but the end result is the same: financial loss. So what is security in the financial services industry? More to the point, how do you know if you’re being effective with your approach to security?
To answer those questions, we first need to explore the attack surface – what are the things at a financial institution that have value, and how are they captured? Money is still a primary target, of course, and it can be acquired in several ways: via fraudulent transactions (for example, by exploiting vulnerable systems, using compromised credentials, or abusing weak authentication); by extortion and blackmail; or through social engineering. Another target is anything that can be exchanged for money: data, intellectual property, personally identifiable information (PII), and compromising emails and pictures. Asset capture is also enabled by the continued use of obsolete technology, unpatched software, and zero-day attacks (exploitation of a vulnerability for which no vendor patch yet exists, so detection and compensating controls are the only defence until one ships).
All these assets must be secured, so start by inventorying what you have – and, please, delete the compromising emails and pictures! In addition to your institution’s primary application processing database, you likely have extracts, duplicates, and manipulations of that data in backup files, reports, emails, views, data stores, analytics, imaging, vaults, failover and disaster recovery systems, customer relationship management (CRM) systems, business intelligence (BI) systems, the cloud, and so on. Identify all those instances and build your security plan to include procedures for the storage and handling of the data. Good strategies include encryption of data at rest and in flight, and enforcement of data retention policies (every copy you no longer keep is a copy that cannot be stolen). A Ponemon study revealed that “the most valuable data featured in most breaches is unstructured data such as emails and documents.” Vexingly, unstructured data is the most abundant kind at most organizations and the least understood.
Some of the data is shared with the vendors and partners needed to provide the products and services that keep financial institutions competitive. At the start of a relationship with a third-party vendor, conduct an initial review of the vendor. Annually, assess all vendors and assign each a risk ranking, to determine whether they are high risk to you because they provide a critical business function or because they access or store your sensitive data. Conduct further due diligence and continued monitoring on those vendors that are considered high risk.
Data theft often stems from failing to deploy and enforce the principle of least privilege – providing access only to the data a person or program needs to complete a task. Wide employee and vendor access to sensitive data, combined with a failure to monitor access and activity around email and file systems, is a leading cause of data exfiltration. Identity management, including timely creation of accounts for new employees and prompt removal of accounts for terminated ones (and for vendors whose engagement has ended), is required to manage access. Use access controls to protect data, monitor activity, and store passwords with an industry-standard password hashing function (a salted, deliberately slow construction such as bcrypt, scrypt, Argon2 or PBKDF2) rather than a plain, fast digest, so that a stolen credential store does not hand the attacker working passwords.
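To make the password-storage point concrete, here is an added example (not code from the original article) contrasting an unsalted SHA-256 digest with a salted, iterated PBKDF2-HMAC-SHA256 record and a constant-time verifier, plus the check a login path uses to upgrade old records. The record format and the 600,000-iteration figure are choices made for this illustration; the latter is in line with current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example: PBKDF2-HMAC-SHA256 with a 16-byte random
# salt and 600,000 iterations (in line with current OWASP guidance).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """What NOT to do: an unsalted, single-round SHA-256.

    Identical passwords produce identical digests (so one cracked hash
    unlocks every account sharing that password) and a GPU can test
    billions of guesses per second against it.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per password defeats precomputed tables and makes
    equal passwords hash differently; the iteration count slows each guess.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != ALGORITHM or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not short-circuit, so timing does not leak where digests diverge
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored record uses weaker parameters than the current policy.

    Call this after a successful login and re-hash the (still available)
    plaintext so the store is upgraded without forcing a password reset.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong pw :", verify_password("Tr0ub4dor&3", record))
    print("same weak:", weak_hash("password1") == weak_hash("password1"))
```

Storing the parameters inside the record is what lets the iteration count be raised later without a mass reset: `needs_rehash` spots the old records on the next successful login.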
There are other dangers to critical data that may not involve theft, but are just as costly. Ransomware is a type of malicious software (malware) that disrupts businesses by locking data files, usually by encrypting them, and demanding a ransom for the key. There are technical controls, including anti-virus software, that can be used to detect or prevent such infections. Additionally, user education is effective in weeding out such attacks by training employees not to open suspicious emails or attachments, or click on links. Threat intelligence groups are available for deeper research, for instance providing knowledge of a particular malware strain being used to attack a fellow financial institution, which can be used to beef up security scanning and pre-notify employees of the attack methods to look out for. In the event that a ransomware attack is successful, the best solution is to restore from a recent backup – which only works if the backups are kept offline or otherwise out of reach of the credentials the ransomware ran with, and if restores have actually been tested.
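As an added example (not from the original article), here is a detection heuristic run over constructed file-activity log lines. The log format, user names, process names and paths are all made up for the illustration. The point it makes is that ransomware, whatever the strain, shows itself by deleting originals and writing them back under a new suffix, many files at a time and fast, so a threshold on that behaviour catches an infection before a signature or threat-intelligence feed describes it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample file-activity log for this example. The line format
# (timestamp user process action path), the users, processes and every path
# are hypothetical. "bob"'s invoice.exe is the simulated infection; the other
# actors are benign controls.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice WINWORD.EXE write C:\\Users\\alice\\Documents\\q1-report.docx
2024-03-01T09:00:05 alice WINWORD.EXE write C:\\Users\\alice\\Documents\\q1-report.docx
2024-03-01T09:00:09 alice OUTLOOK.EXE write C:\\Users\\alice\\AppData\\outlook.pst
2024-03-01T09:12:00 bob invoice.exe write C:\\Shares\\Finance\\ledger.xlsx.locked
2024-03-01T09:12:00 bob invoice.exe delete C:\\Shares\\Finance\\ledger.xlsx
2024-03-01T09:12:01 bob invoice.exe write C:\\Shares\\Finance\\payroll.csv.locked
2024-03-01T09:12:01 bob invoice.exe delete C:\\Shares\\Finance\\payroll.csv
2024-03-01T09:12:02 bob invoice.exe write C:\\Shares\\Finance\\wires-march.xlsx.locked
2024-03-01T09:12:02 bob invoice.exe delete C:\\Shares\\Finance\\wires-march.xlsx
2024-03-01T09:12:03 bob invoice.exe write C:\\Shares\\Finance\\kyc-batch.csv.locked
2024-03-01T09:12:03 bob invoice.exe delete C:\\Shares\\Finance\\kyc-batch.csv
2024-03-01T09:12:04 bob invoice.exe write C:\\Shares\\Finance\\audit-2023.pdf.locked
2024-03-01T09:12:04 bob invoice.exe delete C:\\Shares\\Finance\\audit-2023.pdf
2024-03-01T09:12:05 bob invoice.exe write C:\\Shares\\Finance\\HOW_TO_RECOVER.txt
2024-03-01T10:30:00 carol backup.exe write C:\\Backups\\2024-03-01\\ledger.xlsx.bak
2024-03-01T10:30:00 carol backup.exe delete C:\\Backups\\2024-02-01\\ledger.xlsx.bak
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(write|delete)\s+(.+)$")
# Words commonly seen in ransom-note file names; a supporting indicator only.
NOTE_WORDS = ("recover", "decrypt", "readme", "restore")


def parse_events(text):
    """Parse log lines into (time, user, process, action, path) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, proc, action, path = m.groups()
            events.append((datetime.fromisoformat(ts), user, proc, action, path))
    return events


def detect_mass_encryption(events, threshold=5, window_seconds=60):
    """Flag a (user, process) that deletes an original and writes the same name
    back with an extra suffix for at least `threshold` distinct files inside
    `window_seconds`. That encrypt-and-replace pattern, across many files and
    fast, is the behavioural fingerprint of ransomware regardless of strain."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev[1], ev[2])].append(ev)

    alerts = []
    for (user, proc), evs in by_actor.items():
        written = [p for (_, _, _, a, p) in evs if a == "write"]
        replaced = []  # (time, original path, replacement path)
        for ts, _, _, action, path in evs:
            if action != "delete":
                continue
            for w in written:
                if w.startswith(path + "."):  # original name plus a new suffix
                    replaced.append((ts, path, w))
                    break
        replaced.sort()
        # Sliding window over replacement times: count how many land together.
        for i in range(len(replaced)):
            j = i
            while (j + 1 < len(replaced)
                   and (replaced[j + 1][0] - replaced[i][0]).total_seconds() <= window_seconds):
                j += 1
            hits = replaced[i:j + 1]
            if len(hits) >= threshold:
                basenames = [re.split(r"[\\/]", p)[-1].lower() for p in written]
                alerts.append({
                    "user": user,
                    "process": proc,
                    "count": len(hits),
                    "first": hits[0][0],
                    "suffixes": {new[len(orig):] for _, orig, new in hits},
                    "note_written": any(any(k in b for k in NOTE_WORDS) for b in basenames),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(parse_events(SAMPLE_LOG)):
        print(alert)
```

The backup job in the sample writes and deletes files with the same base name but in different directories, so it does not match the replace pattern; tuning `threshold` and `window_seconds` against a few days of real file-server logs is what keeps such legitimate bulk jobs out of the alert queue.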
As we lift the lid further on vulnerability management, what are the key attack vectors and solution approaches? As useful as hardware and software have become, they are still prone to human error: network misconfiguration and unpatched network devices, unpatched operating systems and software, antivirus software that is not updated, and obsolete technology, including outdated hardware, software or services that are no longer supported by their vendor. A solid approach here is to establish a vulnerability management program: identify the vulnerabilities, evaluate the risks, correct the vulnerabilities, and either remove or formally accept the residual risk. Organizations such as NIST and SANS provide excellent resources for establishing a vulnerability management program. Have an obsolete technology plan to ensure the removal of vulnerable systems from the organization.

Perhaps we can use Sutton’s Law in our favor? Understanding what the attacks on financial institutions are looking for and how they are executed allows us to focus on the obvious answer to the problem. Protect financial institutions and reduce losses by securing data and managing vulnerabilities. After all, that’s where the money still is, and we want to keep it that way.