Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Business

A holistic view of organisational security

Untitled design 2020 08 14T184458.102 - Global Banking | Finance

By James Ward, Senior Cyber Consultant at MASS

The finance sector is typically more developed than others when it comes to implementing security measures. This is partly due to it being targeted by a diverse range of threat actors who are some of the most advanced, and also because the threat is so great –  even the smallest breach has the potential for significant impact monetarily, or on market reputation, perception or confidence.

Ideally, an organisation’s critical assets should be surrounded by layer upon layer of security measures, all working together so that if one layer is removed or breached, the business’ most valuable assets are not compromised. Too often however, organisations take a siloed approach to security – viewing physical, cyber and personnel security as separate entities, where in fact they are more inter-related than many imagine.

It’s therefore vitally important that security measures are considered holistically and are led and understood by senior management, otherwise gaps for exploitation can be found by intelligent and experienced actors, supported by an ever-growing arsenal of exploitation technology.

Based on the approach MASS takes with public sector and defence organisations, we’ll now consider the security measures which should combine as part of a holistic approach.

Physical security

It might seem obvious, but the first and fundamental consideration should be physical access to a site. For all organisations, this step remains vital – even in the finance industry where physical security principles have long been established.

You should consider the basic question of how an intruder could gain access, starting by reviewing the ‘perimeter’ controls. Indeed, organisations should even question what their perimeter is. With the potential for distributed site facilities, linked remote assets, and supply chain dependencies, this simple question must be answered.

To define where a ‘perimeter’ really lies, the use of scenario-based analysis, threat actor personas, motivations and objectives can be useful. It’s also an invaluable methodology for exposing how an organisation could be exploited.

The physical security stage should also involve a review of physical controls such as fencing, access technology, CCTV coverage etc., including their role in the deterrence and detection of hostile reconnaissance activities. Disrupting the planning cycle of attacks is often overlooked relative to direct prevention of unauthorised access.

That being said, security measures can only be as effective as the people applying them, so an understanding of human behaviours is essential. It’s important to consider how people’s actions affect overall site security and to question why these actions occur.

Simple mistakes like staff wearing security badges in the street could lead to unforeseen issues while poor motivation or effectiveness of roving security staff or those monitoring CCTV may also cause warning signs to be missed, demonstrating that innocent human mistakes could form the seed of future security breaches.

Cyber security

The finance sector’s cyber resilience has advanced considerably, as it’s adapted to threats over the years. But the evolution of the finance industry itself poses new challenges; businesses range considerably in size and new forms of financial transactions provide new opportunities for cyber exploitation. Exploitation toolsets and associated managed services are now more readily available at a lower cost, reducing the financial and technical barriers to advanced cyber-attacks.

The levels of cyber security in the financial sector must be retained, taken to a new level, and existing assumptions continually challenged.

For example, penetration testing regimes are a vital tool in mitigating network cyber risk (including ‘CBEST’ which has been widely rolled out across the finance sector) but have limitations given they are just a snapshot in time. They offer us a valuable depth of analysis within a network but can be constrained in breadth of scope and potentially leave vulnerability blind spots. Very frequent, lighter-touch cyber assessments can fill this gap as they offer a more dynamic view of ongoing vulnerabilities over a wider proportion of the estate, which could represent ‘low hanging fruit’ for the cyber actor. Assessments can be enhanced by applying modern threat intelligence techniques to rapidly identify existing compromises and potential weaknesses (including personnel and corporate digital footprint). This establishes a picture of cyber posture and vulnerabilities before any testing taking place.

End-user device security is also often viewed in terms of its encryption strength, keys etc. Modern methods of fault injection attack (a device’s response to artificially applied ‘fault conditions’ used to derive security credentials), though are able to bypass these assumed security measures, whereas it would take decades to ‘crack’ using more traditional computer power. This means it becomes important to test a device’s vulnerability to fault injection, rather than falling back on the old assumptions for protection.

To take a holistic view, it’s also important to examine the wider supply chain. The finance sector relies heavily on a network of suppliers of digital telecommunications and energy services, and when a network this complex is interconnected, it’s challenging to pinpoint cyber resilience risks. However, identifying ‘hot-spot’ concentrations of dependencies that represent single-point failures within the complexity of the overall business can allow you to filter the complex information and establish risk effectively.

The insider threat

Those who might misuse legitimate access to an organisation’s assets for unauthorised purposes are known as insiders and their threat is often overlooked when considering the overall cyber risk.

For those in the financial sector, personal financial gain could be a particular incentive to potential insiders, while security controls are now so effective that one of the only ways to circumvent them is for hostile actors to exploit those with legitimate access. It can help to think of insider threat as the ‘grand master skeleton key’ of security, as the right insider, or team of insiders can overcome almost all security measures. Security compromises involving insiders also tend to have a disproportionately high business impact.

Yet many organisations overlook insider risk, assuming that pre-employment screening is enough to deter employees and failing to recognise the wide range of risks from genuine human error, through to orchestrated insider activity by paid professionals. Insider cases are typically individuals who have been with an organisation for some years and could have had a personal vulnerability exploited or exposed, or simply become disgruntled with their employer.

It’s a broad area to address and can be more challenging to enforce than other security measures. Internal governance, security culture, employee wellbeing, employment measures, corporate digital footprint, and perceived employee sentiment are some of the aspects that should be considered. Once these internal factors have been addressed, organisations should then make the same assessment of their supply chains.

If the business is sufficiently committed to its security, structured analytical methods can quantify their maturity and assess where the key vulnerabilities and risks could lie. This extra level of understanding can enable improvement, and when it comes to security even small changes can make a big difference.

Consider your dependencies

It’s clear that security is a vast network comprising many different aspects and as such, if not considered collectively, some areas can fall through the cracks.

All businesses have particular dependencies which shouldn’t be overlooked. Your own environment may be protected, but if data is shared with suppliers or partners, is it still secure? If a supplier or partner has a security breach, does that affect your operation?

When assessing security measures, it’s essential to go an extra layer deeper and consider how a range of factors could impact your organisation and its readiness to respond to an incident.

At MASS, our security experts consist of professionals with extensive experience in preventing security breaches and performing assessments in accordance with Ministry of Defence processes, so that we can ensure our security analysis meets and exceeds industry best practice.

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: Global Banking & Finance Review │ Banking │ Finance │ Technology. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post