Security Evangelist and Strategist Jeff Man of Tenable discusses cybersecurity in the financial services industry. He shares insights on securing your organization and best practices for tightening your defenses and improving your security posture beyond regulatory compliance standards.
Q. What cybersecurity challenges are you seeing in the financial services industry? How is Tenable helping to secure these organizations?
The paradigm for cybersecurity has changed. In the past, cybercriminals took a break-and-enter approach to stealing data. Today, they can launch remote attacks that embed malware in your network that may be hidden in your systems, secretly harvesting data for days, weeks or months. The traditional method of securing your network and operations against vulnerabilities isn’t working against this type of cybercrime. Now you must work harder to find the malware and detect when it sends your data out of your network.
To do that, you need to establish a baseline of what is “normal” for your network operations, network traffic, network activity, user activity, user behavior, critical data flows and data repositories. Then you can detect what’s abnormal and what a malicious attack might look like. It requires skill, but also technology, because there’s so much data now that it’s impossible to analyze all the traffic manually.
That’s where Tenable can help. Our technology provides three ways of detecting data flows, network traffic and network activity information. First, our static vulnerability detection finds the systems attached to your network, analyzes them for vulnerabilities and sets your baseline. Our Nessus® scan engine can detect more systems such as servers, network devices, workstations, notebooks, tablets and mobile devices — whether you’re on a traditional network, a virtual network or operating in the cloud.
A second method for detecting network activity is our Passive Vulnerability Scanner (PVS), which acts much like a network sniffer to monitor network traffic at strategic points. The continuous monitoring that PVS provides helps to identify systems that might have been offline during static scans and also to identify malware that’s designed to elude the detection of a static scan. We also can detect unintended sensitive data flows both within and outbound from your network.
The third component, Log Correlation Engine, gives us the ability to look at every system and event log generated by the systems on your network. Using analytics, we review log traffic and identify exploitation attempts, additional vulnerabilities and malware. The system logs enable the technology to track user behaviors like successful and failed log-ins, which helps us identify malicious activity and compromised user accounts.
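The two ideas above, establishing a per-user baseline of "normal" log-in behaviour and then flagging the deviations that point at a compromised account, can be shown end to end on a small log sample. The following is an added example written for this page; it is not Tenable's code and not part of the interview. The log line format (`timestamp user source-ip SUCCESS|FAIL`), the sample lines, the five-minute window and the failure threshold are all constructed assumptions for the illustration; a real deployment would read its own authentication logs and tune the thresholds to the observed baseline.

```python
"""Baseline-then-detect over authentication logs (added example, constructed data).

Builds a per-user set of habitual source addresses from a baseline period, then
flags two deviations in an observation period: a successful log-in from an
address never seen for that user, and a success preceded by a burst of failures
from the same address (the failed-then-successful pattern mentioned in the text).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <user> <src_ip> <SUCCESS|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+) (SUCCESS|FAIL)$")

# Constructed baseline period: two users and their habitual source addresses.
BASELINE_LOG = """\
2016-06-01T08:02:11 alice 10.1.20.15 SUCCESS
2016-06-01T08:03:40 bob 10.1.20.22 SUCCESS
2016-06-01T09:15:02 alice 10.1.20.15 FAIL
2016-06-01T09:15:20 alice 10.1.20.15 SUCCESS
2016-06-02T08:01:55 alice 10.1.20.15 SUCCESS
2016-06-02T08:04:12 bob 10.1.20.22 SUCCESS
2016-06-03T08:00:30 bob 10.1.20.23 SUCCESS
"""

# Constructed observation period: bob succeeds from a new address right after a
# burst of failures; alice behaves as she did during the baseline.
OBSERVED_LOG = """\
2016-06-10T03:12:01 bob 203.0.113.9 FAIL
2016-06-10T03:12:03 bob 203.0.113.9 FAIL
2016-06-10T03:12:05 bob 203.0.113.9 FAIL
2016-06-10T03:12:07 bob 203.0.113.9 FAIL
2016-06-10T03:12:09 bob 203.0.113.9 FAIL
2016-06-10T03:12:12 bob 203.0.113.9 SUCCESS
2016-06-10T08:02:40 alice 10.1.20.15 SUCCESS
2016-06-10T08:05:10 alice 10.1.20.15 FAIL
2016-06-10T08:05:30 alice 10.1.20.15 SUCCESS
"""


def parse(log_text):
    """Parse log lines into (timestamp, user, src_ip, ok) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the whole run
        ts, user, ip, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, outcome == "SUCCESS"))
    return events


def build_baseline(events):
    """Per-user set of source addresses with at least one success in the baseline period."""
    known = defaultdict(set)
    for _, user, ip, ok in events:
        if ok:
            known[user].add(ip)
    return known


def detect(events, baseline, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alerts for (a) a success from a source never seen for that user and
    (b) a success preceded by >= fail_threshold failures from the same source
    within `window` (the failed-then-successful log-in signature)."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, ip) -> timestamps of failures
    for ts, user, ip, ok in sorted(events):
        key = (user, ip)
        if not ok:
            recent_fails[key].append(ts)
            continue
        fails = [t for t in recent_fails[key] if ts - t <= window]
        recent_fails[key] = []  # a success closes the failure run
        if ip not in baseline.get(user, set()):
            alerts.append((ts, user, ip, "success from new source"))
        if len(fails) >= fail_threshold:
            alerts.append((ts, user, ip, f"success after {len(fails)} failures"))
    return alerts


def run():
    """Baseline from BASELINE_LOG, then detect over OBSERVED_LOG."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(OBSERVED_LOG), baseline)


if __name__ == "__main__":
    for ts, user, ip, reason in run():
        print(f"{ts.isoformat()} {user} {ip}: {reason}")
```

On the constructed data only bob's 03:12:12 success is flagged, twice: once because 203.0.113.9 never appeared in his baseline, and once because five failures from that address preceded it inside the window. alice's single failure followed by a success from her usual address stays below the threshold and from a known source, so it produces nothing; that distinction between an ordinary mistyped password and a suspicious run is exactly what the baseline buys you.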
All the data our collectors produce can be formatted in numerous dashboards and reports — or what we call “Assurance Report Cards” (ARCs) — to allow easy review and presentation to system owners, management, senior executives and board members.
Q. What are some cybersecurity best practices that could help financial services firms better defend their organizations?
Education and cybersecurity awareness is an important defense tactic no matter the size of your financial services organization. You need a great technical team, documented processes and technology solutions. However, it’s equally important to have everybody in your organization understand the risks involved with conducting commerce on the Internet, and the impact of their behavior as individuals and as company employees.
Every employee in your organization can have an impact on your business based on the things they do — and equally important, what they don’t do. Human error is a frequent cause of cybercrime, whether it’s not following policies/procedures, not utilizing policies/procedures or worse yet, using weak passwords, sharing passwords or downloading unknown attachments. Every single employee must be educated that their actions have a real impact, and should be aware of attempts to gain access to your network — whether through suspicious emails inviting them to open an attachment or click on a link (called “phishing” emails) or other “social engineering” attempts to steal their log-ins or access badges.
63% of confirmed data breaches involve using weak, default or stolen passwords. Basic defenses continue to be lacking in many organizations.1
Also, collaboration across the enterprise with business units working together to help solve the larger cybersecurity problem needs to be a priority, particularly in financial services organizations. For example, fraud and cybersecurity business units often work independently of each other, yet working together could offer the potential for great synergy. Theft of data — a cybersecurity problem — is relatively meaningless until a cybercriminal figures out a way to use that data or monetize that data. However, that aspect of the crime is typically handled by the fraud unit. Working together, cybersecurity and fraud units could streamline and eliminate duplication of efforts and share combined resources, experiences and lessons learned to reduce cybercrime.
Q. What cybersecurity advice could help financial services organizations better meet regulatory compliance?
Most financial services organizations are focused on their compliance “grade” — “What’s our percentage of compliance?” “Are we showing signs of improvement?” This tends to create an attitude of meeting the bare minimum of regulatory standards: “What can I do to get by?”
The PCI Data Security Standard, which has been around since 2004, is based on a pass-or-fail, “you’re doing it or you’re not” approach, and could actually be used as the framework for securing any of your sensitive data. The PCI DSS offers a fairly comprehensive cybersecurity framework that sets a higher standard of metrics for an information security or cybersecurity program by assuring that good security practices are built in to the “business as usual” fabric of the organization. The companies I’ve worked with over the years that have treated PCI seriously and attempted to do it well have been far better off than the companies that treated it as a nuisance or burden.
The PCI DSS is very familiar to most organizations in the financial services world, whether they report on PCI compliance or not. Treating PCI DSS as a framework for your entire cybersecurity program is a good idea and actually reinforces the original intent of the PCI DSS — which was to measure your data or cybersecurity program as it related to payment card data. The underlying assumption has always been that the organization already had a functional cybersecurity program, so the PCI DSS was designed to assure consumer payment card data was properly protected.
Employee, customer and “soft” IP data are the top targets of cyberattacks.2
Jeff Man offers over 30 years of information security experience, compiling a rich knowledge base in cryptography, information security and PCI.
This article first appeared in the Summer 2016 issue of FINTALK Report.