The list contains literally scores of highly technical presentations by experts, some of whom admit to being hackers or other types of cyber miscreants in former lives, but now have reformed. These talks go into incredible detail about the most arcane of subjects, yet all convey the common conclusion that the bad guys out there know more than you do.
Just check out the titles of some of these briefings, picked here somewhat at random:
• A practical attack against MDM solutions.
• Binarypig: Scalable malware analytics in Hadoop.
• BlackberryOS 10 from a security perspective.
• End-to-end analysis of a domain generating algorithm malware family.
• Fully arbitrary 802.3 packet injection: Maximizing the Ethernet attack surface.
There are tons more like this, all incomprehensible to us lay people.
The thing is, as a banker, you are expected to be an expert on banking, not on how CVSS is DOSsing your patching policy (which is the title of yet another Black Hat briefing). Yet, as part of the business of banking, bankers increasingly have to at least be aware of the threats and recognize their constantly increasing sophistication.
Trustwave, which is endorsed by ABA's Corporation for American Banking for its network security and data protection services, recently issued its annual global security report. One of the report's basic conclusions is that "the combination of business and IT transformation, compliance, and governance demands and the onslaught of security threats continues to make the job of safeguarding data assets a serious challenge."
Specifically, Trustwave determined that:
• Mobile malware increased 400% in 2012.
• Businesses are slow to self-detect breach activity, taking an average of 210 days between breach and detection in 2012, itself an increase of 35 days from 2011.
• Web applications, particularly ecommerce sites, have become the No. 1 target for attackers.
• Businesses in general are embracing an outsourced IT operations model: in 63% of Trustwave's investigations into breaches, IT operations had been outsourced to a third party.
"Cybercriminals will never stop trying to compromise systems to obtain data. Organizations need to be aware of where they may be open to attacks, how attackers can enter their environment, and what to do if (and when) an attack occurs," the Trustwave report concludes.
The point about outsourcing particularly rings true. Any number of companies promote new and improved products, services, and even partnerships designed to offer protections against cyber attacks. Trustwave itself is in this business. The sad fact is that, because the bad guys are not only bad but smart at what they do, and because banks are such lucrative targets, and because the financial services industry as a whole admits that it will always be on the defensive, this is a large and growing market.
Here are some recent examples of how the security industry is offering its third-party services:
• WatchGuard Technologies introduced a "Data Loss Prevention" solution for its "Unified Threat Management" platform that seeks to simplify compliance with regulatory standards.
• Penn and Associates Inc. partnered with Aon Benfield to deliver services geared toward identity monitoring and privacy management.
• ID Analytics introduced a new version of its flagship fraud detection solution, "ID Score," combining real-time insight into identity risk with the option of insight into device risk.
• Easy Solutions partnered with Enterprise Risk Management to deliver fraud protection for transactions performed on online and mobile platforms, as well as via ATMs, point-of-sale terminals, and interactive voice response systems.
• Diebold introduced an intuitive online security management solution, "SecureStat," designed as a single gateway for connecting and managing security systems.
Each of these, as well as a legion of other offerings designed to provide cyber security of one form or another, has to be evaluated on its own merits and in relation to the prospective client's unique situation and requirements. One thing they do share, though, is the implicit assumption that the companies and people behind them actually do know more about the technical side of cyber protection than the average banker does, and that's a good thing.
It doesn't mean, however, that the banker can transfer all responsibility to a third party. After all, no one gizmo or software packet is going to protect the bank from an unwary employee who innocently but unwisely clicks a malicious link in an email, particularly when they are trying to stay on top of the usual avalanche of emails.
So Trustwave suggests six specific actions any business, including banks, should consider understanding and then implementing, as a way to build a cyber-savvy base:
• Educate employees: They are the first line of defense. Specifically: Conduct security awareness training; run security awareness campaigns; and perform attack simulation exercises.
• Identify users: Every action should be tagged to a specific person. Specifically: Eliminate generic, shared, vendor, and default accounts; review access management; enact password-complexity policies; employ two-factor authentication; and use biometrics.
• Protect data: Understanding the life cycle of data is paramount to protecting it, including how it is created, categorized, accessed, and stored. Specifically: Create a life-cycle methodology that governs data from creation to destruction; and layer the technologies to build resiliency.
• Register assets: From desktops to laptops, servers to mobile devices, anything that can connect to an organization's systems is capable of providing a unique identifier. Specifically: Manage assets; implement network access control; manage patches; and scan for vulnerabilities.
• Unify activity logs: Don't treat physical and information security controls separately. Specifically: Employ security information and event management technology; and analyze and tune systems to identify which systems need to be correlated to maximize the events captured.
• Visualize events: The ultimate goal should be to develop an environment in which security events are discovered innately, by both responsible security professionals and others in the organization. Specifically: Build or adopt interactive and sensory controls; understand the emerging threat landscape; and have an incident readiness program that includes training for key staff, an incident response plan, and an attack simulation exercise.
Sources for this article include: