Bolted Down Tight

Independent Banker -- Jan 2015 -- Bolted Down TightFive steps for sustaining rigorous network security against constant cyberattacks

Hackers are using sophisticated, automated tools to cast a wider net than ever before. Even small and medium-size community banks need to continually review their security procedures. This is especially true this year, with major breaches showing that nobody is safe.

Here are five best practices that IT system security experts recommend to stay on top of the cyberattacks continually aiming against your community bank.

FFIEC Reports on Summer IT Security AssessmentsThe Federal Financial Institutions Examination Council issued general findings of the joint-agency cybersecurity assessments conducted last summer of 500 community banks and credit unions. The FFIEC said more information will be released in the future, but the early findings should help community banks prepare for future IT examinations.

In addition to evaluating the overall cybersecurity risks of those institutions, the exploratory assessments focused on how well those institutions were managing five areas related to cyber and data security:

  • risk management and oversight–defined as the overall governance of resources and employee training;
  • threat intelligence and collaboration–defined as the acquisition and analysis of information to enhance decision making;
  • cybersecurity controls–which encompass preventive, detective or corrective controls;
  • external dependency management–which includes how bank information networks are connected to outside organizations, including service providers; and
  • “cyber-indicated” management and resilience–which encompasses incident detection, response, mitigation, escalation and reporting.

“While most financial institutions understand the need to train employees on cybersecurity risk management, the outcome and benefits improve when training and awareness programs are kept current and are provided on a routine basis,” according to the FFIEC preliminary report.

The FFIEC provided several questions for community bank executives and boards of directors to consider while managing the security of their institution’s information systems from outside attacks. Those questions include these:

What is the process to gather and analyze threat and vulnerability information from multiple sources?

How do your bank’s overall connections, products and services, and technologies affect its overall vulnerability to cybersecurity risks?

Would reducing the types and frequency of network connections improve your bank’s cybersecurity risk management?

How are employees trained to avoid, notice and respond to cyber risks?

How does your bank ensure that third parties are properly managing cybersecurity risks that could harm your bank?

How would your bank respond internally and externally in the event of a cyber incident?

How is the accountability for addressing cyber risks determined at your bank?

The FFIEC said it was reviewing and updating its current IT security guidance in response to what the agencies learned from last summer’s assessments. For the five-page preliminary report,

A Short List of ResourcesSeveral companies offer network security monitoring systems. Here’s a list of a few of those companies.
AlienVault Inc. (–AlienVault’s Unified Security Management is available both as software and appliances at a lower cost than many competitors.

D+H (–D+H’s Compushare Managed Network Security software includes wirewall, intrusion detection and prevention, external and internal vulnerability management, Web content filtering, and security information and event management.

EMC Corp. (–EMC’s RSA Security Analytics provides log and full-packet data capture, security monitoring forensic investigation and analytics.

Hewlett-Packard Co. (–HP’s ArcSight Express is an appliance-based offering for mid-sized companies with preconfigured monitoring and reporting.

IBM Corp. (–IBM Security Qradar analyzes raw data from devices and applications to distinguish real threats from false positives.

LogRhythm Inc. (–LogRhythm’s Security Intelligence Platform combines log management and machine analytics with network forensics.

McAfee Inc. (–McAfee Network Threat Behavior Analysis monitors and reports unusual network behavior to detect worms, botnets, zero-day threats, spam and reconnaissance attacks.

SolarWinds Inc. (–SolarWinds Log and Event Manager is a good fit for small and medium-size companies looking for technology that’s easy to deploy.

Splunk Inc. (–Splunk, a big data startup, is widely used for log management analytics and monitoring

Tenable Network Security Inc.(–Tenable Network Security monitors networks and system logs.

Trustwave Holdings Inc.(–Trustwave offers a managed anti-malware service that protects against zero-day threats–and offers a “zero malware guarantee.”

The Budget FactorOne common cybersecurity problem in the corporate world is that network defenders are significantly understaffed. According to a survey sponsored by Hewlett-Packard Co., 40 percent of security positions went unfilled this year, and the top reason for the shortfall was the inability to offer competitive salaries to necessary IT staffers.

“No matter what technology we use, no matter how we try to secure our systems, if we’re going into this war with almost half of our army unstaffed, we’re going to see our adversaries be successful,” says Jacob West, chief technology officer for Hewlett-Packard.

And the banking industry isn’t immune, West maintains. “Not only do they have a problem allocating budget and justifying talent, but you also see a very small team of very talented individuals who just don’t have the human resources or the technology to do the job effectively,” he says.
–Maria Korolov

1. Know your software environment. This sounds fundamental, but some banks may not have a complete handle on tracking all of the systems they have in place. Old, out-of-date, unpatched software could be quietly running in the background, presenting a convenient backdoor for hackers to enter a network.

