Musts: Defense in Depth and having more than one plan
Not to be an alarmist, but let’s face it. Your institution is vulnerable and at risk! Almost daily we hear of another data breach. We thought Target was big. Then Home Depot. And then came Sony? It is not just retailers or large entertainment companies; it is now governments. News flash: government-sponsored espionage is not news. (Another meaning for “GSEs.”) Mandiant recently reported on the People’s Republic of China’s cyber espionage unit and the emerging Advanced Persistent Threat scenario in 2013. (Visit their page “APT1: Exposing One of China’s Cyber Espionage Units.”) Here’s the point. Today, cyber attacks may not just focus on high-value targets or public targets. They could be system-wide—and industry-focused.
Banks in the crosshairs
Let’s say the banking system becomes a target. Realistically speaking, could an attack be launched that focused only on financial institutions in a particular area or geography?
The answer is yes.
This approach goes beyond just one bank and can be timed to happen all at once. Given how much our society relies on the internet, a new risk has been brought to the forefront—Virtual Warfare, and we are not talking video games.
This new form of warfare can also include an inside-out scenario, meaning that part of the attack may already be inside your enterprise just waiting for the signal to activate.
Scary yes, Sci-Fi no! The internet and affordable computing technology make this possible and plausible.
You don’t have to be paranoid to ask yourself some very focused questions … and you should be asking them:
- Have you updated your system and logical security to thwart some of these obvious attacks?
- Do you have a defense in depth security plan?
- Is the information stored on your system compartmentalized and encrypted?
- Do you have your encryption keys stored off of the enterprise?
- Do you sweep your system on a regular basis looking for unauthorized software?
- Do you change system administrator credentials frequently?
- Do you monitor the movement of data in and out of your enterprise regardless of the size and the amount of the data moving?
Just because you are a small or community financial institution does not mean you are not a target or at risk. The opposite is true. If you answered no to any of these questions you may already have the enemy within and not know it.
What is a good defense?
The best defense is to not stand still.
Your organization should review your security infrastructure and procedures after every published or known attack. You should expect, as bad as it may sound, that your security will be penetrated at some point in time.
Okay, say they get in. Your data should be encrypted and compartmentalized.
One aspect that makes these attacks so horrific is that once the system has been penetrated, the perpetrator can go everywhere and take everything. A good strategy is to not make it easy for anybody, inside or out.
Furthermore, your monitoring system should be sensitive to constant probing and retries from more than one source, and alert you to shut the attack down.
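One way to alert on retries arriving from more than one source, as an added example that is not part of the original article: the log format, account names, addresses and thresholds below are constructed assumptions. A per-address lockout counter would miss this pattern, because each source stays under its own limit.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from a real system): time, result, account, source address.
SAMPLE_LOG = """\
2014-08-27T02:00:05 FAIL teller01 203.0.113.5
2014-08-27T02:00:40 FAIL jsmith 10.1.4.22
2014-08-27T02:01:10 FAIL teller01 198.51.100.7
2014-08-27T02:01:15 OK jsmith 10.1.4.22
2014-08-27T02:02:30 FAIL teller01 192.0.2.44
2014-08-27T02:04:00 FAIL teller01 203.0.113.5
2014-08-27T02:05:20 FAIL teller01 198.51.100.7
2014-08-27T02:06:45 FAIL teller01 192.0.2.44
2014-08-27T02:30:00 FAIL audit01 203.0.113.5
2014-08-27T03:10:00 FAIL audit01 198.51.100.7
2014-08-27T03:50:00 FAIL audit01 192.0.2.44
"""

def detect_distributed_probing(lines, window=timedelta(minutes=10),
                               min_failures=6, min_sources=3):
    """Alert once per account when failed logins inside one sliding window
    reach min_failures and come from at least min_sources distinct addresses.
    Assumes the lines are already in time order."""
    recent = defaultdict(deque)   # account -> (time, source) failures still in window
    alerted, alerts = set(), []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] != "FAIL":
            continue              # skip blank or malformed lines and successful logins
        when, account, source = datetime.fromisoformat(parts[0]), parts[2], parts[3]
        failures = recent[account]
        failures.append((when, source))
        while when - failures[0][0] > window:
            failures.popleft()    # drop failures that have aged out of the window
        sources = {src for _, src in failures}
        if (account not in alerted and len(failures) >= min_failures
                and len(sources) >= min_sources):
            alerted.add(account)
            alerts.append({"account": account, "time": when,
                           "failures": len(failures), "sources": sorted(sources)})
    return alerts

if __name__ == "__main__":
    for alert in detect_distributed_probing(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, no single address fails more than twice against `teller01`, yet the account is flagged; the `audit01` failures are spread over more than an hour and never share a window.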
Have a VBCP plan!
Ask your institution the question … what if we had to take all of our internet-facing applications offline? How would our customers transact their business?
This could be a real scenario—“not a drill”—and you need to have a plan already in place that could avert a loss of confidence in your institution. Review each internet-based application, from remote deposit capture to mobile banking, and develop a non-internet alternative. Practice it and be ready.
Call it your VBCP! That’s right—a Virtual Business Continuity Plan.
What if the internet goes down altogether? Or at least your bank’s access to it, which amounts to the same thing?
Time-Warner encountered a significant internet service failure in August 2014. Though this service was ultimately restored, the questions remain:
- What if the Internet Service Provider your system relies upon fails? What are you going to do?
- More importantly, don’t you think the internet is already being targeted for disruptive attacks?
Attacks can be very subtle and complex. Your system, too, should emulate the same tactic of monitoring and alerting.
Thanks to the internet and new technology, your institution is open 7 days a week, 24 hours a day, 365 days a year.
And so are the hackers!
Vigilance needs to be virtual too!