Cybersecurity Best Practices in Financial Services

September 2015
CYBERSECURITY
BEST PRACTICES
IN FINANCIAL SERVICES

• Cybersecurity is of increasing importance to organizations in the
financial services industry
• It is not clear how aware the C suite is of their enterprise’s cyber
security programs, awareness of their strategy and tactics
• Cyber attacks pose a great threat to organizations, many of which
may not even know they have been victimized
• These incursions can disrupt business, steal and/or destroy data
• While many firms view cybersecurity as a technology and
compliance issue; in reality it should be viewed as a core business
risk
• It is essential that firms are proactive in their strategies to prevent
cyber attacks.
• This document will describe the current state of best practices for
cybersecurity within global financial services firms.
Cybersecurity Best Practices in Financial Services
Introduction
2

• The highest cybersecurity concerns surround network intrusions,
security breaches, the potential for theft, data corruption and
reputational damage
• Cyber attacks can encompass financial, technical, reputational
and/or regulatory threats
• There is a fine line between enforcing tight information security
controls and providing robust business value
• People are the weakest link in the cybersecurity chain; there is a
need for ongoing cybersecurity awareness and preparedness
training
• Firms should identify and segment the more significant key controls,
based on threat assessments (e.g., DDoS attacks, theft of data, data
corruption).
Background
3

• Have a robust and ongoing cybersecurity test regime
• Cyber testing should be designed around potential and currently
unforeseen cyber incident scenarios
• Conduct penetration testing of enterprise systems and client-facing
systems, with penetration from both an external basis and an
internal basis
• Testing frameworks should be based on access to threat intelligence
and staff involvement in scope and testing.
Background (Cont’d) …
4

• The persistent threat of cyber attacks makes managing risk a
greater focus than before
• To properly manage risk, firms must be proactive in their efforts to
prepare for potential attack scenarios by not only being ready for
them, but by actively searching for potential breaches and
successfully removing them.
Proactive Cybersecurity
Risk Management
5

• Establish policies and procedures ahead of time, so you are not
improvising, should an attack occur
• Gather intelligence so you can identify high impact alerts and
prioritize what to tackle first
• Position equipment to analyze firewalls and logs to search for
anomalies
• Identify your major concerns, based on the security “CIA”
triumvirate:
– Confidentiality
– Availability
– Integrity
• Build these factors into your policy for protecting core systems
• Periodically conduct proactive scans
• Engage trusted experts to evaluate networks and systems.
Cybersecurity Preparedness
6

1. Keep up with software patches – it doesn’t take long for hackers
to figure out what the hole is that the patch seeks to cover, and
they immediately develop tools to exploit it
2. Keep your online doors closed – many businesses do not know
how many computers they have, and sometimes they do not know
which are online. Computers that end up online when they
shouldn’t be are tempting targets for hackers; the Verizon Data
Breach Investigation Report in 2015 indicated that about 25% of
breaches were as a result of hackers getting in through a machine
that didn’t need to be online.
Key Cybersecurity
Preparedness Areas
7

• People that add machines to the corporate network often do not
understand the security concerns. Many devices have default
passwords that can be found online.
• In other cases, companies have misconfigured anti-hacker
technologies to not watch traffic going in and out of such devices.
• The solution is to ensure that only necessary machines are online
and that they are protected.
3. Encrypt your data – if data is encrypted, there is not a lot that
hackers can do with it. You have to rely on technology rather than
people
4. Eliminate passwords – users hate them, security staff dread
them and hackers love them. Over 25% of breaches analyzed by
Verizon this year could have been stopped if the victimized company
required more than a password to enter its network.
Key Cybersecurity Preparedness Areas (Cont’d) …
8

• Passwords are easy and can be used with any computer. Use of
tokens or biometric devices provides an added layer of protection.
5. Check out your vendors – smaller vendors and suppliers that
have access to corporate networks may not treat cybersecurity with the
same severity and urgency. Carful oversight ad vendor due diligence is
needed.
Key Cybersecurity Preparedness Areas (Cont’d) …
9

1. Make the threat more personal
2. Make the protection more relevant and easy to understand
3. Reduce the number of steps
4. Provide an effective solution
5. Overcome cognitive barriers
How to Increase Protection
Motivation with Staff
10
Source: Wall Street Journal Report on Information Security, April 20, 2015

1. Make the Threat More Personal
– Ask people questions that make the threat hit home (e.g., do
you want to know when someone is spying on you?)
– People are more likely to pay attention if they are prompted to
consider the possibility that their favorite retail outlet is the next
target
How to Increase Protection Motivation (Cont’d) …
11

2. Make the Protection More Relevant and Easy to Understand:
– It is more difficult to deny threats when you can see yourself
being attacked or find out that you cannot depend on safety in
numbers
12

