Cybersecurity in an Insecure World
By Dr. Anand Singh, Chief Information Security Officer, Alkami
The rules of engagement in cybersecurity have dramatically changed. The explosion of connected devices and the Internet of Things (IoT) creates a large pool of devices that can be strung together into botnets. These botnets can then be used to perpetrate attacks such as distributed denial of service (DDoS) and credential stuffing.
A DDoS attack is an attack in which a botnet is used to flood a financial institution’s website with traffic that can lead to denial of service for genuine users of the website. Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.
Such a situation is especially challenging for banks and credit unions. Cybersecurity is essential to protecting your community. And a rapidly evolving threat landscape makes it considerably harder to stay protected. According to the 2018 Verizon Data Breach Report, financial institutions (FIs) suffered $16.8 billion in total estimated losses as a result of such attacks. Billions of credential stuffing attempts are made on a monthly basis.
To complicate matters further, the regulatory landscape is also becoming more complex. Federal governments, states, and countries are going into overdrive mode to manage these evolving threats through compliance regimes. This means that FIs have more compliance needs to satisfy.
Most medium- and small-sized FIs have small security and compliance organizations and are at a disadvantage when it comes to defending their enterprises. But if we band together as a community and treat cybersecurity as a shared responsibility, we can fight these threats together. To this end, we are sharing our insights about an effective cybersecurity program.
The most secure enterprises practice 3D security: security in design, development, and deployment. Taking security measures before products are even built, developing code free of vulnerabilities, and securing in-production deployment are all crucial. Managing security requires a holistic view, including knowledge of where your data is, how it is stored, who has access to it, and how it is handled in transit.
Risk Management and Governance
An effective governance structure can set the tone for cybersecurity in your enterprise. The following are the key elements of an effective governance structure:
- Boards should govern security by getting regular updates on the progress of the security program as well as a review of the security dashboard
- Chief Information Security Officers (CISOs) should be granted independence through direct reporting to the board as well as through proper organizational setup (e.g., the role should not sit within the technical hierarchy of the organization, to ensure separation of duties)
- Strong policy and standards framework
- Regularly measure the efficacy of the program through PCI, FFIEC, and SOC 2 Type 2
Building a fence around your assets with a traditional firewall used to be enough. In today’s world, that is not sufficient. You need a web application firewall to look through application layers to mitigate bots and stop SQL injection and network layer attacks. Traditional firewalls have now been replaced by next-generation firewalls that provide more advanced intrusion detection and prevention capabilities. Lastly, you should beef up your endpoint protection with a next-generation antivirus that has built-in artificial intelligence (AI) and machine learning (ML).
It is critical to protect data at rest and in transit through encryption. Additionally, every FI should have a data classification mechanism (e.g., secret, confidential, private, and public) to guide its employees on appropriate handling of data. The following are some key technologies that can assist in the protection of data:
- Certificate and key management
- Encryption of emails with sensitive data
- Data loss prevention (DLP)
Privilege management is the practice that ensures only authorized individuals have access to sensitive data. Because of the large number of data breaches in which user IDs and passwords have been compromised, FIs should not consider username/password an effective mechanism to protect data. Access to every sensitive data asset should be protected by multi-factor authentication. The following are additional practices that can help secure your enterprise:
- Single Sign-On (SSO) – In addition to driving security, it also provides great convenience for users, since they don’t have to enter their usernames and passwords all over the place
- Secret Server – These systems provide a secure repository for users to store their privileged information
- Enforcement of least privilege and need to know
Threat and Vulnerability Management
Identifying, assessing, and remediating your security vulnerabilities on a regular basis fortifies your defenses. Developing these security habits helps prevent vulnerabilities that lead to breaches:
- Ongoing vulnerability scans
- Patch management
- Threat model and analytics
Making Your Users Smarter and Safer
A large portion of cybersecurity attacks stem from successful email phishing attempts. That goes to show that building a fence around your information assets is no longer sufficient in itself. You need to create a secure bubble around every one of your employees since they will be your first line of defense.
Follow these tips to raise the security baseline of your employees:
- Regularly conduct social engineering testing
- Make security training fun
- Have special events (e.g., Hacktober)
- Protect your email
We employ these and other security measures for a security culture that has resulted in 100% security program penetration. Security is a core component of our values. It all started with us working together so that our remarkable clients can adapt quickly, succeed wildly, and build a thriving digital community.