Why sustainable cyber resilience matters in the financial sector
Author: Dirk Schrader, CISSP, CISM, and CMO at Greenbone Networks
Banks, alongside the stock market and other financial companies, are all critical elements of the UK’s infrastructure. Without them, the country’s economy simply could not operate. As such, they represent particularly attractive targets for hackers.
To ensure appropriate security, it is no longer enough for these companies to take reactive measures against cybercriminals. Instead, they must strive to achieve a state of ‘sustainable resilience’ – a comprehensive concept that is more strategic than technological, going a step further than traditional IT security deployments.
Financial institutions are critical to national security
The UK Government splits the nation’s critical infrastructure into 13 separate sectors. One of these is the financial and insurance sector. This includes banks, stock markets, insurance companies, and other financial service providers, most notably the high number of fintech specialists that are springing up, particularly in London.
All these institutions play an important role in modern society. Without a functioning payment system, trade would be paralyzed. Basics requirements such as buying food or paying salaries would be impossible. The repercussions for individuals, organisations and the Government are perhaps too enormous to even contemplate.
For cybercriminals, companies in this sector are attractive targets because hackers can obtain money directly without the rigmarole of having to fence stolen goods. It is little surprise that this industry, at least according to research from Dimension Data, suffers more attacks than any other sector.
There are many examples of attacks aimed at the financial sector’s critical infrastructure.
In 2014, hackers targeted JP Morgan, stealing data relating to more than 76 million private customers, and seven million businesses.
Meanwhile, in February 2016, criminals stole 81 million US Dollars in an audacious robbery when they successfully hacked the SWIFT system of the central bank in Bangladesh. A similar heist occurred two years later when the Indian City Union Bank noticed that its systems had been hacked and 1.5 million Euros had been transferred to international banks without authorisation.
Even more famously, hackers penetrated the systems of America’s largest credit bureau, Equifax, in 2017, stealing the data – including credit card and social security numbers – of 143 million US citizens. For this attack, hackers took advantage of a security vulnerability in the open source framework Apache Struts, which formed part of Equifax’s IT infrastructure. This was a known vulnerability, which had been discovered two months previously.
Unfortunately, Equifax had not installed the patch that had been issued to close this vulnerability. Indeed, a recent US Senate report identified several gaps in Equifax’s security architecture, singling out the company as an example of how negligence and ignorance diminish a company’s cyber security posture, not to mention undermine any approach to resilience (if such an approach even existed).
The finance sector’s challenges
The use of digital processes and automated workflows is common place in modern financial institutions. While efficient, these procedures make companies digitally vulnerable.
Hackers have several routes into their networks. These include office and email systems, company networks and databases, accounting systems and their upstream applications, control applications, risk management systems, payment systems and trading systems. Customer interfaces, such as user portals, apps, and cash machines are also in their sights.
To achieve a state of sustainable cyber resilience, companies in the financial sector must consider the complete range of networked systems, equipment, and applications.
The pressure to go digital – caused by both rising customer expectations and competition from fintechs – is forcing banks and insurance companies into unknown territory and at a pace that might be faster than they are comfortable with. In the past, they only had to secure the IT within their own companies; now they are faced with new risks from mobile devices, apps and web applications that are vulnerable in many different ways.
In addition, banks and insurance companies often outsource IT services such as software development to external providers. This pool of third parties is shrinking in size, yet if the same developers work for many banks, programming errors or security gaps can spread faster throughout the entire banking sector.
These challenges become harder still because the financial sector must also fulfill numerous national and international regulations. These rules specify requirements for IT security and risk management. This makes it even tougher to develop comprehensive security and resilience.
Vulnerability management: a key component of sustainable resilience
Resilience is a continuous process. It strengthens a company’s abilities to resist attacks and enables it to continue to function if – or more accurately, when – an incident takes place. To achieve this, it is important to reduce the size of the target. This means identifying and eradicating vulnerabilities that hackers could – and most likely will – take advantage of. Ultimately, it means being one step ahead of the criminals.
Effective vulnerability management consists of a number of steps, many of which are automated. These include
Step 1: preparation
The first step is to create the context for IT security policies, risk assessment, company processes and company-critical systems. What needs protection, how and how intensively? How much risk is acceptable? This information will help IT teams decide how to configure their solutions in order to bolster resilience and ensure regulatory compliance.
Step 2: identification
The next step is to analyse the current situation. A vulnerability scan determines any weak points in the infrastructure and where they differ from the new configuration specifications. Access to an up-to-date vulnerability database is a fundamental requirement. Any outdated information will leave systems vulnerable to the latest attacks.
Step 3: classification
Once the current situation has been assessed, the information gathered should be split up based on different criteria, which the company can define individually – for example, the physical location of a system, the department that it belongs to, the network segment it is located in, and the function that it fulfills in the company.
Step 4: prioritisation
Once classified, it is time to prioritise which vulnerabilities are most important and which should be tackled first.
Step 5: remediation
This is the process of eliminating the vulnerability. The procedure should specify who is notified once a vulnerability is discovered, how quickly they should be notified, who is responsible for any next steps, and what those steps should be.
Step 6: store and learn
Finally, it is important to store key information, such as when a vulnerability was first detected, when it was reported, and how long it took to rectify. This helps in the analysis of security incidents and provides evidence that the process complies with company processes, sector-wide regulations as well as UK and EU law. This audit trail can be interrogated to identify how the policies can fine-tuned or tightened, after all, vulnerability management should be a dynamic – rather than static – process.
Vulnerability management’s role in a wider resilience plan
Vulnerability management is an important way of achieving sustainable cyber resilience. However, it is just one element in a comprehensive overall architecture. For sustainable cyber security and resilience, many other factors must be considered, all of which must mesh together.
In addition to safeguarding the systems against hackers, financial institutions must not forget physical security. Organisational measures also play an important role. Companies must define and document exactly what security processes should look like, as well as who has responsibility for carrying out necessary tasks. Nor should organisations forget the human factor. Training and raising awareness of risks remain important prevention measures.
That said, a robust process for identifying, managing and eradicating vulnerabilities in financial institution IT systems represents a substantial step forward in the quest to build a sustainable and resilient infrastructure capable of underpinning the nation’s economy.