
The Magnificent Seven – 2016

By Dan Hadaway | Monday, February 29, 2016

Alias:  M-7 2016

Seven trends impacting small bank Information Security Officers!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

Shhh . . . . . I’m sneaking this article in at the
end of February!  Hopefully no one will notice . . .

So Okay. . .

. . . those of you who follow me . . . and I know there are a couple of you out there . . . I can tell by the view count . . . have probably noticed that I have been procrastinating, for the second year in a row, on my annual Magnificent Seven post.

(Okay, I admit, you probably didn’t notice that.)

But when one of my closest friends, who also happens to be a Client, proposed I needed to call my blog series, “Dan’s Even Newer Leaf” because of my recent absence, I realized I better part the waters of my life to find time for my annual Dan’s New Leaf Post, affectionately dubbed “M7,” about the seven trends in bank technology that will impact Information Security Officers.  This is my annual prediction, to help you organize your thoughts for the upcoming year.

One of the biggest trends I’m seeing . . . that I’m sneaking in here because we actually identified 14 this year that we have been struggling to get below 8 . . . is information overload.  If you look in the mirror closely, you will see it spilling out of your ears . . . . that’s information you could not retain because while we predicted a new guidance in our 2015 M-7 article, there were a half dozen new guidance documents published by the FFIEC last year!

So, I could say that my excuse for delaying the release is that I am trying not to contribute to the problem.

But that isn’t true.  Dan’s New Leaf should help us BREAK through the information overload.  Heck, our slogan is “Fight the Noise.”

The real reason I have been procrastinating is because we’ve been struggling to get the list under fourteen since before Thanksgiving.  And we want to be right this time.  In 2014 our M-7 article was only right with 4 of 7 predictions, and in 2015 we still only hit 4 of 7.  While I realize this is only predicting, I want 5 of 7.  71% is so much better than 57%.  And thus I’m left wondering . . .

Could it be that subconsciously I’ve been hoping that the longer we wait to publish the article, the more right we’ll be about the trends?

Track Record

So, first, let’s review the four of seven we got right last year:

  1. The End of Procrastination.  We correctly predicted that Management would start driving cyber-risk management, rather than the IT folks having to drag them kicking and screaming to the table.  We were right!
  2. Asset Based Protection:  We predicted that “asset-based” risk management applications would focus our controls on the assets with the most residual risk . . . . mobile security, endpoint protection, host-based IDS.  We are seeing this trend continue.
  3. Lawyers Join the Incident Response Team:  We are seeing more and more attorneys recognize the billing potential of information security in general, and incident management more specifically.  And we are seeing many benefits from this.
  4. NIST Cybersecurity Framework will Drive a New Guidance:  The new Cybersecurity Assessment Tool, while not a guidance, was the subject of the entire Indiana Bankers’ Association Cybersecurity Conference last year.  Heck, we renamed the conference in its honor!  And . . . . as we predicted . . . . it was based on the NIST Cybersecurity Framework.

Then there was a fifth prediction . . . The Continued Escalation of Breach News . . . where we predicted that the “breach news parade” would continue all through 2015.  And it did.  But the infotex team is debating whether or not to declare that we got this prediction right.  As a part of our prediction, we posited that the EMV chip roll-out was going to cause bad guys to “get while the getting is good,” and we didn’t really see that in 2015.  We still worry that CATOs will turn into ATOs, but we were wrong about the EMV Chip driving that.

What we did see in 2015 was a parade that included hits like the Anthem Breach, Premera, Experian, and of course the Office of Personnel Management.  Yes, it was in 2015 that your regulator lost his or her identity!

(A good run-down of the 2015 breaches, by Sai Ramanan for Forbes Magazine right here.)

So while you could say we got 5 of 7, I still feel like it’s 4 of 7.  If this was an audit, we’d report 4 of 7 as correct and 2 of 7 as incorrect.

What were we incorrect about?  Well, we predicted the adoption of SIEM and, while we think that is still to come, it didn’t take place last year.  It is still in the early-adopter phase, not so much from a development perspective, but definitely from an adoption perspective.

Finally, we also predicted that “who gets attacked” will continue to evolve.  Our thinking was that eventually CATO opportunities will dry up, but that’s okay because now that the retail and federal government heads are out of the sand, the attackers will go after schools and other “last bastions of insecurity.”  The crux of this thinking was that CATOs would be replaced with ATOs . . . . and that “in 2015 we may be thinking about adding ‘Average Daily Balance > X Using Billpay’ to our definition of ‘high risk customer,’ and apply Supplemental Controls (Multifactor Authentication, Detect and Respond, and Customer Education) accordingly.”  While we still see this as something coming, it didn’t happen in 2015.

Beware: We May Have an Agenda:

When I read people’s trend lists, I always wonder, “which of these is wishful thinking?”  So part of our approach when we brainstorm, analyze the T7, and then reduce what in late 2015 was fourteen trends to the seven we declare as our own predictions, is to be aware of the fact that we may be “hoping” that people will adopt SIEM (because we’ve been selling it since 2005).

And, of course, beware that we value “aware.”

Why we call this the M-7 Article

The Magnificent Seven is a 1960 western based on The Seven Samurai.  In it, a Mexican village is at the mercy of Calvera, the leader of a band of outlaws.  Incapable of standing up to Calvera, the village hires seven American gunslingers to protect them during Calvera’s raids.

Over time, the professional gunmen, played by Yul Brynner, Steve McQueen, Charles Bronson, Robert Vaughn, James Coburn, Brad Dexter, and Horst Buchholz, realized that they would NEVER be able to truly protect all the citizens of the community, unless they taught the villagers to defend themselves.

And so you must always realize, when digesting our M-7, we place a much greater priority on “awareness” than most organizations.  We believe the best defense against cyber attacks is not technology, but education.

