M7-2013:  Trends in Bank Information Security

On October 7^th, 2009, the head of the FBI stopped banking online.  Robert Mueller cited the fact that he nearly fell for a phishing attempt as the reason.  The first “Magnificent Seven” that I wrote, two years earlier, established Phishing as a high likelihood attack that I thought most community based banks would be responding to.

(What you might not realize is that the Magnificent Seven, one of the great Westerns starring Yul Brynner, Steve McQueen, Charles Bronson, James Coburn, Robert Vaughn, Brad Dexter, and Horst Buchholz as a group of seven American gunmen hired to protect a small town, is actually based upon The Seven Samurai, a movie which my eldest stresses is about layers of defense! 

But to be honest, I know about The Magnificent Seven because I always loved the theme music by Elmer Bernstein.  If you really want the best reading experience for this article, consider playing the theme music in the background, as you read.)

Last year, my article completely missed that BYOD would be a big trend in 2013.  Not that I didn’t anticipate it . . . heck, I was agreeing at the time to give a talk on the subject in two different venues.  I just missed it as a big issue when I was writing The Magnificent Seven.  “Because it was so obvious,” I said to myself, when I came to the realization.  By then, however, it was too late.  I had already published the article.

I state this because it’s important to realize this year’s Magnificent Seven could be missing a big issue as well.  I merely write it and its companion article, “Top Twenty Tactics for 2014,” to spark your thinking and give you something to compare to your own updated information technology and governance strategy.  But let me also warn you that I also wonder what, of the seven 2013 trends that could affect our 2014 strategies, will be like last year’s “digital discovery,” and turn out to just not be that big of a trend after all.

Having established the above disclaimers, let me finish introducing this year’s Magnificent Seven by reminding us what this list has evolved to be:  an analysis of seven 2013 trends we are seeing among our Indiana, Ohio, and Illinois community banking clients, that will probably be bothering us throughout 2014.

1. Revision of Incident Response Processes:  DDoS, CATO, and Zeus have driven us to new incident response processes, and testing those scenarios is one of them.
2. IT Auditors Are Busy:  Healthcare enters the fray, right when banks begin realizing the value of information technology testing.
3. Simplification of Ongoing Risk Management Processes:  The need to risk assess everything has driven the development of integrated enterprise risk management applications.
4. 2013 Compliance Trends:  The FFIEC has been busy, and we predict we’ll be responding to some new guidance in 2014.
5. Mobile Security:  Branchless Banking and Portable Device Risk:  Yawn.  But it’s still very important, and much of our time will be dedicated to “finishing up.”
6. Expansion of Awareness (to the Technical Team):  The supplement drove us to recognize the value of awareness training not only for our users, but also our customers.  And in 2014/2015, we predict that “technical awareness” will be on the rise.
7. Process Simplification:  We see a lot of banks looking back at the last decade and asking their auditors/examiners if they can have a year to re-iterate their processes.  Sounds like a great idea to us!

1)    Revision of Incident Response Processes

So we all were buzzing just a year ago about the big trend in distributed denial of service attacks, and some of us were stinging from a recent “CAT Attack,” which was my phrase for what ended up being coined as a CATO by the Conference of State Bank Supervisors. In 2013 most of us revised our incident response plans to address DDoS and CATOs in response to guidance or just out of pure proactive reasoning.  We believe that in 2014, this will spawn the testing of these scenarios.

What’s very interesting about the banking industry’s renewed focus on incident response is that, in the rest of the world, information security incidents are down.  And the financial services industry is doing very well.  According to the 05/13 IRTC breach report, in 2012, financial services data breaches accounted for only 3.8 percent of all reported data breaches.  Given that statistic, the response to DDoS and CATO is something we should be proud of!

Meanwhile, most community banks installed some sort of detect and response process for high risk transactions.  If this form of intrusion detection and prevention is anything like IPS/IDS on network traffic, we cannot consider ourselves done with this task . . . . EVER.  Expect your ACH, Wire Transfer, and fraud personnel to be forever tweaking this system.

If you haven’t already done so, you may be re-writing a portion of your Incident Response Plan to document how you plan to leverage the above-mentioned anomaly detection.  And if you have already done that, how are you going to test that process?  Think about it:  how long do you go between testing IPS on your network?

2)    IT Auditors Are Busy

The second major trend in 2013 that will affect our 2014 is that healthcare has finally entered the fray.  Not the larger hospitals and such that have already been forced to comply with HIPAA.  We’re taking calls left and right from smaller institutions, business associates, insurance companies and trusts that are now recognizing the importance of information security.  Meanwhile, many of our OTS gone OCC banks are seeing their regulators rely much more heavily on our audit reports, and thus requiring much more extensive audits plans.  While risk-based auditing is still the big trend, auditors are being asked more and more to conduct some of the risk assessments.   Plus, many banks are finally starting to agree that social engineering tests are important.  Add to this trend the fact that we’re seeing demand for newer, deeper audit testing such as mobile security reviews, mobile banking assessments, e-mail configuration audits, paper risk assessments, and vendor file audits.

So does this create a climate where information technology audits get more expensive?  Or can we bridge this by relying more on internal audit processes such as paper risk reviews, internal vulnerability assessments, etc?

3)    Simplification of Ongoing Risk Management Processes

This makes a great segue into the next big trend, which is the need to simply our risk management processes.  For a decade now, I have joked with bank presidents about the fact that banks now have to do a risk assessment for everything.  Clients have asked me if they need to perform a risk assessment before they use the restroom.  And I have been told that “Dan Hadaway’s Spreadsheets” are becoming a metaphor for the phenomena.

