Alias:  M-7 2016

Seven trends impacting small bank Information Security Officers!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

Shhh . . . . . I’m sneaking this article in at the
end of February!  Hopefully no one will notice . . .

So Okay. . .

. . . those of you who follow me . . . and I know there are a couple of you out there . . . I can tell by the view count . . . have probably noticed that I have been procrastinating, for the second year in a row, on my annual Magnificent Seven post.

(Okay, I admit, you probably didn’t notice that.)

But when one of my closest friends, who also happens to be a Client, proposed I needed to call my blog series, “Dan’s Even Newer Leaf” because of my recent absence, I realized I better part the waters of my life to find time for my annual Dan’s New Leaf Post, affectionately dubbed “M7,” about the seven trends in bank technology that will impact Information Security Officers.  This is my annual prediction, to help you organize your thoughts for the upcoming year.

One of the biggest trends I’m seeing . . . that I’m sneaking in here because we actually identified 14 this year that we have been struggling to get below 8 . . . is information overload.  If you look in the mirror closely, you will see it spilling out of your ears . . . . that’s information you could not retain because while we predicted a new guidance in our 2015 M-7 article, there were a half dozen new guidance documents published by the FFIEC last year!

So, I could say that my excuse for delaying the release is that I am trying not to contribute to the problem.

But that isn’t true.  Dan’s New Leaf should help us BREAK through the information overload.  Heck, our slogan is “Fight the Noise.”

The real reason I have been procrastinating is because we’ve been struggling to get the list under the fourteen since before Thanksgiving.  And we want to be right this time.  In 2014 our M-7 article was only right with 4 of 7 predictions and, in 2015 we still only hit 4 of 7.  While I realize this is only predicting, I want 5 of 7.  71% is so much better than 57%.  And thus I’m left wondering . . .

Could it be that subconsciously I’ve been hoping that the longer we wait to publish the article, the more right we’ll be about the trends?

Track Record

So, first, let’s review the four of seven we got right last year:

1. The End of Procrastination.  We correctly predicted that Management would start driving cyber-risk management, rather than the IT folks having to drag them kicking and screaming to the table.  We were right!
2. Asset Based Protection:  We predicted that “asset-based” risk management applications would focus our controls on the assets with the most residual risk . . . . mobile security, endpoint protection, host-based IDS.  We are seeing this trend continue.
3. Lawyers Join the Incident Response Team:  We are seeing more and more attorneys recognize the billing potential of information security in general and, incident management more specifically.  And, we are seeing many benefits from this.
4. NIST Cybersecurity Framework will Drive a New Guidance:  The new Cybersecurity Assessment Tool, while not a guidance, was the subject of entire Indiana Bankers’ Association Cybersecurity Conference last year.  Heck, we renamed the conference in its honor!  And . . . . as we predicted . . . . it was based on the NIST Cybersecurity Framework.

Then there was a fifth prediction . . . The Continued Escalation of Breach News . . . where we predicted that the “breach news parade” would continue all through 2015.  And it did.  But the infotex team is debating whether or not to declare that we got this prediction right.  As a part of our prediction, we posited that the EMV chip roll-out was going to cause bad guys to “get while the getting is good,” and we didn’t really see that in 2015.  We still worry that CATOs will turn into ATOs, but we were wrong about the EMV Chip driving that.

What we did see in 2015 was a parade that included hits like the Anthem Breach, Primera, Experian, and of course the Office of Personnel Management.  Yes, it was in 2015 that your regulator lost his or her identity!

(A good run-down of the 2015 breaches, by Sai Ramanan for Forbes Magazine right here.)

So while you could say we got 5 of 7, I still feel like it’s 4 of 7.  If this was an audit, we’d report 4 of 7 as correct and 2 of 7 as incorrect.

What were we incorrect about?  Well, we predicted the adoption of SIEM and while we think that is still to come, it still didn’t take place last year.  It is still early adopter phase, not as much from a development perspective, but definitely an adoption perspective.

Finally, we also predicted that “who gets attacked” will continue to evolve.  Our thinking was that eventually CATO opportunities will dry up but that’s okay because now that the retail and federal government heads are out of the sand, the attackers will go after schools and other “last bastions of insecurity.”  The cusp of this thinking was that CATOs would be replaced with ATOs . . . .and that “in 2015 we may be thinking about adding  ‘Average Daily Balance > X Using Billpay’ to our definition of “high risk customer,” and apply Supplement Controls (Multifactor Authentication, Detect and Respond, and Customer Education) accordingly.  While we still see this as something coming, it didn’t happen in 2015.

Beware: We May Have an Agenda:

When I read people’s trend lists, I always wonder, “which of these is wishful thinking.”  So part of our approach when we brainstorm, analyze the T7, and then reduce what in late 2015 was fourteen trends to the seven we declare as our own predictions, is to be aware of the fact that we may be “hoping” that people will adopt SIEM (because we’ve been selling it since 2005.)

And, of course, beware that we value “aware.”

Why we call this the M-7 Article

The Magnificent Seven is 1960 western based on The Seven Samurai.  In it, a Mexican village is at the mercy of Calvera, the leader of a band of outlaws.  Incapable of standing up to Calvera, the village hired seven American gunslingers to protect them during Calvera’s raids.

Over time, the professional gunmen, played by Yul Brynner, Steve McQueen, Charles Bronson, Robert Vaughn, James Coburn, Brad Dexter, and Horst Buchholz, realized that they would NEVER be able to truly protect all the citizens of the community, unless they taught the villagers to defend themselves.

And so you must always realize, when digesting our M-7, we place a much greater priority on “awareness” than most organizations.  We believe the best defense against cyber attacks is not technology, but education.

