Ransomware, malware, and phishing—executives within financial services have become all too familiar with these methods of cybercrime.
Each year, banks spend an increasing amount of money and time fighting criminals who are attempting to steal valuable data.
Homeland Security Research says the U.S. financial institution cybersecurity market will exceed $68 billion by 2020. My own company’s 2017 Banking Priorities Study indicates 57% of banks expect to increase spending on cybersecurity initiatives this year.
To combat cybercrime, banks must adopt a variety of strategies, ranging from the required security protocols set out by federal regulators to exploring new cybersecurity models.
One innovative approach banks could begin to pursue is incorporating elements of a “Zero Trust” model into their security posture.
Zero Trust is a model that treats every attempt to access the network as suspicious until proven otherwise. While Zero Trust is not required by regulators, bankers can use its philosophy to strengthen their existing protections and build toward a more secure IT environment.
What is Zero Trust?
Zero Trust, a term originally coined by Forrester*, is a data-centric network model that puts “micro-perimeters” around specific data so that granular rules can be enforced. In practice, this means that banks rigorously inspect all network traffic, both internally and externally.
This method forces a bank’s IT team to treat even the accounts and devices of their most trusted employees as possible sources of threat. Today’s criminals often target high-level employees, and they are often successful, even against well-trained individuals. For example, Ubiquiti Networks lost $46.7 million to CEO spoofing, in which the attacker impersonated the CEO via email and authorized a wire transfer to an account the attacker controlled.
Zero Trust is based on three core concepts:
1. Secure and verify all data assets and resources.
2. Strictly control and limit access.
3. Inspect and log all traffic.
The process includes identifying, segmenting, monitoring, and protecting sensitive data. This process also provides an extra level of security and a competitive advantage due to the level of trust established with customers, employees, and partners.
Identifying critical data
The first step in working toward a Zero Trust model is identifying critical data sets in relation to all the data on the network—banks can’t build protection if they are unaware of what they have. They must know every piece of critical data, where it resides on the system, how long it has been there, who has access to it, and who is the “custodian” of those data sets.
Today, banks manage massive amounts of data, ranging from catering menus for a special event to customers’ personal information. The latter, not the former, would be considered a critical data set and would need specific protocols built around it to ensure its security. However, because some critical data must be accessible by customer-facing staff, it becomes less guarded than other information.
This expanded access to critical data often makes certain employees prime targets for hackers. And while most employees have no ill intent and do not knowingly help a phishing attack succeed, anyone can be fooled.
Even those most knowledgeable about phishing and cybersecurity threats fall victim to attacks, as seen when hackers breached highly trained Pentagon officials. What looks like a routine or harmless email could open the floodgates for hackers to gain access to all critical data sets within a financial institution.
This is why it is important to ensure every staff member is up to speed on both cyber threats and security processes associated with the bank’s cybersecurity protocols.
The next element of a Zero Trust model that banks can pursue is dissecting risk, which is where rules and privileges come into play.
On each network, rules are the first layer of defense for critical data, and privileged access is granted only after trust has been established. The rules isolate suspicious traffic from the network as a whole; privileges, granted through role-based access controls (RBAC), determine which individuals may reach which vital information.
In many financial institutions, especially community banks, this is especially difficult due to the multiple responsibilities many employees manage.
For instance, one person may be both a teller and a part-time bookkeeper, with additional responsibilities in Marketing. Setting RBAC limits can prove difficult because it is hard to define which single role such an employee fills.
This challenge has only increased with the advent of the “universal banker” position, where an employee manages a wide array of customer-facing and back-office tasks.
A challenge for IT departments is defining and implementing controls as well as managing regulations, while not going overboard with protocols that make daily operations onerous. A delicate balance exists between protecting critical data sets and granting employees proper access to network information.
One defense tactic that Zero Trust recommends to combat this issue is setting clear data-retention policies. This means that every piece of data ultimately has an expiration date, even the food menu saved from the last catered event. Retention limits also shrink an attacker’s window: a phishing email that slipped through, and the attachment that came with it, may be purged from the network on schedule before the criminals return to exploit it.
While establishing a full-scale Zero Trust model in a bank is both costly and challenging, financial institutions can break down the model, and implement those pieces that best support their individual risk profile and cybersecurity needs.
One of the first steps could be as simple as assigning custodians to be responsible for certain sectors of critical data. These custodians review the data under their area of responsibility and ensure the proper data restrictions are applied.
After assigning custodians, another tactic banks can implement is logging, which is recording and inspecting all network traffic.
Easily said. However, because this includes everything from routers and firewalls to printers and cell phones, it is an enormous task. The average-sized bank can generate tens of millions of log entries a day. And beyond the sheer volume of network traffic, processing all of those logs and identifying suspicious activity is a huge challenge, because analyzing and inspecting every item plugged into the network costs money and staff time.
However, logging is possible: many banks work with a managed services provider (MSP) to help defray the costs and staffing needs for the IT department. To establish Zero Trust protocols, banks also can work with an MSP to determine which devices require top-tier security and authentication. While ideally every device should be logged, banks often have to prioritize which devices to cover first.
Another Zero Trust tactic is implementing or subscribing to security monitoring services that allow the bank’s cybersecurity team to digest all of their data.
Such services enable the bank to create access controls and determine who is looking at that data and when, as well as process and identify behavior that contradicts established policies.
For instance, User A is not assigned to a particular role, but accesses critical data assigned to that role. Why? An effective monitoring service will flag this activity so that the bank can follow its policies and procedures to address the issue.
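As an added example (not code from the article or from CSI), the following Python script ties together the RBAC discussion above and the monitoring scenario just described. It defines a small, hypothetical bank policy in which a "universal banker" holds several roles and receives exactly the union of those roles' permissions, then replays a constructed access log against that policy and flags every event the user's roles do not permit, marking whether the data set involved is critical. The role names, data sets, user names and log format are all assumptions for illustration.

```python
"""
Added example, not from the original article: a minimal role-based access
control (RBAC) policy for a small bank plus a detector that replays access
log events against it and flags accesses the user's roles do not permit.
All data sets, roles, users and the log format are hypothetical.
"""
from dataclasses import dataclass

# Hypothetical data sets and whether each is "critical" (see identifying critical data).
DATASETS = {
    "customer_pii": True,
    "gl_ledger": True,
    "wire_queue": True,
    "marketing_assets": False,
    "catering_menus": False,
}

# Hypothetical roles and the dataset:action permissions each grants.  Read and
# write are separate, so a teller who can look up a customer cannot alter the ledger.
ROLE_PERMISSIONS = {
    "teller": {"customer_pii:read"},
    "bookkeeper": {"gl_ledger:read", "gl_ledger:write"},
    "marketing": {"marketing_assets:read", "marketing_assets:write", "catering_menus:read"},
    "wire_approver": {"wire_queue:read", "wire_queue:write"},
}

# A "universal banker" (alice) holds several roles.  Her effective permissions are
# the union of those roles and nothing more; no role here grants wire approval.
USER_ROLES = {
    "alice": {"teller", "bookkeeper", "marketing"},
    "bob": {"teller"},
    "carol": {"wire_approver"},
}


def effective_permissions(user):
    """Union of the permissions of every role assigned to the user (empty if unknown)."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_permitted(user, dataset, action):
    """Default deny: unknown users, unknown data sets and unlisted actions all fail."""
    if dataset not in DATASETS:
        return False
    return f"{dataset}:{action}" in effective_permissions(user)


@dataclass(frozen=True)
class Violation:
    timestamp: str
    user: str
    dataset: str
    action: str
    critical: bool  # True when the data set touched is classified critical


def parse_event(line):
    """Parse one constructed log line: '<timestamp> user=<u> dataset=<d> action=<a>'."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return timestamp, fields["user"], fields["dataset"], fields["action"]


def find_violations(log_lines):
    """Return every access event that contradicts the RBAC policy, in log order."""
    violations = []
    for line in log_lines:
        timestamp, user, dataset, action = parse_event(line)
        if not is_permitted(user, dataset, action):
            # An access to an unknown data set is treated as critical until classified.
            violations.append(Violation(timestamp, user, dataset, action, DATASETS.get(dataset, True)))
    return violations


# Constructed sample log: two permitted events and five that the policy does not allow.
SAMPLE_LOG = [
    "2017-05-01T09:02:11Z user=alice dataset=customer_pii action=read",     # teller: ok
    "2017-05-01T09:05:40Z user=alice dataset=gl_ledger action=write",       # bookkeeper: ok
    "2017-05-01T09:07:03Z user=bob dataset=gl_ledger action=read",          # teller reading ledger
    "2017-05-01T09:09:15Z user=alice dataset=wire_queue action=write",      # no role grants wires
    "2017-05-01T09:12:58Z user=carol dataset=marketing_assets action=read", # outside her role
    "2017-05-01T09:15:00Z user=dave dataset=customer_pii action=read",      # user not in RBAC
    "2017-05-01T09:16:30Z user=bob dataset=customer_pii action=write",      # read-only role
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        flag = "CRITICAL" if v.critical else "non-critical"
        print(f"{v.timestamp} {v.user} {v.action} {v.dataset} [{flag}]")
```

The detector is deliberately default-deny: an unknown user, an unclassified data set or an action no role lists all produce a flag, which is the behaviour a Zero Trust posture wants. In a real deployment the log lines would come from the monitoring service's feed rather than an inline list, and the critical flag would drive which alerts an analyst sees first.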
In today’s cyber-threat landscape, experienced and well-funded cyber crooks work non-stop to steal vital information from banks—and they’re doing so by attacking those with the most access to sensitive information. Where traditional security approaches may fail to protect critical data, the Zero Trust model might be the best approach to keeping the network secure.
While this may not be immediately feasible due to the cost and complexity associated with the model, it is important to begin implementing pieces of the Zero Trust model to enhance the protections already in place.
By going above and beyond what regulators require, banks can begin implementing new, innovative strategies that give their networks the strongest lines of defense possible.
* The first Forrester report on this concept can be found here.
About the author
Stephen Smith is Manager, Network Operations Center Network and Security Services at Computer Services, Inc.