CIO

Boston Fed conference: Security still comes down to the basics

The best, and most effective, security practices are the basics

BOSTON - Not every bank has the money or the staff to do everything on the “best practices” lists of multiple regulatory agencies.

As one member of the audience at the Federal Reserve Bank of Boston’s 2017 Cybersecurity Conference this week noted, it is much more difficult for the “minnows” to comply with all the “guidance” out there than it is for the “big fish.”

But multiple speakers and panelists agreed that most financial institutions, no matter their size, can do the basics. And while doing the basics won’t make them bulletproof, it will mean they are no longer “low-hanging fruit” for cyber criminals.

But too many of them, said the Boston Fed’s Lead Security Systems Engineer Jasvinder Khera, aren't doing the basics, as evidenced by the low priority they put on information security.

In a presentation on the benefits of threat sharing, Khera said a survey of the more than 60 participating organizations found that 67 percent had five or more full-time equivalent (FTE) staff in IT, but 33 percent had zero information security FTEs and another 37 percent had only one.

Among other weaknesses, the survey found that only 37 percent of the participating organizations required users of their guest wireless network to enter a unique ID and password. The majority – 54 percent – didn’t require it, while the remaining 9 percent required only a passphrase, used a shared ID and password or were “starting soon” on an authentication program.

An overwhelming majority, 84 percent, used third parties for data processing or storage, which meant their security depended not only on their own security posture, but that of vendors as well.

Khera said improving security doesn’t always have to be costly – that a policy change can have a major impact. He said a major topic at the group’s first meeting was social media. He said the Boston Fed now blocks all employee access to social media – with a few exceptions like the public relations department.

“Any change like this will produce resistance,” he said, “but it was worth it. The drop in malware was significant and immediate.”

Speaking to other preventive measures, Khera suggested using automation as a means of flagging external emails in order to reduce the number of successful phishing attacks. “It would help you think twice,” he said, noting that criminals have become much better at overcoming skepticism by improving the apparent credibility of their phishing attempts.
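As an added illustration of the external-mail flagging Khera suggests (this is example code, not anything from the article or the Boston Fed), a minimal tagger that prefixes the subject and prepends a banner when the sender’s domain is not on an internal list. The internal domain names and sample headers are assumed and constructed here; note that it matches the whole domain exactly rather than with a substring test, so lookalike subdomains and spoofed display names are still tagged.

```python
from email.utils import parseaddr
from typing import Tuple

# Assumed internal domains (constructed for this example).
INTERNAL_DOMAINS = {"examplebank.test", "corp.examplebank.test"}
EXTERNAL_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This message came from outside the organization. "
          "Do not click links or open attachments unless you recognize the sender.")


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header.

    parseaddr separates the display name from the address, so a header like
    '"alice@examplebank.test" <bob@evil.test>' yields 'evil.test', not the
    internal-looking display name.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""          # missing or unparseable address: treated as external
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_external(from_header: str) -> bool:
    """Exact-domain membership test.

    A naive endswith()/substring check would accept
    'ceo@examplebank.test.attacker.test' or 'x@notexamplebank.test' as internal.
    """
    return sender_domain(from_header) not in INTERNAL_DOMAINS


def tag_message(from_header: str, subject: str, body: str) -> Tuple[str, str]:
    """Prefix the subject and prepend a banner for external mail.

    Idempotent: re-running on an already tagged message (e.g. a reply chain)
    does not stack tags or banners.
    """
    if not is_external(from_header):
        return subject, body
    if not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"
    if not body.startswith(BANNER):
        body = f"{BANNER}\n\n{body}"
    return subject, body
```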

Indeed, throughout the day there were several mentions of the most recent Verizon Data Breach Incident Report (DBIR), which found – yet again – that technology can’t trump human weakness. It reported that 43 percent of data breaches came from phishing and 81 percent of hacking-related breaches succeeded because of stolen and/or weak passwords.

Other recommendations for covering the basics came during a session titled, “Supervising Cybersecurity: Regulator Perspective.”

Michael Flynn, an examination specialist in IT for the Boston area office of the FDIC, noted that the agency has produced 11 handbooks for examiners and bankers covering a range of cybersecurity issues, which also provide cybersecurity assessment tools (CAT). Again, most of it came down to basic cyber hygiene, including employee awareness.

Peter Chiola, bank information technology lead expert for the Northeastern District of the Office of the Comptroller of the Currency, said that “phishing is more of a threat than zero-days.”

“Patch, patch, patch,” Flynn added. “Most attackers are going after low-hanging fruit. So understand what you have. If you have reasonable controls, you will reduce the target tremendously.”

Holly Chase, of the Massachusetts Division of Banks, said all financial organizations should “start looking through cyber attack scenarios. You need an incident-response plan. The only way to make it effective is to walk through it,” she said. “You can’t be scrambling around on a Friday afternoon and expect it to work.”

Finally, former CIA officer Daniel Hoffman, in an earlier presentation on using a human intelligence model for cyber defense, noted that humans can be an enormous advantage – even better than high-tech surveillance.

He cited Russian intelligence officer Oleg Penkovsky, who in an effort to prevent nuclear war between super powers, spied for the U.S. and Britain in the late 1950s and early 1960s. He was eventually caught, tried and executed in May 1963.

But Hoffman said he had “provided critically important intelligence during the Cuban missile crisis.”

But humans, especially malicious insiders, can be just as damaging to US national security, he said, citing massive document leaks by former NSA contractor Edward Snowden or former US Army private Chelsea Manning.

“None of us wants to think we have a malicious insider,” he said. “We didn’t want to think that at CIA. But it’s true. So one good principle is need to know. Not everyone needs access to everything.”