How Banks Can Use the Dark Web to Shed Light on Cybersecurity


Cyberthreat intelligence, or CTI, can give bankers a deeper understanding of the potential threats that face their business.

Whether it is knowing your enemy or learning about the latest malware, CTI provides information that can help executives make prudent, risk-based decisions. This information comes from the open internet as well as closed sources, including the darknet and dark web. Analyzing this CTI can produce insights and identify signs of a potential breach, leaked data or pending attacks.

The darknet is the part of the internet that is not accessible through conventional browsers and requires specific software or configurations; the deep web is the part of the internet that is not accessible through search engines. Some nation states, cybercriminal gangs and threat actors thrive in this underground economy through illegal activity that includes the sale of personal information, financial goods and illicit services. For a bank’s CTI, the deep web and darknet are a treasure trove of breached information and threat indicators.

A vast majority of these cyberthreat intelligence sources contain goods and sensitive data stolen from the financial services industry. Potential financial gain drives bad actors to maintain a thriving marketplace built on illicit items, including debit and credit card numbers, identity theft services and banking malware.

While no tool or service can completely eliminate the risk of a data breach, integrating CTI into a bank’s cybersecurity program can make the bank more difficult to target and lower the likelihood of a breach. To get value from CTI, a bank can:

  • Identify the threat actors that are leveraging potential vulnerabilities in systems used by the financial sector;
  • Understand whether a particular organization or client is being targeted directly;
  • Detect active malware campaigns that could target the bank;
  • Learn where its customer and employee information may exist;
  • Find breached credit or debit cards on deep web or darknet marketplaces; and
  • Understand emerging trends regarding data theft.

There are a variety of ways that financial institutions can leverage, and directly benefit from, CTI. Some examples include:

  • Incorporating technical indicators of compromise into the company’s security information and event management system;
  • Briefing high-level executives on industry trends and providing intelligence on potential future attacks;
  • Providing intelligence briefings to security operation centers (SOCs), increasing the situational awareness of technical campaigns and bad actors;
  • Developing incident response scenarios;
  • Achieving timely integration with fraud teams to deactivate stolen credit or debit cards;
  • Working with law enforcement to remove stolen credit, debit or other financial information from the deep or dark web;
  • Segregating and limiting internal access to systems if an individual’s credentials are exposed;
  • Communicating with social media and marketing teams about exposed data; and
  • Implementing patches for known vulnerabilities that are discovered on external-facing systems and applications.
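
One way to wire three of the uses listed above into a single routing step, as an added example that is not from the original article: findings for the bank's own cards go to the fraud team, exposed employee credentials go to the identity team, and technical indicators go to a SIEM watchlist. The feed format, BIN, e-mail domain, key and team names are assumptions, and the sample feed is constructed (the card numbers are standard test numbers).

```python
"""Route CTI findings to the fraud team, the identity team or a SIEM watchlist."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Hypothetical values for this example, not taken from the article.
BANK_BINS = {"411111"}                  # issuer prefixes owned by the bank
BANK_EMAIL_DOMAIN = "examplebank.test"  # domain of employee accounts
LOOKUP_KEY = b"demo-key-rotate-me"      # key shared with the card system

# Constructed sample feed; the PANs are well-known test numbers, not real cards.
SAMPLE_FEED = [
    {"type": "card", "value": "4111 1111 1111 1111", "source": "marketplace-A"},
    {"type": "card", "value": "4111111111111112", "source": "marketplace-A"},
    {"type": "card", "value": "5555555555554444", "source": "marketplace-B"},
    {"type": "credential", "value": "J.Doe@ExampleBank.test", "source": "dump-1"},
    {"type": "credential", "value": "someone@other.test", "source": "dump-1"},
    {"type": "indicator", "value": "198.51.100.23", "source": "vendor-report"},
    {"type": "indicator", "value": "198.51.100.23", "source": "isac-share"},
    {"type": "indicator", "value": "bad-domain.example", "source": "isac-share"},
]


@dataclass
class Routing:
    fraud_team: list = field(default_factory=list)      # cards to deactivate
    identity_team: list = field(default_factory=list)   # accounts to restrict
    siem_watchlist: list = field(default_factory=list)  # indicators to alert on
    discarded: list = field(default_factory=list)       # (type, source, reason)


def luhn_valid(pan: str) -> bool:
    """Check the Luhn digit so junk or padded listings are dropped early."""
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for tickets and logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_token(pan: str) -> str:
    """Keyed hash the card system can match without the PAN being passed on."""
    return hmac.new(LOOKUP_KEY, pan.encode(), hashlib.sha256).hexdigest()


def triage(feed) -> Routing:
    out = Routing()
    seen_indicators = set()
    for item in feed:
        kind, raw, src = item["type"], item["value"].strip(), item["source"]
        if kind == "card":
            pan = re.sub(r"[ -]", "", raw)
            if not luhn_valid(pan):
                out.discarded.append((kind, src, "fails Luhn check"))
            elif pan[:6] not in BANK_BINS:
                out.discarded.append((kind, src, "not issued by this bank"))
            else:
                out.fraud_team.append(
                    {"masked": mask_pan(pan), "token": card_token(pan), "source": src})
        elif kind == "credential":
            user, _, domain = raw.lower().rpartition("@")
            if user and domain == BANK_EMAIL_DOMAIN:
                out.identity_team.append({"account": user, "source": src})
            else:
                out.discarded.append((kind, src, "not a bank account"))
        elif kind == "indicator":
            key = raw.lower()
            if key not in seen_indicators:   # same indicator from two sources
                seen_indicators.add(key)
                out.siem_watchlist.append({"indicator": key, "first_source": src})
        else:
            out.discarded.append((kind, src, "unknown finding type"))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_FEED)
    for team in ("fraud_team", "identity_team", "siem_watchlist", "discarded"):
        print(team, getattr(result, team))
```

The routing output carries only a masked number and a keyed token, so the full card number from the feed never reaches a ticket or a log.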

What does a successful CTI program look like at financial institutions?
Deep analytical CTI is usually not possible at small- to medium-sized financial institutions using the internal resources of their existing security teams, and is often outsourced to a vendor or third party. Outsourcing can provide some value-added actions, such as:

  • Identifying breached credit and debit cards or other financial information;
  • Monitoring chatter about C-suite executives;
  • Assisting in preventing fraud carried out through credential theft;
  • Thwarting attacks planned by adversaries that use new financial theft malware, ransomware or Trojans;
  • Examining reputational damage or brand-related chatter for an organization;
  • Identifying large credential data dumps or breaches; and
  • Identifying or ascertaining stolen or fraudulent goods like blueprints, skimmers and physical devices, or sensitive data such as tax forms, personally identifiable information and protected health information.

CTI can provide a variety of actionable information that executives can use to make better cybersecurity decisions and assess their risk appetite. With CTI, bankers can prioritize initiatives, address budgets and create business strategies for securing customer, employee and client data. A deeper understanding of the threats they face gives companies a firmer grasp of the tumultuous cyber landscape and a clearer vision of how to prevent problems.

The Newest Exposure Facing Community Bank Boards


Cybercrimes continue to pose the most significant risk to the banking sector, ranging from standard phishing attacks to newer ATM jackpotting schemes that manipulate a machine to dispense larger amounts of money.

Many of the losses originate through human error, so it is critical to ensure all employees are trained on the newest phishing schemes and how to best avoid them. Cyber liability insurance claims represented the largest increase in the percentage of total liability claims, according to data from the American Bankers Association, rising from 19% in 2017 to 26% in 2018.

Several of the most recent examples of covered cyber claims began when a bank employee succumbed to a phishing attack. This is where the employee clicks on a link provided by what is perceived to be a trusted source, which downloads malware. The malware often causes a breach of network security, providing the perpetrators with complete access to a bank’s networks. In some scenarios, the malware freezes the bank’s systems, and the perpetrators extort executives for a “consulting fee” to restore access to the internal systems. The fee is often in the form of bitcoin or another form of untraceable cryptocurrency.

While that can be a significant expense to the bank, the more-common claim scenario includes the expenses associated with the breach of network security. These can include, but are not limited to:

  • Notification costs
  • Forensics expenses
  • Credit monitoring costs
  • Establishing a call center
  • Hiring a public relations firm
  • Obtaining legal advice, ensuring all discovery is protected by attorney-client privilege

Most cyber liability policies will cover both breach remediation expenses and cyber extortion costs, as long as the third-party providers are approved by the carrier.

However, the loss scenario does not have to be limited to extortion or post-breach remediation expenses. As reported in 2018, a regional Virginia bank fell victim to an ATM heist for a total loss of $2.35 million. The fraud was initially caused by an employee who fell victim to a targeted phishing email, which allowed culprits to install malware on bank servers. The malware allowed thieves to disable the anti-theft and anti-fraud protections, including 4-digit PIN numbers and daily withdrawal limit thresholds. The bank succumbed to two separate instances of ATM thefts from this intrusion into its computer systems. The first resulted in a loss of $550,000 over a holiday weekend; the second resulted in a loss of over $1.8 million.

Recommendations:

  • Make sure your employees are trained, and retrained, on how to detect a phishing e-mail and what to do if they suspect the e-mail may not be legitimate.
  • If you have any network security third-party providers, confirm if they are already included under the cyber carrier’s panel counsel list, which is a list of pre-approved vendors with pre-negotiated rates. If not, try to get them added on a pre-approved basis. This would typically occur during the renewal of the cyber policy, not during a claim.
  • If there is a breach of network security, make sure the cyber carrier approves all third-party expenses in writing, in advance, to ensure they will indemnify the bank for those expenses.
  • If cybersecurity, cyber risk or cyber insurance is discussed during a board meeting, make sure to document that in the minutes of the meeting. We suggest that boards show that such discussions take place on a quarterly basis, which can result in those boards being viewed in a better light in the event of a cyber-attack.

Cybersecurity: What You Need To Know


Ask most top bankers to name one thing that keeps them up at night, and many will say that cyber threats and risks to their company’s cybersecurity are chief among their concerns.

Even the biggest banks wrestle with this important issue, and breaches can have serious financial, reputational and regulatory ramifications.


Basic Cybersecurity Protections
For most companies, the question of a cyber-attack is when or how many, not if. There are basic protections to have in place to prepare and defend against the risk of an event, but with the ongoing and persistent risk of threats, it’s best to have a strategy and practice for any potential event.

Use Data To Protect Data
To mitigate the risks of cyber events and threats, using a data-based model can be effective. Data can quantify the risk to the institution and make regulatory reporting more efficient. It can also make the threat identification process more efficient by highlighting areas of risk more easily.

What is “Threat Intelligence?”
One of the toughest challenges in cybersecurity is maintaining an edge against potential attackers who are continually making their attempts more sophisticated and difficult to defeat. One way many companies maintain that edge is to collect and use “threat intelligence,” which is information that can help prepare and preempt potential incoming cyberattacks. But, you have to use the intelligence effectively.

The Cybersecurity Talent Threat
Research, including that conducted by Crowe and Bank Director, has indicated that bank executives and boards have concerns about the capability and readiness of the bank and its employees to identify, prevent and respond to cyberattacks. Regardless of asset size, there are ways to find and prepare your employees for real and perceived threats.

Financial implications
Just one breach can cost a company millions of dollars and untold more in other areas, potentially wiping out any projected revenue gains for the quarter, or longer. Analyses conducted by major firms have estimated a wide range of potential per-record costs for data breaches, making it difficult to truly project what any single event could carry in terms of financial impact. But some have been estimated to cost tens of millions of dollars, making the threat highly worrisome.

Cybersecurity should be, if it is not already, among the foremost talking points and areas of focus for your board. Without that preparation and ongoing discussion, your institution can find itself exposed to risk that can harm your customers and your institution. But remember there is plenty of opportunity to prepare, secure yourselves and respond in the event of a cyber event.

How Financial Institutions Should Prepare For and Respond to a Cybersecurity Incident


Cybersecurity incidents and data compromises continue to plague financial institutions on a seemingly daily basis. Without a proper response plan in place, financial institutions risk significant damage to their reputation and operations, as well as serious potential liability from regulators and class-action litigation. This guide outlines the procedures financial institutions should implement to prepare for and respond to a cybersecurity incident.

It is crucial that financial institutions adopt a response policy to mitigate the harm of a cybersecurity incident. This policy should establish a response team, including an executive officer and technical and operational personnel, charged with handling all cybersecurity incidents.

Time is of the essence during any cybersecurity incident, and communication is vital to the response team’s effective handling and investigation of the situation. Each employee should know how to report an incident. Notification processes, responsible personnel, and other elements of the communications plan should be as seamless as possible to enable the cybersecurity response team to immediately investigate the potential incident and determine whether an incident actually occurred. As soon as the incident is confirmed, the team must immediately respond.

Determine the severity of the incident. The response team should first determine the severity of the harm and the type of incident that occurred. This will help determine the scope of response necessary to appropriately address the incident. The team should be sure to create a detailed record of all investigations and responses.

Mitigate the harm. The response team next should work to mitigate the harm on its systems. For example, the team can quarantine or isolate the compromised system, install security patches to prevent further incidents, update anti-virus signatures, and conduct a vulnerability analysis to identify elements of the system potentially at risk of a similar incident.

Establish lines of communication. Pre-determined and clear lines of communication, both internal and external, are critical to responding to an incident. The response team should also be in communication with appropriate auxiliary teams in the financial institution. For example, if the cybersecurity incident led to customer information being compromised, the response team should coordinate with the customer relations team to facilitate customer notification. Senior management should also inform the board of directors of the incident so that the directors can assist in developing a response strategy as appropriate.

When deemed necessary, the response team should also be in contact with third-party advisors, such as legal counsel or forensics experts. If the response team determines an incident has potentially compromised personally identifiable information or other legally protected information, the team should immediately contact legal counsel and the institution’s insurance carrier (unless instructed otherwise by legal counsel).

Review and repair vulnerabilities. After a financial institution has experienced a cybersecurity incident, it should evaluate system vulnerabilities by identifying the incident’s source and method. The financial institution should rectify or mitigate the risk of the vulnerabilities as soon as possible.

After addressing the incident, the financial institution should also evaluate its response team’s efficiency and effectiveness. Are there aspects of the plan that can be improved? Were the communication lines clear and efficient? How long did it take for the team to spring into action? How long did it take to implement the mitigation? Was the response team appropriately staffed? Answers to these and other probing questions will serve to better prepare the institution for the next incident and should provide the basis for improvements to policies and procedures.

Preparing in advance for a cybersecurity incident can mean the difference between quarantining the release of sensitive data and having the sensitive data released to the public; and because preparations help control damage even if a breach happens, they can also make the difference between a small, manageable cybersecurity incident and a large, cumbersome data breach that could severely damage the reputation and operations of the company.

Shelter From the Cyber Storm


In 2014, the Federal Financial Institutions Examination Council issued a statement on behalf of its members—including the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau—recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization focused on threat intelligence analysis and sharing. Cybersecurity has been a growing issue for the U.S. economy and the banking industry, and cyber intelligence is a significant focus of the organization, as well as natural disasters, such as the recent hurricanes that hit Texas, Florida and Puerto Rico. “Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents,” the FFIEC said in the statement. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyberattacks on their systems. Additionally, these institutions have gained deeper insight into specific vulnerabilities and collected methods for identifying vulnerabilities on their systems and enhancing controls.”

Resources like FS-ISAC help banks learn from each other about the cybersecurity threats facing the industry. But what happens when hackers hit your bank, and customers’ data is compromised?

Sheltered Harbor, an affiliate of FS-ISAC based in Reston, Virginia, was established following a series of cybersecurity simulation exercises, called the Hamilton Series, which were conducted by the Financial Services Coordinating Council, in coordination with the U.S. Dept. of the Treasury and with support from FS-ISAC. “These exercises are tabletop simulations of possible events with the goal to exercise, in the classic sense of practice, and to identify vulnerabilities that should be addressed by the industry,” says Steven Silberstein, the chief executive of Sheltered Harbor. “Sheltered Harbor is the industry’s response for one of these vulnerabilities: to ensure business continuity for retail banking customers if an attack happens, and all defenses fail.” The organization partners with member banks to ensure their customers’ accounts are safe should a cyberattack damage the bank’s data. If a bank is unable to recover from such an attack in a timely manner, the bank’s customers would still be able to access their accounts through another member financial institution. The data is encrypted and remains private, and there is no disruption in service for the customer.

Much like its parent organization, FS-ISAC, Sheltered Harbor helps banks work together to ensure the safety of consumer data. Regulators don’t require that banks join, but Sheltered Harbor already represents 63 percent of U.S. retail bank and brokerage accounts, according to the organization. Membership fees are based on a sliding scale and are determined by the size of the financial institution.

In this interview, Bank Director Director of Research Emily McCormick asks Silberstein about lessons learned from recent cyberattacks, and the policies and procedures that institutions should have in place to protect customers if a cyberattack damages account data.

BD: What are some lessons that bank boards should take to heart following recent cyberattacks, including the Equifax data breach?

Silberstein: Bank boards should have a tight pulse on the organization’s cybersecurity preparedness and cyber hygiene. Many corporations have cybersecurity scorecards that are updated and shared with the board of directors. These scorecards enable the board to assess the security of the enterprise and make appropriate decisions about strategy, staffing and internal standards.

In this rapidly evolving cyber environment, it’s important to use the most advanced technology to protect all of the “doors” to your company. Utilize scorecards as living and evolving tools to maintain a pulse on preparedness, and always ask what could happen from a business point of view, not just a cyber point of view. I call this healthy paranoia.

BD: What information should be included on those cybersecurity scorecards?

Silberstein: Each organization needs a consistent framework to continually assess risks, report on them, and respond to current and future risks. These include internal and external risks, existing vulnerabilities and remediation programs underway, recent events and lessons learned, organizational challenges, and third-party risk. Additionally, an organization can measure its cybersecurity implementation using frameworks like the Integrated Adaptive Cyber Defense, or IACD, framework and/or the National Institute of Standards and Technology [NIST] cybersecurity framework. Using the IACD framework, financial institutions can quickly prevent, detect and respond to attacks that may impact customers using technical guidelines for application of commercially available automation technology tools and systems. The NIST framework is about assessing risk and developing a risk management plan. The two frameworks complement each other.

BD: What does it mean when a financial institution becomes Sheltered Harbor ready?

Silberstein: When a financial institution becomes Sheltered Harbor ready, it means that it has implemented the additional resiliency prescribed by the Sheltered Harbor specification. At a high level, the model empowers financial institutions to securely store and rapidly restore customer account information using an industry standard format. Consumers would then benefit by having access to their accounts and basic transactions rapidly restored after a major incident at an institution.

BD: What policies, systems and personnel does the bank need to have in place in order to make this work?

Silberstein: First, most institutions are using a service provider for core banking services. Most large service providers are already implementing Sheltered Harbor capability, so for these institutions the focus is mainly on the business continuity planning that is specific to the Sheltered Harbor Model.

For institutions running their own core processing, an additional process of extracting customer account data, then putting the data into a standard format, encrypting it and finally storing the data in a very secure fashion per the specification encompasses most of the work. The institution must do some resiliency planning and organize a backup core service provider. The Sheltered Harbor specifications provide the controls and processes needed to ensure interoperability.

BD: The initiative helps member financial institutions store secure customer data above and beyond existing practices. Why should banks, particularly community banks, invest in putting this in place?

Silberstein: Our industry’s investment in protecting everyone connected to financial institutions is second to none. Nevertheless, we cannot guarantee 100 percent protection. So if a financial institution is severely disabled, we need a safety net like Sheltered Harbor to protect consumers, allowing them to continue to manage daily financial transactions in their lives.

How Big Data is Helping Live Oak Bank Prevent Hacking


While there’s a myriad of technologies and companies on the market trying to make banking data more secure and prevent hacking, knowing which technologies and partners to choose from can be a daunting task. With cyber criminals looking for any conceivable way to get into banking systems, monitoring for potential threats can seem almost impossible. Think of cyber security as a house with multiple “points of access” for potential burglars, like windows or doors. The problem is that each digital access point, from branch networks to remote data centers, presents a distinct set of cyber security problems. This often leads banks to involve multiple software, solutions and partners. The result can be a disjointed cyber security strategy where banks are spread thin dealing with multiple vendors and systems.

That’s precisely the issue that Live Oak Bank—a North Carolina institution specializing in small business loans—faced as the bank’s employees were looking to improve their cybersecurity. Part of Live Oak’s promise to its customers is top-notch cyber security, but with their systems, the bank struggled to gain visibility into every potential point of access that cyber criminals might seek to exploit.

“We really wanted to protect ourselves across the board,” recalls Thomas Hill, chief technology officer at Live Oak. “But we had to address each potential security issue with separate technologies, which quickly became overwhelming. You’ve got to monitor all these devices and systems all the time, and be on top of them if—and when—a hacker comes in.”

Hill and Live Oak began evaluating options to respond to breaches quickly when they happen, and possibly detect them ahead of time. They decided to partner with Seattle-based cybersecurity company, DefenseStorm.

“Live Oak needed visibility into all areas of its network to support company-wide security and operational activities,” explains DefenseStorm chief technology officer Sean Cassidy. “With branches, staff and data centers located across the U.S., [employees] had multiple systems to monitor each point of access. They needed a way to consolidate visibility into each system, while still allowing the systems to continue operating as intended.”

DefenseStorm’s stack of cybersecurity capabilities includes real-time incident reporting, automated initial threat response and—most importantly—a proprietary big data engine built specifically for banks to analyze metadata patterns that could be indicative of a hack. Live Oak was then able to aggregate all their cyber security logs and event data into one analysis engine—with the objective of increasing visibility of security threats, and speeding up reaction time to potential breaches. They did this by implementing software that aggregates data from existing systems, and places it all into a single, easy-to-monitor dashboard. Incident tracking for compliance purposes also became more efficient, allowing the bank to report cyber incidents to state and federal regulatory agencies sooner than before.

“DefenseStorm’s incident response system allows me to not only easily see data indicating a potential hack, it allows me to immediately assign it to one of our engineers,” says Hill of Live Oak. “It really empowers them to focus in-depth on potential threats and dig deep to see if there’s a hack underway.”

DefenseStorm also continues to provide Live Oak with 24-hour monitoring and support through its so-called Guardian team, who are also responsible for offering assistance in investigating—and uncovering—potential threats. The Guardian team provides advice and recommendations to Live Oak on how to better secure its network in the future. This underscores the trend of “threat hunting,” as businesses and organizations seek to be more proactive in how they monitor systems for potential hackers.

Live Oak’s previous security system was unable to perform accurate and timely security analyses, mainly due to the increasingly large amount of data traffic occurring on the bank’s networks. Reaction time to security incidents has been greatly reduced, says Cassidy.

Finally, one of the most unique parts of this partnership is that Live Oak has chosen to participate as a proof of concept customer for features and capabilities of DefenseStorm’s software that are in the final stages of development. “With all the tools and support they provide, DefenseStorm is really turning out to be a Swiss Army knife for us—and potentially the entire banking industry,” says Hill. “This partnership has been a huge win.”

Are Directors Tone Deaf on Cybersecurity?


Are the boards of directors at U.S. banks taking the cybersecurity threat seriously enough?

In Bank Director’s 2017 Risk Practices Survey, 85 percent of the 167 respondents—a group that includes bank directors, CEOs, chief risk officers, and chief information and chief technology officers—identify cybersecurity as the risk category they are the most concerned about. And that heightened level of concern is evident across all sizes of institutions in the survey, from banks under $1 billion in assets to those greater than $10 billion.

After all of the high profile, highly successful and highly publicized cyberattacks that have occurred over the last several years, surely every bank director understands the serious nature of cyber risk today. Hackers are incredibly creative and persistent in their efforts to penetrate bank security systems and steal sensitive customer data, money—or both. A successful intrusion can be costly to the bank, damage its reputation with customers, and become an issue with regulators if they believe the bank has a weak cybersecurity program.

Twenty-six percent of the respondents say their bank has experienced a data breach or some other type of cyberattack since 2015, and another 4 percent were the victims of a breach prior to 2015. In other words, nearly one-third of the respondents have already experienced a breach—an incident rate that should get all directors’ attention regardless of whether their banks have been victimized or not.

So, what is being done about this? Over the past two years, the survey participants’ banks have made a number of improvements to their cybersecurity programs, including:

  • Eighty-two percent have invested in technology to better detect and deter cyber threats and intrusions.
  • Eighty-one percent have improved training for staff.
  • Eighty percent have increased their focus on cybersecurity at the board level.
  • Seventy-five percent have improved their internal controls related to cybersecurity.
  • Seventy-five percent have improved and tested their bank’s cyber-incident management and response plan.

But there is still more that can be done to protect against hackers. According to the survey, 38 percent of the respondents still don’t employ a full-time chief information security officer (CISO). As one might expect, this deficiency is most evident at banks under $1 billion in assets, even though they are still likely targets for a cyberattack. The benefit of having a CISO, rather than giving this responsibility to the chief risk officer or chief information officer, is that cybersecurity has become so specialized that it should be handled full-time by one individual with experience in the field. Fifty-one percent of the survey participants say their bank won’t be hiring a CISO in 2017, and 43 percent say they are unsure. Banks under $1 billion are already less likely to employ a CISO, and the survey data suggests that they’re unlikely to hire one this year.

Most surprising of all is that only 17 percent of the respondents say cybersecurity is discussed at every board meeting. Thirty-six percent say the board reviews the issue quarterly, 19 percent say they discuss it semi-annually and 10 percent talk about cybersecurity just once a year. If cybersecurity is truly the most pressing risk management issue facing bank boards today, then why isn’t it being discussed at every board meeting, at every bank?

If it’s the board’s responsibility to set the tone at the top when it comes to risk governance throughout the bank, then it would seem that a lot of boards are tone-deaf when it comes to cybersecurity.

What You Don’t Know About Network Defenses Can Definitely Hurt You


Hackers have many avenues to choose from when it comes to attacking your organization, the most obvious of which is breaking in from the outside, or attacking your network’s perimeter. But they also can choose to attack from the inside-out by targeting your employees and internal weaknesses.

Cyber criminals use tactics like password attacks, session hijacking, exploiting application vulnerabilities and leveraging malware to gain unauthorized access to your network. Once inside, they steal, delete or distort confidential data, and often alter or disable security features to enable larger future attacks and avoid detection.

As revealed in Verizon’s 2016 Data Breach Investigations Report—a yearly study composed of findings from law enforcement agencies, forensic services firms and other entities—external threat perpetrators have been responsible for at least 75 percent of confirmed data breaches in each of the last six years.

To help protect your network, all employees—from the top down—should learn to spot the signs of a possible attack or breach, from suspicious emails and system modifications to unusual network glitches.

Here are some examples of the possible tools in an attacker’s arsenal:

  • Session hijacking: occurs when an attacker hijacks a network session shared by two systems by masquerading as one of them.
  • Password cracking: involves identifying the password of a user or administrator to gain system access.
  • Denial of Service (DoS) attacks: bombard a system, causing it to crash or deny access to legitimate users.
  • Web-application attacks: hackers exploit weaknesses and/or security flaws in a web application, possibly leading to the compromise of the host device or internal network.
  • Malware: includes ransomware that encrypts your files on the network drives and demands payment of a “ransom” to decrypt them; rootkits that embed themselves in your computer’s software, replacing legitimate software or hiding malicious programs; and remote access trojans (RATs), which are disguised as legitimate programs but give attackers an open door into your network.

Toughen Your Defenses with Vulnerability Assessments and Penetration Testing

Two crucial types of security testing offer financial institutions the best protection against these threats: vulnerability assessments and penetration testing. One is focused on finding as many vulnerabilities as possible, while the other can reveal the impact of an attack rather than theorizing about it, and also ensure that controls work as expected.

A vulnerability assessment is designed to yield a prioritized list of the environment’s vulnerabilities, and works best for institutions that already understand they are not where they should be in terms of security. However, recent guidance outlines the importance of regularly performing vulnerability assessments on your network. The scope, in industry terms, is breadth over depth.

This type of assessment, which helps ensure compliance with Gramm-Leach-Bliley Act data guidelines, can be performed using a remote scanning device—configured by a certified provider—that is plugged into an organization’s network. The device scans the entire network, including hardware and software, and performs internal vulnerability, patch management and port-scanning functions.

The provider can then analyze the data and prepare a detailed report with recommendations for securing your network.

By contrast, a penetration test’s ethical hackers seek to achieve a specific, attacker-simulated goal. A typical goal could be to gain access to the internal network and compromise a privileged account, or obtain the contents of the customer database. The test determines whether a mature security posture can withstand an intrusion attempt from a hacker. Here, the scope is depth over breadth.

A thorough penetration test consists of these elements:

  • Reconnaissance: Entails learning about the target using little or no interaction with their systems. This compares to a burglar watching a neighborhood to determine the patterns of its residents as well as their types of possessions and whether they have security systems. Reconnaissance includes Internet searches, website reviews, IP block information and domain name system (DNS) interrogation.
  • Scanning: The first major contact with the target’s systems, which involves looking for potential openings. This is likened to a burglar rattling doorknobs and checking for unlocked windows. Scanning includes network mapping, port scanning, operating system (OS) fingerprinting, service detection and vulnerability scanning.
  • Gaining Access: This is where the hacker comes in, with an attempt to compromise the system. This step is similar to the burglar breaking into the home using the most vulnerable door or window. Gaining access features password and web application attacks and the exploitation of vulnerable software and configuration flaws.
  • Maintaining Access and Covering Your Tracks: Performed only upon successful penetration into the institution’s network. It should be noted that many organizations forgo these steps because they involve manipulating systems, applications and files.

It is crucial for your financial institution to maintain cyber-resilient networks and systems. The costs of disrupted business, reduced customer confidence, fines and lower profitability resulting from an attack are simply too great.

2016 Risk Practices Survey: Banks Beef Up on Cybersecurity


For 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.

Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.

In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.

Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.

Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and 18 percent established board-approved triggers for update and reporting. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.—now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.

Other key findings:

  • Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
  • Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer who is also focused on other areas of the bank.
  • Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
  • Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed, and compensation determined, by the board or a board committee.
  • Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
  • Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
  • Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.

Cybersecurity: Five Best Practices To Protect Your Bank


Cybersecurity remains a top concern for the bank executives and board members surveyed in Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. What can bank boards do to combat this threat? In this video, Sai Huda of FIS reveals best practices that boards can implement, based on the survey results.

  • Cybersecurity and the Board
  • The FFIEC Cybersecurity Assessment
  • Detecting an Intrusion