Top 10 Cybersecurity Trends for Banks
New Survey Identifies Key Risks for Institutions in 2012
Consumer behavior is the biggest concern when it comes to online risks posed by social media. But Bill Wansley of Booz Allen Hamilton says financial institutions can manage those risks. What steps does he recommend?
During an interview with BankInfoSecurity's Tracy Kitten [transcript below], Wansley, a financial fraud and security consultant, says cybercriminals have turned to social media to target and exploit business executives, employees and consumers for social engineering. With bits of information they engineer out of unsuspecting users on networking sites like Facebook and LinkedIn, fraudsters have enough to launch well-disguised spear-phishing attacks.
"This is a manageable problem," Wansley says. Corporations and executives just need to think about their exposure. "[They need to] do an assessment of what their exposure is and then understand how to manage that exposure, to get both the personal gain and business gain that social media offers without overexposing corporate information," he says.
Booz Allen Hamilton recently released its Top 10 Financial Services Cybersecurity Trends for 2012. Topping the risks: social media.
"Through the next year, you're going to see additional steps taken by institutions to ensure that the training and awareness of their staff is up to a level to allow them to know when they're being made an unwitting insider," Wansley says.
During this interview, Wansley discusses:
- The increased role government will play in cybersecurity;
- Why cloud computing could enhance online security;
- The impact of globalization on cybersecurity initiatives.
Wansley leads multidisciplinary consulting teams at Booz Allen Hamilton, where he provides a full range of operational level management and technology consulting services, including advanced analytics of financial data, operational and technology risk management, compliance and regulatory risk assessments, and payment process redesign. He has 30 years of professional experience as an operational U.S. Army officer, a national security policy planner, and a management consultant for the U.S. intelligence community. Wansley's operational military experience includes serving as a field commander, division level war planner, and national security strategist. For the past 13 years, he has supported U.S. Intelligence Community clients in solving national security risk-related challenges through strategic planning and advanced analytics.
2012: Top Cybersecurity Trends
KITTEN: Booz Allen Hamilton recently listed its top financial-services cybersecurity trends for 2012, which highlight the impacts increased mobile use and organized crime are expected to have on banks and investment firms in the coming year. Can you tell us a bit about the trends and how Booz Allen determined these to be the top ten?
WANSLEY: Booz Allen has a pretty broad base of customers, from the government to commercial to international clients, many of whom are doing business directly supporting financial services, or it may be financial institutions on their own. What we've tried to do is find a way to bring relevant awareness to the real security threats that are facing financial institutions. Based on the number of jobs we've had in the past couple years in these environments, we got together essentially a focus group of our experts to pull together what we saw as the emerging trends specifically in technologies, emerging trends and the threats, and built on our experience in cyber intelligence, where we see the threats evolving to - it's a constantly evolving environment. Then we looked at the regulatory environment to see how all of this would come together almost in a systematic way to provide an environment that could be very risky for financial institutions going forward.
Based on the discussions we had and all of those factors, we identified the ten financial-services security trends for 2012. We want to try to communicate them out to executives rather than keeping these issues in the back room of the security session or the information-security team. We want to try to raise these issues as risk issues to executives so they totally understand and are aware of the types of threats that could be affecting their institution, and I'd be happy to go through those if you'd like to do that.
The Mobile Threat
KITTEN: I actually would like for you to go through some of those. I have noted some of those as well, and mobile was one that seemed to be a growing concern. Could you talk a little bit about mobile?
WANSLEY: Mobile is a very relevant topic across all industries, but specifically financial services. In some ways, financial services have an advantage because there are already very tight controls on the use of mobile devices around any trading that happens on the market. Once you get outside the trading floor that's controlled by communications, we're finding that many employees are using their mobile devices. Many of them have - like many of us - an iPad, iPhone or another smart-phone device, and they're using different service providers that provide them clouds where their information is going so that all their devices can connect to them.
All of that's terrific, and a lot of companies actually adopt "bring-your-own-technology-to-work" now so that rather than having firm-issued laptops or mobile devices, people are bringing their own. There are obviously a lot of advantages to that as the newer generations like to bring their own devices with them, but the downside is the potential risk for the institution.
Each time you have another one of these mobile devices that's not controlled through a hosted server within the corporation, you're then providing access to potentially corporate information directly through these devices that don't have the kind of built-in monitoring security features that a corporate-issued device would have. That's particularly true any place where there's the bring-your-own-technology-to-work kind of policy in certain companies, but it's also true for anybody who's using a cell phone. In fact, you'll see a number of people walking out of banks that have their personal cell phone. And while they use their personal cell phone for personal use, oftentimes they have sent some information that could be discussed on that as well.
The issue is not to say stop using mobile devices. The issue is just asking executives to think about their policies and procedures and what potential risks that may be bringing on to their enterprise unwittingly and what they can do to help mitigate that. There are steps you can take to mitigate the mobile environment, but it has to be done in a very deliberate way with a little forethought and planning and operational monitoring.
