[BreachExchange] Staying Ahead of the Threat
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Apr 15 14:19:25 EDT 2016
http://www.dsnews.com/daily-dose/04-14-2016/staying-ahead-of-the-threat
Data is the lifeblood of banking and financial services organizations.
Lenders, appraisers, real estate brokers, and property preservation
companies each have the responsibility of protecting and securing financial
data. Almost all data generated or used by financial services firms is
regulated. The responsibility of managing account information, cardholder
data and transactions, and non-public personal information makes this
industry, arguably, one of the largest collectors of sensitive and
privacy-protected data.
The financial services industry continues to invest in new technologies
that allow for efficient management of client information with increasing
oversight capabilities. However, a concurrent effort to protect information
from attack is critical, as evidenced by recent data breaches at high
profile organizations including hospital facilities, large retailers, and
health care insurers.
In today’s world, most organizations, regardless of size, will experience a
security incident in the form of social engineering, a data breach, or
malware. Social engineering attacks will continue to be the easiest way for
cyber criminals to compromise corporate networks. The advanced technology
and systems used to protect networks make the front-door approach less
appetizing to would-be attackers. With social engineering, the attacker can
mount an attack at scale, knowing that a single user can compromise an
entire network. Here are a few examples of the types of external security
incidents of which organizations should be aware.
- Spear Phishing: email spoofing fraud attempt, targeting an organization,
seeking unauthorized access to data;
- Whale Phishing/Whaling: targets C-level users, or users with elevated
access to sensitive data;
- Malware/Anti-virus: malware is software that disables or damages a
computer system;
- Distributed Denial of Service (DDoS): multiple infected systems are
targeted at a corporate network or website causing a denial of service;
- Hacktivism: the act of compromising a system for socially or politically
motivated purposes;
- Extortion Hacks: cybercriminals threaten to release sensitive data if an
organization does not meet some demand;
- Ransomware: prevents access to data on a PC by encrypting it and
demanding a ransom to decrypt it.
Identifying internal vulnerabilities
A data breach occurs when sensitive, confidential, or protected information
is obtained by an unauthorized individual or organization. Organizations
can improve the security of sensitive data by focusing on controlling how
employees access, transmit, and manage documentation. Here are three common
areas where, when controlled, organizations can strengthen the protection
of sensitive data.
- Spreadsheets: ensure files are password protected, saved on network
drives instead of local hard drives, and access is restricted to authorized
users
- Email and File Attachments: effective email policies, spam filters,
scanning email attachments, and encryption improve email security
- Identity Lifecycle: as users join the organization, move within the
organization, and leave the organization their access is always appropriate
to their job role and function
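The identity lifecycle item above (joiners, movers and leavers keeping access appropriate to their role) is the one of the three that is easiest to check mechanically. The following added example, which is not part of the original article, reconciles a constructed HR roster against a constructed set of system accounts and reports the three lifecycle failures an access review looks for: a leaver whose account is still enabled, an account with no HR owner at all, and a mover who kept entitlements from a previous role. The role model, user names and entitlement names are all hypothetical.

```python
"""Identity lifecycle access review (constructed example).

Reconciles an HR roster against the accounts and entitlements that exist in
a system and flags the lifecycle failures described in the text: leavers
whose accounts are still active, accounts with no matching HR record, and
movers who kept entitlements from a previous role. All names, roles and
entitlements below are constructed sample data, not a real organization's.
"""

from dataclasses import dataclass, field

# Which entitlements each job role is allowed to hold (hypothetical role model).
ROLE_ENTITLEMENTS = {
    "loan_servicer": {"loan_read", "loan_update"},
    "appraiser": {"appraisal_read", "appraisal_write"},
    "asset_manager": {"loan_read", "asset_read", "asset_write"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    user: str
    enabled: bool
    entitlements: set = field(default_factory=set)


def review_access(roster, accounts):
    """Return findings keyed by category; each value is a sorted list."""
    hr = {r.user: r for r in roster}
    findings = {"leaver_active": [], "orphan_account": [], "excess_entitlement": []}
    for acct in accounts:
        rec = hr.get(acct.user)
        if rec is None:
            # No HR record at all: nobody owns this account.
            findings["orphan_account"].append(acct.user)
            continue
        if rec.status == "terminated" and acct.enabled:
            # Leaver whose account was never disabled.
            findings["leaver_active"].append(acct.user)
            continue
        allowed = ROLE_ENTITLEMENTS.get(rec.role, set())
        extra = acct.entitlements - allowed
        if extra:
            # Typical mover problem: entitlements accumulated from an earlier role.
            findings["excess_entitlement"].append((acct.user, sorted(extra)))
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data: alice moved from loan_servicer to appraiser and kept
# loan_update; bob left but is still enabled; svc_legacy has no HR owner.
SAMPLE_ROSTER = [
    HrRecord("alice", "appraiser", "active"),
    HrRecord("bob", "loan_servicer", "terminated"),
    HrRecord("carol", "asset_manager", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"appraisal_read", "appraisal_write", "loan_update"}),
    Account("bob", True, {"loan_read", "loan_update"}),
    Account("carol", True, {"loan_read", "asset_read", "asset_write"}),
    Account("svc_legacy", True, {"loan_read"}),
]

if __name__ == "__main__":
    for category, items in review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS).items():
        print(f"{category}: {items}")
```

Run on a schedule against a fresh HR export and an entitlement dump from each system, the same comparison gives a recurring access review rather than a one-off clean-up; the role model is the part that needs maintaining as job functions change.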
Identity is a major attack vector for advanced threats, with compromised
credentials being a significant enabler in successful attacks.
Organizations need a reliable way to continuously determine that users are
who they say they are before allowing access to sensitive data. Attempts to
lock down systems and resources with strong authentication too often
detract from the user experience, encouraging users to find workarounds
that further increase risk. Today’s authentication solutions need to be
easy to implement wherever authentication is required and allow
organizations to optimize the right level of security and convenience for
the risks that are present. Organizations with successful authentication
strategies will greatly strengthen their security posture while making
users’ lives easier in the process.
Determining where an organization is vulnerable to the occurrence of a data
breach or attack is the first step in protecting sensitive data. However,
organizations need to invest in a proactive and flexible strategy that can
evolve at the same pace of potential, and inevitable, threats to security.
The financial services industry interacts with a myriad of third-party
vendors to perform a variety of business services. Collaborative
development, extended supply chains, and outsourced services are just a few
ways in which third parties help deliver a competitive advantage. But these
third-party interactions create new sources of risk that can significantly
impact the organization if not managed proactively. Organizations that work
with third parties must develop a systematic process for assessing, tracking,
and managing third-party risk. In addition, they must incorporate
information regarding risk into their organization’s overall risk
assessment and management strategy. Organizations that harness this risk
are positioned to take advantage of the opportunities afforded by working
with third parties to safely drive their business forward.
Proactive Security
The goal of any security program includes proactive protection against
attack, a reduction in time to detect a breach, maintaining systems to
protect sensitive data, and to have the appropriate procedures and systems
in place for business continuity.
The majority of security incidents are caused by human error related to
lack of employee awareness and training. Organizations should take a
holistic approach to security; however, the first line of defense begins
with continual training. Establishing a ‘Culture of Security’ with your
executive management and employees is critical. While investing in IT
security is necessary, the best security teams in the world cannot protect
against employee failure to recognize targeted attacks. The nature of
social engineering means that the cybercriminal has to succeed only once,
while your organization has to be successful in protecting against such
attacks every time.
Some suggestions to educate your workforce include:
- Communicate regularly using relevant news articles to highlight security
as a real threat to business
- Use a variety of mediums to reach your entire audience
- Spread the importance of safe online practices
- Enforce adherence to security policies and procedures at all times
Having security policies and procedures in place will provide your
organization with a solid framework when it comes to managing security
incidents. The ISO 27001 Information Security Management System (ISMS)
provides such a framework for Information Security Management best
practices helping organizations to:
- Protect client and employee information
- Manage risk to information security
- Achieve compliance requirements
- Protect the organization’s brand image
While ISO 27001 will not necessarily prevent a security incident from
occurring, it will help ensure that all risks related to security are
considered and appropriately managed.
Minimizing the impact of advanced attacks requires a robust capability to
detect and respond. Having a formal incident response plan, and carrying
out regular Business Continuity Plan (BCP) exercises, help ensure that
organizations are prepared for such events. In an environment of persistent
attack, and near-constant compromise, incident response must be a priority
for any organization responsible for financial information, personally
identifiable information, or intellectual property. Organizational
strategies must be based on proven best practices, and they must leverage
expertise where required. Security programs must incorporate opportunities
to automate and to constantly improve. Organizations with a robust incident
response and business continuity capability will have the best chance of
minimizing damage or loss from attack.
While social engineering attacks are currently prevalent, threats continue
to evolve and take many other forms. Today’s workforce is more flexible,
cross-functional, and mobile than ever. IT-driven organizations require
rapid on-boarding of employees to apps, systems, and resources so that they
can be productive right away. Traditional firewall approaches to network
security are not enough anymore and organizations must secure data whether
it resides inside or outside of the network.
A holistic approach must be taken to consider all points of entry into
proprietary systems and all software integrations. The traditional closed
network is no longer a reality for today’s businesses. The need to connect
to clients, vendors, and third-party systems creates a complex network
which spans outside of the organization. Protecting these expansive
networks requires a multi-disciplined approach to manage organizational
risk and meet compliance requirements.
Networks can be compromised without an organization’s knowledge. Such
attacks can silently mine data without raising any alerts or alarms.
Regular audits across the network environment are the way to avoid this.
Auditing organizational processes and procedures is not a new requirement
for loan servicers, asset managers, appraisers, and property preservation
providers, all of whom are subject to the audit provisions established
by the Dodd-Frank Act. Ensuring that regular audits are performed on
internal and external systems is as important as the audits required for
compliance within the industry. These audits will highlight anomalies on
the network, your property platform, and in relation to user access and
activity within systems. Audit trails for sensitive data are vital in any
system. Knowing how, when, and who last updated a particular sensitive data
point can give a degree of comfort when it comes to understanding potential
security flaws and preventing them in the future.
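The audit-trail property the paragraph asks for (knowing how, when, and who last updated a sensitive data point) only gives comfort if the trail itself cannot be quietly edited. The following added example, not code from the original article, shows one common way to get that: each audit entry carries a SHA-256 hash that covers the entry and the previous entry's hash, so deleting or rewriting any entry breaks verification from that point on. The borrower record, field names, actors and timestamps are constructed sample data.

```python
"""Hash-chained audit trail for sensitive data fields (constructed example).

Each entry records who changed which sensitive field of which record, when,
and the old and new values, and carries a SHA-256 over the entry plus the
previous entry's hash. Verification recomputes the chain, so an entry that
was edited or removed after the fact is reported rather than silently lost.
"""

import hashlib
import json

GENESIS = "0" * 64  # hash value the first entry chains from


def _entry_hash(prev_hash, entry):
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []  # list of (entry_dict, hash)

    def record(self, actor, record_id, field, old, new, timestamp):
        entry = {"actor": actor, "record": record_id, "field": field,
                 "old": old, "new": new, "ts": timestamp}
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((entry, _entry_hash(prev, entry)))

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        prev = GENESIS
        for i, (entry, h) in enumerate(self.entries):
            if _entry_hash(prev, entry) != h:
                return False, i
            prev = h
        return True, None

    def last_change(self, record_id, field):
        """Who last updated this data point, when, and from what to what."""
        for entry, _ in reversed(self.entries):
            if entry["record"] == record_id and entry["field"] == field:
                return entry
        return None


def build_sample_trail():
    # Constructed sample changes to one borrower record.
    t = AuditTrail()
    t.record("alice", "loan-1001", "payoff_amount", "150000", "149500",
             "2016-04-01T09:12:00Z")
    t.record("carol", "loan-1001", "mailing_address", "1 Main St", "2 Oak Ave",
             "2016-04-02T14:30:00Z")
    t.record("bob", "loan-1001", "payoff_amount", "149500", "120000",
             "2016-04-03T22:05:00Z")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("last payoff change:", trail.last_change("loan-1001", "payoff_amount"))
    print("chain intact:", trail.verify())
    # Simulate after-the-fact tampering: rewrite the third entry in place.
    trail.entries[2][0]["new"] = "149500"
    print("after tampering:", trail.verify())
```

In a real deployment the chain head (the latest hash) is copied somewhere the application's own database account cannot write, such as a separate log store or a periodic signed checkpoint; otherwise an attacker with write access to the table can simply rebuild the chain after editing it.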
Loan servicers, asset managers, appraisers, and property preservation
providers require anytime, anywhere access to borrower and asset
information. Technology solutions must enforce secure access consistently
across internal IT systems, third-party applications, mobile-based apps,
and infrastructure. These solutions must balance security and convenience,
while ensuring users have access to any information appropriate to their
role. Secure access will empower employees and ensure that valuable
information remains protected.
Taking measures for physical security
Organizations can minimize their exposure to data breach by taking an
inventory of physical opportunities to reduce vulnerabilities. Physical
procedures include:
- Locking laptops in cabinets and/or car trunks
- Locking screens when employees leave their workstations
- Providing privacy screens on computer monitors
- Disabling ability to download data onto external drives
- Monitoring data sent to unauthorized and/or personal email addresses
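The last item in the list, monitoring data sent to unauthorized or personal email addresses, is the one that can be automated from mail logs. The following added example, which is not part of the original article, scans a few constructed outbound mail-log lines and flags any message with a recipient outside the organization's domains, raising the severity when the recipient is a personal webmail domain or the message carries attachments. The log line format, the corporate domain `example-bank.com` and all addresses are constructed for the example and do not follow any particular mail server's log format.

```python
"""Outbound email monitoring for data leaving the organization (constructed example).

Scans outbound mail-log lines and flags messages to recipients outside the
organization's domains. Severity rises when the recipient is a personal
webmail domain or the message carries attachments. The log format and all
addresses are constructed for this example, not taken from a real MTA.
"""

import re

ORG_DOMAINS = {"example-bank.com"}  # hypothetical corporate domains
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed log format: "<ts> from=<addr> to=<addr>[,<addr>...] attach=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) attach=(?P<attach>\d+)$"
)


def classify(line):
    """Return a finding dict for a suspicious line, or None if it is allowed."""
    m = LINE_RE.match(line.strip())
    if not m:
        # Unparseable lines are surfaced rather than dropped, so log format
        # drift does not silently blind the monitor.
        return {"ts": None, "severity": "unknown", "reason": "unparseable",
                "line": line.strip()}
    attach = int(m["attach"])
    external, personal = [], []
    for rcpt in m["to"].split(","):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in ORG_DOMAINS:
            continue
        external.append(rcpt)
        if domain in PERSONAL_DOMAINS:
            personal.append(rcpt)
    if not external:
        return None  # purely internal mail
    if personal and attach:
        severity = "high"  # attachment going to a personal mailbox
    elif personal or attach:
        severity = "medium"
    else:
        severity = "low"
    return {"ts": m["ts"], "from": m["from"], "external": external,
            "personal": personal, "attachments": attach, "severity": severity}


def scan(log_text):
    """Run classify() over every non-empty line and keep the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines() if l) if f]


# Constructed sample log: internal mail, a vendor, a personal address with
# attachments, and a personal address copied on an otherwise internal message.
SAMPLE_LOG = """\
2016-04-14T08:01:10Z from=alice@example-bank.com to=bob@example-bank.com attach=1
2016-04-14T08:05:42Z from=alice@example-bank.com to=vendor@appraisal-partner.example attach=0
2016-04-14T17:58:03Z from=dave@example-bank.com to=dave.home@gmail.com attach=2
2016-04-14T18:02:11Z from=erin@example-bank.com to=erin@yahoo.com,bob@example-bank.com attach=0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ts"], f.get("from"), f.get("external"))
```

The "low" findings to legitimate vendors are expected noise; the point of keeping them is that a vendor allowlist can be added later and the remaining external traffic reviewed, while the "high" findings are the ones worth routing to someone the same day.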
In today’s security landscape, a security breach is not a matter of “if”
but “when.” While risk tolerance is up to each individual organization, the
way risk is managed is important, and there are definitely best practices
to follow.
With increased regulatory pressure, and the cost involved, the financial
services industry must carefully consider each investment decision and the
impact it will have on the end consumer, regulatory requirements, and their
bottom-line. The good news is that there are many opportunities for
organizations to create win-win situations that improve customer
interactions, preparedness, and resilience against security threats, while
also helping to achieve long-term cost savings.