Breaking Down the Government's Security Advice for Banks

The Department of Homeland Security recently issued data security guidance to owners and operators of critical infrastructure. It applies to organizations whose networks have been compromised by a cyber-attack as well as to those who want to improve their network security preparedness; banks fit nicely into both categories.

The Department of Homeland Security is obviously not an enforcement agency, so it can't make companies follow its guidelines. Yet banks should pay close attention to the advice and take it to heart, according to Bill Stewart, a senior vice president who leads the Cyber Technologies Center of Excellence at Booz Allen. We asked Stewart what the guidelines mean for bank IT departments from a practical standpoint.

"The overall guidance is very good and very helpful," he says. "Even though it doesn't feel good that we're now realizing the extent to which corporations are exposed, the positive side is that folks are taking more initiative now to actually respond. There are a lot of technologies, processes, and procedures that can be done to help ourselves and make our infrastructure more secure."

The first surprising piece of advice in the guidelines (to us, anyway) is that in the event of a network break-in, companies should not immediately try to oust the intruder. "Organizations that suspect a compromise should first consider how to preserve forensic data and stop movement of the intruder through the network," the paper states. "While the tendency might be to first find and eliminate the intruder, unless adequate steps are taken to preserve data and prevent lateral movement, the recovery processes will not likely be successful."

This feels like an approach that would benefit the government in its nationwide security efforts more than it would help the victim. But according to Stewart, it makes sense on both sides.

"If I'm trying to defend my company and find something malicious, a natural reaction would be, let's get rid of it, let's take that computer offline and take all the software off and restart it," Stewart says. "The problem with that is the intruders, who are watching, know you found them and they now know to move to other places. So what you really have to do is watch them. It's a game of cat and mouse. Try to figure out where else they are, then do something in a well-coordinated way, rather than taking one computer down and re-imaging it, which is like putting a sign on the door announcing that you have found a breach."

There is a risk trade-off. "If you're bleeding dollars, you have to shut it down," Stewart acknowledges. "If there's damage occurring, you have to respond to the damage." But in a proper proactive hunt mode, it's possible to find the attackers and shut their whole operation down before the damage starts, he says.

Sophisticated adversaries such as nation-states embed malware in financial services networks that often stays dormant for a long time, in what are called advanced persistent threats. In such cases, there is often time for a bank's security or IT department to plan a broader counterattack.

The second broad recommendation of the report is that companies should use strong intrusion detection technology, which is commonplace on corporate networks.

What is that state-of-the-art technology that will catch all malicious visitors to a network? "If we could build it, we would," Stewart notes. "Intrusion detection systems typically are about pattern matching, which is good stuff and you need it. However, that's the kind of thing the sophisticated adversaries can get around because they know what these IDSs are looking for, and when their new malware is detected, they don't use it any more. But you need to supplement the software by keeping analytics and humans in the loop."

The rest of the guidelines are common-sense technical recommendations for preserving forensic data, managing login credentials, designing secure networks, capturing network logs, whitelisting applications and related security measures.
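Stewart's point about pattern-matching IDSs, together with the guidance on capturing network logs and stopping lateral movement, can be illustrated with a short script that runs both kinds of check over the same connection log. This is an added example, not code from the article, the DHS guidance, or Booz Allen; the log format, the signature strings, the IP addresses and the fan-out threshold are assumptions constructed for illustration. The signature catches only the implant version it already knows; the renamed variant slips past it, but the behavioural check (one host opening admin-port sessions to many distinct internal hosts in a short window) still flags the source, which is the "analytics in the loop" supplement Stewart describes.

```python
"""Signature matching beside a simple behavioural analytic over constructed
connection-log lines (added example; not from the article or the guidance)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed format:
# "<ISO timestamp> <src ip> <dst ip> <dst port> <detail>"
SAMPLE_LOG = """\
2013-02-01T09:00:01 10.1.1.20 203.0.113.9 80 GET /update ua=sample-known-bad-ua/1.0
2013-02-01T09:00:10 10.1.1.21 203.0.113.9 80 GET /update ua=sample-known-bad-ua/2.0
2013-02-01T09:01:00 10.1.1.21 10.1.2.5 445 smb session
2013-02-01T09:01:07 10.1.1.21 10.1.2.6 445 smb session
2013-02-01T09:01:15 10.1.1.21 10.1.2.7 3389 rdp session
2013-02-01T09:01:22 10.1.1.21 10.1.2.8 445 smb session
2013-02-01T09:01:30 10.1.1.21 10.1.2.9 445 smb session
2013-02-01T09:30:00 10.1.1.30 10.1.2.5 445 smb session
2013-02-01T09:31:00 10.1.1.30 10.1.2.5 445 smb session
"""

# Constructed signature: a pattern-matching IDS only knows what it has seen,
# so the v2.0 user agent in the sample log is invisible to it.
SIGNATURES = {
    "known-bad-ua-v1": re.compile(r"ua=sample-known-bad-ua/1\.0\b"),
}

ADMIN_PORTS = {445, 3389}          # SMB and RDP: typical lateral-movement paths
WINDOW = timedelta(minutes=5)      # assumed analysis window
FANOUT_THRESHOLD = 4               # assumed: distinct hosts that trigger an alert


def parse_log(text):
    """Parse the assumed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, detail = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "detail": detail})
    return events


def signature_hits(events, signatures=SIGNATURES):
    """Content-based detection: return (source, signature name) pairs."""
    hits = []
    for e in events:
        for name, pat in signatures.items():
            if pat.search(e["detail"]):
                hits.append((e["src"], name))
    return hits


def fanout_alerts(events, threshold=FANOUT_THRESHOLD, window=WINDOW,
                  admin_ports=ADMIN_PORTS):
    """Behaviour-based detection: flag sources that reach >= threshold distinct
    hosts on admin ports within `window`. Keyed on behaviour, not content, so a
    renamed implant still trips it. Returns {src: sorted list of hosts}."""
    by_src = defaultdict(list)
    for e in events:
        if e["port"] in admin_ports:
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                alerts[src] = sorted(hosts)
                break
    return alerts


def analyze(text):
    """Run both detections over a log text; the analyst decides what follows."""
    events = parse_log(text)
    return {"signature": signature_hits(events), "fanout": fanout_alerts(events)}


if __name__ == "__main__":
    for kind, result in analyze(SAMPLE_LOG).items():
        print(kind, result)
```

In the sample, the signature names only 10.1.1.20, while the fan-out check names 10.1.1.21, the host the renamed variant runs on; 10.1.1.30, which repeatedly talks to a single file server, is not flagged. Neither output is a verdict: consistent with the guidance quoted above, the alerts are input for an analyst to scope the intrusion before anything is taken offline.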

Banks have a particular challenge in that they have many entry points to watch, including online and mobile banking. "These things have allowed the banks to drop their costs and provide better service from more points of presence, which is all good from a business standpoint," Stewart says. "But in so doing, you're running all this stuff on a network that is difficult to secure from a sophisticated adversary who has a lot of money and time. Because the stakes are high and they can steal lots of money and financial capital, those entities are paying attention and putting resources into the exploitation of bank networks."

But bank security professionals are finding that due to recent cyber attacks on financial services firms, the business case for investing in better security technology is easier to make. "The reality is that because of the threat activity that's happened over time, the financial services industry is further along than other industries in responding to some of these things because they are tested by real threats that have done real damage," he says. "They're using the IT infrastructure to provide more services and to get more efficient and drive their costs down, which is all good but at the same time that creates more exposure, to which they've had to respond."
