posted on December 20, 2020 16:10
The FireEye security breach discovered last week underscores the diligence required to secure the global financial system in its current fragile state. The malware-infected software was downloaded by an estimated 18,000 customers which undoubtedly resulted in thousands of compromised networks.
Although the banking regulators have already proposed requirements to supposedly address the enhanced risks brought about by last week’s events, it falls squarely on every financial services institution to ensure the security of their own infrastructure and collectively the integrity of the global financial system.
There has already been plenty of discussion on the far-reaching implications of the current infestation. Nonetheless, I want to focus on the five must-do initiatives to maintain the integrity of our global financial system.
- Incident Response: The key to successful response is having a well-defined and communicated incident response plan. Proper planning and action will help organizations facilitate the detection, response, and recovery components necessary to quickly and appropriately respond to a breach or incident. Although it has been determined that the malware was designed with a kill switch that is activated once the communication to the botnet server domain was removed, this does not mean that we are out of the woods. As my friend and colleague Steve Ursillo has written extensively on this topic, it is not uncommon for an attacker’s tactics, techniques, and procedures (TTPs) to broaden their access and foothold by compromising multiple layers of the systems, networks, and trusted environments through privilege escalation, pivoting, and lateral movement. As a result, it is critical that organizations conduct a proactive and timely incident response to ensure the confidentiality, integrity, and availability of their data, systems, and environments.
- Cybersecurity Risk and Gap Assessment: Organizations should have a formalized cybersecurity risk assessment methodology that includes FFIEC, NIST, PCI, NCUA, and SOC standards. It is a common mistake to think of these as perfunctory regulatory requirements. These should be thought of as using proven frameworks to understand the true residual risk of an asset. If executed appropriately and taken seriously such evaluation will prioritize efforts and resources to support increased controls maturity in areas that require enhanced safeguards to protect covered assets and data. Steve Ursillo has a methodology he uses which is a solid pre-emptive defense approach.
- Third-Party and Vendor Risk Management: With the popularity of managed services, technology outsourcing, and cloud solutions, firms need to be more vigilant than ever to ensure that third parties are actively assessing and providing proof of the proper cybersecurity risk management protocols. Ensuring that appropriate supply-chain risk assessments are conducted to minimize the risk of a supply-chain attack has become critical. In addition, verifying that the appropriate third parties are receiving the coverage of a sufficient cybersecurity report to validate their cybersecurity maturity becomes a necessary element in this process. From an IT perspective, minimizing third party risk starts with tools that include SOC, PCI, HITRUST, CMMC, and ISO. In addition, there are ways of monitoring third party risk using advanced AI using both commercial and open source tools. In a future blog, I’ll highlight an effective a number of effective tools developed for third party risk, including one developed by a team of researchers at The George Washington University.
- Identity and Transaction Monitoring: The implications of this breach on the global banking system will likely involve an epic level of identity and account theft. Although individual consumers will need to be vigilant with regard to monitoring their account and credit data, it will fall on the global financial institutions to ensure the integrity of its transaction-related data. The traditional counter-fraud processes rarely provide ongoing, real-time reviews of the identity or account-level data outside of the one-time KYC and traditional rules-based transaction monitoring processes. Tools such as IBM’s Safer Payments and Verituity enable the utilization of AI in identity and transaction monitoring. In future blogs I’ll dive further into these capabilities.
- Business and accounting controls: A major problem I have observed and that has also been highlighted in a series of very recent OCC Enforcement Actions is the lack of codification of the data, technology, and financial controls required to ensure the secure operation of the banking system. Many of the major financial services organizations have tens of thousands of controls in their controls inventories and GRC systems. It may seem like if they have so many controls then all the risks must be covered. Instead, resources are being wasted on testing duplicative controls leaving other controls, such as cyber security and data privacy untested or even missing. As a starting point, I often end up recommending a thorough assessment, rationalization, and fortification of financial services organizations’ controls. This usually results in saving costs and lowering the organization’s risk profile. For more ideas and a solid methodology, my friend and colleague Stephen Masterson has written extensively on this topic.
Over the next few weeks I will dive into a few of the above topics in some more actionable detail.