Articles

By: and
Publication: Nebraska Banker, November/December 2016


One of the difficult tasks banks continue to face is how to educate customers on the importance of cybersecurity. You send inserts with your statements and provide pamphlets in your brick-and-mortar branch, but what is being absorbed?

 

On the other hand, when you are marketing, you target your audience through TV ads, flyers, magazines, tradeshows, signage, etc. – a variety of channels to reach a wide audience base. Try to think of educating your customers in the same way you would market to them. After all, one of the roles of marketing is to educate. As with marketing, you can't expect to educate your target audience about cybersecurity through just one channel. So here are some ideas and channels to consider for providing cybersecurity education:

Read Full Article

 

By:
Publication: The Community Banker, Winter 2016


"DDoS attack that disrupted internet was largest of its kind in history, experts say," was the headline from The Guardian on October 26th 2016.  What followed explained how this attack brought down some servers that provided online gaming and streaming video services.  As a banker who may have read a similar article, you may have thought to yourself, "So some kid couldn't play his video game, so what?"  It is hard to envision how something like a DDoS (Distributed Denial of Service) attack can affect the banking industry, but it can.  First, it is important to understand what a DDoS attack is and then how it relates to information security in the financial industry.

Read Full Article

 

By: (Security+)
Publication: The Kansas Banker, November 2016

 


We know encryption is the bees' knees; that's why we've been coming up with ways to encrypt messages since the time of the ancient Greeks. But do our coworkers and family members understand what it means to use encryption in today's technology landscape, if they're using encryption at all?

In layman's terms, encryption is about putting data inside a virtual safe and locking it with a key that only you have. In terms of communication, there are a series of locks and keys passed back and forth to turn your data into gibberish which can only be understood by the parties with the keys. 

Read Full Article

 

By:
Publication: The Kansas Banker, September 2016


"It's hard to educate customers…..but we still have to try."  My boss uttered this the last time we broached the subject of customer education, and I think it perfectly captures the difficult task that banks are facing now and will continue to face in the future.

Customer education is sort of the grad school of training, right?  Most of you are still working on training your employees not to click on links in email as you hope and pray that your social engineering test goes well this year.  But customers?  How do you create training materials for customers?  How do you grab their attention when you don't sign their paycheck?

Read Full Article

 

By:
Publication: Michigan Bankers Association, September/October 2016


"Everybody, hands in the air! This is a stick-up!"  This traditional well-worn cliché has just about run its course in the bank robbery world.  Now, the would-be robbers are using ones and zeroes to hold bank data hostage and take their money.  What about making this simple – "Ransomware is a hot topic because it works. Criminals are stealing millions of dollars."  Fortunately, there are some strategies institutions can use to mitigate the threats this attack vector poses and help prevent its spread if a machine becomes infected.

Read Full Article

 

By:
Publication: Colorado Banker, September/October 2016


Let's have a password discussion once again. We all know the problem: multiple special characters, longer is better, avoid dictionary words, etc. As a result, many of us have opted for password managers such as LastPass, Dashlane, or 1Password to manage the multitude of credentials we must use on a daily basis. My question is: do your organization's controls cover the use of these third-party password managers?

Institutions, no matter their size, should seriously investigate their personnel's use of these password managers. We routinely encounter customers whose IT staff utilize such services but not always at the enterprise level. Even if your institution is currently using an enterprise option, it would be advantageous to ensure policies cover the following: controls utilized by the password manager, mixing of personal and professional credentials by your employees, and post-employment access.

Read Full Article

 

By:
Publication: Western Independent Banker, September 2016

Skimmers, tastic thief, sniffers, Internet of Things… you may or may not know what these things are and how they pertain to attacks. A simple online search for hacking equipment returns a variety of results for inventions made for the sole purpose of infiltrating your corporate network. Most people envision a hacker as a guy in his mom's basement building sophisticated hardware. But it's really much simpler. The reality is… it's very easy to acquire usernames and passwords without a substantial monetary investment. Most of the successful attacks you read about today began with very humble beginnings: just a phone call or email.

Read Full Article

 

By: (Security+)
Publication: The Community Banker, Fall 2016

Have you ever left your garage door open or forgotten to lock the front door? It happens. When I was young, almost every day as we were on the way to school, my mom would ask, "Did I shut the garage door?" Sometimes we felt sure, but other times we turned around to go check. Now that I own my first house, I completely understand this frustration. It's just not a thing I always remember to do.

The same goes for our virtual doors. Do we remember to close the door to our home wireless access points or our smartphone Bluetooth? It's easy to forget. If you're the kind to forget to close your doors, then the recent DEF CON event could have been a real doozie for you. At the beginning of August, the annual DEF CON event took place in Las Vegas. Even if you don't know the name, you may be familiar with the premise. DEF CON is a massive hacker convention for anyone interested in anything that can be hacked. Speakers present on finding vulnerabilities, how people can exploit these issues, and ways to attempt securing your digital assets. Attendees participate in hacking competitions, with prizes often won by those with the most innovative techniques. This year, 22,000 people attended the 24th annual event. In short, it's a lot of smart people doing smart things for fun. Whether white hat or black hat, the skills of these hackers are impressive.

Read Full Article

 

By:
Publication: The Kansas Banker, August 2016

 

If I were to ask you to list your top security threats, how would you respond? No doubt many would mention cybersecurity, seemingly the hottest topic at banking conventions, forums and with examiners. A Google search for "top cybersecurity threats" produces lists like these:

Some of the aforementioned items might be in your own list and, like me, you may not even be familiar with some of these threats. How would you answer if I rephrased the question: "What is your weakest link in security?"

You Are The Weakest Link!

Read Full Article

 

By:
Publication: The Colorado Banker, July/August 2016

If one took a geographic look at many internal networks, they might see something that reminded them of the Great Plains: flat, open, and unregulated. They would find a terrain that allows someone to get from one place to another by traveling in a straight line. Those terms are fine when applied to the Great Plains; however, the time has come to fence in and segregate internal networks.

Segregation or Segmentation?

Many networks already have some form of segmentation in place. Network segmentation could take the form of different subnets for each location, floor, a specific switch, or a group of ports. Technologies like virtual local area networks (VLANs) can also help achieve segmentation. Network segregation goes a step further by restricting access to devices and services offered on each network segment and within network segments to only those devices that have been explicitly allowed. Network segregation defines what can communicate on the network and how that communication can occur. Technologies used to implement network segregation can include router, switch, and VLAN access control lists, and network, virtual, and host-based firewalls.

Read Full Article