The Original Thirteen

This may be a way to hedge our bet, but this year we decided to list the original thirteen “alternative trends for Dan’s M-7 article” that was compiled back in November 2015:

1. The Cybersecurity Assessment Tool of course, and its unintended implications. (Recent study shows 30% of bank breaches in 2015 were do to employee error, not cybersecurity.)

Okay, let’s start over . . . .

1. The updated FFIEC Management Booklet (and IT Governance) http://ithandbook.ffiec.gov/media/210375/managementbooklet2015.pdf
2. The TSP Examination program and the ways it can be used in your own vendor management program.
3. Encryption by bad guys, and thus the need for ssl inspection, edr, and inspection of data in use.
4. Building a SIEM
5. Training Your Incident Response Team
6. Awareness in All Directions . . . . board, technical team, management team, vendor owners, asset owners, customers, vendors . . . and, of course, users.
7. The Return of the Breach News Parade
8. Lawyers join the Incident Response Team
9. EMV Implications
10. On-line Applications, Do-it-Yourself Banking, and Leveraging the Social Media Guidance
11. The Elimination of Passwords
12. The Encryption of Everything (Data at Rest as well as data in motion!)
13. Managed Patch Management, Virtual ISOs, and Outsourcing Information Security

As you can see, even the original thirteen is fourteen strong!

And, as you’ll see, some of the finalists were not even on the above list!

The Magnificent Seven 2016

So we trimmed and cut, and the seven top trends to consider for 2016 are:

1. Awareness In All Directions: Yes, we’re doubling down on our top pick for 2015.  Last year we called this trend “The End of Procrastination.”  We considered calling it “We Become Aware” or “We become aware that we need to be aware.”  I personally liked, “We’ve Woken to the Notion!”   But what this means is that EVERYBODY is becoming aware not only of the threats and vulnerabilities, the likelihoods and impacts, but also the controls.  And most importantly, they are becoming aware that the number one control is THEM.
2. Training Your Incident Response Team:  Since it’s not a matter of if, but of when, let’s “prepare to fail,” as I heard Lee Wetherington put it in the IBA’s Cybersecurity Conference last year.  This will include more formalized agendas, incident response tabletop tests, and yes, even some functional testing!
3. Who gets attacked: We’re doubling down on one that didn’t prove true in 2015.  We still believe that who gets attack will continue to evolve.  Right now the bad guys are focused on the unregulated industries and commercial accounts using ACH and Wire Transfer over the internet (Corporate Account Takeovers.)  I fear that sometime in the near future an attack on K-12 schools will be the buzz of the talking heads.  But as we control this risk, criminals will start to focus more and more on our noncommercial consumers.  We hear reports of pretext calls meant to populate databases that could help attackers sort the rich from the poor.  The controls we’re using on ACH and Wire Transfer may need to be extended to Billpay.  This may or may not completely materialize in 2016, but by the end of the year we could be having discussions about implementing stronger authentication and detect and response for more than those currently identified as our “high risk customers.”  Another way of putting this . . . in 2016 we may be considering adding “Average Daily Balance > X Using Billpay” to our definition of “high risk customer,” and apply Supplement Controls (Multifactor Authentication, Detect and Respond, and Customer Education) accordingly.
4. Adoption of Security Information Event Management Systems:  On June 30th, 2015, if you listened closely, you may have heard cheers coming from your MSSP’s corporate headquarters.  While we’ve always maintained that SIEM (and primarily the event log management components of a typical SIEM) should be considered a basic control.  But we never sold it that way, because we didn’t feel the FFIEC Guidance spelled it out as clearly as we would have wished.  However, the Cybersecurity Assessment Tool has created the compliance need for a SIEM (what infotex has always called ELM).  We think the CAT will now cause auditors, regulators, and examiners to start waking up to the truth that banks are not really watching their event logs, and your MSSP is not correlating network traffic to event logs.
   

   Note:  We may be proved wrong on this yet again.  We developed our first SIEM in 2005, and have been patiently waiting for this trend to actually occur!  Still, in conferences at the end of last year, we all heard both auditors and regulators describe SIEM as a “basic control.”  The NIST Cybersecurity Standard sees it this way as well.

5. Continued Adoption of Do It Yourself Banking:  We believe that on-line applications, mobile banking, the use of social media for traditional banking processes such as applications and problem-solving . . . and all the other forces keeping your customers from entering your branch . . . are only going to continue.  The reason we include it in a list like this is because, as an ISO, you need to help your management realize this.  The additional costs of information security should be offset by the notion that Branchless Banking is no longer a phenomenon, it is the reality of banking.  It’s the branch that is the phenomenon . . . .
6. Lawyers Continue to Join the Incident Response Team:  We are seeing more and more attorneys recognize the billing potential of information security in general and, incident management more specifically.  But this is a good thing.  Most of the risk, once an incident HAS occurred, is legal risk.  And you should consider adding the expense of having your bank’s attorney join your incident response test.  The two-way education in advance of a panic is worth the money.
7. The Encryption of Everything:  We’re sort of combining two trends here.  We believe the implications that bad guys can encrypt is being vetted in the mainstream media.  But while we’ve always been adamant that data in motion should be encrypted, we’re also seeing more and more emphasis on encryption of data at rest.  And not just mobile devices.

So there you have it.  Let’s face it, the community needs a new Magnificent Seven, to teach information security best practices to our employees, partners and customers.  If you haven’t seen the movie, know that the Village eventually wins the battle with Calvera.

I guess that might be where the metaphor breaks down.  I don’t believe there will ever be an ending to the movie, “IT Governance.”

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”