Cybersecurity has lately become a top concern for bank boards and their senior management teams in the face of an unrelenting wave of ransomware attacks. Now you can add heightened geopolitical tension resulting from Russia’s invasion of Ukraine to the worry list.
“Clearly we have a geopolitical situation going on which, given the threat actor, does raise cybersecurity concerns,” says Kevin Greenfield, deputy comptroller for operational risk policy at the Office of the Comptroller of the Currency. “And financial institutions, as well as government agencies themselves, are very focused on this heightened alert and are making sure that cyber defenses are up.”
And if they’re not, they certainly should be.
In an interview, Greenfield says that threat actors have been known to have used cyber attacks as an effective tool against their opponents in the past for political purposes. The concern is that at some point during the conflict in Ukraine, threat actors could potentially target cyber attacks against this country’s critical infrastructure – including its banking system.
“The financial system is a critical infrastructure, which means that it is something that is very important for not just individual institutions,” says Greenfield. “The banking system supports the U.S. economy and the U.S. people. And it’s important to maintain the integrity and resilience of that system. Banks need to make sure they lockdown key controls and make sure they are monitoring for any threat indicators.”
The OCC regulates banks with a national charter, but Greenfield’s comments are just as relevant to state-chartered banks regulated by states, the Federal Deposit Insurance Corp., or the Federal Reserve.
In early January, even before the Russian invasion of Ukraine, the Cybersecurity & Infrastructure Security Agency (CISA), a federal agency under the Department of Homeland Security, issued a threat alert — “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.”
In the alert, CISA made the following recommendations for all U.S. companies, including banks.
1. Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
2. Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
3. Increase organization vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
CISA has also set up a website – Shields Up – focused on providing threat information, tools and resources to help all organizations safeguard and respond to geopolitical threats in cyber space. “We have pushed that information out to financial institutions because these are the experts,” says Greenfield.
Separate and apart from the current geopolitical situation, Greenfield says the OCC is also seeing an increase in ransomware attacks. “Just from personal observation, we’re seeing more use of ransomware and using [it] to solicit illicit funds from banks,” says Greenfield. “We’re seeing it and I think one of the reasons why is because it works.”
Greenfield says it’s up to banks whether they should pay a ransom if their critical data has been locked up following an attack. “That’s an institution’s decision,” he says. “Executive management and the board need to make that decision. The one thing I’ll tell you is, understand [that] you’re dealing with criminals. You’re not dealing with honest people. It’s not something that we would encourage, but there’s no regulation against it.”
Any bank that does decide to pay a ransom needs to make sure it doesn’t violate any restrictions that have been imposed by the Office of Foreign Assets Control (OFAC), an agency under the U.S. Treasury Department. “When paying ransoms, be aware of any OFAC requirements and any sanctions on those who might be getting paid,” he says. “You can contact OFAC to request a waiver, but that’s something that will be very important to ensure an institution does not violate any sanctions requirements.”
In the face of continued ransomware attacks, Greenfield says that banks should focus on fundamental elements of cyber security. “We have been very clear on our messaging to banks about the importance of cybersecurity and just fundamental cyber hygiene, because when events do occur and then we explore the root cause, it tends not to be a zero-day exploit, but a basic control oversight,” he says. A “zero-day exploit” is a previously unknown vulnerability in a software program.
At the top of Greenfield’s list of poor cyber hygiene habits that leave banks vulnerable to ransomware attacks are weak authentication controls, including the failure to use multi-factor authentication. And even when a multi-factor protocol is in place, banks sometimes grant exceptions that end up getting targeted by hackers who know to look for them.
Greenfield says the federal banking regulators have been emphasizing “effective authentication,” and recently the Federal Financial Institutions Examination Council (FFEIC) – an interagency group comprised of bank and credit union regulators – updated its guidance on authentication. “We tried not to be technology specific so there’s not a corporate requirement for multi-factor,” he says. “But our guidance is you need to have effective authentication, which typically we would see as a layered security approach with multi-factor or similarly strong technologies.”
The guidance also advocates that if nothing else, banks at least take a risk-based approach and protect their most sensitive or critical systems. “This is something that I communicate to all bank management teams; if it’s nonpublic and you don’t want anyone to gain access that’s not authorized, use multi-factor authentication or something similarly strong,” he says. “We’ve seen that malicious actors will get into a system and they will wait for the opportunity to exploit it and move laterally throughout the network as they’re able to figure it out.”
Another vulnerability is poor network management, a potential problem that has been exacerbated by the industry-wide shift to many employees working from home on laptops. Common shortcomings include networks that are not effectively configured, including a failure to turn on security controls that already exist within a particular software product or service. Or a failure to install an available patch when a vulnerability has been identified. “Sometimes we’re seeing they’re not changing default administrator IDs and passwords – I mean, simple things,” Greenfield says. “And especially when we’re talking about off-the-shelf software applications that everyone uses. All those user manuals that you have access to, the bad guys have access to as well, so they know how it works.”
Successful cyber attacks can often be traced back to multiple causes. “Typically, it’s a combination of phishing or some other [tactic] to steal a credential, then weak multi-factor [authentication], and then looking for vulnerabilities such as misconfigured or unpatched systems,” Greenfield says. “The biggest thing I can tell any institution is, make sure your controls are up and as strong as they can be so that you’re not a target, because the one thing that I have seen with many malicious actors is, they’re going to go for the easiest target.”
*Clarification: This article has been amended from an earlier version in part to clarify that Greenfield did not specifically mention Russia in the interview.