R-7 – The Top Seven Risks – 2018:

Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

When Dan presents audit reports to boards of directors, he also talks to the board about the top risks the institution is facing. Since 2006, Dan has been compiling a list of the “top seven risks small institutions are facing,” in preparation for his board presentations.

This year, we decided to make this list public, with a new annual article, “R-7.”  Let us know if you agree or disagree with the following list:

1 Targeted Attacks:

Targeted attacks, where hackers use applications designed to identify, analyze, and attack American banks, are still a big risk.  They often combine many attack vectors and rely on user mistakes.  While the likelihood rating on this type of attack vector may remain low for smaller community based institutions due to them being “off the radar,” in the event that the bank ends up “on the radar,” the impact is substantial.  And the primary source of trepidation with this vector . . . the targeted nature . . . means that “staying off the radar” is becoming much less likely.  The good news with that is that we have a lot of control over how our employees behave, and we can train our employees, and we can make sure they are not susceptible or that they are less susceptible to those targeted attacks.

2 Customers Are the Target:

Unlike our own user base, we cannot control the actions of our custumers, which is really the second big risk that we face. There are three primary attack vectors for this risk (CATO, PATO, and BEC).  If your institution is in compliance with your state guidance, you are already totally aware of the “Corporate Account Take Over”, which we abbreviate CATO. The corporate attack take over is an attack we see again and again, where organized hacker groups gain control of a computer at one of your commercial accounts and then they use that control to drain the account.  The FFIEC released an entire guidance in 2011 to combat this attack vector, and by now you should have matured your customer awareness training, strong authentication, and detect and response controls.  Since we rely on customers to control the risk, and they often ignore us, we also rely on a solid incident response process to address CATO attacks.  This process usually involves assisting with containment and establishing forensic paper trails.

The good news is that America has finally woke up cybersecurity risks, and commercial accounts are starting to harden their security posture.  The bad news:  organized crime is now gathering intelligence to evolve their CATO business into PATOs or “Personal Account Take Overs.”  Applications are identifying who has the money in America, so that the entire CATO process can be directed towards our retail customers.  Be prepared to start analyzing the costs of offering multifactor authentication to our rich retail customers, if we can not convince them to store their money in accounts that are not “public facing.”  Be prepared to identify those customers, and find ways to target awareness materials to those customers, maybe even adding them to the detect and response processes we have established for ACH and Wire Transfer originations, if possible.  And know your core and internet banking providers are already developing processes to help with that particular element. We’re finding many of our customers have already pulled the trigger on more sophisticated methods of fraud monitoring (and detect and response).

Finally, an attack vector we are seeing much more of these days, but which has been around for a long time.  Once named “the Bossy Scam,” the “Business Email Compromise” attack vector has earned the respect of institutions and their victims alike.  It is an attack on one of your customers’ employees, launched after one of your customers’ executives’ email account has been compromised.  The approach is to compromise an exec’s email account, then use that account to issue transfer instructions.  We believe that this approach may be a result of both serendipitous opportunity taking and targeted attacks.  Remember:  organized crime is populating databases to help them with the identification phase of an attack.  And if a compromised email account turns out to be a boss, especially a CFO-type who from time to time issues monetary transfer orders, the BEC becomes very lucrative.

What we’ve seen again and again is a compromise of the CFO’s personal email account.  The hacker will watch the email stream for a while, figure out who is in charge of transferring the money, and then execute an order to transfer money.  What makes this attack vector work is the use of personal accounts by your executives.  This is obviously a big no-no for banks and credit unions, but we need to make sure our customers’ understand the risk with this.  (Thus, what I’m saying is you need to update your customer awareness materials to discourage the use of personal email accounts.)

3 Sloppy Response:

The incident response age is upon us.  Law firms and insurance companies have joined the traditional audit firms and security consultancies as a wealth of resources . . . assuming you make the time to use them.  To us, the third primary risk small financial institutions will be mitigating in 2018 is the risk of sloppy incident response.  Again, America has finally pulled its head out of the cybersecurity sand, and that means people will be able to spot poor response processes much more readily.  For example, I saw a post on my own Facebook account that read something like this, “I went into my bank today and said I think I got a phishing message and the teller didn’t even know what a phish was.”  More illustrative: on a regular basis our Clients receive kudos from their customers because of the way they handled an incident.  The kudos almost always include, “this was so much better than when _______” sent us a letter.  (The blank is usually filled a local healthcare organization.)

