Seven trends impacting Information Security Officers of Small Institutions!

Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

Welcome to the Magnificent Seven, my annual predictive article, affectionately dubbed “M7,” about the seven trends in bank technology that will impact the Information Security Officers of small banks (under five billion in assets).  My intention is to help you organize your thoughts for the upcoming year.

In the past, we spent a lot of words in these articles explaining the concept behind our annual M-7 article, as well as a run-down of how we did last year, a list of all the trends we considered before we reduced them down to the top seven, etc.  This year, let’ us jump directly to the top seven trends:

First let me explain that we are listing our Top Seven Trends (the M-7) in backwards order, like a David Letterman Top Ten List, on purpose.  We use a “Dan Spreadsheet” to determine our top seven, which looks a bit like this:

M-7 Trend #7 Cybersecurity Consulting for the Board:  So you can see by looking at the above analysis that our number seven trend is reflected by how many inquiries we are getting to not only speak to boards of directors but also to act as a consultant to the board of directors.  And we’re seeing many smaller banks look through their community for somebody to be on their board who has “cybersecurity capabilities.”  The board needs somebody they can consult with that is independent of both the technical team and the financial institution’s auditors.  The goal of this engagement would be to answer questions posed by the board after the delivery of the audit report, the annual report to the board, and the annual risk assessment.  The consultant would write a half page memo summarizing each document, and then ensure board members understood the “gist” of each document.

M-7 Trend #6:  Equifax Fallout:  Let’s face it, everybody now knows what phishing is, thanks to the 2016 election, and we all know how to freeze our credit, thanks to the 2017 Equifax breach.  What we don’t know is what the fallout is going to be. What new laws and regulations will result from this?  What industries will be punished because Equifax did not know the basic priorities of an incident response, and what are the implications of “regulated vendor” as a category in our vendor management inherent risk assessments?

M-7 Trend #5:  Incident Response Testing:  If you already are not implementing incident response testing, you will be.  The CAT Requires it, Your Examiner is wanting it, but most importantly, we believe it is the #1 control, even more, important now than awareness training (though Dan maintains it IS a form of Management Awareness Training).

M-7 Trend #4:  IoT Inventories:  We, of course, are all starting to worry about Internet of Things (IoT) vulnerabilities with a specific nod to the recent WPA2 KRACK vulnerability and how it exposes the difficulty in patching these devices.  This trend, which was on our 2017 list as well, frightens us because we do not know what the extent of our exposure is.  Refrigerators, vacuum robots, security cameras, light bulbs, and more are now becoming WiFi enabled making them potential attack targets.  Is there even a process for updating or patching the software on these devices when vulnerabilities are discovered?   The good news:  there is a first step.  We think the action item is to inventory your IoT devices . . . what on your network is connecting out to the internet.  Hint: if you cannot easily produce a report to answer this question, ask your MSSP.

M-7 Trend #3:  Advanced Backup Technologies:  The establishment of an air gap methodology, enhanced backup testing (i.e. malware scanning and corruption, testing,) more sophisticated and targeted failover testing, etc. will be a very important “next steps” in our war against ransomware.

M-7 Trend #2:  Circular Nature of Vendor Management:  “The growing layers of abstraction between a User or Customer, and the actual provider of a service.  When doing due diligence, we often find the people you’re contracting with for a service are themselves contracting things out. Sometimes (many times?) their entire production environment is provided by a third party, and even though many of those third parties have their own audit reports you can read it still adds a layer of complexity to knowing where your risk is. Virtualization has made it so cheap and easy to outsource operations that we’re only going to see more cases where multiple reports will need to be reviewed to cover one vendor’s services, and you never want to see more complexity when it comes to something like identifying risk.

We anticipate the day when, if we truly follow all subservice providers of the subservice providers, we will circle all the way back around to the original company we’re investigating!  The Good News, and thus the Action Item – at least the new SSAE-18 format tries to address this, rather than ignore it like the previous formats.  The action item:  be sure that vendor management is something you look for in the SOC-2 review!

—— drum roll please ——

So . . . that brings us to our Number One Trend for 2018.  And we’re kind of throwing a curve at you here for this one.  It’s not glamorous.  It’s not fun to discuss.  And it’s not really a scary trend.

But it helps highlight a problem with banking . . . we’re suffering the death of a thousand cuts, every time we reveal that account balance to the wrong person.  Our reputation suffers when we do this just like it would suffer, in Dan’s opinion, had we cursed at a customer.  Because that’s what we do to them when we do not protect their privacy.

