Effective cybersecurity means more than protecting your perimeter
Coordinated response to detect and contain breaches is vital
Too many financial institutions focus the bulk of their cybersecurity efforts on preventing infiltration of their systems. Which isn’t to say that preventing penetration should not be a key security focus; it should. But being overly reliant on your perimeter defenses doesn’t address the full threat. According to - Trustwave Global Security Reports, Verizon Data Breach Investigations Reports, Symantec Internet Security Threat Reports, and Cisco Annual Security Reports, only 1-2 percent of breaches are detected in the first 24 hours, and over 14 percent are not detected for two years or more. In fact, in 80 percent of cases, financial institutions didn’t even discover breaches themselves; instead they learned of them from third parties. When you consider the volume and sophistication of today’s cyberthreats, and the fact that that 64 percent of breaches result in data loss within the first 24 hours, the need for your financial institution to be ready to uncover, contain and address attacks that get past your first line of defense is clear.
Cyberattacks generally are carried out in four stages:
Infiltration (breaching your perimeter defenses)
Propagation (spreading through your systems to gain access to targeted data)
Aggregation (gathering targeted data)
Exfiltration (transferring data out of your system)
Looking beyond your perimeter
Your controls need to be deployed throughout your environment in order to impede cybercriminals at every stage of the breach cycle. And you need to break down silos and communication barriers that prevent various parts of your security apparatus from coordinating their response to attacks. Focus on prevention, yes. But also plan for your prevention to fail.
Where to focus beyond the perimeter? At the propagation stage of an attack, you need three effective sets of controls:
Network controls, including access control lists (ACLs), which selectively permit or deny traffic to specific areas, intrusion prevention systems (IPSs) which detect and drop malicious traffic and block further traffic from those sources, and network access controls (NACs) which control access to various areas of your network based both on appropriate configuration of the requesting device (such as updated anti-virus software) and on the role of the requesting party
Domain controls, such as secure password storage and effective group policies
System and application controls, such as endpoint security, vulnerability management and application security
Make it as hard to get out as it is to get in
At the exfiltration stage of an attack, financial institutions need effective egress monitoring and controls, including:
Data loss prevention (DLP) tools
Security information and event management (SIEM) tools
Monitoring and alerts to spotlight and quickly communicate concerning suspicious activity
An early and effective response to any attack is vital. That is how you keep a minor breach event from becoming a major incident that might result in significant financial and reputational risk for your financial institution. As attackers are attempting to breach your perimeter and as they attempt to propagate through your network, they are the easiest to detect. Failed logins and other clues should raise red flags. If those clues are recognized and communicated quickly, your chances of thwarting a penetration—before real damage is done—are high. Focus on breaking attackers’ access to data and on their ability to remove it from your environment.
Just as financial institutions have been overly focused on preventing penetration, they are often only marginally focused on preventing exfiltration. Many financial institutions take corrective actions only after they have lost data. By using egress filters tuned to recognize suspect IP addresses, URLs and domains, and ports, you can detect and prevent exfiltration efforts as attempts crash against those barriers. When exfiltration incidents occur, focus both on repairing any weakness and on preserving evidence.
Common configuration failures
Following are four configuration issues that financial institutions commonly miss in their cybersecurity efforts:
Having default administrative passwords for systems such as routers, switches, printers or security systems. All passwords should be strong, unique and updated regularly.
Enabling services that you are not using, such as simple network management protocol (SNMP), file transfer protocol (FTP), hypertext transfer protocol (HTTP) and Telnet. If you are not using these tools, leaving them enabled provides unnecessary, and probably poorly monitored, penetration, propagation and exfiltration avenues for cyberattacks.
Not enforcing strong encryption on your systems. With most systems, you have to explicitly disable weak encryption options.
Not ensuring that weak configuration items were not re-enabled during operating system updates.
Don’t forget your people
Another too-common weakness? Forgetting that your people are frequently the weakest link in your cybersecurity effort. If attackers are specifically targeting your financial institution, they will target your people, not just your technology. Consider these steps to improve your employees’ awareness:
Have mandatory online security training with required testing
Issue monthly updates on security issues affecting your industry
Recognize and celebrate instances where employees have thwarted an attack
Perform social engineering testing on at least a quarterly basis
Finally, break down silos in your system architecture. Too many financial institutions have multiple security controls deployed but have no or insufficient interaction among those controls. The result? Suppose the firewall blocks an infected file. Does it automatically inform your antivirus software to block the same file? If your IPS blocks a workstation from repeated attempts to known CNC, can it inform the switch to remove the workstation from the network? True security comes from the ability of all your tools to work in concert.
To learn more about effective cybersecurity, and about RSM’s seven-step PROTECT lifecycle cybersecurity approach, download our webcast, How to protect your financial institution against today's top cyberthreats.