A few weeks ago Shelbi Rombout from MasterCard, Nick Ritter from Fifth Third Bank, Bruce Phillips from Williston Financial Group and I all participated in an interesting panel discussion at the FS-ISAC Annual Summit in Lake Buena Vista, Florida. We used an interactive format to engage the audience on current cyber threats and patterns in advanced cybercrime. During this discussion we touched on certificate security, endpoint protection and threat actor profiles which generated some great discussion.
For me, one of the most interesting aspects of the forum was the different perspectives on which types of attacks constitute a threat -- “What was a threat to me was not a threat to the others on the panel.” Even though all the panelists were part of the financial services industry, the types of threats our organizations face are fundamentally different. Point-of-sale bots and malware are a key concern for the payments industry, but in the mortgage industry phishing attacks that target the home buyer/realtor relationship are a significant hazard. When you think about it, this makes sense because access to agent email accounts provides all the information needed to set up real estate escrow wire fraud.
We also had some “in real life” discussions about the specific threats that target each type of industry. This exchange was very enlightening because there wasn’t nearly as much overlap as you might expect. I was not surprised by this because in previous positions I’ve held, PII or other data, not credit card data, was most at risk, and in each of those organizations we faced different types of threats.
Specialization is an area where the security industry as a whole needs to evolve. In general, the industry has a tendency to look at threats with a narrow view. One reason for this is that we rely on outside resources for information about the constant shifts in the threat landscape. For example, we evaluate what is in the most recent Microsoft patch release, or the security-related Cisco patches, or threat feeds from research organizations. We also follow what’s going on in the media with the most recent vulnerability, malware or breach. This information tends to be non-specific, and since media attention plays a significant role in the general noise level in security, it often creates knee-jerk reactions to the cyber threat du jour. This is one reason why there were a whole lot of people focused on patching for WannaCrypt over Mother’s Day weekend even though the patch had been available since February.
Instead of this automatic response to what the industry is doing and what media is talking about, I think we need a far more customized approach. Organizations need to take outside threat information and combine it with the specific architecture of their unique network, any vulnerabilities they know about and any compensating controls they have in place. The output of this effort is a threat index that’s specific to your unique organization and will keep you from chasing after the latest shiny new object. Instead, you’ll be able to focus on doing the things you need to do to keep your organization secure for the long term.
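As an added illustration of the approach described above (this is example code, not something from the original post or from Worldpay), the following script combines a small constructed threat feed with an organization's own profile: which products it runs and whether they are patched, which attack vectors are actually exposed, and what compensating controls are in place. The weights, product labels, industry tags and mitigation factors are all assumptions chosen for the demonstration; the output is a per-organization threat index, and the same feed produces a different ranking for a mortgage lender than for a payments processor.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatReport:
    """One item from an outside threat feed (constructed sample data)."""
    name: str
    vector: str                    # attack vector the threat relies on
    affected_products: frozenset   # product labels the threat affects
    industry_tags: frozenset       # industries the threat is known to target
    base_severity: float           # generic severity as published, 0..10


@dataclass
class OrgProfile:
    """What the organization knows about itself (constructed sample data)."""
    industry: str
    deployed_products: dict        # product label -> True if patched
    exposed_vectors: set           # vectors reachable in this network
    compensating_controls: dict    # vector -> mitigation factor, 0.0..1.0


# Assumed weights; tune them to the organization's own risk appetite.
PATCHED_FACTOR = 0.3       # affected product present but already patched
UNEXPOSED_FACTOR = 0.2     # vector not reachable in this architecture


def score_threat(report: ThreatReport, org: OrgProfile) -> float:
    """Turn a generic severity into an organization-specific score."""
    affected = report.affected_products & set(org.deployed_products)
    # Irrelevant if we run nothing it affects and it does not target our industry.
    if not affected and org.industry not in report.industry_tags:
        return 0.0
    score = report.base_severity
    unpatched = [p for p in affected if not org.deployed_products[p]]
    if affected and not unpatched:
        score *= PATCHED_FACTOR
    if report.vector not in org.exposed_vectors:
        score *= UNEXPOSED_FACTOR
    score *= 1.0 - org.compensating_controls.get(report.vector, 0.0)
    return round(score, 2)


def build_threat_index(reports: list[ThreatReport], org: OrgProfile) -> list[tuple[str, float]]:
    """Rank the feed for this organization, highest score first."""
    scored = [(r.name, score_threat(r, org)) for r in reports]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed threat feed: four generic items a team might see in one week.
FEED = [
    ThreatReport("WannaCrypt worm", "smb", frozenset({"windows-smbv1"}), frozenset(), 9.0),
    ThreatReport("POS memory scraper", "pos", frozenset({"pos-terminal"}), frozenset({"payments"}), 8.0),
    ThreatReport("Escrow wire-fraud phishing", "email", frozenset(), frozenset({"mortgage"}), 7.0),
    ThreatReport("Router management bug", "mgmt", frozenset({"cisco-ios"}), frozenset(), 6.0),
]

# Constructed profiles for two very different financial-services organizations.
MORTGAGE_LENDER = OrgProfile(
    industry="mortgage",
    deployed_products={"windows-smbv1": True, "cisco-ios": False},
    exposed_vectors={"email", "smb"},
    compensating_controls={"email": 0.5},   # e.g. DMARC plus user training
)
PAYMENTS_PROCESSOR = OrgProfile(
    industry="payments",
    deployed_products={"windows-smbv1": False, "pos-terminal": False},
    exposed_vectors={"smb", "pos", "email"},
    compensating_controls={"pos": 0.25},    # e.g. application whitelisting
)


def mortgage_index() -> list[tuple[str, float]]:
    return build_threat_index(FEED, MORTGAGE_LENDER)


def payments_index() -> list[tuple[str, float]]:
    return build_threat_index(FEED, PAYMENTS_PROCESSOR)


if __name__ == "__main__":
    for label, index in (("mortgage lender", mortgage_index()), ("payments processor", payments_index())):
        print(f"Threat index for {label}:")
        for name, score in index:
            print(f"  {score:4.1f}  {name}")
```

Running it shows the point of the exercise: the worm with the highest published severity drops to second place for the mortgage lender because the affected product is already patched, while the phishing campaign that targets its industry rises to the top; for the payments processor the order inverts and the phishing item scores zero. The scoring is deliberately simple so that every factor maps to something the organization actually knows about itself.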
This near-field thinking can have a negative impact on disaster recovery and business continuity programs as well. Most organizations do an analysis of what it would cost to lose the functionality of a specific platform or service for a few hours, a business day or even a week. The results of this analysis focus primarily on the potential impact of an event on the organization’s customers, partners, employees and bottom line rather than on prevention. It’s pretty rare that this outage analysis is linked back to the cyber threats that are most likely to cause serious business disruptions.
The reality is that most organizations are under-resourced in security and IT. They are chronically short of the resources needed just to maintain the status quo. The team spends more time working on the tool than in the tool. If they’ve never experienced a significant breach or a serious malware infection, they won’t see the ROI on doing the kind of analysis that prevents knee-jerk reactions to cyber security news. By the time an organization experiences a significant security event (and let’s face it, it’s going to happen to everyone sooner or later) it’s too late to put in place the controls and processes necessary to limit the damage.
When organizations spend the resources to do the analysis, they have the information they need to stop reacting to breathless media reports and focus on doing the things they need to do to protect their unique organization. Let’s do it now, before it’s too late.
Shane Durham, Security Threat Intelligence and Analytics Director at global payments provider Worldpay US. To learn more, visit www.worldpay.com/us.