The Original Thirteen

This may be a way to hedge our bet, but this year we decided to list the original thirteen “alternative trends for Dan’s M-7 article” that was compiled back in November 2015:

  1. The Cybersecurity Assessment Tool of course, and its unintended implications. (A recent study shows 30% of bank breaches in 2015 were due to employee error, not cybersecurity.)

Okay, let’s start over . . . .

  1. The updated FFIEC Management Booklet (and IT Governance) http://ithandbook.ffiec.gov/media/210375/managementbooklet2015.pdf
  2. The TSP Examination program and the ways it can be used in your own vendor management program.
  3. Encryption by bad guys, and thus the need for SSL inspection, EDR, and inspection of data in use.
  4. Building a SIEM
  5. Training Your Incident Response Team
  6. Awareness in All Directions . . . . board, technical team, management team, vendor owners, asset owners, customers, vendors . . . and, of course, users.
  7. The Return of the Breach News Parade
  8. Lawyers join the Incident Response Team
  9. EMV Implications
  10. On-line Applications, Do-it-Yourself Banking, and Leveraging the Social Media Guidance
  11. The Elimination of Passwords
  12. The Encryption of Everything (Data at Rest as well as data in motion!)
  13. Managed Patch Management, Virtual ISOs, and Outsourcing Information Security

As you can see, even the original thirteen is fourteen strong!

And, as you’ll see, some of the finalists were not even on the above list!

The Magnificent Seven 2016

So we trimmed and cut, and the seven top trends to consider for 2016 are:

  1. Awareness In All Directions: Yes, we’re doubling down on our top pick for 2015.  Last year we called this trend “The End of Procrastination.”  We considered calling it “We Become Aware” or “We become aware that we need to be aware.”  I personally liked, “We’ve Woken to the Notion!”   But what this means is that EVERYBODY is becoming aware not only of the threats and vulnerabilities, the likelihoods and impacts, but also the controls.  And most importantly, they are becoming aware that the number one control is THEM.
  2. Training Your Incident Response Team:  Since it’s not a matter of if, but of when, let’s “prepare to fail,” as I heard Lee Wetherington put it in the IBA’s Cybersecurity Conference last year.  This will include more formalized agendas, incident response tabletop tests, and yes, even some functional testing!
  3. Who gets attacked: We’re doubling down on one that didn’t prove true in 2015.  We still believe that who gets attacked will continue to evolve.  Right now the bad guys are focused on the unregulated industries and commercial accounts using ACH and Wire Transfer over the internet (Corporate Account Takeovers).  I fear that sometime in the near future an attack on K-12 schools will be the buzz of the talking heads.  But as we control this risk, criminals will start to focus more and more on our noncommercial consumers.  We hear reports of pretext calls meant to populate databases that could help attackers sort the rich from the poor.  The controls we’re using on ACH and Wire Transfer may need to be extended to Billpay.  This may or may not completely materialize in 2016, but by the end of the year we could be having discussions about implementing stronger authentication and detect and respond for more than those currently identified as our “high risk customers.”  Another way of putting this . . . in 2016 we may be considering adding “Average Daily Balance > X Using Billpay” to our definition of “high risk customer,” and applying Supplemental Controls (Multifactor Authentication, Detect and Respond, and Customer Education) accordingly.
  4. Adoption of Security Information Event Management Systems:  On June 30th, 2015, if you listened closely, you may have heard cheers coming from your MSSP’s corporate headquarters.  While we’ve always maintained that SIEM (and primarily the event log management components of a typical SIEM) should be considered a basic control, we never sold it that way, because we didn’t feel the FFIEC Guidance spelled it out as clearly as we would have wished.  However, the Cybersecurity Assessment Tool has created the compliance need for a SIEM (what infotex has always called ELM).  We think the CAT will now cause auditors, regulators, and examiners to start waking up to the truth that banks are not really watching their event logs, and your MSSP is not correlating network traffic to event logs.

    Note:  We may be proved wrong on this yet again.  We developed our first SIEM in 2005, and have been patiently waiting for this trend to actually occur!  Still, in conferences at the end of last year, we all heard both auditors and regulators describe SIEM as a “basic control.”  The NIST Cybersecurity Standard sees it this way as well.

  5. Continued Adoption of Do It Yourself Banking:  We believe that on-line applications, mobile banking, the use of social media for traditional banking processes such as applications and problem-solving . . . and all the other forces keeping your customers from entering your branch . . . are only going to continue.  The reason we include it in a list like this is because, as an ISO, you need to help your management realize this.  The additional costs of information security should be offset by the notion that Branchless Banking is no longer a phenomenon, it is the reality of banking.  It’s the branch that is the phenomenon . . . .
  6. Lawyers Continue to Join the Incident Response Team:  We are seeing more and more attorneys recognize the billing potential of information security in general, and incident management more specifically.  But this is a good thing.  Most of the risk, once an incident HAS occurred, is legal risk.  And you should consider adding the expense of having your bank’s attorney join your incident response test.  The two-way education in advance of a panic is worth the money.
  7. The Encryption of Everything:  We’re sort of combining two trends here.  We believe the implications of the fact that bad guys can encrypt are being vetted in the mainstream media.  But while we’ve always been adamant that data in motion should be encrypted, we’re also seeing more and more emphasis on encryption of data at rest.  And not just on mobile devices.

So there you have it.  Let’s face it, the community needs a new Magnificent Seven, to teach information security best practices to our employees, partners and customers.  If you haven’t seen the movie, know that the Village eventually wins the battle with Calvera.

I guess that might be where the metaphor breaks down.  I don’t believe there will ever be an ending to the movie, “IT Governance.”

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

