Our nation’s financial system is fragile. The technology we depend on today for the secure exchange of funds between banks dates back decades to a system that was first built to facilitate funds transfers using Morse Code. Today’s incarnation of that system takes advantage of modern computing standards, such as TCP/IP networking, but that convenience also means that it is exposed to some of the same vulnerabilities and threats found on the internet.
Financial institutions participating in interbank payments should take special care to ensure that they’ve built a robust cybersecurity program to address these threats. Their responsibility goes beyond the basic level of care expected from any organization. Responsible financial institutions must have 24/7 insight into the state of security on all endpoints within their organizations and be able to answer the following questions rapidly:
- Who is attempting to attack us?
- Were they successful?
- What were they after?
- When did the attack occur?
- Where did it originate?
I’ve been helping financial institutions answer these questions for 18 years, and I’ve had the unfortunate experience of helping institutions recover from breaches. This experience helped me learn seven key lessons that I now share with my current clients.
1. Build an Accurate Inventory
You can’t protect what you don’t know about. It’s not the most glamorous job in the world, but every cybersecurity program needs an accurate inventory of all the hardware and software used within the organization. Automated tools can assist with this task. It’s crucial to ensure that these inventories include both approved software and user-installed software.
2. Patching Is Critical
It sounds like cybersecurity 101, but I’ve been involved in many security incidents where the root cause was an unpatched server with a critical vulnerability. Once a determined adversary stumbles across a single weak point in an organization’s defenses, they can exploit it to gain access to other systems on the network.
3. Pay Special Attention to Privileged Accounts
System administrators have vast powers on a network. They can add new systems, override security controls and delete audit trails. Financial institutions should implement privileged account management systems that monitor and track privileged user activity.
4. Document and Maintain Configurations
Another leading cause of security incidents is the slow, steady drift from a carefully designed security baseline that occurs over time. Administrators tweak settings, install software and perform other actions that deviate from the security standard. The cumulative effect of those changes creates an insecure system. Configuration management should be an ongoing task, not a one-time activity.
5. Passwords Are a Disaster
Passwords simply aren’t a secure way to control access to sensitive systems. If you’re not already using multifactor authentication to protect your payment systems, this needs to be your highest priority. If you need help to do it quickly, reach out to a vendor and get going.
6. Minimize Your Attack Surface
Submarines are built with a series of sealable compartments to control flooding. A compromise in one area doesn’t necessarily sink the ship. Network segmentation serves a similar purpose in cyberspace. Firewalls and other network security technologies can segment a network into security zones so that an attack in one zone doesn’t compromise the entire network.
7. Educate Your Users
All of the technical controls in the world won’t do any good if users fall victim to social engineering attacks and give away the keys to the kingdom. Users must be aware of the threat facing financial institutions and know the tricks that social engineers use to gain access to information.
This may seem like a lot to do, but it all falls under what I like to call “good security hygiene.” By applying these security controls, financial institutions will protect their own systems against ransomware and other threats. They’ll also be doing their part to maintain the integrity of the interbank payment networks.