Considered as a whole, the increasingly sophisticated and widely applied threats posed by cyber criminals are daunting. Steve Sanders, vice-president of internal audit, CSI, provides a rundown of specific avenues of attack banks may be susceptible to, and shares a number of tips as to what banks can do before they’re attacked.
“We have to be proactive. We have to be setting the stage. If we don’t do that we will forever be rocked back on our heels, feeling like we’re doing everything we can to keep our balance, wondering what the next attack will be,” Sanders says.
The first step is to have an understanding of the nature of specific attacks. The next step is to understand how vulnerable the organization is to them, and to prepare defenses. Sanders lists the following threats and tips.
Threats to beware of
• Distributed denial of service—Charging just a few cents per computer, cybercriminals for hire can co-opt hundreds of thousands of computers without their legitimate owners knowing about it. Then these computers can be directed to send messages to a targeted website, effectively bringing it down.
“They can generate 150 gigabits per second of traffic. I don’t care who you are, you’re not ready for that,” Sanders says. “Can you imagine if your bank website didn’t work for three weeks?”
• Malware—This is software cybercriminals surreptitiously install on target computers to do various misdeeds, such as steal confidential information or redirect assets. A lot of malware systems can be obtained very economically through the underground internet known as the “dark web.”
“The rate of return off of malware is 1,200%. That’s why the criminals are doing this,” says Sanders.
• Advanced persistent threats—These generally combine malware and social engineering to place software into target systems, where it lingers for long periods of time before its operators activate it to do their misdeeds. It lies dormant—sometimes for years—in order to evade detection systems, all the while collecting information.
• Cloud breaches—Increasingly, businesses contract with consumer-based cloud services to store confidential information, which can put them at risk. The cybercriminals target the cloud providers, either to swipe the confidential files or simply to make them unavailable.
“If your cloud provider is not regulated they’re probably not putting into place the right solutions that you need, so you need to understand that. Ask good questions,” Sanders says.
Tips to counter the threats
• Vendor management—“Do you have a robust vendor management program? The key word is robust,” says Sanders.
The main thing is to understand how mature the vendors are in the cyber security process, especially if they handle data or the bank’s infrastructure in any way.
Sanders says to download and embrace the FFIEC’s Appendix J to the IT Examination Handbook.
“That’s the No. 1 thing you need to be doing,” he says.
• FFIEC cyber security portal—Bookmark this. It offers a wealth of statements, alerts, tools, and other resources regarding cyber security awareness and defense.
“It’s one of the best things they’ve put out in a long, long time,” Sanders says.
• Cyber security assessment tool—Located at the FFIEC cyber security portal, it’s a crucial tool with which to assess a bank’s vulnerability to cybercrimes. It’s not an easy thing to complete, Sanders says, but it’s worth it.