Seven trends impacting Information Security Officers of Small Institutions!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
Welcome to the Magnificent Seven, my annual predictive article, affectionately dubbed “M7,” about the seven trends in bank technology that will impact the Information Security Officers of small banks (under five billion in assets). My intention is to help you organize your thoughts for the upcoming year.
In the past, we spent a lot of words in these articles explaining the concept behind our annual M-7 article, as well as a run-down of how we did last year, a list of all the trends we considered before we reduced them down to the top seven, etc. This year, let us jump directly to the top seven trends:
First, let me explain that we are listing our Top Seven Trends (the M-7) in reverse order, like a David Letterman Top Ten List, on purpose. We use a “Dan Spreadsheet” to determine our top seven, which looks a bit like this:
M-7 Trend #7: Encryption by the Bad Guys: The encryption of everything proved to be a true trend in 2016, and we correctly thought it would continue in 2017 and 2018. But we want to highlight one small part of the trend we successfully predicted for 2016 . . . that the bad guys are delivering negative payloads in encrypted format. It’s a weakness in the very systems we provide, and we are running out of time when it comes to finding viable solutions. Look for the cost of IPS/IDS sensors to increase as “SSL Inspection” becomes a trend. We think, and hope, this will be a “white flag” or maybe a “pop” in our 2018 evaluation of our 2017 predictions. But all the same, we need to start preparation!
We still see this as a major trend, and we still see it pertaining to bank ISOs, but we do not see much action that a bank ISO can take at this time, other than to ask their MSSP when they are going to offer SSL Inspection Technologies, and we think it’s not really time to ask that yet.
M-7 Trend #6: Revisiting Network Segmentation as a Security Strategy: Many small institutions are now talking about how/who/when we would implement more robust forms of network segmentation than we already have in place. While we are not sure if this is warranted in all banks, you may want to start discussing Network Access Control and Mobile Device Management as controls that, when price feasible, should be targets for investment.
The easiest, most robust method of implementation is Network Access Control, which is still a bit pricey for smaller banks and credit unions.
Along with the rise of the Internet of Things (IoT) and other wireless devices, it is more important than ever to segregate these devices into separate networks where varying security controls can be applied based on the inherent risk associated with those devices.
M-7 Trend #5: Incident Response Testing: If you are not already implementing incident response testing, you will be. The CAT requires it, your examiner wants it, but most importantly, we believe it is the #1 control, even more important now than awareness training (though Dan maintains it IS a form of management awareness training).
M-7 Trend #4: Virtual Desktop Infrastructure: This is a new item for 2019, where we return to our origins (thin client) and all the inherent controls that come with it: anti-malware, change management, backup and recovery, and desktop control. The question auditors will have for you as you begin to investigate VDI . . . . What are the security concerns implementing VDI, where does asset risk go up/down?
M-7 Trend #3: Vulnerability Management: This is another item that is new for 2019. We should have seen this coming for 2018; after all, our articles about the trend were published in January. In fact, our first “guest author” article was about Vulnerability Management. If you are still struggling with “patch management findings,” the implementation of Vulnerability Management is so ripe for you! We suggest you start by asking your committee to read our nontechnical article on the subject!
M-7 Trend #2: IoT Inventories: We of course are all starting to worry about IoT vulnerabilities, with a specific nod to the recent WPA2 KRACK vulnerability and how it exposes the difficulty in patching these devices. This trend, which was also in our 2017 and 2018 M7 lists, frightens us because we do not know what the extent of our exposure is. Do our loan officers speak to Siri or Echo when they read account numbers or financial statement information to a phone caller? Are the refrigerators in our customers’ homes connected to our on-line banking system now? Do vacuum robots, security cameras, light bulbs, and garbage cans . . . . all now WiFi enabled . . . affect our known attack surface? Is there even a process for updating or patching the software on these devices when vulnerabilities are discovered? The good news: there is a first step. We think the action item is to inventory your IoT devices . . . what on your network is connecting out to the internet. Hint: if you cannot easily produce a report to answer this question, ask your MSSP.
We anticipate more security standards related to IoT are coming, possibly in the form of guidance, because more and more IoT devices are becoming prevalent. Vendor support is mixed, but higher-end options do provide better update options, with frameworks like Zigbee 3.0, Z-Wave Plus, and Wi-Fi 6 being the newer standards designed with security in mind.
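One way to produce the “what on my network talks to the internet” report that the action item asks for, as an added example that is not part of the original post: it parses constructed firewall flow lines (the log format, the sample addresses and the asset inventory are all assumptions), keeps only internal-to-internet flows, and flags any source address that is missing from the asset inventory.

```python
import re

# Constructed sample firewall log lines (not real traffic); the format is assumed.
SAMPLE_LOG = """\
2019-01-07T08:01:12 ALLOW src=10.10.5.21 dst=52.0.0.10 dport=443 proto=tcp
2019-01-07T08:01:15 ALLOW src=10.10.5.77 dst=198.51.100.9 dport=8883 proto=tcp
2019-01-07T08:02:03 ALLOW src=10.10.5.21 dst=52.0.0.11 dport=443 proto=tcp
2019-01-07T08:02:44 ALLOW src=10.10.5.90 dst=203.0.113.40 dport=123 proto=udp
2019-01-07T08:03:10 ALLOW src=10.10.5.77 dst=198.51.100.9 dport=8883 proto=tcp
2019-01-07T08:03:30 DENY  src=10.10.5.90 dst=203.0.113.41 dport=23 proto=tcp
2019-01-07T08:04:01 ALLOW src=10.10.5.12 dst=10.10.5.1 dport=445 proto=tcp
"""

# Constructed asset inventory: the hosts the ISO already knows about.
KNOWN_ASSETS = {
    "10.10.5.21": "loan-officer-pc-03",
    "10.10.5.12": "file-server-01",
}

RFC1918 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+"
                  r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$")

def parse_line(line):
    """Return the fields of one flow record, or None if the line does not parse."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def outbound_inventory(log_text, known):
    """Group internet-bound flows by internal source; name sources not in inventory UNKNOWN."""
    report = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        # Skip unparsable lines, non-internal sources, and internal-to-internal traffic.
        if not rec or not RFC1918.match(rec["src"]) or RFC1918.match(rec["dst"]):
            continue
        entry = report.setdefault(rec["src"], {"name": known.get(rec["src"], "UNKNOWN"),
                                               "flows": 0, "denied": 0, "dests": set()})
        entry["flows"] += 1
        entry["dests"].add((rec["dst"], int(rec["dport"]), rec["proto"]))
        if rec["action"] == "DENY":
            entry["denied"] += 1
    return report

def unknown_devices(report):
    """Internal addresses that reach the internet but are absent from the asset inventory."""
    return sorted(ip for ip, e in report.items() if e["name"] == "UNKNOWN")

if __name__ == "__main__":
    for ip in unknown_devices(outbound_inventory(SAMPLE_LOG, KNOWN_ASSETS)):
        print("not in inventory but connecting out:", ip)
```

Every address this prints is a candidate IoT device to track down and add to the inventory; denied flows (such as the outbound telnet attempt above) are worth a second look on their own.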
M-7 Trend #1: Circular Nature of Vendor Management: The “subservice provider circular trend” will continue through 2019. This is the phenomenon where the people you’re contracting with for a service are themselves contracting things out.
Many times an entire production environment is provided by a third party, and even though many of those third parties have their own audit reports you can read, it still adds a layer of complexity to knowing where your risk is. Virtualization has made it so cheap and easy to outsource operations that we are only going to see more cases where multiple reports will need to be reviewed to cover one vendor’s services, and you never want to see more complexity when it comes to something like identifying risk.
We anticipate the day when, if we truly follow all sub-service providers of the sub-service providers, we will circle all the way back around to the original company we’re investigating! The Action Item – be sure that vendor management is something you look for in the SOC-2 review!
The Top 12 Trends:
Had we drawn the line at twelve, and not seven: The five trends that did not make it into the top seven list, but were very close:
8. MFA Attacks and How To Mitigate: Now that we have MFA, we need to be aware of how it can be bypassed or thwarted and how we can protect against those attacks. Most banks should already have implemented MFA; however, they may not be aware of how it can be bypassed or otherwise thwarted (SIM swapping, MFA fail open, social engineering mobile carriers). So this trend should really be MFA attacks and how to mitigate.
9. Lawyers on the Incident Response Team: Investigate what it’s going to take to offer 2FA to those who transact a large volume or large amounts using Billpay. Note: this assumes we’re already using true 2FA, at the transaction level, on ACH and Wire Transfer. If not, we should start there!!
10. Pretext Calling, Then Everything Else: Pretext Calling will remain a higher likelihood than Ransomware, Business Email Compromise, and Corporate Account Takeovers, though the impact is usually much lower. If we can only convince those yelling about business email compromise that those capable of defending against pretext calling are much more resilient against ransomware, BEC, and CATO attack vectors!!!
11. The Use of Deception Technologies, Like Pseudo Accounts: Our newest employee, Sofia Tafoya (Sender of Signs), researched trends and found that many organizations are starting to introduce thousands of fake credentials onto an organization’s network, which makes it mathematically impossible for cybercriminals to gain access to a legitimate set of user identities. Once a cybercriminal has used a fake credential generated by deception technologies, the security operations team receives an alert that an unauthorized user is lurking on the network. They can then immediately initiate incident response.
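The alerting half of that deception approach, as an added example that is not part of the original post or of any deception product: it scans constructed sshd-style authentication lines (the log format, host names, addresses and decoy account names are all assumptions) for any use of a seeded decoy account, whether the attempt succeeded or failed, and groups the hits by source address for the security operations team.

```python
import re

# Constructed sample authentication log lines (syslog/sshd style assumed, not real).
AUTH_LOG = """\
Jan 07 09:12:01 dc01 sshd[411]: Failed password for jsmith from 10.10.5.21 port 50122
Jan 07 09:12:09 dc01 sshd[411]: Accepted password for jsmith from 10.10.5.21 port 50122
Jan 07 09:15:44 dc01 sshd[498]: Failed password for svc_backup_ro from 10.10.5.77 port 40011
Jan 07 09:15:46 dc01 sshd[498]: Failed password for Finance_Admin from 10.10.5.77 port 40012
Jan 07 09:15:50 dc01 sshd[498]: Accepted password for finance_admin from 10.10.5.77 port 40013
"""

# Constructed decoy accounts seeded into the directory. No real user ever owns
# one of these, so any authentication attempt against them is an alert.
DECOY_ACCOUNTS = {"svc_backup_ro", "finance_admin", "vault_owner"}

AUTH = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")

def decoy_alerts(log_text, decoys):
    """Return one alert per source address that touched a decoy account."""
    decoys_lc = {d.lower() for d in decoys}   # usernames are compared case-insensitively
    alerts = {}
    for raw in log_text.splitlines():
        m = AUTH.match(raw)
        if not m or m["user"].lower() not in decoys_lc:
            continue  # unparsable line or a real user: no alert
        a = alerts.setdefault(m["src"], {"first_seen": m["ts"], "attempts": 0,
                                         "accepted": 0, "accounts": set()})
        a["attempts"] += 1
        a["accounts"].add(m["user"].lower())
        if m["result"] == "Accepted":
            a["accepted"] += 1   # a successful decoy login is the strongest signal
    return alerts

if __name__ == "__main__":
    for src, a in decoy_alerts(AUTH_LOG, DECOY_ACCOUNTS).items():
        print(f"ALERT {src}: {a['attempts']} decoy attempts ({a['accepted']} accepted) "
              f"on {sorted(a['accounts'])}, first seen {a['first_seen']}")
```

Feeding the alert into the incident response process is the step the paragraph describes; the legitimate jsmith activity from 10.10.5.21 produces nothing.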
12. Continued Adoption of SIEM: This is our third year of maintaining that the adoption of SIEM is huge. Thanks to the Cybersecurity Assessment Tool, event log management practices are now considered basic controls. The rest of the world is starting to catch up, so lock in on your pricing now . . . we think it may be going up!
Top 29 Trends:
We actually identified 29 trends for our analysis. As you may have already surmised, trends were analyzed based on how strong of a trend the topic was, but also how much it pertained to small banks, and whether or not there were direct immediate action items (for a 2019 tactical plan).
You’ve read the top twelve, so here are the remaining 17, along with the main point we think kept each trend out of the top twelve:
- Internal Monitoring Techniques and Technical Control Reviews
- Advanced Backup Technologies
- Data Integrity on Social Media
- Testing Your SIEM
- Windows OS Retirement
- Employee Risk Assessments
- Awareness In All Directions
- Ability to Kill Financial Fraud Transactions
- Everything 3.0
- Cybersecurity on the Board
- Outsourcing of Information Security
- Equifax Fallout
- Cybersecurity Consultant for the Board
- IoT Sneaks Into Banking
- Strengthening Authentication Controls
- Board Awareness Training
Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex
Dan’s New Leaf is a fun blog to inspire thought in the area of IT Governance.