How to Build a Solid Cybersecurity Foundation in Financial Services

It’s a regulatory world we live in. From tax regulations to “you-need-to-be-this-tall-to-ride,” we’re conditioned to feel that if we follow the rules, all will be well. And if there’s an industry that knows the importance of complying with standards and regulations, it’s financial services.

In the cybersecurity realm, financial services is governed by standards such as Payment Card Industry (PCI) and DFS Standards. There is a mindset in many companies that if these standards are met, then their organizations are secure—this is a dangerous assumption.

There is a difference between achieving compliance with cybersecurity standards and actually being secure. What is needed is a security-in-depth strategy built on the 18 security controls below, which are the minimum required to actually prevent breaches instead of simply checking off regulatory boxes.

The 18 CIS Critical Security Controls

The Center for Internet Security (CIS) 18 Critical Security Controls are a good starting point to lock down a financial services technology environment and prevent the loss of critical customer data. These controls are:

1. Inventory and Control of Enterprise Assets

You should inventory and track all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) that reside on the network. Only authorized devices should be given permission for the employee tasks they are authorized to do. This comes back to the very simple idea that you cannot protect it if you don’t know it exists. That’s why it’s essential to have an accurate physical inventory of all devices on the network.

2. Inventory and Control of Software Assets

You should inventory and track all software that resides on the network. Only authorized applications should be given permission for the tasks they are authorized to perform. A good software inventory, knowing which tools are allowed and then monitoring for tools that shouldn’t be on the network because they present a risk, will give you solid control over the environment. Application control and segmentation of your network is something you’re probably already familiar with due to current financial services industry standards.

3. Data Protection

Encryption needs to be implemented to mitigate data leakage and there needs to be continual investigation into the performance of algorithms and their respective key sizes. While this may sound straightforward, accomplishing this in practice can prove particularly challenging.

4. Secure Configuration of Enterprise Assets and Software

You need to mitigate risk from misconfiguration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). As an example, this can include resetting default passwords, sealing off network ports that were left open, reevaluating the use of administrative privileges, reconfiguring digital certificates and more.

5. Account Management

You need to proactively manage the account creation, usage, dormancy, and deletion lifecycle from beginning to end, especially when you hire contractors or outside third-party vendors.

6. Access Control Management

You need to create, assign, manage, and revoke access credentials and privileges to ensure they are appropriately assigned to the right IT staff. Those employee privileges—are they really needed? Employees often move on to new roles or leave the company altogether. But do they still have unnecessary access privileges that could be exploited by an attacker? You need to constantly evaluate permissions so that employees are provided just the minimum access needed to conduct their daily responsibilities.
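Controls 5 and 6 come down to a recurring reconciliation of who is on the HR roster against what accounts exist and what they can do. The following is an added example, not code from the article or from CIS, that runs such a review over a constructed roster and directory export: it flags accounts with no matching person, contractors whose end date has passed, accounts dormant longer than 90 days, and dormant accounts that still hold administrative rights. Field names and the 90-day threshold are assumptions.

```python
"""Account lifecycle review for CIS Controls 5 and 6 (added example, not the article's code).
Inputs are a constructed HR roster and a constructed directory export; a real run would
read these from the HR system and the identity provider."""
from datetime import date, timedelta

DORMANT_DAYS = 90
TODAY = date(2024, 6, 1)  # fixed "today" so the review is reproducible

# Constructed sample HR roster: person type and contract end date (None = permanent).
ROSTER = {
    "alice": {"type": "employee", "end": None},
    "bob": {"type": "contractor", "end": date(2024, 3, 31)},    # contract already ended
    "carol": {"type": "contractor", "end": date(2024, 12, 31)},
}

# Constructed sample directory export: account, last interactive login, admin-group membership.
ACCOUNTS = [
    {"user": "alice", "last_login": date(2024, 5, 30), "admin": False},
    {"user": "bob", "last_login": date(2024, 4, 2), "admin": True},
    {"user": "carol", "last_login": date(2024, 1, 15), "admin": True},
    {"user": "dave", "last_login": date(2024, 5, 28), "admin": False},      # not on roster
    {"user": "svc_backup", "last_login": date(2023, 11, 1), "admin": False},  # service account
]


def review_accounts(roster, accounts, today=TODAY, dormant_days=DORMANT_DAYS):
    """Return (user, finding) pairs that the account owner must act on or document."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # Orphaned or service account: either disable it or record an owner and purpose.
            findings.append((user, "no matching person in HR roster: disable or document owner"))
        elif person["end"] is not None and person["end"] < today:
            findings.append((user, "contract ended %s but account is still enabled" % person["end"]))
        if acct["last_login"] < cutoff:
            findings.append((user, "dormant for more than %d days" % dormant_days))
            if acct["admin"]:
                # Dormant plus privileged is the combination an attacker values most.
                findings.append((user, "dormant account still holds admin rights: revoke"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ROSTER, ACCOUNTS):
        print("%-12s %s" % (user, finding))
```

In the sample data the review reports nothing for alice and six findings across the other four accounts, which is the list a quarterly access review would work through.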

7. Continuous Vulnerability Management

You need a defined security policy that mandates regular scanning of your entire IT infrastructure to identify security flaws and vulnerabilities before an attacker exploits them. This should include automated scans.

8. Audit Log Management

The audit log provides the most unbiased and clear evidence of an attack. But here’s the key: logging must be switched on for every network device, without exception. When logs are securely stored and accessible, they can be studied for evidence of attacks from both inside and outside your organization.
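The "without exception" part of Control 8 is only checkable against the device inventory from Control 1, so the two controls are worth reconciling together. The following is an added example, not code from the article or from CIS, that compares a constructed asset inventory with constructed syslog-style lines and reports inventoried devices that never sent a log, devices whose last log is older than 24 hours, and log sources that are not in the inventory at all. Hostnames, the line format and the 24-hour window are assumptions.

```python
"""Log-source coverage check reconciling Control 1 (asset inventory) with Control 8
(audit logs). Added example, not the article's code; inventory and log lines are constructed."""
import re
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1, 12, 0, 0)   # fixed clock so the report is reproducible
MAX_SILENCE = timedelta(hours=24)      # assumed tolerance before a source counts as stale

# Constructed asset inventory: every device that is supposed to send logs.
INVENTORY = {"fw-edge-01", "sw-core-01", "sw-core-02", "srv-db-01", "srv-web-01"}

# Constructed syslog-style lines: "<ISO timestamp> <hostname> <message>".
LOG_LINES = """\
2024-06-01T11:58:03Z fw-edge-01 deny tcp 203.0.113.9:51234 -> 10.0.1.5:3389
2024-06-01T11:40:10Z sw-core-01 interface Gi1/0/24 changed state to down
2024-05-29T08:12:44Z srv-db-01 sshd[2211]: Accepted publickey for dba from 10.0.5.7
2024-06-01T11:59:59Z srv-web-01 nginx: 10.0.9.3 "GET /login HTTP/1.1" 200
2024-06-01T11:57:00Z atm-ctrl-07 kernel: usb 1-1: new high-speed USB device
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s")


def last_seen(lines):
    """Map hostname -> most recent timestamp at which it delivered a log line."""
    seen = {}
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skipped rather than trusted
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        host = m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def coverage_report(inventory, lines, now=NOW, max_silence=MAX_SILENCE):
    """Three lists: inventoried hosts with no logs, hosts gone quiet, and unknown log sources."""
    seen = last_seen(lines)
    silent = sorted(h for h in inventory if h not in seen)
    stale = sorted(h for h, ts in seen.items() if h in inventory and now - ts > max_silence)
    unknown = sorted(h for h in seen if h not in inventory)   # "you cannot protect what you don't know exists"
    return {"silent": silent, "stale": stale, "unknown": unknown}


if __name__ == "__main__":
    for kind, hosts in coverage_report(INVENTORY, LOG_LINES).items():
        print("%-8s %s" % (kind, ", ".join(hosts) or "-"))
```

Each of the three lists is a different failure: a silent device has logging switched off or misrouted, a stale one has stopped forwarding, and an unknown source is a device the inventory missed.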

9. Email and Web Browser Protections

The foundation of this control is examining how your employees interact with their email and web browsing applications. By providing instruction on and enforcing policies that limit employee exposure to a social engineering attack, you can limit threat vectors such as Business Email Compromise, phishing and SQL injection/cross-site scripting attacks.

10. Malware Defenses

Automated tools should be used to stop the spread and execution of malware at all points in any organization, including malicious email attachments, links to phony and fraudulent websites and infected storage media such as USB or flash drives.

11. Data Recovery

You should back up datasets on a regular basis and use a proven backup and restore methodology. You may have heard of the “golden hour” in medicine, referring to the importance of early intervention when dealing with a traumatic injury. The ability to restore operations within hours after a cyberattack is your golden time to prevent serious operational disruption and reputational damage to your business.

12. Network Infrastructure Management

Establish, implement, and actively manage (track, report, correct) network devices in order to prevent attackers from exploiting vulnerable network services and access points. New hardware ships with default security settings, but those may not be the right settings to protect your unique environment. You need to perform regular audits on these devices and implement a proper change management process so that an attacker cannot discover and exploit insecure settings.

13. Network Monitoring and Defense

You should continuously monitor the flow of network communications through automated tools such as network intrusion detection devices and other types of intrusion prevention systems. This can prevent the hijacking of information moving between an employee (such as a remote employee) and the parent organization.

14. Security Awareness and Skills Training

Enterprise-wide communication and understanding of the importance of adhering to policies and procedures is critical to prevent cyberattacks. You should develop and maintain a Security Awareness Training program focused on keeping your employees motivated and proactive in upholding security policies and procedures.

15. Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

16. Application Software Security

You also should be proactive in managing your entire Software Development Life Cycle, end-to-end. You need to know exactly what goes into your source code to ensure that it’s “clean” and doesn’t cause problems in the applications where it will ultimately reside.

17. Incident Response and Management

Bad things will happen, but you can be prepared to respond to attacks and restore normal operations quickly. An incident response and management plan should be practiced and rehearsed regularly, and it should include:

  • Risk mitigation procedures
  • Appropriate mechanism for reporting anything out of the ordinary
  • How data and forensics should be collected
  • Responsibilities of upper management
  • Any necessary legal protocols
  • A communications strategy for all concerned

18. Penetration Tests and Red Team Exercises

Penetration testing is as close as it gets to the real world and one of the best ways to discover the security vulnerabilities that could exist in your organization. The red team can report on the weaknesses they discover in your environment and recommend how to correct them. This process helps you understand the mindset and tactics of an attacker, so your organization becomes more adept at protecting against real-world cyberattacks.

While many organizations implement most of these controls, they often fall short on a few. The problem is that all 18 need to be in place, at a minimum, to achieve effective security. The good news for you is that cyberattackers often seek out financial services organizations with holes in their security, because it’s easier to go after the low-hanging fruit. If you implement the 18 controls outlined here, you become a harder target and present a disincentive for attackers to pursue you.

Of course, these controls are the price of entry for effective cybersecurity. When you’re ready to take protection to the next level through active detection and response to threats, and work with a partner that can simplify the complexity of cybersecurity overall, it’s time to consider MDR. Learn more about Critical Start MDR here.

Read part 2 as we dig deeper into Q-Bot ransomware and other threats to the financial services industry, and how MDR can help simplify breach prevention.