Protecting the Financial Space
KITTEN: I did want to ask about protecting executives, and I think this might be a nice segue. How vulnerable are executives to spear-phishing attacks? When we take a step back and think about the environment today, with the advent of social media and personal information basically being accessible all over the web, organizations aren't as cushioned today as they were in the past. What can the industry do to protect itself?
WANSLEY: That's a great question. Frankly, social media is evolving so rapidly that privacy controls on a number of the social-media outlets are being updated constantly. The good news is the industry is aware that through [its] use, the benefits of social media are to create those broader networks of colleagues and friends that you can share information with. But you have to have some controls on privacy and access to some personal information.
Back to your original question about executives, there's certainly a trend where there are some individuals out on the Internet who are looking very closely at who are the executives leading some of these firms. A lot of them are considered to be part of the one percent, so they're sometimes targets for people looking at them. And they'd be targets for a number of reasons: some hackers just want to embarrass CEOs and bring attention to them, where they live, how they operate, what their personal lives are like. Sometimes there's some organized criminal aspect of this where they actually want to take and steal financial information for their own personal benefit. And thirdly is the group of foreign intelligence services that may want to collect important information for business purposes for foreign espionage.
All of these three kinds of threats are potentially tracking executives, linking from social media and doing additional research, and then doing, as you mentioned, spear-phishing attacks or other sorts of collection. What I mean by collection is collecting information on executives so that later on it could be used for another attack. Most commonly known today in the industry is an advanced persistent threat, which is abbreviated APT, and that's the advanced sophisticated threat that works over time to do the social engineering on executives to understand who they are, where they come from, to find those little inabilities to be able to send them e-mail and get them to open an explosive package on their machine, for example.
We're seeing increasing trends in this area. There are executives now getting a little more concerned, maybe even being more careful about what they're placing on their social media pages. At the same time, again, this is a manageable problem, if the corporations and executives sit back and think about what their exposure is, do an assessment of what their exposure is and then understand how to manage that exposure to get both the personal gain and business gain that social media has got without overexposing corporate information too much.
KITTEN: What about risk assessments? How thorough and ongoing are risk assessments, especially when it comes to cybersecurity threats?
WANSLEY: I believe most institutions do a very good job with risk assessments. The challenge is that the risk is changing constantly. You have to be sure that the way in which you go about doing an assessment is up-to-date with the latest threats and understandings and is pretty thorough across the organization. Some organizations are very centralized - policies, procedures, controls and governance posture [are] very centrally controlled and it's much easier to get a handle on where you are.
Other global corporations are widely distributed and have very different policies across, so that takes a great deal more effort to ensure you know what your risks are in one part of the world versus the other part of the world. But in general, I think the financial-services industry probably does better than most in assessing the risk and reporting that information to the chief risk officers.
KITTEN: I wanted to also ask about the updated FFIEC guidance which relates to online authentication processes. How prepared are most financial-services organizations for this upcoming guidance? When it comes to risk assessment being a key part of that, how prepared are they from a risk-assessment perspective?
WANSLEY: I think most major financial institutions really try to stay ahead of all guidance coming from regulators to them. A number of them have been expecting the FFIEC guidance, and I think they're actually leaning forward in that area. A lot of them are exploring different technologies, different procedures. They're looking at the impact on a business and doing the kind of tradeoff between how this is going to affect my business and how can I put in efficient methods in place to comply with the guidance. In general, they're doing pretty well. Some of the smaller institutions may not have as big a problem to deal with, [but] they still need to take the time to assess where they are and ensure that they're ready to comply. The regulators will insist on this in the very short term.
KITTEN: You've mentioned globalization, and I'd like to talk about that with the FFIEC guidance in mind, because the FFIEC guidance relates to U.S. institutions. But what about the global impact of the updated FFIEC guidance? What are institutions doing globally to enhance their user as well as transactional authentication practices?
WANSLEY: As you might imagine, most of the big banks have global transactions, and they have corresponding bank relationships with other institutions. And you can imagine if you've got a really strong security program at your home office, that might be great, but every day you're dealing with millions of transactions coming in from international corresponding bank relationships, different vendors and different customers. So even though it may be U.S. guidance, what we're seeing is that U.S. and U.K. guidance dominate global financial transactions because they just drive practices across the world.
As you see most corporate headquarters out of Washington, New York, London and San Francisco looking at the impact of these kinds of new guidelines, they see it as a global venture to start with, and frankly all the foreign banks - some of which we're talking to now - realize that, as a potential corresponding bank partner with these banks, they have to comply as well.
KITTEN: What about increased regulatory scrutiny generally? I'm talking about globally as well as domestically. Are financial organizations making investments in the right types of technologies and solutions to ensure that they're complying and conforming to existing, as well as perhaps upcoming, mandates and standards that wouldn't just affect us domestically but internationally?
WANSLEY: The real challenge is the cost of technology for a financial institution is skyrocketing. Banks are struggling to try to get their costs under control. There's this tradeoff between increased efficiency and effectiveness and trying to keep your costs down moving forward. That's why you see a lot of large institutions moving toward cloud structures, which do potentially offer tremendous cost savings and efficiencies. But correspondingly, there are some new security controls that need to be in place with the cloud architecture to allow them to make those changes.
