The Federal Financial Institutions Examinations Council (FFIEC) recently issued a warning for financial institutions to review their cybersecurity as it relates to fraudulent transfers and global payment networks.
The warning comes two weeks following the FBI’s private alert to banks on possible attacks leveraging SWIFT messages. As those in finance undoubtedly know, in February, cyber criminals stole more than $80 million from a Bangladesh bank account at the Federal Reserve Bank of New York. The attackers used SWIFT credentials to access the account and transfer money to the Philippines.
The warnings from the FBI and FFIEC come as little surprise to those of us working in the financial and cyber-security worlds and serve as a clarion call that we are constantly under attack.
As American Banker reported, the FFIEC said in its recent warning that financial institutions should conduct ongoing information security risk assessments; perform security monitoring, prevention, and risk mitigation; protect against unauthorized access; implement and test controls around critical systems regularly; manage business continuity risk; enhance information security awareness and training programs; and participate in industry information-sharing forums.
These are all excellent first steps in establishing stronger security postures in any industry. Risk assessment, threat detection, threat hunting, continuous monitoring and education programs are all key points I discuss with industry leaders on a regular basis when tackling “Cybersecurity 101.”
It’s that last bullet, however, “participate in industry information-sharing forums,” that should resonate the loudest. It’s also the bullet that might be most easily overlooked, and it will take a concerted effort from industry professionals to truly upset the economic balance of cyber attacks.
The current trajectory of the cyber-security industry puts the “good guys” at a significant economic disadvantage. Most security teams, even at large financial institutions, are a handful of people battling against a relentless wave of well-funded, patient and organized attackers. Thinking of attackers as “businesses” (they are, after all, in it to make money) is the first step in acknowledging the underlying threat they pose.
Attackers are very, very good at sharing with each other. They collaborate on the tools, techniques and procedures they use to successfully attack banks. In contrast, defenders have been largely working in individual silos.
There is a bit of a silver lining here, though. Attackers target different organizations using the same patterns of attack they have used successfully time and again. That’s because to their “businesses” it is very expensive (to the tune of $1 million or more) to change their underlying attack behaviors.
When a security team successfully defends against attacks, the lessons they learn typically remain within that corporate silo. This leaves other security teams in the industry vulnerable to the same attack. To succeed in this battle, we cannot continue to perpetuate the idea that we can do this alone. In order to shift the economic balance of cyber-attacks back in favor of the “good guys,” we need to empower the humans that are fighting this war to collaborate.
It’s very easy to say that “cybersecurity is part of our DNA” to assuage consumers, board members and media that something is being done. However, it’s another thing to say: “We are committed to seeing the entire industry succeed in the battle against attackers.” That commitment starts with sharing the precise patterns of attack that are being used to steal data, intellectual property and millions of dollars.
Evolving to a culture of sharing will not be quick or easy, but it is a fundamental step in moving beyond “Security 101” to ensure that more than just individual businesses are protected. Attackers are waging a war against the entire industry. Without effective collaboration among all of us, sharing the right types of attack behavior, we will remain at risk of being targeted by the same genre of attacks time and time again.
The FFIEC warning and accompanying suggested steps are sound. It’s up to the financial industry now to move beyond the game of “whack-a-mole” we’re currently playing in cybersecurity and team up together to share our lessons learned (sometimes the hard way). Cybersecurity will never be “perfect,” but if we make attacks more expensive for malicious actors, we position ourselves to earn a significant competitive advantage in a game that has become almost exclusively economic.
Eric O'Neill is Carbon Black's national security strategist.