[BreachExchange] Learning from the Financial Sector's Cybersecurity Regulations

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 27 19:24:09 EDT 2017


https://www.infosecurity-magazine.com/opinions/learning-financial-cybersecurity/

Once upon a time, a bank was just a bank, a place where you kept your money
until you needed it, and maybe went home with a toaster or a calendar once
in a while. Not anymore; today, the bank is a unit in a carefully woven
financial infrastructure; if it falls, others may as well, compromising
even business, government, and society as we know it.

That's the attitude of the US Department of Homeland Security, which is
designing cyber-protection regulations for the financial industry. Are
banks the only institutions that need such regulations? If a cyber-attack
puts 100,000 people out of work for two weeks, is that not as serious a
threat to the stability of society as a hacked bank?

That financial institutions have become critical to the functioning of
society is clear with just a glance at the headlines. “Petya Ransomware
Creates Global Chaos” is typical of the stories about the latest mega-cyber
threat the world faces - as they were typical of May’s mega-threat, the
WannaCry ransomware attack. Global chaos, it seems, is actually the result
of many of the recent cyber-attacks that have plagued the business world.

As alarmist as these headlines may be, the DHS is not taking chances. The
agency is developing a Financial Services Sector-Specific Plan, designed to
ensure that a cyber-attack does not bring the financial sector to its
knees. “The Financial Services Sector faces a complex and evolving risk
environment,” says DHS in its report, and protecting the system is going to
require great effort by financial regulators on all levels. The Group of
Seven industrial nations has issued a similar plan - like the DHS plan,
based on nonbinding guidelines.

Unlike the DHS and G7 plans, the European Union's guidelines have legislative
teeth. Its General Data Protection Regulation (GDPR) requires institutions to
ensure that data is protected (and that the financial system is secure),
with sanctions built in for those who fail to provide adequate protection.

In all three systems, the recommendations include collaboration and
information-sharing between relevant institutions (government, banks,
regulators) on attacks and defense systems, education efforts to ensure
that employees do not admit malware into the network, involving experts
who can best recommend how an institution can defend itself, and adopting
tough standards, such as the NIST Framework for Improving Critical
Infrastructure Cybersecurity, in order to keep the system safe. In
addition, firms have to appoint an expert who will be responsible for
cybersecurity, meaning they will have to be familiar with the products and
services available that can provide solutions for specific needs.

What about other areas, like government, communications, or healthcare?
Regulations are starting to appear at the federal government level. In May,
President Trump issued an executive order requiring agencies to submit
their cyber-defense plans to the Office of Budget and Management. That is
just for federal agencies; local and state governments are more or less on
their own, and those organizations have suffered many breaches and
ransomware attacks.

It’s the same for hospitals, which are prime targets for hackers and
ransomware-mongers. What if a hacker managed to shut down a data center for
even a day? Forget about a day; all it took was five hours of an AWS outage
to bring business to a screeching halt for thousands of organizations.

All these institutions and organizations are at risk – great risk – despite
the fact that they, too, are regulated to an extent, like financial
institutions. What about businesses? What about the manufacturers, retail
outlets, and supply chain members that are the fabric of society? What
would happen if, for example, hackers were able to disable the system where
meat and dairy is distributed to supermarkets from distribution centers for
a week? That, too, is critical for the functioning of society – but unlike
with banks, there is no one to tell them what to do to defend themselves,
and how to do it.

For some, that will mean adopting the regulations and methods that banks
themselves will be required to deploy – information sharing, compliance
officers, thorough examination of solutions, etc. One idea that can help
these organizations is network segregation, where internal corporate
networks containing information on the organization’s business and budget
are kept separate from the external network, used for internet, email, etc.
Financial institutions are already required to do this, and other
businesses and organizations would do well to adopt this practice.
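As an added illustration of the network segregation described above (this is
not from the article or its author), here is a minimal nftables ruleset for a
router sitting between the corporate network and the external-facing network
that hosts internet and email access. Interface names (int0, ext0), the
documentation address range 192.0.2.0/24 for the external segment, and the
chosen ports are assumptions. The weak setting is shown first so the
difference is visible: a forward chain whose policy is "accept" with no rules
is a flat network with no segregation at all.

```nftables
# Constructed example: nftables ruleset for a router between the
# internal corporate network (int0) and the external segment (ext0).
# Interface names, addresses and ports are assumptions for illustration.

# WEAK: a flat network. Anything on either side may reach anything on the
# other; a malware infection on the email/internet segment can walk straight
# into the corporate network.
table inet flat {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}

# SEGREGATED: default-deny between the two segments. The corporate side may
# open only the services it needs on the external segment; the external
# segment may never initiate a connection inward, and any attempt is logged
# so the security team sees the violation.
table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the corporate side opened.
        ct state established,related accept

        # Corporate users reaching the external segment: SMTP submission,
        # IMAP over TLS and a web proxy (ports are assumed for the example).
        iifname "int0" oifname "ext0" ip daddr 192.0.2.0/24 \
            tcp dport { 587, 993, 3128 } accept

        # Nothing from the external segment initiates inward; log, then drop.
        iifname "ext0" oifname "int0" log prefix "SEG-VIOLATION " drop
    }
}
```

Only one of the two tables would be loaded in practice (nft -f on the file
after deleting the "flat" table); the point of keeping both side by side is
that the segregated version starts from "policy drop" and adds the handful of
flows the business actually needs, whereas the flat version permits everything
and would have to enumerate what to block. The log prefix gives the security
team a searchable marker for traffic that crossed the boundary in the wrong
direction, which is the kind of early warning the information-sharing
guidance in the article is meant to produce.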

Regardless of what system they adopt, these organizations need to step up
their cyber-security game and stand to gain inspiration from their
financial counterparts. While banks are part of everyone's critical
infrastructure, the auto assembly plant, real estate office, hotel, or any
other business where an individual earns an income to feed his or her
family is part of their own ‘critical infrastructure’. Seen from that
perspective, the people responsible for cybersecurity in those
organizations have a great deal to think about.