I think you'll see coming forward in the next year a lot more questions about cloud security and about how to do that, and that's specifically to your point. But if these institutions are going to be able to continue to maintain some control of their cost while changing technologies to satisfy regulatory requirements, they're going to have to do some evolution of their architectures into public and private cloud structures that allow them to be able to do that. And big institutions are doing that. They're now looking at it. They're thinking about how to better keep their costs under control and increase their maturity postures going forward. I think you're going to see a fair amount of activity, thought leadership and development in this area because if the banks don't maintain control of their costs in implementing these new technologies, they're going to have a rough road ahead.
KITTEN: What about the public-private partnerships? You've touched on that just a bit here. How will government get more involved in the cybersecurity effort?
WANSLEY: That's a great question. Clearly, the Department of Homeland Security in the United States is responsible for protecting the homeland. There's going to be increased involvement I believe by the government bodies in the United States to try to protect the homeland. But in the end, most consumers believe the banks that are holding their data are the ones that are responsible for providing security of their particular financial information and personal data.
But I'll tell you the FS-ISAC is absolutely the best example of where a public-private partnership seems to be getting some traction. It was established a number of years ago to protect the nation's critical infrastructure. The FS-ISAC provides that information sharing amongst the financial-services institutions. Booz Allen is an affiliate board member. We're not a bank ourselves, but we certainly participate in that body and we believe that's exactly the kind of body that needs to go forward to ensure that we have sufficient protection for our nation's critical infrastructures, like the financial-services industry.
There are other institutions or other groups being stood up by the banks between themselves to help share information, and I believe you'll see this January new legislation coming off Capitol Hill that will actually direct some very specific sharing of information between the government and the financial-services industries. This is really a very hot topic, and look for, again, in 2012 seeing legislation in January coming out in this area and very specific bodies like FS-ISAC being reinforced to show that information more broadly.
Malware: Can We Win?
KITTEN: This may seem like I'm shifting gears a bit, but it actually does relate to the public-private partnership and the need for more government involvement. I wanted to ask about malware. We talk quite a bit about spear-phishing attacks and phishing attacks, and of course Zeus continues to evolve and become much more prevalent throughout the world. Will we ever win the battle though?
WANSLEY: No. Frankly, the malware bug is out and people have now realized that they can develop new malware products on a continuous basis, much like people develop an iPad app. The reality is we need to learn to take a risk-management approach to living with malware, frankly. That's constantly monitoring it, constantly checking for it, constantly staying on top of how it's evolving and doing our best to ensure that whatever malware is floating around and is injected into our enterprise is something that we can manage. Obviously, taking out is the preferred way to do it. Sometimes you need to do some real deep research to find malware because the groups sending malware into our institutions are becoming more and more sophisticated, creating code that you can't recognize or see even with traditional security practices. You have to go a little step beyond to be able to monitor malware.
Now, one emerging trend in this area is the advanced analysis of malware, and that allows you to actually take the code and reengineer it and understand how it was developed, and perhaps that's an indication of what could be next. That's really important because then you would at least have some insight as to what could be the next set of malware you're going to be facing in the next generation.
KITTEN: I wanted to ask about insider threats. Insider threats made the top ten, as well as some of the other issues that we've discussed today. Insiders are often the points of compromise, whether intentional or unintentional. Are institutions and organizations, generally, sufficiently addressing their internal risks?
WANSLEY: I think a lot of institutions are aware of the potential damage of an insider threat, but mostly they've focused in the past on some malicious intent by some insider. The broader problem right now is the unwitting insider. In other words, that person who gets a phishing attack who unwittingly gives some access to an outsider, and then they become essentially an insider. That's a concern that now is starting to get the attention of a lot of security officers and the bank risk officers, and that's: how do you ensure that your staff have enough awareness to be able to see when they're being set up as a potential unintended insider? There's greater attention to that area. I think through the next year you're going to see additional steps taken by institutions to ensure that the training and awareness of their staff is up to a level to allow them to know when they're being made an unwitting insider. Frankly, that's a very cost-effective means to start stopping the problem right up front. Just make sure people are aware that that's what's happening.
KITTEN: Before we close, what final advice can you offer to financial-services organizations that are preparing for current, as well as emerging, cybersecurity threats?
WANSLEY: The primary focus should really be in having a deliberate program that actually documents where the most important information of the organization is [and] establishes a priority system to protect the most sensitive and classified information because you can't protect everything. You have to accept the fact that it's cost-prohibitive to have perfect security all the time. In fact, there's no such thing as perfect security. Then, think through the tradeoffs, the risk tradeoffs, you have to make for protecting that information. Now, if you do that, you can come up with some very cost-effective ways to manage your risk or make decisions about your business practices to manage those risks. It doesn't have to be a large investment in technology, and that's where I see the security trends going.
I think most chief information security officers are really starting to get a little smarter about where we apply technology or where we apply non-technology solutions that just make good sense to manage risk.