Financial services companies and others are building up their defenses against mounting cyberattacks, but they need to sharpen their focus on where systems connect.
It's critical that businesses and organizations that move or store personal data invest in the proper hardware and software, and assure they work together securely, Lyn McDermid, chief information security officer for the Federal Reserve, said Thursday during the Women in Finance and Technology Symposium in Washington.
"We have created, in every institution, very complex environments," McDermid said. "Technology has grown up rather haphazardly in many of our organizations."
Understanding the company environment and having good documentation and processes in place will go a long way toward monitoring all of a network's interfaces, she added.
"Where I think we are at the greatest risk is in the seams, not in the actual hardware and software, but where it all connects," McDermid said, citing application interfaces and gateways as components of those seams.
And it is not difficult for criminals to sneak in through those seams.
Even though major data breaches and nation-sponsored cyberattacks garner much public attention, a majority of successful attacks are accomplished at a low-to-moderate difficulty range for criminals, said Ellen Richey, vice chairman of risk and public policy for Visa Inc.
"We are making it way too easy; you don't have to be an expert to cyberattack or get into systems in this world today," Richey said. "Why? It's primarily because of the human factor."
Employee training, awareness of security trends, and keeping the topic in the forefront around the clock are key to successfully thwarting attacks, Richey said.
"It sounds obvious, but people just aren't doing it," she added. "A company sending out fake phishing emails to its employees all sounds kind of hokey, but it is really important."
Visa deploys fake emails to employees as part of its own education process, and monitors how many mistakenly open them. "If you click on it, you get a picture of a bomb going off," Richey said. "And if you get that, you get sent to training."
Establishing stronger business processes related to security "may not be sexy and not technical," but it's crucial in fighting attacks on networks, Richey said. "These breaches are happening because of failures in business processes and basic access controls."
In the payments sector, Visa continues to push EMV chip technology for guarding sensitive data in physical stores, and tokenization for data in storage or transmitted through mobile devices, Richey said.
The panelists addressed the topic of third-party vendor access weaknesses, which have been cited as the cause of the Target breach in 2013 and the Home Depot breach in 2014. And this month American Express informed some of its cardholders that their card credentials might have been accessed in a breach that entered through the network access of a third party that services various merchants.
Maria Filipakis, executive deputy superintendent of capital markets for the New York State Department of Financial Services, said her agency conducted a survey of banks and insurance companies to assess vulnerabilities in policies and data networks.
The survey found that there's "a true challenge in a continuing reliance on third-party service providers," Filipakis said. "Often, these third-party service providers have access to sensitive data that the companies and financial firms have, and have entry into their internal system."
The findings helped those banks and companies engage in more discussion about how to address that problem, while heightening awareness of cybersecurity regulations and requirements, Filipakis said.
At its most basic level, security starts with every person at an institution or company — and every piece of wireless technology those people bring to the workplace, said Leslie Ireland, assistant secretary for intelligence and analysis for the Treasury Department.
"We may have a tendency to think about this as it relates to our work station," Ireland said. "In fact, cybersecurity is important because of your smartphone, your BlackBerry, your tablet and frankly any device you have that has a Bluetooth connection."
Even workers who wear a Fitbit to work may bring in some vulnerabilities they wouldn't expect, Ireland said. "Fitbits represent a cyber challenge in today's world," Ireland added. "We need to think very holistically about that."
It's difficult to spend so much time and money on security technology and processes when none of the defensive barriers can stop a criminal who has somehow made it through the "front door" of a system via a network's regular user, Ireland said. Cybercriminals steal users' credentials most often through email phishing.
In addition, the "insider" threat remains a major problem for networks as employees, former employees or contractors often have system access they can use to intentionally or unintentionally cause harm, Ireland said.
This week the Treasury Department learned that the Central Bank of Bangladesh had millions of dollars illegally withdrawn by someone who had bank credentials. "Those credentials could have been obtained through phishing or from an insider, we just don't know at this point, but it illustrates the real threat," Ireland added.
Government and state regulators have to agree on standards to follow in protecting data from cybercriminals, said Sarah Bloom Raskin, deputy secretary of the Treasury.
"One thing we do not want to see emerge is the development of multiple sets of standards and multiple sets of guidances or, certainly, regulations," Raskin said. "That would create a lot of uncertainties and unnecessary pause."