Mike Hart, Vice President Central Europe, FireEye
It’s no secret that banks are one of the most popular targets for cyber criminals. The approach the attackers take is largely the same from case to case: they currently rely primarily on weak authentication to penetrate networks. With stolen credentials and inadequate access controls, the attackers already have access to important data, people and systems. But how can banks protect themselves before the worst happens?
by Mike Hart, Vice President Central Europe FireEye
Defending against any type of attack is about putting controls in place in the right places to detect, analyze and respond to the threat and reduce it in the future. Despite this, there are still hackers that find their way into the network. But the similarity of attacks makes it possible to identify measures that offer banks good protection against hackers.
1. Identification of critical corporate assets
As with any other risk assessment, the first step is to determine where potential vulnerabilities lurk. When trying to protect everything, it is easy to end up with nothing that is really protected well enough: a little bit of everything, but nothing done properly.
Accordingly, it is important to identify the systems, resources and processes with a particular need for protection before implementing security measures.
2. Proper access data management
In almost every attack, access data is stolen and misused.
So it is particularly important to protect credentials. A possible first approach is to reduce the number of authorized administrators and privileged accounts.
It’s also a good idea to use multiple authentication domains to limit the damage a stolen credential can do. For example, a separate authentication domain with different credentials can be used for a critical system. In addition, password management solutions should be used for local administrator and privileged accounts. To secure remote access and all access to sensitive systems and applications, multi-factor authentication offers increased protection. So that misuse is not noticed only when it is already too late, monitoring credential use acts as a kind of early warning system: every administrator action should be logged and thoroughly investigated. In addition, it is recommended to strictly separate administrators who can change access permissions from those who can make system changes. Some companies now use smart cards for critical systems, but even these are not safe if left unattended in devices. The best option is to store them in a safe with physical security control.
3. Implement proper segmentation
Segmentation can help protect critical systems. However, it is often improperly implemented and monitored, leading to a deceptive sense of security.
Where possible, air gaps (physical separation) are recommended for sensitive systems.
Of course, there are costs associated with the manual processes involved, but these must be weighed against the potential damage from a breach. Where air gaps are impractical, only strict compartmentalization helps, because advanced hackers can easily manipulate firewalls or network access controls once they reach them. The effective countermeasure is to provide administrative access, for example to firewall management consoles, only over a separate network. Also, use a separate authentication domain with multi-factor authentication so that, for example, stolen remote access credentials cannot be reused. Remote desktop technology can also help here, for example by routing all access between networks through a controlled jump host.
4. Data segregation
Data for live operations should not be entered into development, test and QA systems.
These systems are often accessible with lower privileges or embedded in less secure environments. This means that users who should not have access to live data can also access it. Only randomized, synthetic, anonymized or otherwise non-sensitive data should be used outside of live environments, as this greatly reduces the attack surface for theft of sensitive data.
5. Protection against spear phishing
Modern email-based attacks rely on sophisticated social engineering techniques that could fool even the most experienced user.
In fact, the majority of attacks on financial service providers begin with a spear phishing email. Merely relying on spam filtering and anti-virus software is no longer sufficient: targeted spear-phishing emails are very well crafted and personalized, and are almost indistinguishable from legitimate emails.
Therefore, a technology solution that prevents such emails from reaching the victim in the first place is critical. Such a solution must be capable of two main things: first, detecting malicious links and malware-laden attachments in emails; second, also catching non-malware attacks, such as attempts to impersonate a trusted sender or to fish for access credentials.
Mike Hart is Vice President Central Europe at FireEye. He has years of expertise in the IT industry, gained at Veritas and Symantec, among others. Originally from the United Kingdom, Hart has lived in Germany for more than 20 years.
6. Gathering evidence
Forensic measures are recommended to log all network traffic into and out of core applications.
The information obtained from this should be retained for at least 30 to 90 days so that it is available for follow-up investigation and for actively hunting possible attackers. This logging should be in place for all critical systems.
7. Vulnerability scanning
How secure all critical systems really are needs to be thoroughly tested – and not just once, but after every configuration change.
In addition, financial service providers should make greater use of red teaming.
Unlike penetration testing, which only replicates a direct attack on exposed attack surfaces, red teaming simulates a real-world attack end to end, reflecting the techniques and methods of advanced attackers. This is the most realistic way to assess the effectiveness of security controls.
8. Move from a SOC to a cyber defense center
Most financial service providers have a security operations center (SOC) in place. However, many of these SOCs are passive and only respond to alerts generated by their security tools. A better option would be a cyber defense center approach. A cyber defense center transforms a financial services company with a compliance-driven, alert-driven approach to security into one that can detect, track, target, respond to and mitigate advanced threats.
9. Detecting hacker attacks
Good security technology is able to detect different types of attacks, such as credential misuse or lateral movement of attackers across the network. It must be able to detect even previously unknown attacks in near real time by performing a comprehensive analysis of the entire system behavior. In addition, every incident should be investigated. A financial institution cannot afford to treat "advanced" and "commodity" threats differently.
For example, a seemingly common malware infection can be sold on to a more sophisticated hacker, who then uses that access to steal credentials, deploy additional tools, and move laterally across the network to other hosts.
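As an added illustration of the detection described in point 9 and the jump-host control recommended in point 3 (example code written for this article, not FireEye's product or the author's own), the following parses constructed authentication log lines and flags two patterns: a privileged account reaching a critical system from anywhere other than the sanctioned jump host, and one account authenticating to many distinct hosts within a short window, a simple lateral-movement heuristic. The host names, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "timestamp user src_host dst_host result"
SAMPLE_LOG = """\
2024-03-01T09:00:05 svc_backup jump01 core-db-01 success
2024-03-01T09:01:10 admin_jane ws-1042 core-db-01 success
2024-03-01T09:02:00 admin_jane ws-1042 core-app-02 success
2024-03-01T09:02:30 admin_jane ws-1042 fileserver-07 success
2024-03-01T09:03:15 admin_jane ws-1042 core-app-03 success
2024-03-01T09:03:40 admin_jane ws-1042 hr-db-01 success
2024-03-01T10:30:00 admin_bob jump01 core-db-01 success
2024-03-01T10:45:00 admin_bob jump01 core-app-02 success
"""

# Assumed environment facts: which accounts are privileged, which hosts are critical,
# and which host is the only sanctioned jump host for reaching them (point 3).
PRIVILEGED = {"admin_jane", "admin_bob", "svc_backup"}
CRITICAL = {"core-db-01", "core-app-02", "core-app-03"}
JUMP_HOSTS = {"jump01"}

def parse(log_text):
    """Turn the whitespace-separated log format above into (time, user, src, dst, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, dst, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst, result))
    return events

def flag_jump_host_bypass(events):
    """Privileged logon to a critical host whose source is not a jump host."""
    return [(u, s, d) for _, u, s, d, r in events
            if r == "success" and u in PRIVILEGED and d in CRITICAL and s not in JUMP_HOSTS]

def flag_fan_out(events, max_hosts=3, window=timedelta(minutes=5)):
    """Accounts that reached more than max_hosts distinct hosts inside any window (fan-out)."""
    by_user = defaultdict(list)
    for ts, u, _, d, r in events:
        if r == "success":
            by_user[u].append((ts, d))
    alerts = {}
    for u, hits in by_user.items():
        hits.sort()  # chronological, so the window scan below is correct
        for i, (start, _) in enumerate(hits):
            hosts = {d for ts, d in hits[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                alerts[u] = max(alerts.get(u, 0), len(hosts))
    return alerts
```

In the sample, admin_jane is flagged by both rules, while admin_bob, who works through the jump host and touches only two systems, is not.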
10. Use threat intelligence
Properly deployed, threat intelligence can improve detection quality and incident response speed, assist in threat hunting, provide contextual information about those threats, and thus help drive the risk management program.
The best way to protect against hackers is to combine all these tips together, rather than looking at them in isolation.
Security is a process that must constantly evolve along with the changing threat landscape. Attackers currently rely primarily on weak authentication to compromise financial services networks.
It is important to understand the attack points that exist and then segment them with strong authentication and other network controls. It is also important to protect yourself from threats such as spear phishing, as this is the most common way attackers get into the network.
Overall, financial services firms would do well to move from a purely preventative security approach to one that also considers how to effectively respond to an attack. This includes, for example, building a cyber defense center with strong detection methods, threat intelligence, and forensics, as well as permanently reviewing the effectiveness of the security program and controls through exercises such as red teaming. When all these aspects are taken into account in the security strategy, the result is a complex, interlocking defense system that slams the door in hackers’ faces, if it wasn’t already closed anyway.