Cyber security for banks: Preventing data breaches
This guest post by Douglas Jambor, Vice President and Director of Technology Consulting at Turner and Associates, Inc., summarizes his recent presentation in the Sageworks Webinar. His whitepaper is available here.
Data breaches come in many forms and everyone is getting worse at stopping them. Larry Ponemon (chairman and founder) of Ponemon Institute explains that this is due in part to the lack of security fundamentals. Most executive and C-level officers have a simplistic view of how security works, how data is protected, and what’s required to manage constantly changing and evolving attack strategies by hackers. Ponemon Institute determined that managers’ lack of understanding of the security fundamentals often causes a big disconnect between the people performing information security to protect an organization’s data and the top level executives in many organizations. This disconnect causes a gap and when this gap becomes too large, there is never going to be adequate funding or support from the top down for security initiatives. Repeated studies show that security is trending downward and being pushed to lower levels; meaning, security is less important.
The primary motive behind data breaches is financial and personal gain and they are typically caused by either hacking or the use of malware. Most organizations became victims of data breaches because they often had easily exploitable weaknesses; they were not targeted prior to the attack. In most data breach incidents, the time between initial attack to initial compromise and the time from initial compromise to data exfiltration is just minutes. However, the time from initial compromise to discovery is typically months and the time from a data breach discovery to its containment and restoration typically takes days, weeks, and sometimes months. The last alarming fact is that most organizations are notified by a third-party e.g. law enforcement, of their own data breach.
Although, the insider threat and business partners are declining in the root cause for data breaches, it’s important to remember that they are among the most costly to get resolved. This is due in part by the fact that most external threats can be resolved within 14 days; whereas the insider threat can typically take up to 42 days to resolve during a data breach at an average cost of almost $17,696 per day.
So what steps should financial institutions take to prevent a data breach? Simple, be prepared…“Hope for the best and prepare for the worst!” We have provided a sample check list of items you may want to review to see how your organization stacks up. See below:
1) Make sure management and top executives are sponsors and support of security initiatives at your organization.
2) Perform due diligence on penetration testers, i.e. are the recommendations in the report deliverable clear, concise, and easily implemented, do they test all traffic is encrypted across the entire network, etc.
3) Perform due diligence on internal auditors. Additionally, when you see bad behavior, call it out.
4) Perform due diligence on critical vendors, especially to service level agreements (SLAs).
5) Perform a gap analysis against the SANS ‘Top 20 Critical Controls. Click here for more information on the top 20 specific technical security controls effective in blocking currently known/high-priority attacks.
6) Ensure you have a well-developed ‘Incident Response Plan.’
7) Perform an annual information security risk assessment and ensure it is kept up to date.
8) Ensure you have an information security program and keep it up to date, while designating responsibility.
9) Implement information security controls and regularly test and monitor effectiveness of these controls.
10) Perform annual end-user awareness training for all staff members.
11) Enable technologies such as System Information and Event Management (SEIM) and enterprise threat and risk management solutions, enabling organizations to automate detection and recovery.
What if your organization does not have the budget for a high-end SIEM system or IDS/IPS? Your auditor(s) should be well-informed of these free tools. We recommend implementing a free LAN scanning tool which can detect and notify network administrator(s) when rogue device are plugged into the internal LAN. We also recommend using a free automated event log solution. This automated event log solution should be configured to notify the network administrator(s) when predetermined thresholds are hit e.g. creation of a localdomain administrator account(s), failed login attempt against administrator account(s), etc. These tools would go a long way in strengthening an organization security posture without any extra expenses.
Douglas Jambor is Vice President and Director of Technology Consulting for Turner and Associates, Inc. He has extensive experience in the information technology field specializing in penetration testing, digital forensics, information systems security, and information security risk management. He is also the firm’s digital forensics chief investigator, performing on-site seizures for investigating criminal activity involving computers and computer-based systems, including, FDIC regulatory investigations.
He is an active member of The International Society of Forensic Computer Examiners ISFCE and holds the Certified Computer Examiner CCE forensic certification.
Sageworks, a financial information company that provides risk management solutions to financial institutions, hosts monthly webinars in its 2012 webinar series. These free, educational webinars are led by consultants and leaders in the banking industry who share best practices for financial institutions. Webinar topics include issues that are getting the most focus in banking today and advice to help institutions.
Access archived webinar recordings and sign up for future webinars here.