The primary control for this risk is serious, proper, and thorough tabletop testing of your incident response plan.  And the key factor in whether or not these tests produce value:  how many executives (not on the incident response team) participated in the test?

4 Malware’s Great Grandchildren:

The first of three “staple risks” . . . meaning they have never been off Dan’s annual list . . . is the ongoing battle that we face against malware, which is so much more sophisticated than it was in 2006.  Even when we do have solid programs in place . . .  we’ve matured our incident response tests, provided consistent awareness training to all four corners of the organization (board, management user, customer), brought the management team on board, and we’ve even brought the board on board . . . many small institutions will return to the struggle against “malware’s great grandchildren.”  Malware has been in our Top 7 Risks list since we first started compiling them. But now we are getting to a point where malware is so sophisticated, able to attack “data in use” as well as data at rest and data in motion.  As software updating continues to get more complicated, we now need to update our hardware as well.

In 2018, we think smaller institutions will be taking their “patch management programs” to “vulnerability management programs.”  What we mean by this is three-fold:  1) we will create a vulnerability management policy that specifies a risk-based approach towards managing vulnerabilities; 2) we will educate our management teams on our definition as expressed in the policy.  We are working on two articles right now that we hope will assist in this endeavor.  And 3) we will establish vulnerability testing processes so that we can tweak and mature our patch management processes until we get to a point where we NEVER miss critical patches.

NEVER.

5 Users May Will Still Make Mistakes:

Like malware, the fifth risk that we will be mitigating in 2018 has been on our list since we first started compiling it.  It will probably remain a staple forever.  And each year there was a different twist on what needed to happen to mitigate the risk of user errors.

The difference is, last year we crossed out may and inserted will.  “It’s not a matter of if, it’s a matter of when” applies to our users more than any other “control” we maintain.  Even the best of us make mistakes, as evidenced by the fact that in 2017 . . . for the third time in our history . . . the person who hired us to do social engineering tests also failed the social engineering test.  This proves that awareness is not only about education and motivation . . . it’s also about activation.  We must put our users on guard.  KnowBe4 helps with this, and we’re seeing more and more institutions convert their “once per year social engineering test regimen” to “ongoing pretext calls,” monthly phishing tests, and weekly walk-throughs.

But most importantly, we believe small institution ISOs will be reminding their board and management teams that the bank must maintain an environment where people feel comfortable self-reporting.  When the brand new worker makes a mistake and clicks on “that link”, he/she MUST feel comfortable reporting the issue to his/her supervisor.  The culture that the board of directors establishes makes this possible.

6 Compliance Risk:

While there have been no earth-shaking guidance released since fall of 2016, the CAT has been updated and most financial institutions still have a long way to go addressing the parade of nine guidance publications that were released between June 2015 and December 2016.  The solution?  Your auditor should be ensuring your compliance.  If not, you should be rewriting your audit plan.

7 Vendor Risk (and the risk of Sluffing Off):

The final “staple risk” . . . a risk that’s been on our list since we first compiled it . . . is the risk that our Vendors are going to make a mistake that affects our own reputation.  Most smaller institutions finally tackled vendor management within the last couple of years.  But what we’re now seeing, unfortunately, is that institutions who took their vendor management program to the appropriate level did not maintain that level.  With vendor management, we must keep the schedule.  Too often there is the temptation to cut corners.

While we believe there are many economies that can be gained by streamlining the process, if the streamlining is not a deliberative process, and just a result of running out of time, we are going to regret it.  We have thus been counselling our Clients to stay the course, streamline it to be more risk-based, and focus on the vendors who, if there was breach, would not be readily forgiven by our customers.  In other words, leverage the notion that if it’s Microsoft who made the mistake, we’re not going to blame the bank.  But if it’s the local network support provider who makes the mistake, shame on the bank.

So let us know if you think we got this list right this year. Of course there are so many other fires to fight, but we find that by listing the seven main fires, you can use this list to supplement your board and management awareness training. We wish you good luck managing these risks in 2018. It is our intention that sharing this article with your board of directors will help you in this endeavor. And if you feel overwhelmed, please know: we’d love to help!

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

Dan’s New Leaf is a fun blog to inspire thought in the area of IT Governance.”