So, the number one trend in 2018:

M-7 Trend #1:  Pretext Calling, Then Everything Else:  Pretext Calling will remain a higher likelihood than Ransomware, Business Email Compromise, and Corporate Account Takeovers, though the impact is usually much lower.  If we can only convince those yelling about business email compromise that those capable of defending against pretext calling are much more resilient against ransomware, BEC, and CATO attack vectors!!!

Honorable Mentions

The Top 12 Trends:

Had we drawn the line at twelve, and not seven:  The five trends that did not make it into the top seven list, but were very close:

• Awareness in All Directions: We think our number one trend from 2016 and 2017 will continue well past 2018.  It barely missed this year’s top seven.*That’s because we have indeed “Woken to the Notion!” We are aware that we need to be aware, and awareness training will still continue to be an important focus in 2018, starting on management, our incident response teams and ending with our Billpay customers (because though Continued Corporate Account Takeovers (CATOs) didn’t make it into M-7, they are still going to be a trend for some people!).And, of course, if we want to remain successful, we will continue to improve our messaging to our Board of Directors.  Plus our technical team needs to learn the new guidance, as well as compliance officers and auditors.  This will be the third year this trend has made it into the Magnificent Seven.*The trendex for this trend was an 11, and the the minimum trendex for the top 7 trends came in at 12.
• Encryption by the Bad Guys: The encryption of everything proved to be a true trend in 2016, and we kept it in our top seven list in 2017.  That the bad guys are delivering negative payloads in encrypted format is a weakness in the very systems we provide, and we are running out of time when it comes to finding viable solutions.  Look for the cost of IPS/IDS sensors to increase as “SSL Inspection” becomes a trend.  We still see this as a major trend in 2018, and we still see it pertaining to bank ISOs, but we do not see much action that a bank ISO can take at this time, other than to ask their MSSP when they are going to offer SSL Inspection Technologies, and we think it’s not really time to ask that yet.
• Cryptocurrency: Our NOC Manager, Chad Smith . . . whose current return on his bitcoin investment is like 78% . . . gave us, as his pick for the top 2018 trend: cryptocurrency and, more importantly, banking’s reaction to it. Will we be embracing it, tolerating it, or fighting it, like PNC Bank is doing, which we discovered thanks to an article found by our friend and Client Wes Pollard of HomeBank? The action item for bank ISO’s?  Make sure management and the board understand what it is and why it is important to understand what it is!!
• Information Overload: As we tried to let most boards of directors know at the beginning of 2017, this trend was the most impactful trend of 2017.  One of the likeliest risks we faced in 2017 was the fact that the Cybersecurity Assessment Tool, released in a mix of six new guidance publications by the FFIEC, was followed by a dozen additional publications or updates to existing guidance.  But we made it, we weathered the storm, and while we may need a vacation or two, we’ve fought the noise!
• Pseudo Accounts (used like decoy accounts): Our newest employee, Sofia Tafoya (the Sender of Signs), researched trends and found that many organizations are starting to introduce thousands of fake credentials onto an organization’s network, which makes it mathematically impossible for cybercriminals to gain access to a legitimate set of user identities. Once a cybercriminal has used a fake credential generated by deception technologies, the security operations team receives an alert that an unauthorized user is lurking on the network. They can then immediately initiate the incident response.  WE think this is a great find, but because it was more of a control than a trend the “trendex” on this ended up being a 10, and thus it did not make the top seven list.

Top 22 Trends: 

We actually identified 22 trends for our analysis.  As you may have already surmised, trends were analyzed based on how strong of a trend the topic was, but also how much it pertained to small banks, and whether or not there were direct immediate action items (for a 2018 tactical plan).

You’ve read the top twelve, so here are the remaining ten, as well as the main point we think that kept each trend out of the top twelve, listed here:

1. Social Media Data Integrity Issues (very big trend, but we don’t think it applies to ISOs as much in banks as it does everywhere else).
2. Revisiting Network Segmentation as a Security Strategy (future trend)
3. Eliminate Knowledge-based Authentication (future trend)
4. Lawyers on the Incident Response Team (hopefully no more action items, been on our last several trend lists)
5. Cybersecurity on the Board (duplicate in a way to cyber consultant)
6. Strengthening Authentication Controls (future trend)
7. Outsourcing of Information Security (trend that has died down a bit)
8. Continued Adoption of Security Information Event Management Systems (most banks have already made the action plan)
9. Ability to Kill Financial Fraud Transactions (a control, not a trend)
10. Board Awareness Training (duplicate in a way to cyber consultant)

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex