Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
When Dan presents audit reports to boards of directors, he also talks to the board about the top risks the institution is facing. Since 2006, Dan has been compiling a list of the “top seven risks small institutions are facing,” in preparation for his board presentations.
This year, we decided to make this list public, with the second iteration of what we now want to be an annual article, “R-7.” Let us know if you agree or disagree with the following list:
1. Microsoft’s Next Denial Of Service:
(New) We have all bought into the notion that, in the 21st century, software is not only delivered broken, but its publisher can also announce when it will refuse to keep fixing its broken software. For Windows 7 and Windows Server 2008, Microsoft has made its “sunset announcement,” and . . . based on previous experience . . . we believe banks everywhere will be dealing with it in 2019. Your bank will be spending money on this soon. Vendors will need to be policed. Users will need to learn new operating systems. Complaining will be rampant. Audits will have findings.
But we’ll all be safer (including Microsoft).
2. Targeted Attacks:
(Number One in 2018) The risk of targeted attacks, where hackers use applications designed to identify, analyze, and attack American banks, was our number one risk last year and is still near the top of the list in 2019. Cyber criminals often combine many attack vectors and rely on user mistakes. While the likelihood rating on this type of attack vector may remain low for smaller community-based institutions due to them being “off the radar,” in the event that the bank ends up “on the radar,” the impact is substantial. And the primary source of trepidation with this vector . . . the targeted nature . . . means that “staying off the radar” is becoming much less likely. The good news with that is that we have a lot of control over how our employees behave, we can train our employees, and we can make sure they are not susceptible–or that they are less susceptible–to those targeted attacks.
3. Malware’s Great Grandchildren:
(Number 4 in 2018) The first of three “staple risks” . . . meaning they have never been off our annual list since 2006 (the other two are vendors and users) . . . is the ongoing battle against malware, which is so much more sophisticated than it was in 2006. Even institutions with solid programs in place . . . matured incident response tests, consistent awareness training to all four corners of the organization (board, management, users, customers), a management team on board, even a board on board . . . will return to the struggle against “malware’s great grandchildren.” Malware has been in our Top 7 Risks list since we first started compiling it. But now we are getting to a point where malware is very sophisticated, able to attack “data in use” as well as data at rest and data in motion. As software updating continues to get more complicated, we now need to update our hardware as well.
In 2019, we think smaller institutions will continue turning their “patch management programs” into “vulnerability management programs.” What we mean by this is three-fold: 1) We will create a vulnerability management policy that specifies a risk-based approach towards managing vulnerabilities; 2) We will educate our management teams on our definition as expressed in the policy (we are working on two articles right now that we hope will assist in this endeavor); and 3) We will establish vulnerability testing processes so that we can tweak and mature our patch management processes until we get to a point where we NEVER miss critical patches.
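To make the “risk-based approach” in step 1 and the “never miss critical patches” goal in step 3 concrete, here is an added example (not infotex’s code and not part of the original article): a small triage routine that combines scanner severity, exploit availability and asset value into a rating, derives a remediation deadline from the rating, and reports any critical finding that has slipped past its window. The remediation windows, asset tiers, host names and finding references are assumed or constructed values; replace them with the ones in your own vulnerability management policy.

```python
"""Added example: risk-based vulnerability triage with remediation deadlines.
Constructed sample data and assumed policy values, not infotex's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

RATINGS = ["low", "medium", "high", "critical"]

# Assumed remediation windows in days per rating; take these from your policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    host: str
    ref: str             # scanner/advisory reference (placeholder values below)
    cvss: float          # base score as reported by the scanner
    exploit_known: bool  # public exploit or active exploitation reported
    asset_tier: str      # "critical" (core, internet banking), "internal", "low"
    discovered: date


def base_rating(cvss: float) -> str:
    """Severity bands taken from the CVSS base score alone."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_rating(f: Finding) -> str:
    """Severity alone is not the policy: escalate one step for a known
    exploit and one step for a critical asset, capped at 'critical'."""
    idx = RATINGS.index(base_rating(f.cvss))
    idx += int(f.exploit_known) + int(f.asset_tier == "critical")
    return RATINGS[min(idx, len(RATINGS) - 1)]


def due_date(f: Finding) -> date:
    """Deadline = discovery date + the window for the finding's rating."""
    return f.discovered + timedelta(days=SLA_DAYS[risk_rating(f)])


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Every finding whose deadline has passed, regardless of rating."""
    return [f for f in findings if today > due_date(f)]


def missed_critical(findings: List[Finding], today: date) -> List[str]:
    """Hosts with a critical finding past its window: the number the
    policy says must stay at zero."""
    return [f.host for f in overdue(findings, today)
            if risk_rating(f) == "critical"]


# Constructed sample scan output (hostnames and references are placeholders).
TODAY = date(2019, 3, 1)
SAMPLE = [
    Finding("core-db-01", "VULN-0001", 9.8, True, "critical", date(2019, 2, 10)),
    Finding("teller-ws-07", "VULN-0002", 7.5, False, "internal", date(2019, 2, 20)),
    Finding("ibank-web-01", "VULN-0003", 6.5, True, "critical", date(2019, 1, 15)),
    Finding("print-srv-02", "VULN-0004", 3.1, False, "low", date(2018, 12, 1)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.host:14} {risk_rating(f):8} due {due_date(f)}")
    print("missed critical:", missed_critical(SAMPLE, TODAY))
```

Note that the medium-severity finding on the internet banking host is rated critical once exploit availability and asset tier are applied; that escalation is the difference between a patch management program that sorts by CVSS and a vulnerability management program that sorts by risk.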
4. Vendors and Users May WILL Still Make Mistakes:
(Numbers 5 and 7 in 2018) Like malware, the fourth risk that we will be mitigating in 2019 has been on our list since we first started compiling it. This year we changed it slightly, by combining the two “staples” . . . user and vendor risk. (Let’s face it, they will probably ALWAYS be on the list, and we should not remove them from the list. But we can at least combine them!)
They will probably remain staples forever. And each year there is a different twist on what needs to happen to mitigate the risk of vendor and user errors.
For users: “It’s not a matter of if, it’s a matter of when” applies to our users more than any other “control” we maintain. Even the best of us make mistakes, as evidenced by the fact that in 2017 . . . for the third time in our history . . . the person who hired us to do social engineering tests also failed the social engineering test. This proves that awareness is not only about education and motivation . . . it’s also about activation. We must put our users on guard. KnowBe4 helps with this, and we’re seeing more and more institutions convert their “once per year social engineering test regimen” to “ongoing pretext calls,” monthly phishing tests, and weekly walk-throughs.
But most importantly, we believe small institution ISOs will be reminding their board and management teams that the bank must maintain an environment where people feel comfortable self-reporting. When the brand new worker makes a mistake and clicks on “that link”, they MUST feel comfortable reporting the issue to their supervisor. The culture that the board of directors establishes makes this possible.
For vendors: We must continue to do our due diligence, for legal and reputational reasons. We always want to be able to say “we did everything we were required to do.” That’s true, even if it does take forever!!
5. Sloppy Response:
(Number 3 in 2018) The incident response age is upon us. Law firms and insurance companies have joined the traditional audit firms and security consultancies as a wealth of resources . . . assuming you make the time to use them. To us, the fifth primary risk small financial institutions will be mitigating in 2019 is the risk of sloppy incident response. Again, America has finally pulled its head out of the cybersecurity sand, and that means people will be able to spot poor response processes much more readily. For example, I saw a post on my own Facebook account that read something like this, “I went into my bank today and said I think I got a phishing message and the teller didn’t even know what a phish was.” More illustrative: on a regular basis our Clients receive kudos from their customers because of the way they handled an incident. The kudos almost always include, “this was so much better than when _______” sent us a letter. (The blank is usually filled by a local healthcare organization.)
The primary control for this risk is serious, proper, and thorough tabletop testing of your incident response plan. And the key factor in whether or not these tests produce value: how many executives (not on the incident response team) participated in the test?
6. Customers Are the Target:
(Down from #2 in 2018) Unlike our own user base, we cannot control the actions of our customers. There are three primary attack vectors for this risk (CATO, PATO, and BEC). If your institution is in compliance with your state guidance, you are already totally aware of the “Corporate Account Take Over”, which we abbreviate CATO. The corporate account take over is an attack we see again and again, where organized hacker groups gain control of a computer at one of your commercial accounts and then use that control to drain the account. The FFIEC released an entire guidance in 2011 to combat this attack vector, and by now you should have matured your customer awareness training, strong authentication, and detect and response controls. Since we rely on customers to control the risk, and they often ignore us, we also rely on a solid incident response process to address CATO attacks. This process usually involves assisting with containment and establishing forensic paper trails.
The good news is that America has finally woken up to cybersecurity risks, and commercial accounts are starting to harden their security posture. The bad news: organized crime is now gathering intelligence to evolve their CATO business into PATOs or “Personal Account Take Overs.” Applications are identifying who has the money in America, so that the entire CATO process can be directed towards our retail customers. Be prepared to start analyzing the costs of offering multifactor authentication to our rich retail customers, if we cannot convince them to store their money in accounts that are not “public facing.” Be prepared to identify those customers and find ways to target awareness materials to those customers, maybe even adding them to the detect and response processes we have established for ACH and Wire Transfer originations, if possible. And know your core and internet banking providers are already developing processes to help with that particular element. We’re finding many of our customers have already pulled the trigger on more sophisticated methods of fraud monitoring (and detect and response).
Finally, an attack vector we are seeing much more of these days, but which has been around for a long time. Once named “the Bossy Scam,” the “Business Email Compromise” attack vector has earned the respect of institutions and their victims alike. It is an attack on one of your customers’ employees, launched after one of your customers’ executives’ email account has been compromised. The approach is to compromise an exec’s email account, then use that account to issue transfer instructions. We believe that this approach may be a result of both serendipitous opportunity taking and targeted attacks. Remember: organized crime is populating databases to help them with the identification phase of an attack. And if a compromised email account turns out to be a boss, especially a CFO-type who from time to time issues monetary transfer orders, the BEC becomes very lucrative.
What we’ve seen again and again is a compromise of the CFO’s personal email account. The hacker will watch the email stream for a while, figure out who is in charge of transferring the money, and then execute an order to transfer money. What makes this attack vector work is the use of personal accounts by your executives. This is obviously a big no-no for banks and credit unions, but we need to make sure our customers understand the risk with this. (Thus, what I’m saying is you need to update your customer awareness materials to discourage the use of personal email accounts.)
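The BEC pattern described above has two features an institution can screen for on its own side before acting on an emailed transfer order: the instruction arrives from a personal mail domain, and the sending address is not one the customer has placed on file for originating transfers. The following is an added example, not infotex’s code and not part of the original article, of such a screen over constructed messages; the personal-domain list, the customer profile and the addresses are assumptions. A non-empty result means hold the order and verify through the callback procedure already established for ACH and wire originations.

```python
"""Added example: screening emailed transfer instructions for the BEC pattern
(personal/executive mailbox issuing wire orders). Constructed data; not
infotex's code."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed list of consumer (personal) mail providers.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Words that make a message read as a funds-transfer instruction.
TRANSFER_RE = re.compile(r"\b(wire|ach|transfer|remit|payment)\b", re.IGNORECASE)

# Constructed customer profile: the corporate domain on file and the exact
# addresses of the people authorized to originate transfers.
CUSTOMER_PROFILE = {
    "domain": "acme-widgets.example",
    "authorized": {"cfo@acme-widgets.example", "controller@acme-widgets.example"},
}


def screen_transfer_request(raw_msg: str, profile: dict) -> List[str]:
    """Return the reasons this message must be held for out-of-band (callback)
    verification before any transfer is executed. An empty list means the
    automated checks found nothing; it is not an instruction to execute."""
    msg = message_from_string(raw_msg)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + msg.get_payload()

    flags: List[str] = []
    if not TRANSFER_RE.search(text):
        return flags  # not a transfer instruction; nothing to screen
    if domain in PERSONAL_DOMAINS:
        flags.append("sender uses a personal mail domain")
    if addr not in profile["authorized"]:
        flags.append("sender not on the customer's authorized-originator list")
    return flags


# Constructed messages (addresses and amounts are placeholders).
MSG_PERSONAL = """From: Pat Lee <pat.lee.cfo@gmail.com>
To: ops@firstbank.example
Subject: Wire today

Please wire $48,000 to the attached vendor account before close of business.
"""

MSG_CORPORATE = """From: Pat Lee <cfo@acme-widgets.example>
To: ops@firstbank.example
Subject: Wire request

Please process the wire per the signed form.
"""

MSG_CHAT = """From: Pat Lee <pat.lee.cfo@gmail.com>
To: ops@firstbank.example
Subject: Lunch next week

Are you free Tuesday?
"""

if __name__ == "__main__":
    for name, m in [("personal", MSG_PERSONAL), ("corporate", MSG_CORPORATE),
                    ("chat", MSG_CHAT)]:
        print(name, "->", screen_transfer_request(m, CUSTOMER_PROFILE) or "no flags")
```

The first message is the scenario from the article: the CFO’s real personal mailbox, now under someone else’s control, issuing a wire order. It is flagged twice, and both flags come from data the institution already holds (a provider list and the addresses on file), not from anything the customer has to do.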
7. Pretext Calling as an Attack Vector:
(New) You have probably been pretext called while reading this article, so high is the likelihood. But this is really the “nosy neighbor / divorcee” vector that many community banks have nervously tolerated. Some of you may have discounted the impact of this vector. Forget our opinion that this drip-drip-drip of irritated customers (because we just gave their account balance to somebody besides them) destroys our reputation over time.
Forget the irony that we must, by law, protect dead-beat dads. Instead, consider that crime syndicates recognize the 2FA on commercial cash management systems, and thus want to go for your BillPay customers. How do you think they are going to determine who to target?
So . . . let us know if you think we got this list right this year. Of course there are so many other fires to fight, but we find that by listing the seven main fires, you can use this list to supplement your board and management awareness training. We wish you good luck managing these risks in 2019. It is our intention that sharing this article with your board of directors will help you in this endeavor. And if you feel overwhelmed, please know: we’d love to help!
Original article by Dan Hadaway, CRISC, CISA, CISM, Founder and Managing Partner, infotex
Dan’s New Leaf is a fun blog to inspire thought in the area of IT Governance.