SECURING FINANCE AND INSURANCE ORGANISATIONS – WHY THERE’S NO SILVER BULLET
Leon Ward, Director, Product Management, Sourcefire
Banks, brokerage firms, and insurance companies are all intent on enhancing customer experience, while ensuring confidence and trust, improving productivity, and protecting private and sensitive information.
Like all organisations, however, the finance and insurance industries are under constant threat from cyber security attacks, which are jeopardising their ability to provide the upmost protection for customers.
The primary motivation of these attackers is money; whether targeting it directly via your identity (by accessing internal accounts and applications), or indirectly through ‘downstream fraud'; data exfiltration of transactions. As these industries are seen as high-value targets, they attract significantly more direct and tenacious criminal attention than other sectors.
Attacks can range from bank specific malware, advanced persistent threats, zero-days, targeted attacks, to emerging tactics such as the Man-in-the-Browser attacks, viruses, Trojans, Distributed Denial of Service attacks, worms and phishing. Further, given the nature of the finance and insurance sector – which holds a vast amount of private and sensitive data – the sector faces even greater complexity when protecting information.
In Australia, there are a number of regulations, which provide security guidelines to ensure the protection and integrity of both company and customer. Some of these regulations include:
- Payment Card Industry Data Security Standard (PCI-DSS): this provides an actionable framework for developing a robust payment card data security process – including prevention, detection and appropriate reaction to security incidents.
- ISO/ IEC 15408: an international standard providing assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard and repeatable manner at a level that is commensurate with the target environment for use.
- Control Objectives for Information and Related Technology (COBIT): a business framework for the governance and management of enterprise IT.
- Australian Prudential Regulation Authority (APRA): the prudential regulator of the Australian financial services industry that ensures that that, under all reasonable circumstances, financial promises made by institutions are met within a stable, efficient and competitive financial system.
Even with regulations and compliances in place, however, the sector still continues to fall victim to cyber security attacks. This is not through any fault of its own, but the fact that, unfortunately, there is no silver bullet to security. Even the most security conscious organisations are realising that breaches are no longer a question of ‘if’ nor a question of ‘when’. Now it’s simply a matter of ‘how often the attack happens’. Detection and blocking technologies only address part of the problem at a specific point in time and lack the decisive insight to find, analyse and remediate compromised systems on an ongoing basis.
Outlined below, are five tips to help finance and insurance businesses be better prepared for cyber attacks:
1. Adopt a threat-centric approach to security: Attackers don’t discriminate and will take advantage of any gap in protection to reach their end goal. Rather than relying on disparate ‘silver bullet’ technologies that don’t – and can’t – work together, businesses need solutions that address the extended network. This means protecting endpoints, mobile and virtual environments and sharing intelligence in a continuous fashion that spans the full attack continuum– before, during and after an attack. Look for technologies that go beyond point-in-time detection and blocking to include a continuous capability, always watching and never forgetting, so you can mitigate damage once an attacker gets in.
2. Automate security as much as possible: Manual processes are inadequate to defend against relentless attacks that often employ automated techniques to accelerate and broaden attacks. Businesses need to reduce labour-intensive tasks and streamline security processes. Tools that can intelligently identify and automatically alert only on relevant security events can save security teams hours investigating events that aren’t real threats. In addition, being able to automatically enforce and tune security policies and rules to keep pace with the changing threat landscape and evolving IT environment minimises risk of exposure to the latest threats and vulnerabilities.
3. Leverage retrospective security: Modern threats are able to disguise themselves as safe, pass through defenses unnoticed, remain undetected and later exhibit malicious behaviour. Look for technologies that address this scenario by continuously monitoring files originally deemed “safe” or “unknown” and enabling you to apply retrospective security – the ability to quickly identify scope, track, investigate and remediate if these files are later determined to be malicious.
4. Hone your incident response processes: Security events happen and many organisations don’t have an incident response plan in place. Every organisation should have a designated Incident Response team that is trained to communicate and respond to security events. The team needs to be backed by documented processes and policies. For example, an InfoSec Policy must be put in place to ensure you’re protecting the right data. An Incident Response Runbook with clear step-by-step instructions for the team to follow in the event of an attack, including incident notification and a collaboration call tree, leads to better, swifter and more accurate containment and remediation. Finally, systematic program reviews on a quarterly basis can ensure that your policies, configurations and rules performance are protecting your organisation as needed.
5. Educate users and IT security staff on the latest threats. Educating users so they are wise to these techniques and putting policies in place to restrict user behaviour can go a long way toward preventing these malicious attacks that often rely on relatively simple methods. Organisations must also be committed to keeping their staff highly trained on the current threat landscape. Ongoing professional development with a specific focus on being able to identify an incident, know how to classify it and how to contain and eliminate it will help keep security teams apprised of the latest techniques used by attackers to disguise threats, exfiltrate data and establish beachheads for future attacks.
In a world in which attackers seem to be gaining an advantage, defenders need to fight fire with fire. With the right regulations, compliances and precautions in place, as well as security technologies that enable visibility, automation and intelligence, organisations can help break the attack chain and finally come closer to winning the war against cyber criminals.