Donald Good, Director-Global Legal Technology Solutions, Navigant
The cyber threat has never been more complex or dynamic. Financial institutions, large and small corporations, medical providers, law firms, accounting firms, and government agencies are targeted with increasing frequency by highly skilled adversaries. These organizations are targeted because they hold financial information, Personally Identifiable Information (PII), Protected Health Information (PHI), or Intellectual Property (IP) valued by the cyber adversary.
“An Incident Response Plan is the cornerstone of a strong information security program”
Organizations are faced with attacks from hacktivists, criminal and nation state actors, and insiders. Hacktivists advancing a political or social agenda launch attacks against organizations in a number of sectors, including the financial sector. While these attacks are mitigated quickly, they are a distraction and a nuisance to the victim organization.
Criminal actors are those seeking to profit from their hacking activities. Increasingly organized and well-funded, criminal actors target organizations holding valuable information they can easily monetize on the dark web. They target organizations with point of sale attacks, extortion, Business Email Compromise (BEC) and Ransomware. In recent months, the number of organizations targeted by BEC and ransomware has grown significantly. BEC attacks have resulted in organizations wiring hundreds of thousands of dollars overseas. If the organization realizes the funds were wired in error and contacts their financial institution and federal law enforcement within 48 hours, the wire transfer may be reversed. However, in many cases the organization may not realize it was a victim until it is too late and the funds are lost.
"A collaborative information sharing program should be part of your information security strategy"
In recent months, ransomware attacks have become more common and egregious. In the early ransomware attacks, files and folders were encrypted. In recent months, the attacks have resulted in some or all of the organization’s servers encrypted or locked. If the organization has no backup or the backup is infected, and the encryption can’t be defeated, the organization will most likely be forced to pay the ransom. The ransom payment is normally required in bitcoins. Unless the organization holds bitcoins, it normally takes a number of days to obtain the bitcoin resulting in additional downtime, lost revenue, and in some cases reputational damage for the organization.
The insider threat is a challenge for all organizations. Whether an employee or contractor, this is an individual whom the organization believes is a well-intentioned person and has entrusted with access to its information. In some instances the individual has access to highly sensitive information including PII, PHI, financials, and highly valuable IP. The insider threat is difficult to detect because often times the person appears to be well-intentioned, but is harboring deep seated resentment or has personal issues which are motivating his behavior. During the last few years, the media has repeatedly reported on the significant damage perpetrated by insiders to organizations as well as our national security.
Nation state actors may present the most formidable threat. Commonly referred to as the Advanced Persistent Threat, this group of actors is highly skilled, extremely well-funded, and organized. Often times, this actor has hundreds of people working towards exploiting a network or a group of systems. Their goal may be to steal IP, target critical infrastructure, gain access to PII for targeting purposes, or disrupt businesses or processes in the United States. During the last couple of years, these actors launched DDOS attacks against the financial services sector, stole IP from a number of U.S. businesses, and sought to disrupt processes in this country. In many instances, due to the skill of the actors, they were able to remain undetected in victims’ networks for months and then move laterally through the network to gain access to additional information which they exfiltrated. In other cases, victims believed they successfully eradicated the nation state actor from their networks only to find the actor was somewhere else in their network
Regardless of the adversary, hacktivist, criminal, insider, or nation state, it’s nearly impossible to prevent an attack. Rather, organizations must focus on reducing their risk to attack and be prepared to contain and mitigate when an attack occurs. The most successful organizations are those that effectively balance people, processes, and technology. No organization, big or small, can do everything at once. So, it’s important to develop a plan and a strategy that works for your organization. Many organizations follow the National Institute for Standards and Technology (NIST) Cybersecurity Framework.
Executive Management commitment is one of the most important elements of a strong information security program. Without the full support of the C-Suite and the board of directors it’s difficult for the CISO and his team to implement an effective program. It’s not just about funding the program, it’s about setting the example for the rest of the organization and helping to cultivate a culture of information security from the top down. The CISO, or the individual responsible for information security in your organization, should be briefing the C-Suite and the board regularly. When the C-suite and board are well informed about the organization’s information security posture, and the potential threats to the organization, they are likely to be more supportive of the CISO and his proactive approach to information security.
It’s important to know which adversary poses the greatest threat and how might that adversary target your organization. What are the adversaries’ Tactics, Techniques, and Procedures (TTPs)? Understanding which adversaries may attack your organization and how they will attack should be part of your strategy. You may not be able to prevent the attack, but you’ll reduce your risk significantly.
The information most critical to the success of your organization is your “crown jewels”. It could be customer accounts and associated PII, financials, employee information, or many other things. Do you know where your crown jewels are in your network? Have you done everything within reason to protect them?
An Incident Response Plan (IRP) is the cornerstone of a strong information security program. As everyone would agree, the financial services sector is one of the most heavily regulated sectors, so exercising due care and due diligence is essential. Developing an IRP is due care, but exercising it regularly is due diligence. When a breach occurs, your organization will be better positioned to handle it.
A collaborative information sharing program should be part of your information security strategy. For many years, the financial services sector has engaged in robust information sharing through the FS-ISAC, the NCFTA, InfraGard and a number of other similar organizations. It’s good to have a relationship with the FBI or USSS before a breach occurs. If you engage with law enforcement, you’ll know who to call. Also, both organizations share timely cyber threat information that help you get ahead of the threat.
I think most would agree, securing your organization’s information has never been more challenging. Major breaches occur with frequency and many of us have been the victim of some of those breaches. I would suggest that waiting for something to happen is not the answer. Assess your current information security strategy to determine if it aligns with your organization’s business needs and the current threat environment. Be proactive and work to get ahead of the threat and reduce your risk.