Central databases also need to be kept under tight security controls. Some banks might have workflows that require employees to make printouts or send faxes. Until these processes are fully digitized, this paper needs to be kept secure as well.

“You need to know what’s in your environment,” advises Jeff Man, security expert at Tenable Network Security Inc., a company in Columbia, Md., that offers network security monitoring systems.

It’s not just software that companies need to stay on top of. Too many banks focus disproportionate security time and effort to their one most critical system, such as their online banking system, says Jacob West, chief technology officer for the enterprise security products division of Hewlett-Packard Co., a technology company in Palo Alto, Calif. “And they forget about all the other systems and components their employees and customers depend on.”

Not all systems require the same levels of security and, given limited budgets, community banks need to allocate resources based on risk levels. Compiling a list of all the systems and applications, and tracking workflows and data flows, is a labor-intensive job, but it needs to be done vigilantly. And, depending on the size of the organization, automated tools can help banks with some parts of the task.

2. Stay on top of patches and alerts. The Heartbleed and Shellshock malware that emerged last year revealed vulnerabilities in widely used open source software. The National Institute of Standards and Technology and the National Vulnerability Database issues alerts about known vulnerabilities that your community bank can use to check its own code and components.

In addition, individual vendors will issue announcements about the security patches for their own software. So it’s a matter of assigning employees to be consistent about applying patches as they come out, keeping software up to date, and keeping antivirus protections current. One way that some banks reduce this workload is using cloud-based software when feasible, which allows a vendor to handle all the updates and patches.

3. Monitor third-party vendors.One potential security problem for many businesses, including many community banks, is that they often outsource many of their systems or processes. Security audits need to extend to all of these providers as well because these days, hackers can come in from any direction, as the Target Corp. retail data breach showed last year.

In addition to asking each software vendor about its security policies, community banks also need to keep an eye out for any weak areas that they should follow up on in person, says Sean Cronin, general manager for risk management solutions for the IT auditing software firm ProcessUnity Inc. in Concord, Mass.

“You can say, ‘We believe that you have locks on the doors and are patching the software, but let’s go in and do a sampling,’ ” he says.

4. Don’t forget the weakest link: people. These days, hackers aren’t just launching brute-force attacks against network firewalls. They’re making friends with bank employees on social media, sending enticingly worded phishing emails, and making direct phone calls and even visits to physical locations–they are attacking not just on the technical front, but the human one, as well.

To address these social engineering attacks, employees need to be trained to report unusual behavior, to spot suspicious communications and to never, ever use computer equipment not authorized, including any USB stick, that they encounter or receive outside of the bank.

5. Consider automated network monitoring software.Unfortunately, even if all of your community bank’s systems are patched and up-to-date, and even if its vendors and employees maintain a solid wall of defense, it could still be fighting last year’s cyberwar. Your community bank can only train its employees to guard against the threats it knows about, and its antivirus software will only protect against known viruses.

But hackers will keep inventing new viruses and finding new security weaknesses. Meanwhile, the interval between the time a hacker discovers a security vulnerability or invents a new virus, and the time the security community reacts could be a long one. After all, it’s in a hacker’s best interest to get the most value out of his vulnerability by attacking high-value targets first. So staying on top of cyberthreats requires continually monitoring network activity for unusual behaviors or patterns.

Certainly, several kinds of malware detection software–including anomaly detection, heuristics, behavioral analytics and machine learning–are increasingly available and can learn what a typical computing and transaction day at the bank looks like and spot anything out of the ordinary. However, because these systems can generate a large number of alerts, community banks should consider systems smart enough to detect minor changes that could be a sign of a critical breach. Otherwise, security staffers could be flooded with too many alerts to deal with. In addition to zero-day attacks, such systems can also detect unusual behavior by employees.

“It’s called unsupervised machine learning. It will learn what are normal patterns of behavior and focus on the things that are abnormal,” says Kevin Conklin, vice president of marketing and product strategy at Prelert Inc., an anomaly detection software company in Framingham, Mass. “This is artificial intelligence technology that’s evolved in the last decade. It’s not mandated, and not a lot of security teams know about it.”

According to Conklin, some of Prelert’s customers have reduced the number of security alerts from thousands a day to just a few.

However, many technology and security vendors offer intelligent monitoring systems. Some companies that sell intrusion detection and prevention systems, for example, are adding analytics to make their systems smarter. Big data vendors offer tools to analyze system logs and network traffic, looking for unusual behaviors. The security information and event management space, which tracks systems alerts, is evolving quickly by adding artificial intelligence to prioritize these alerts.

Check with your community bank’s security vendors to find out how they, or their partners, are making their systems smarter to get ahead of the crooks.

Read full article at Independent Banker.