INSIGHTS
Current best practices for large banks attempting to protect their data against breaches begin with establishing a formal security framework and culture for the institution, from which the institution can establish policies, procedures, and systems to identify and measure risks, mitigate those risks, and monitor and report events and breaches.
Encryption technology is virtually impregnable at this point; data breaches instead come from online social engineering schemes designed to exploit people and from attacks on weak network points.
A September 2016 white paper by the Federal Financial Institutions Examination Council (FFIEC), entitled the "FFIEC Information Technology Examination Handbook," is widely considered by present-day sources to be the authoritative guide for financial institutions wishing to secure their data.
The realm of data security in general, and for financial institutions such as large banks in particular, is a constantly evolving arena. However, based on white papers published by the Federal Financial Institutions Examination Council and the National Institute of Standards and Technology, there are several common best practices that banks are currently encouraged to follow. The first is to establish a formal security framework and culture for the institution. From this framework the institution can then develop policies, procedures, and systems to identify and measure risks, mitigate those risks, and monitor and report events and breaches.
Below is a deep dive into our findings.
A NOTE ON OUR SOURCES
The most authoritative source for data security in financial institutions in general, including large banks, is a white paper released in September 2016 by the Federal Financial Institutions Examination Council (FFIEC). While it is Wonder's nominal practice to use only sources published within the past two years in order to ensure that we are presenting the most up-to-date information available, this particular source is still quoted as the definitive source on the subject in current articles, and so will provide the backbone of our report. However, please note that the paper is 98 pages long, and so our summary here does not do it justice, even supplemented by other, more succinct sources. We therefore recommend downloading and reading the paper in its entirety.
Another key source, which is more recent but not specific to the financial industry, is the 2018 white paper, "Framework for Improving Critical Infrastructure Cybersecurity," published by the National Institute of Standards and Technology (NIST). The advice offered is very similar to that of the FFIEC in most respects, though couched in terms of the NIST-designed framework, which divides data security into the functions of Identify, Protect, Detect, Respond, and Recover; this maps readily onto the somewhat simpler structure of the best practices given below. These functions can be further divided into categories and sub-categories specific to the nature of the business or organization in question. The paper further formalizes risk management into four tiers: partial, risk informed, repeatable, and adaptive.
Since it is more industry-specific and more general in its approach, we will favor the FFIEC report and refer to the NIST's as a secondary resource; however, we recommend reading the NIST report in its entirety as well, as the structure provided could be very useful in formalizing an approach to data security.
ESTABLISH A FORMAL SECURITY CULTURE AND FRAMEWORK
With 35% of all data breaches being in the US financial industry, utilizing the best practices to protect large banks is obviously paramount. While nearly all sources refer to the need to formally train the bank's staff to identify, avoid, and properly report security breaches, the FFIEC rightly notes that an "information security program is more effective when security processes are deeply embedded in the institution’s culture." This begins with the institution's board, which must "reasonably understand the business case for information security," enabling it to properly guide policy at all levels of the bank. After all, they will need to ensure that the program is sufficiently staffed and funded. In some cases, it may prove easier to accomplish this via a designated board committee.
Data security must be integrated into all new initiatives "from the outset and throughout the life cycles of services and applications." Management should report at least annually on "the overall status of the program," with details on risk assessment, management, and control, as well as security breaches (see below) and recommendations to update the program. (Note that this is just a summary; see the FFIEC report, pages 4-5, for a far more comprehensive description of the responsibility of management.)
This includes creating new norms of strong authentication, authorization, and accounting for remote banking customers, with a model of sharing responsibility for data and transaction security with the end user. As noted by BAI, this makes the banks heavily dependent "on smart devices to provide and enforce tools such as biometric authentication and safe browsing."
IDENTIFY AND MEASURE RISKS
A large bank's data security program needs to develop groupings, aka a taxonomy, of significant threats to cybersecurity. This makes it easier to collect and use data regarding potential threats. As explained by the FFIEC, "Institutions should consider using threat modeling to better understand the nature, frequency, and sophistication of threats; evaluate the information security risks to the institution; and apply this knowledge to the institution's information security program."
Among these risks are vulnerabilities, which range from the technical to weaknesses in the bank's policies and procedures. These vulnerabilities often develop because of untested assumptions about the way a process should work, especially when interdependent and interconnected systems are developed with third party clients and vendors. Such vulnerabilities must be identified (perhaps through a third-party audit) and corrected.
Once identified, the risks should be mapped and deconstructed into possible breach events and stages in which an event might take place. This allows the bank to determine effective and efficient means of mitigating their risks of a data breach (see below). Some common tools used in this process include event and attack trees, kill chains, and "other security-related schemata." Outside sources, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), may provide useful perspectives at this stage.
The FFIEC provides its own Cybersecurity Assessment Tool on its website "to help institutions identify their risks and determine their cybersecurity preparedness," by providing "a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time."
MITIGATE RISKS
After risks have been identified and measured, plans can be put into place to mitigate the risks. This requires an honest assessment of the institution's "extent and quality of the current control environment," rather than only the individual discrete controls over any particular procedure. Next, the bank should develop/update policies, standards, and procedures to guide the decisions and activities of its users, "specify the mechanisms through which responsibilities can be met," and provide guidance for future information systems, from acquisition to maintenance to operation. These will establish the controls for the system.
Controls may be categorized both by timing (e.g., preventative, detective, or corrective) and by nature (e.g., administrative, technical, or physical). As noted by the FFIEC, "It is important to have a layered control system, which deploys different controls at different points of a business process and throughout an IT system so that the strength of one control can compensate for weaknesses in or possible failure of another control," further mitigating risk. See pages 13-14 of the FFIEC report for a list of organizations who have published control listings and implementation guidance.
Just a partial list of controls for data protection includes:
Network controls
Malware mitigation
Control of information
Logical security
Application security
Database security
Encryption
While anti-malware, for example, is critical, it is well known to experts that the overwhelming majority of malware attacks are facilitated "through a series of online social engineering schemes that manipulate unsuspecting users to open the door wide for hackers." A typical example is emailing a user a seemingly innocuous spreadsheet with an embedded macro that instructs a remote server to deliver malware to the target system. This means that the employees themselves must be trained to become the first line of defense against data breaches, and in particular to recognize a possible attack.
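Training is the first line of defense, but the macro-laden spreadsheet described above can also be caught before it reaches an inbox. The following is an added example, not code from the Wonder report or from the FFIEC or NIST publications it cites: a mail-gateway check that looks inside an Office Open XML package for a VBA project (Excel, Word and PowerPoint all store macros in a `vbaProject.bin` part, which the package manifest declares with the content type `application/vnd.ms-office.vbaProject`) and quarantines macro-bearing attachments, especially those hiding behind a macro-free extension such as `.xlsx`. The function names, the quarantine verdict strings and the two sample packages built by `build_sample` are constructed for the demonstration; the sample packages are minimal zip containers, not real workbooks.

```python
import io
import zipfile

# Parts where Office Open XML packages store a VBA project (Excel, Word, PowerPoint).
VBA_PROJECT_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
# Content type the package manifest declares for that part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that should never carry a VBA project; Office will not run macros from
# them, but a mismatch is a strong sign the file was renamed to look harmless.
MACRO_FREE_EXTENSIONS = (".xlsx", ".docx", ".pptx")


def has_vba_macros(document: bytes) -> bool:
    """True if an OOXML document (docx/xlsx/pptx family) contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(document)) as package:
            names = set(package.namelist())
            if any(part in names for part in VBA_PROJECT_PARTS):
                return True
            # Second check: the manifest declares the VBA part's content type.
            if "[Content_Types].xml" in names:
                manifest = package.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    return True
    except zipfile.BadZipFile:
        # Not an OOXML container (legacy binary .xls, or something else entirely);
        # a real gateway would hand these to a different scanner rather than pass them.
        return False
    return False


def triage_attachment(filename: str, document: bytes) -> str:
    """Decide what a mail gateway should do with an incoming office attachment."""
    if not has_vba_macros(document):
        return "deliver"
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        return "quarantine: VBA project inside a macro-free extension"
    return "quarantine: macros present, hold for analyst review"


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal xlsx-like package for the demo; not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        manifest = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types">')
        if with_macros:
            manifest += ('<Override PartName="/xl/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        manifest += "</Types>"
        package.writestr("[Content_Types].xml", manifest)
        package.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            package.writestr("xl/vbaProject.bin", b"\x00constructed placeholder vba stream\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("invoice.xlsm", build_sample(True)),
                      ("invoice.xlsx", build_sample(True)),
                      ("invoice.xlsx", build_sample(False))]:
        print(f"{name}: {triage_attachment(name, doc)}")
```

The check is deliberately structural rather than signature-based: it does not try to decide whether the macro is malicious, only whether a macro is present at all, which is the decision a layered control can make cheaply at the gateway and hand to an analyst or sandbox for the expensive part.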
In addition to unwitting participants, the bank must be aware of the possibility that disgruntled employees may collude with hackers by deliberately ignoring company protocols, downloading malware, or sharing passwords.
The use of encryption is key. In fact, as of 2017, "no one speaks of breaking the encryption algorithm anymore." Rather, the vulnerable points of attack are weak network points and the aforementioned social strategies. Despite this, only 92% of US financial services organizations currently make use of encryption technology.
In addition, many data centers use careful micro-segmentation and isolation silos to prevent a data breach in one sector from compromising the whole. Likewise, banks should only white-list applications with "a clean Product Development Lifecycle (PDLC) record," and even then, it may be advisable to only allow white-listed applications to operate "inside a designated container."
MONITOR AND REPORT EVENTS
Monitoring of risks and threats should be both continual (e.g., automated malware detection) and ad hoc (to reduce predictability). This monitoring should "address indicators of vulnerabilities, attacks, compromised systems, and suspicious users, such as those who do not comply with or seek to evade security policies." Security personnel should be assigned adequate authority to conduct their jobs, and while they should have management oversight, they should also oversee those with higher authority within the institution.
Despite the best system in the world, given the number of actors attempting to obtain access, it's no surprise that data breaches still occur. What is surprising is how long they take to surface: "The average breach inside a major company goes undetected for 229 days." Therefore, when an event takes place, there should be a policy in place to quickly accomplish the following (quoted verbatim):
Identify indicators of compromise.
Analyze the event associated with the indicators.
Classify the event.
Escalate the event consistent with the classification.
Report internally and externally as appropriate.
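The five steps above read as policy, but they are also a pipeline, and writing the pipeline down exposes exactly the ambiguity the report warns about: what happens to an event the classification policy does not name? The following is an added example, not code from the Wonder report or the FFIEC handbook, that runs constructed monitoring lines through identify, analyze, classify, escalate and report. The indicator rules, severity levels, escalation roles, parties to inform and reporting deadlines are all assumptions made for the demonstration, as are the sample log lines; the one design point worth copying is that an event with no matching classification is not discarded but lands with a named owner on a fixed clock.

```python
import re
from datetime import datetime, timedelta

# Constructed monitoring output standing in for SIEM/EDR/DLP alerts (not real data).
SAMPLE_LOGS = [
    "2024-05-01T09:12:03Z host=ws-1042 av: quarantine failed for trojan.generic in invoice.xlsm",
    "2024-05-01T09:12:40Z host=vpn-gw auth: 37 failed logins for user=j.doe in 60s from 203.0.113.7",
    "2024-05-01T09:14:10Z host=ws-1042 dlp: 1.2GB archive uploaded to external host by user=j.doe",
    "2024-05-01T09:15:00Z host=ws-1042 edr: security agent disabled by user=j.doe",
    "2024-05-01T09:16:00Z host=ws-1042 sysmon: unknown signal value=0x7f",
    "2024-05-01T09:17:30Z host=vpn-gw auth: 3 failed logins for user=m.lee in 60s from 198.51.100.4",
]

# Step 1: indicators of compromise. Hypothetical rules mapping log patterns to indicator names.
INDICATOR_RULES = [
    ("malware_detected",     re.compile(r"\bav: .*(trojan|quarantine failed)")),
    ("failed_login_burst",   re.compile(r"auth: (\d+) failed logins .* in 60s")),
    ("data_exfil_suspected", re.compile(r"dlp: .*uploaded to external host")),
    ("policy_evasion",       re.compile(r"security agent disabled")),
]

# Step 3: the written classification policy. One severity per indicator, no gaps the
# analyst has to fill from memory; anything the policy does not name is "unclassified".
SEVERITY = {
    "data_exfil_suspected": "critical",
    "malware_detected": "high",
    "policy_evasion": "high",
    "failed_login_burst": "medium",
}
RANK = {"critical": 3, "high": 2, "medium": 1, "unclassified": 0, "benign": -1}

# Steps 4 and 5: escalation owner, parties to inform, and reporting deadline per class.
# Roles and deadlines are assumptions for the example, not values from the FFIEC handbook.
ESCALATION = {
    "critical":     ("ciso",        ["board_risk_committee", "regulator", "law_enforcement"], timedelta(hours=1)),
    "high":         ("soc_lead",    ["ciso"],             timedelta(hours=4)),
    "medium":       ("soc_analyst", ["security_manager"], timedelta(hours=24)),
    # An event the policy cannot classify is never dropped: a named human owns it on a clock.
    "unclassified": ("soc_lead",    ["security_manager"], timedelta(hours=2)),
    "benign":       (None,          [],                   None),
}


def extract_indicators(line):
    """Step 1: which indicators of compromise does this log line carry?"""
    return [name for name, pattern in INDICATOR_RULES if pattern.search(line)]


def analyze(line, indicators):
    """Step 2: keep only indicators the surrounding context does not explain away."""
    kept = []
    for indicator in indicators:
        if indicator == "failed_login_burst":
            count = int(re.search(r"(\d+) failed logins", line).group(1))
            if count < 10:      # a few typos are not a credential attack
                continue
        kept.append(indicator)
    return kept


def classify(raw, kept):
    """Step 3: highest severity among surviving indicators, with explicit edge cases."""
    if not raw:
        return "unclassified"   # monitoring fired but no rule claims it: needs a human
    if not kept:
        return "benign"         # every indicator was explained away in analysis
    return max((SEVERITY.get(i, "unclassified") for i in kept), key=RANK.__getitem__)


def triage(line):
    """Run one log line through identify -> analyze -> classify -> escalate -> report."""
    observed = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ")
    raw = extract_indicators(line)
    kept = analyze(line, raw)
    severity = classify(raw, kept)
    owner, inform, sla = ESCALATION[severity]
    return {
        "observed_at": observed,
        "indicators": kept,
        "severity": severity,
        "escalate_to": owner,
        "report_to": inform,
        "report_by": observed + sla if sla else None,
    }


if __name__ == "__main__":
    for record in map(triage, SAMPLE_LOGS):
        print(record["severity"].ljust(12), record["escalate_to"], record["report_by"], record["indicators"])
```

Note how the two tables that a policy document would leave vague are made explicit: `SEVERITY` is the classification policy, and `ESCALATION` names who owns the event and who must be told by when. The `unclassified` row is the answer to the ambiguity problem; without it, the unrecognized `sysmon` line would fall out of the pipeline and only surface, as the report puts it, many months later.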
Ambiguity about any of these policies, e.g., an unclear classification policy, could result in a delay in the event being reported, or its severity being underestimated.
Finally, there must be an incident response program with clear policies and guidelines designed "to minimize damage to the institution and its customers." This means containing the incident, preserving evidence, providing assistance to affected customers and, as required, coordinating with the appropriate law enforcement agency and/or other third parties. The response program must make it clear not only which entities should be informed of a breach, but who is ultimately responsible to report it to them. For example, if a customer's data is compromised, there should be an individual or team responsible for contacting the customer immediately.
CONCLUSION
While the current best practices are fairly well-mapped at this point, data security experts note that we're still very much in the early days, and the landscape could change rapidly. As noted in a Northrop Grumman report, we still need to develop "new frameworks for security as a science with the rigor of physics and mathematics." Indeed, a white paper by the Advanced 365 Thought Leadership Series argues that we need "new, as-yet-untested models of security" if we are to provide adequate protection to the financial services industry. Thus, the final best practice for large banks to protect their data is to make sure that their people stay on the forefront of data security practices and technology and build a security framework that allows for adaptation as the landscape evolves.