US-Council News

Banks Must Focus More on Cyber-Risk

Recent guidelines from the Federal Reserve are aimed at stemming the tide of successful exploits.

In late 2016, just after the distributed denial-of-service attack on the DNS infrastructure, I sat in my hotel room staring at a cryptic URL error on my laptop after attempting to buy a train ticket, wondering what it meant. Was my credit card compromised? Did I have a ticket? Should I do anything to protect my identity and financial security?

Every day, millions of Americans conduct billions of digital financial transactions with the corner grocery store, online retailers, and banks. We buy things and pay for them; we pay rent, credit card, and utility bills; and we scan smartphone screens at payment readers. Online financial interactions are continuous, intertwined, and essential to everyday life. They are also under ever-more threats from cyberattack. What can be done to defend against the constant barrage of successful exploits?

Recently, the Board of Governors of the Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation released guidance for most US financial institutions. The new rules for midsize and large banks are designed to intensify their focus on cyber-risk mitigation and cyberattack resilience.

In their Enhanced Cyber Risk Security Standards, they encourage self-assessment using the FFIEC Cybersecurity Assessment Tool, adhering to the NIST Cybersecurity Framework and CPMI-TOSCO Guidance on cyber resilience for financial market infrastructures plus the adoption of sound practices as outlined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System." These documents state that cyber infrastructure is critical, that there are vital best practices, and that each organization needs to take on a greater, focused effort toward cyber resilience.

According to the Enhanced Cyber Risk Security Standards, "The enhanced standards would emphasize the need for covered entities to demonstrate effective cyber-risk governance; continuously monitor and manage their cyber-risk within the risk appetite and tolerance levels approved by their boards of directors; establish and implement strategies for cyber resilience and business continuity in the event of a disruption; establish protocols for secure, immutable, transferable storage of critical records; and maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis."

While these are certainly important areas to address, the details are left to the institutions. In addition, there are aspects of maintaining situational awareness across a sprawling organization that require more advanced analytics than many organization have.

There is one other area that should also be part of the new guidance, and that is how all the systems connect to each other. To take a page from Sun Microsystems' John Gage, "The network is the firewall." Yet the new guidance ignores the reality that the network creates the greatest risk, the greatest opportunity for resilience, and the greatest need for clear analysis. The thing that makes the online financial marketplace work so well — that you can buy and pay for anything from just about anywhere — is what makes it so vulnerable.

While it's certainly important to focus on addressing key individual systems and their potential vulnerability to attack, the network as a whole — its interconnectedness — provides the path by which attacks occur. And the uncomfortable truth is that it's virtually impossible to make all systems impervious to attack.

However, there is more that can be done to build resilience into networks than is currently being done by most organizations. There are three areas that need immediate attention: system vulnerabilities that are accessible across the network, issues with the configurations of network devices, and an incomplete inventory and model of the network, which limits the visibility of potential attack paths.

Accurate Picture Needed
Unfortunately, most organizations don't have a complete and accurate picture of their entire network. And because their picture is incomplete, their approach to security controls and protections is also incomplete. They've been protecting an illusion.

The reality is that not only are endpoint systems at risk, but so are core network devices. And, as every network engineer knows, taking over a network device means you have access to everything connected to it. By focusing attention and effort on protecting endpoints, many organizations are failing the key test of their cybersecurity defenses: can they protect high-value assets? When you ask a company if your credit card information is secure, you don't only want to know that it has the latest and greatest firewall protecting its network. You want to know what the company is doing to keep the hackers who get in from accessing high-value targets.

The steps created by the new guidance from the Federal Reserve are an important start. It's critically important that organizations communicate attack scenarios, work together to coordinate responses and improved defenses within and across organization boundaries, and continue to develop more sophisticated and automated approaches to creating and maintaining an accurate picture of how everything connects together. To avoid relying on what you think your network is doing and instead committing to reality, objective and comprehensive analysis is key. From there, you can develop a strategy for addressing the gaps, maintaining network segmentation, and ensuring resilience without the illusions of the past.

The only way to maintain the flow of international finance to support everyone from individuals doing their daily activities to businesses and governments interacting across the planet is to protect the endpoints, the network, and the entire infrastructure as a complex, interconnected system. The only way to do that is with automated analysis of the system that allows engineers to identify and address access risk and vulnerabilities as they arise rather than after they're compromised.