Cybersecurity continues to dominate headlines, budgets and bankers’ attention. In today’s evolving business landscape, cybercriminals are working overtime to steal valuable data that can be sold, held for ransom or used to undermine an organization’s credibility.
Given the intense focus from bankers and other business leaders on mitigating cyber threats, CSI recently held a cybersecurity update webinar with guest speaker Joseph Blankenship, Forrester senior analyst. The following questions were asked by webinar attendees and answered by Blankenship.
- Is a Zero Trust network something a financial institution needs to deploy now to keep up with the competition?
Financial institutions rely on customer trust. In the early days of banking, vaults were featured at the back of the bank where customers could see them and feel assured that their money was secure inside. Financial assets are now digital assets moreso than physical assets. That means that financial institutions must portray the same level of digital security as they once did with physical security.
That’s where Forrester’s Zero Trust framework comes into play: In a Zero Trust network, sensitive data and systems are isolated into microperimeters where security controls, policy and management can be consolidated.
Zero Trust is based on three core concepts:
- Verify and secure all resources and data assets.
- Limit and strictly control access.
- Log and inspect all traffic.
Zero Trust networks protect financial institutions’ most important asset — their data. By properly identifying, segmenting, monitoring and protecting sensitive data, financial institutions can keep their customers’ trust. Earning and maintaining that trust is a competitive advantage.
- How should financial institutions, especially those with limited IT resources, approach Zero Trust networking to ensure a smooth, successful implementation?
Implementing Zero Trust doesn’t have to be a costly, resource-intensive endeavor. The first step is to identify sensitive data and understand how that data is used; then, the next step is to design segmentation such that only users who need access to specific data have access to it.
For example, limit access to customer account information to only users who need access in order to perform their duties. Customer-facing users may need certain account access to serve customers, but users in back-office or support functions may not need access to customer data to carry out their duties.
Once segmentation is in place, organizations can then monitor and log access to sensitive data to enable faster detection and response. By prioritizing the organization’s most sensitive systems and data, security professionals are better able to concentrate efforts on protecting the things that matter most.
- If a financial institution falls victim to ransomware, what’s the first thing it should do?
As Douglas Adams said in his tome The Hitchhiker’s Guide to the Galaxy, “Don’t panic.” If targeted by ransomware, the first course of action is to isolate the affected device(s) from the network to prevent further infection. You should not take any actions, like powering the system down or wiping it, that will make getting forensic data from the device difficult or impossible.
Once the devices are isolated, you should enact your incident response plan, check other systems for signs of infection and conduct forensics to see if the attackers were able to extract any data. If you have sufficient backups, there should be no need or temptation to pay the ransom. You should also notify law enforcement and the Financial Services – Information Sharing and Analysis Center (FS-ISAC) about the attack.
- With the threat of ransomware expanding, what’s the best approach our financial institution should take to protect our data?
Regular backups are the best defense against ransomware. If you are able to recover crucial data from backups and no data was taken, the attack is only a nuisance.
Since ransomware is a form of malware, financial institutions should take the steps they would take to prevent any malware infection: vulnerability scanning and patching. Organizations should also utilize malware detection both at the endpoint and in the network to identify and stop malware before it’s able to infect systems.
Also, since most ransomware infections are the result of phishing or watering hole attacks, make sure your email and web security controls are updated. Your users are the last line of defense against ransomware, malware and phishing attacks. Strengthen the “human firewall” by educating users and regularly testing them, so that they are educated about attack methods and how to avoid becoming a victim. Also make sure to create, test and regularly update your incident response plan. Knowing how to respond to security incidents like ransomware attacks can significantly reduce their impact.
- Reports indicate that cybercriminals are using internet of things (IoT) devices to amplify their distributed denial of service (DDoS) attacks. As our financial institution starts bringing in new devices that may have IoT capabilities, how do we go about ensuring those devices remain secure from DDoS exploitation?
As we learned from DDoS attacks like the 2016 attacks on the DNS service provider Dyn, IoT devices have become a new and potent cyberweapon. Unfortunately, device manufacturers have not taken security into account when building many of these devices.
Keeping IoT devices secure will require segmenting them away from systems containing sensitive data.
A Zero Trust network will help to isolate IoT devices, allowing you to put controls in front of those systems to protect and monitor them. Using next-generation firewalls as segmentation gateways also can provide security controls for IoT networks. You should also monitor these networks for signs of intrusion or malware infection.
Interested in learning more?
For a more in-depth examination of these cybersecurity topics, please watch Blankenship’s full presentation via our free on-demand cybersecurity update webinar.
Joseph Blankenship is a Forrester senior analyst with more than 10 years of security experience. He has an extensive background in IT, telecommunications, and consulting, having worked with such companies as Nextel, IBM, Philips Electronics and KPMG.