Cybersecurity Inside Your Perimeter
By Stelios Valavanis and James Burnham
As many bankers are experiencing, examiners are increasingly emphasizing top-down cybersecurity leadership from bank leaders to bank management. Yet technology is one of the most challenging areas for bank leaders to provide top-down guidance. Historically, bank leadership has depended on the bank’s management team to develop responses to technology challenges and make IT investment recommendations. Since much of cybersecurity involves making technology decisions, how can bank leaders without either a technology or security background offer informed top-down guidance?
Becoming Informed and Aware
Bank leaders can develop high-level cybersecurity guidance by first starting with a general understanding of cybersecurity risks and then focusing on the risks most relevant to financial institutions. If bank leaders can understand at a high level the most relevant risks, then they can direct management to develop specific responses — without having to acquire detailed technical or practitioner knowledge.
Bank leaders can find an excellent source on the current state of cyber threats by reading the annual “Verizon Data Breach Report.” The report collates data from cyber-attacks across a broad base of security sources and offers industry-specific details in a readable, not-too-techy style. Analyzing the data reveals that cyber criminals repeat similar attacks across numerous institutions. Repeated attacks follow patterns that reveal the most likely attack paths. According to the 2016 report, if a financial services enterprise took just two effective steps to interrupt a cyber criminal’s likely attack path, it would reduce the threat from external cyber crime an astonishing 25 times. (The full report can be accessed at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/.)
Questions Bank Leaders Should Ask
The first question to ask management is how your bank manages and monitors user and device identities and access to trusted services. User and device credentials are critical elements of securing the bank’s assets and feature prominently in all compliance, audit and examiner events.
They are also the first step in a cyber-attacker’s plan to compromise your bank. Inquiries from bank leadership that direct management’s attention toward what else can be done to secure and manage identities will benefit not only the bank’s security posture but also its compliance activities and regulatory mandates.
Second, ask your management proactively what steps are being taken to monitor and harden the network and, particularly, internal applications. Given both the sophistication and persistence of attackers, it is likely that even if a bank has a robust program for protecting identities and credentials, attackers will gain, at some point, access to the bank’s internal network.
Unfortunately, an attacker operating inside a bank is likely to find a target-rich environment. A bank’s typical applications are collections of several (or many hundreds of) virtual servers that perform specific tasks: web servers for connecting users; application servers for business logic and processing transactions; and database servers for storing and serving data. If an attacker can find just a single vulnerable host within that collection of servers, then the attacker can execute the next step in their exploitation plan.
To prevent this, the second step a bank should take to interrupt the attacker’s plan is to add protection and monitoring to the bank’s network and internal applications.
You’ll be in good company. Google realized in 2015 that it would be impossible to prevent attackers from accessing its internal networks. Google responded by launching an initiative, BeyondCorp, to build protection into each of its internal applications. Banks are not Google, but, like Google, a bank’s IT team can take steps to protect internal applications, including:
- Segmenting applications from the enterprise network to eliminate east-west vulnerabilities.
- Isolating each application with a hardened, defensive micro-perimeter.
- Providing each application with its own, dedicated virtual network.
- Securing interior traffic with secure edges and encrypted security controllers.
- Monitoring network traffic for threats on both the enterprise network and on the virtual application networks.
When these techniques are applied, an application is encapsulated in its own custom, dedicated protective bubble. Imagine an encapsulated application as an island, isolated from all of the potential threats on the untrusted enterprise network and connected to the enterprise by a single well-defended bridge.
When each application is encapsulated, an attacker on the bank’s network will not be able to see, much less access, the application’s vulnerabilities. Because the application is hidden, the vulnerabilities are inaccessible and the attacker’s malware and exploit kits have no targets to compromise.
These concepts are not new and are familiar to IT professionals; however, applying them to applications on physical servers would be difficult, rigid and expensive. Fortunately, since many applications are now virtualized, software-only virtual network and security appliances make application encapsulation both practical and affordable. Because the software-only networks are managed by virtual concentrators, network monitoring tools gain visibility beyond the enterprise network and into the server-to-server traffic that normally goes unmonitored.
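As an added illustration of the monitoring described above (example code, not from the article or either author’s company), the following Python checks flow records against a constructed micro-perimeter model: one dedicated application network split into web, application and database tiers, a single bridge host as the only entry point, and an allow-list of tier-to-tier flows. All addresses, ports and log lines are constructed assumptions.

```python
import ipaddress
# The application's dedicated virtual network, split into tiers (constructed addresses).
TIERS = {
    "web": ipaddress.ip_network("10.50.0.0/26"),
    "app": ipaddress.ip_network("10.50.0.64/26"),
    "db": ipaddress.ip_network("10.50.0.128/26"),
}
BRIDGE = ipaddress.ip_address("10.50.0.254")  # the single well-defended bridge into the bubble
ALLOWED = {("bridge", "web", 443), ("web", "app", 8443), ("app", "db", 5432)}  # (src tier, dst tier, dport)

def tier_of(addr):
    """Map an address to its tier, the bridge, or the untrusted enterprise network."""
    ip = ipaddress.ip_address(addr)
    if ip == BRIDGE:
        return "bridge"
    for name, net in TIERS.items():
        if ip in net:
            return name
    return "enterprise"

def check_flow(src, dst, dport):
    """Return None if a flow is permitted, otherwise the reason it violates the micro-perimeter."""
    s, d = tier_of(src), tier_of(dst)
    if d == "enterprise":
        return None  # only traffic reaching the application's network is judged here
    if s == "enterprise":
        return f"{src} reached the {d} tier directly, bypassing the bridge"
    if (s, d, dport) not in ALLOWED:
        return f"{s}->{d}:{dport} is not on the application's allow-list"
    return None

def audit(lines):
    """Parse 'src=.. dst=.. dport=..' flow records; return (record, reason) for each violation."""
    findings = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        reason = check_flow(fields["src"], fields["dst"], int(fields["dport"]))
        if reason:
            findings.append((line, reason))
    return findings

# Constructed records: the normal bridge->web->app->db chain, a lateral move from the enterprise network straight to the database, then the web tier skipping the app tier.
SAMPLE_FLOWS = [
    "ts=2024-05-01T10:00:01Z src=10.50.0.254 dst=10.50.0.10 dport=443",
    "ts=2024-05-01T10:00:02Z src=10.50.0.10 dst=10.50.0.70 dport=8443",
    "ts=2024-05-01T10:00:03Z src=10.50.0.70 dst=10.50.0.130 dport=5432",
    "ts=2024-05-01T10:00:09Z src=10.20.3.7 dst=10.50.0.130 dport=5432",
    "ts=2024-05-01T10:00:11Z src=10.50.0.10 dst=10.50.0.130 dport=5432",
]
print(audit(SAMPLE_FLOWS))
```

Only the last two records are flagged: the first violates the "single bridge" rule and the second breaks the tier ordering inside the bubble, which is exactly the server-to-server traffic that enterprise-level monitoring never sees.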
Securing identities and encapsulating applications work together to create a layered, internal defense-in-depth that interrupts the cyber criminal’s most successful attack paths against financial institutions. Implementing these two steps makes a bank 25 times less likely to be subjected to a successful cyber-criminal breach.
Examiners are expecting bank leaders to provide more top-down cybersecurity guidance and direction to management. By staying abreast of the high-level cyber criminal patterns most relevant to financial institutions, bank leaders can drive proactive discussions with management to focus responses on the threat paths that deliver the greatest mitigation of cyber criminal risk.
Stelios Valavanis is the CEO of onShore Security (www.onShore.com). Valavanis has 35 years of information technology experience ranging from software development to enterprise network infrastructure, bringing a network and data-centric approach to cybersecurity. James Burnham has 25 years’ experience building effective relationships among enterprises and technology providers. He leads Strategic Alliances and Partnerships for Cohesive Networks where he focuses on helping their partners secure virtual and cloud environments.