Don Smith, director of technology, Dell SecureWorks explores why financial organisations need to consider regular security assessments and how they can determine the best option.

Introduction

As financial organisations face the ever advancing threat of cyber-attacks, security has become vital. The global threats continue to evolve at a rapid pace as the virtual ‘bad guys’ are increasingly thorough. There’s a bigger level of persistence from all attackers, who won’t stop until they find a weak point within an organisation’s armour.

Not only do financial organisations need to ensure they are properly protected, but in highly regulated sectors like finance, it is critical that security meets or exceeds the legal compliance levels set up by national and international Governments. Financial fraud is one of the greatest cyber threats for businesses around the globe. Banks and other payment service providers have a duty to use strict security measures in order to keep sensitive data safe.

Submitting to a security assessment provides organisations with a way to test existing defences and ensure they are as protected as they perceive themselves. There are multiple ways to approach assessment including different areas and levels of testing. Before examining some of the options, it’s important to take a step back and consider what security protection needs to achieve overall.

Approaching security processes

Determining the overall organisational security goal is important and will provide a much clearer idea of what needs to be accomplished with an assessment. Part of this is confirming what information is being protected and what types of attacker the organisation is protecting against. Once a company has an understanding of these elements, they should drill down further to look at what the assessment should achieve, for example:

• Meet compliance
• Mitigate risk
• Improve overall security position
• Evaluate a team’s response capabilities if an organisation suffers a breach

Overall, an assessment should clarify if more security protection measures are needed and highlight how robust a business’ existing security is.

Don’t wait: prepare for sophisticated attacks now

Financial institutions are a high profile and valuable target for attackers in terms of the financial rewards that can be gained from a hack as well as the notoriety they can achieve if they successfully breach a high profile target. Assessment is very important but business leaders shouldn’t wait for the results and should be continuously monitoring security. While waiting for an assessment to take place financial institutions should be doing the basics well. For example, ensuring their staffs are security aware, basic perimeter protections are in place, critical data and associated infrastructure is identified, anti-virus software is up to date and they are conducting a basic level of security monitoring already.

Practicalities of protection

Once an organisation has decided what its overall security goal is, it can start looking at some of the options for assessing current security. There are several methods; what and how many of these to undertake will provide a clear view of what other security measures might need to be implemented. For businesses in the finance sector, compliance has got to be taken into consideration. However, a word of warning: being compliant doesn’t necessarily mean being secured. It’s advisable that organisations keep compliance as a key driver, but actually take a security centric approach. This will ensure that standards are met, but that the most sensitive data and processes are properly secured. There is no one size fits all approach to assessing and implementing security.

In terms of the assessments available, there are several options to consider. Each one looks at a different area of security and in a different level of detail:

Top level assessment
This will provide a base line test of the security a company already has in place and consider if there are any gaps in coverage which mean the business isn’t as secure as it thinks. This assessment will only provide a basic understanding of what’s missing in an organisation’s security. It’s a useful starting point for any financial company who considers itself protected, but it shouldn’t be seen as providing a definitive test of security.

Network scanning and vulnerability assessment
This provides a way for organisations to assess software vulnerabilities that a hacker could exploit. More than 7,600 were exposed in the last year so it can be difficult to keep track of the current and emerging threats to protect against. This assessment should be completed by all financial organisations on a regular, ongoing basis to ensure new vulnerabilities are spotted and eliminated. This option is a way to validate how IT configurations are put together. It should identify critical flaws in network security that an attacker could exploit. It will assess network infrastructure devices, intrusion detection and prevention systems email systems, VPN systems and produce a list of known vulnerabilities. An important point to note is that there are automated options available but these won’t produce accurate results. This is because once the list of vulnerabilities is completed, financial organisations need knowledgeable security professionals to go through the results, determine the accurate ones and eliminate false positives.

Penetration testing
Designed to show how an attacker would gain unauthorised access to a business environment; this can be described as assurance testing. It will validate specific security risks and help meet financial and security compliance requirements. Penetration tests can be extremely thorough. An initial exploration could validate basic IT security steps like patch management. Then, the test can go further into a network, hunting for where a hacker could compromise further once they already have access.

Web application security assessment
This examines all applications used within an organisation. This assessment will apply well known tactics, techniques and procedures used by hackers. Its imperative here that the organisation completing the assessment has up-to-the minute knowledge of the current cyber security landscape. This will ensure that the financial organisation is put through the paces of the most modern attack methods and will be prepared accordingly should it be hit by such an attack in future.

Social engineering
Employees can be an organisation’s best asset but unfortunately they can also be the weakest link in security. This test evaluates employees against non-technical break-in attempts such as phishing emails and personalised threats that are designed to exploit trust and a lack of security awareness.

Red Team Testing
Considered as a full-scope assessment of an entire business, this is as in-depth as a defence test can be. The Red Team are a group of ‘white hat’ hackers, (security experts and ethical hackers) who pose as a cyber attacker and try to infiltrate an organisation’s network. They do this through many different types of attack, sometimes all happening simultaneously. It’s the most realistic way a business can assess its security and also test its ability to detect and respond to attacks as they’re happening.

How to determine the best assessment

As a first step to determine which security assessment is right, a financial organisation should consider what the end security goal is. Those with security in its infancy need to ensure the basics are being done well before considering an assessment. This also applies to organisations while they wait for an assessment to be completed. Most financial companies will find that they want multiple assessments to determine if different security processes are performing as they’re meant to.

The different types of tests can highlight:

• Vulnerabilities that pose a threat to the business and guidance on how to meet compliance obligations.
• What would happen if a hacker actually got inside the organisation and how to stop that happening. Additionally this test helps to meet compliance requirements for some financial security processes.
• Testing web applications including any changes or updates which have been made to an application.
• How easy it is for employees to inadvertently allow a hack to take place. It is possible to build up a picture in employee’s minds as to how to protect themselves personally as well as professionally.
• How a hacker would get into an organisation and what the weakest security link is. This is also how to test the capabilities of the team in charge of protection and response from such an attack.

By having an end goal fixed, it will be easier to choose between the different options for testing. Ultimately, all financial organisations are a target for hackers and therefore they need to be doing their utmost to protect themselves and their customer’s data. Compliance plays an important role, but managers shouldn’t rely on this as providing guaranteed security coverage. By preparing and testing for the worst, financial organisations will have vulnerabilities highlighted and develop a good awareness of what needs to be done to ensure security is the best it can be at all times. A robust assessment will help to prioritise security spend and also ensure better ROI. The importance of keeping up to date with current threats and testing security defences cannot be underestimated in the face of the complex and advancing threat landscape.

Don Smith

Director of Technology, Dell SecureWorks

Dell SecureWorks, Inc.

Don Smith is the technical lead for Dell’s EMEA information security practice. His close ties with Dell SecureWorks’ Counter Threat Unit give him unparalleled visibility into the threat landscape as well as effective countermeasures and protective security strategies. This insight is shared at government conferences and security gatherings around the world.

Don is a leading information security expert with 19 years’ experience working in the IT industry. Originally joining dns in 2005, Don was instrumental in the development of its identity management and managed security services portfolio. With SecureWorks’ acquisition of dns in 2009 Don took responsibility for EMEA security strategy and now continues this role as part of Dell.