3. Reduce the Number of Steps:
– The less we do to gain security, the more likely we are to do it
– Systems could be designed so that computers do not have to
be plugged in to receive software downloads.
– Companies can reduce the need for users to act by making
antivirus software the default.
13

4. Provide an Effective Solution:
– When a practical solution is offered, we are more likely to
change our behavior
– E.g., the use of biometric readers - digital fingerprints are easy
and foolproof – fingerprints is hard to copy and never change.
14

5. Overcome Cognitive Barriers:
– The biggest barrier to cybersecurity guidelines is remembering
a random sequence of letters, numbers and symbols
– If a new password is difficult to remember, train staff to create
complex passwords they can remember, even if they are not
linked to personal information (e.g., iLove2Sleep247!)
– Pick something that makes you happy, because bundling
something positive with something negative is the best way to
make the negative thing less negative.
15

• Firms should develop a comprehensive testing strategy
• Testing should encompass both penetration testing and vulnerability
testing
• Conduct cybersecurity scenarios with the management team, via
table top “war room” exercises; they are relatively easy and cost-
effective to plan
• Think deviously when designing and planning scenario exercises!
• Penetration testing should be conducted no less than annually,
depending on the enterprise and the prevailing threat environment
• Vulnerability should be based on key controls
• Key control risks should be identified in impact analysis reviews with
the business units
Cybersecurity Testing
and Preparedness
16

• The goal of penetration testing is to FIND vulnerabilities and FAIL.
• If testing illustrates that there are NO vulnerabilities, it could set a
false sense of security that “…we’re okay...”
• Design penetration tests to exploit potential vulnerabilities, tests
should look for users and/or system administrator/procedural
patterns
• Review the results of penetration testing with the senior
management team
• Develop an action plan to rectify issues that were uncovered and
further bolster the infrastructure resilience.
Penetration Testing
17

• Develop an ongoing penetration test strategy – mix it up, don’t
necessarily do the same thing over and over again – the bad guys
don’t!
• Penetration test cycles should be run as long as it takes to break in
(i.e., minutes or hours)
• Tests to access applications and systems could run for days or
weeks
• Do not widely publicize that penetration testing is being conducted
to internal staff (i.e., done on a need to know basis)
• Longer duration tests should be done “off cycle” to look to exploit
key controls, client-facing applications and web-based applications.
Penetration Testing (Cont’d) …
18

• Design vulnerability testing to address and potentially exploit key
controls
• Identify both known (software patches) and unknown (zero day
exploits) vulnerabilities, as well as advanced, persistent threats
• Automate vulnerability testing and scanning; by comparison,
penetration testing is relatively more manual
• Identify the top 5-10 common vulnerability exploits (CVEs) (e.g.,
Microsoft patch day)
• Uncover data changes over both long and short time periods –
subtle changes in data are difficult to detect
• Identify the “kill chain” of events that are associated with an intrusion
• Monitor network controls, patch management, privilege escalation,
containment and risk management processes; they have the biggest
potential for loopholes.
Vulnerability Testing
19

• Conduct a thorough and ongoing review and inventory of all IT
assets
• Conduct ongoing screening of all systems and infrastructure for
potential vulnerabilities and threats
• Virtualize desktops, restrict/eliminate use of external media on
workstations
• Minimize workstation-to-workstation communications
• Enforce network segmentation, use DMZ controls with limitations on
privileges and access rights
• Deploy change management controls for SW/HW/NWs, operational
control structures, admin access rights
Best Practice Areas
20

• Standardize and automate software patch management
• Flat network structures are more vulnerable to threats than tiered
networks
• Conduct vulnerability testing based on key controls
• Conduct iterative and progressive test initiatives
• Cooperate and share information with other firms when a cyber
incident occurs
• Develop an ongoing staff training program on cybersecurity
awareness and preparedness
• Design and conduct table top “war room” scenario planning
exercises with the management teams.
Best Practice Areas (Cont’d) …
21

• The pace of cyber attacks is on the rise, and the bad actors have
become better organized, devious and smarter
• Firms need to be vigilant and proactive in their cybersecurity
preparedness, strategies and tactics
• People will continue to be the weakest links in the chain
• Keep best practices and information security standards relevant, as
long as information security controls can evolve with the changing
nature of cybersecurity threats, vulnerabilities and threats
• There is no “one size fits all” with regards to best practices.
Conclusions
22

Tellefsen and Company, L.LC.
1-212 809 3800
JJR@Tellefsen.com
Cybersecurity and Business
Resilience Advisory Services
23

Cybersecurity Best Practices in Financial Services

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to Cybersecurity Best Practices in Financial Services

Similar to Cybersecurity Best Practices in Financial Services (20)

More from John Rapa

More from John Rapa (9)

Recently uploaded

Recently uploaded (20)

Cybersecurity Best Practices in Financial Services

Editor's Notes