Add to that the increased appetite for benchmarking information, the fact that the concept of Enterprise Risk Management is not going away, and that risk measurement is becoming a much more ongoing, rather than annual process.  What do we end up with?

“An entangled mess,” said one of my Clients who declined to be quoted.  But he is seriously considering the new application that infotex now offers, “TRAC,” along with several other risk management applications.  We obviously believe that more and more banks will be investigating risk management applications in an effort to escape the complexity of the spreadsheet-world.  We’re poised for it.

I can’t write a year-end article, and then include a section on risk management, without at least mentioning some new risks that we’re trending:

1. Federated Authentication Continues:  The fact that when you log into Facebook you can also log into twitter, LinkedIn, amazon, and many other assets has us information security professionals worried.  A different perspective:  when your BYOD user signs up for a mobile app that asks for access to your contact list, how much access is that?
2. New Operating Systems:  What do we do about Windows 8 in the workplace?  What new risks does that create, and are we sure our administrators are on top of those risks?  And as many of us rush to migrate off of legacy operating systems, what risk does that create?
3. EVM:  Deadlines loom.  Confusion reigns.  Risk exposure may or may not prevail, depending upon YOU.
4. Cloud Computing:  Still frightened that your managers are using the latest flavor of dropbox.com?
5. BYOD, Branchless Banking, and the false sense of security that can accompany MDM.
6. DDoS and CATO (though not new risks, we worry there will be new vectors in 2014)
7. New Guidances Including the Social Media and Vendor Management Guidances recently released, as well as rumors of guidances about mobile banking and portable device management

4)    2013 Compliance Trends

I suppose we could say responding to guidances is unfortunately not a trend, it’s a regular duty.  And maybe it’s a sign of maturity that we security people are finally surrendering to the loss of control we have over our networks due to the examination function.

And in 2013, all OTS-2-OCC banks learned what the rules would be, for the most part.  We ran into a bank this month that bucked the trend, but most of these banks are relying more heavily upon us, their auditors, as per the OCC’s informal, verbal guidance.

So yes, there was a last minute guidance release on 12/11/13.  Fortunately we had been predicting its arrival all year.  And the OCC and Fed have both released a guidance surrounding vendor management.  But where’s the guidance on BYOD and Mobile Banking?  We think we’ll be addressing all four guidances while we finish up on the supplement all year long in 2014.

The guidance, however, that we’ll be examined on, is the State CATO guidance.  Even banks that are not DFI-regulated should take a look at this well-written guidance.  By complying with it, you will make sure your t’s are crossed and your ducks are in a row.

I know, that’s a mixed metaphor.  But I’m getting ready to discuss mobile, and thus don’t have to follow normal protocols, right?  lol?

5)    Mobile Security:  Branchless Banking and Portable Device Risk

Brb.  K.  I won’t yawn again, but we’ve been talking and warning and advising on portable device risk since 2001, so I won’t spend a lot of time on this subject.  Suffice it to say, it’s a trend that ain’t over.  We’ll be learning more about MDM, its limitations, federated authentication, and the politics of BYOD.  Good luck!

6)    Expansion of Awareness (to Technical Team)

In 2013 we finally recognized the value of educating our customers.  I won’t say I told you so, or that infotex had been preaching this since we were founded in 2000, but thirteen years later we rolled out customer education programs that are truly reducing risk.

I’m proposing, more than noticing a trend, that banks expand the notion to the last corner of the bank that has not yet been thoroughly considered for an awareness program:  the technical function.  I’m happy to realize that by 2013 we saw community banks open their purses to support the attending of conferences, workshops, conventions, and training by technical team members.  And I’m seeing many more of my Clients pick up certifications such as the CISSP or CISM.  I’m also seeing information technology and network engineering folks much more involved in the non-technical side of IT auditing, and that’s a great thing!

But I’m hoping banks begin acquiring new awareness tools for their technical team.  We’re seeing it a bit in the BYOD area . . . MDM and DLP are definitely awareness tools (beyond their primary function.)  We’re seeing smaller banks start to address event log management, and network monitoring is no longer just an outsourced function.

I’m hoping that we can include the detect and response mythologies developed as a result of the Supplement in the realm of “technical awareness.”  Infotex will be focusing on the concept in 2014.

7)    Process Simplification

What is the last, but probably the most powerful, trend in 2013 that will be affecting us in 2014?  We have matured to the point where we want to re-iterate our IT Governance Programs.

We’ve seen many banks go through various policies and procedures with a fine tooth comb, focused on simplification and “neutralization.”  We’re seeing simplified business continuity plans, technical standards documentation, awareness training programs, and risk management programs.

Infotex was lucky in 2013, to take on a group of one-person insurance trusts as clients.  In doing this, we had to revise our policy and procedure boilerplate set to articulate a governance program that could be maintained by a one-person operation.

It worked!  And we have a network backup procedure that, when one of the trusts completely changed their backup system, did not have to be re-written.  Now that’s flexible!

But the results of this 2013 project will be a set of policies and procedures that are very streamlined.  Look for us to release this new boilerplate set in 2014.

Meanwhile, we’re seeing some banks “stepping back from the trees to see the forest” in the form of graphic thinking . . . . drawing layers of security so that they can more fully understand them.  The expression is an effort to simplify the overall description of the program.  Though much easier said than done, the results seem to be worth the effort.

Finally, as discussed above, the use of ERM Applications can place you in a position to substantially simplify your governance processes.  As you can tell, we’re very excited about the possibilities at infotex.  This applies whether you go with TRAC or any of the other applications.

Have a very happy, thankful, merry, and safe holiday season!

Dan Hadaway and the Infotex Team!

Dan Hadaway CRISC, CISA, CISM
Founder and Managing Partner, Infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”