About Us | Contact Us
View Cart

R7-2022

By Adam Reynolds | Monday, March 21, 2022 - Leave a Comment

Top Seven Risks . . .


that small bank Information Security Officers face in 2022!


R7.infotex.com

Once again, we compile this list in preparation for updating our normal board of directors awareness training presentation and movies and such.  This list is meant for community-based banks but could apply to small businesses.  How this works can be illustrated with our decision to NOT include this new risk:

“Compliance with the FFIEC Architecture, Infrastructure, and Operations Booklet.”

While this is indeed a very important risk we are all thinking about now, this is compliance risk.  And while compliance risk is important, the threats to our information (and our customer’s information by extension) is what can keep us up at night, and what we want to address here.

So, let’s cut to this year’s list:

Users May Will Still Make Mistakes.  The first risk is a combination of two items from previous years; users will still make mistakes and vendors will still make mistakes.  Mistakes are unfortunately a part of life, even for the best of us.  They can happen to our users and our vendor’s users.  It’s how we catch mistakes and respond to them that is important.  Our employees need awareness training to understand and recognize the threat landscape, and we need employees who are not afraid to report their mistakes.  A self-reporting culture is really a necessity these days for true information security, and it’s up to us to ensure our employees feel comfortable reporting mistakes without fear of retribution. For our vendors, as their users our outside our control, there are two important groups of controls that are needed.  The first is vendor due diligence, making sure we know the risks the vendor presents to us and the controls they have in place to protect our information and notify us when there is a problem.  The second group of controls are the ones we implement when responding to a vendor issue, our incident response and business continuity programs.

Supply Chain Cyber Risk. While the supply chain risk in general has increased in likelihood over the past couple years, here we are focusing on supply chain cyber risk.  That is, the threat of software (or even hardware, but that’s outside the scope of this article) from our vendors, or software our vendors are using from their vendors, may be compromised.   Here, a supply chain attack works by targeting a third party with access to an organization’s systems rather than trying to hack the networks directly.  The best example of this is the SolarWinds breach from 2020, where companies such as Cisco, Intel, and Microsoft were affected due to their use of SolarWinds.  Another good example is the Apache Log4j vulnerability from December 2021.  Log4j is a java-based logging utility used in many software applications from vendors such as Fortinet, VMWare, Sophos, and Microsoft.  In these examples, these companies were breach due to third-party software.

Attacks on Your Customers (BEC | CATO | PATO | Ransomware).  This is something everyone reading this should be familiar with.  Whether they are corporate accounts or personal accounts, compromised through email, social engineering, viruses, or ransomware, our customers are being attacked daily.  Just like our users, we need to arm our customers with information on how to identify and react to these threats.  And this not only includes awareness information for our customers, but also the controls we implement to protect them such as multi-factor authentication for logins and additional authentication requirements for high-risk transactions.

Shadow IT (New).  While shadow IT is a new term in the AIO booklet, the threat is not.  We have been referring to this threat as rogue technology acquisition for many years.  It’s the threat of hardware or software being on our network or systems without vetting through the proper channels first.  Most of the time this happens by good meaning individuals trying to accomplish their job as opposed to a malicious insider as discussed below.  We need to ensure that any device connecting to our network, and any software installed on our systems, have gone through the proper due diligence, risk assessments, and controls review so that they will not be exposing us to unknown risk.

Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OS-INT).   As our cyber defenses evolve, so do the attacks themselves.  This will always be a cat-and-mouse game as each side evolves as exemplified by the continuous cycle of vulnerability management.  Our tech team and defenses (patch management, vulnerability management, anti-virus and malware, awareness of threats, etc.) need to stay on top of the ever-evolving threat landscape.

Cloud Deployment (Without Proper Controls).  We are increasingly moving information from our systems into the cloud.  This migration creates unique risks as we rely on our vendors to protect our information and requires specific controls to address.  When we deploy cloud assets, there are unique threats due to many factors, including the fact these resources are made to be accessible to anyone on the internet.  Using cloud resources without implementing proper controls such as enhanced access methods (MFA, IP whitelisting, time or location restrictions, etc.) is an incident waiting to happen.  Finally, as a rhetorical exercise meant to galvanize momentum, we suggest every banker ask themselves, “why have we never required strong passwords on our ATMs?”

Malicious Insider Threat (New).  As an auditor, one thing I find at smaller community-based institutions, and something that sets them apart from their competition, is dedicated employees who genuinely care for their communities and customers.  The malicious insider threat can be a taboo subject because we do trust our employees, that’s why they are working for us.  But trust is not a control and while the likelihood is hopefully very low, the impact can be disastrous and to address this risk we need to be able to properly respond to it.  The concern isn’t whether your employees are trustworthy, it’s whether you are prepared to respond if you ever suspect a possible malicious insider threat.  Making matters (possibly?) easier is the notion that if you are at “Pure Zero Trust” that means you “assume breach” in your security posture.  In other words, you are assuming there is already an insider on your  network.  While this insider may be demonized with the three letters, APT (Advanced Persistent Threat), the APT could be somebody you know.

So, to summarize, the top seven risks community-based banks face in 2022 are:

1) Users May Will Still Make Mistakes (In General)
2) Supply Chain Cyber Risk
3) Attacks on Your Customers (BEC | CATO | PATO | Ransomware)
4) Shadow IT (New)
5) Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OS-INT)
6) Cloud Deployment (without proper controls)
7) Malicious Insider Threat (New)

We have taken this list and created a webinar-movie!


Original article by Adam Reynolds CISSP. Lead Non-Technical Auditor, infotex

Interested in any of infotex’s services? Visit offerings.infotex.com to request information!


same_strip_012513


 

Latest News
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    The joint cybersecurity advisory includes the 15 most exploited vulnerabilities reported in 2021… An article review.  While a lot of attention is focused on previously undisclosed or “zero day” attacks, some of the most likely attack vectors are vulnerabilities that have been widely known for weeks or even months.  That’s according to a new joint […]
    Threats are changing, EDR can help us adapt . . . Today’s advanced persistent threat (APT) understands that the IT landscape has changed. In the post-COVID age, more and more organizations have adopted some form of work from home.  While WFH offers many conveniences, it also imparts increased risks. BitSight conducted a 2021 study of […]
    The Five Precepts of IT Vendor Management Webinar-Movie We’re going back to basics on Vendor Management. This webinar will give you a training tool to help out that new person that is starting to take on the gargantuan task that is Vendor Management.
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]
    You think you’ve finally found stability in your to-do list. Your goals are set, and you’re even making great progress on them all. Audit findings: all addressed. Management requests: Under control. Heck, you might even be able to leave the office five minutes early at least once this year. Then BAM! A press release from […]
    Software Bill of Materials (SBOMs) are becoming more and more important. . . We are all very familiar with one aspect of the software supply chain – updates.  New features, bug fixes, and performance upgrades are a regular occurrence to any device’s lifecycle, however what if these kinds of updates also include deliberately malicious code? […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    According to a new survey, more organizations than ever are reporting problems with cybersecurity staffing… An article review. While pandemic related mandates and restrictions are gradually being lifted across the country, many organizations are still feeling the effects in one important area: staffing.  That’s according to ISACA’s annual State of Cybersecurity survey, which asked over […]
    Understanding Banking Trojans… Another Technical Article by Tanvee Dhir! What are Banking Trojans? A trojan is a malicious program that masquerades as a genuine one. They are often designed to steal sensitive information from users (login passwords, account numbers, financial information, credit card information, etc.). A banking trojan is a malicious computer program designed to […]