Third-Party Risk Dominates Day 1 Of Cyber Security – Financial Services Exchange

Financial services has been likened to the “bellwether” of the wider cyber security space – always at the forefront, shouldered into innovative change to adapt to a complex threat and regulatory landscape.

Technological advancements often come from solutions and best practices in the banking, financial services and insurance (BFSI) space, meaning information-sharing between financial institutions becomes paramount to the overall trajectory of security.

This is where industry events, or exchanges, as designated grounds for discourse and benchmarks, become integral. IQPC’s Cyber Security Exchange: Financial Services, is being held from June 10-12, 2018 in the financial capital of the world, New York City.

The exchange kicked off with presentations on the ongoing – and pervasive – talent crisis in the space, followed by a session on third-party vendor (risk) management.

Unit 8200, Education & The Skills Gap

Devon Bryan, EVP and Chief Information Security Officer (CISO), Federal Reserve System, kicked off the three-day event with his take on the skills gap, and ways to mitigate it from a grassroots, macro level.

The presentation, called “Fortifying Financial Services: Empowering Security Culture Beyond Breaches in a Changing Regulatory Climate,” went into threat-actor motives, as well as vital industry statistics.

Bryan said that financial motivation remains a key driving factor into breaches, along with espionage. The speaker also said insiders pose a real threat in the organization, too. What’s required to ameliorate this situation? Perhaps large-scale changes. This is especially true in the small business community. Small and midsize businesses (SMB) drive economic growth, so the fact that they’re increasingly under fire means the cyber security community may need to revamp its efforts.

Bryan added that in August 2017, there were an estimated 300,000 unfilled cyber security jobs. A staggering number of CISOs reported a workforce deficiency. The speaker said that perhaps models can be drawn from Israel’s efforts to strengthen its workforce; this is especially true with its Unit 8200, an Intelligence Corps. unit responsible for collecting signal intelligence (SIGNIT) and code decryption.

Bryan said that Israel does a nice job of recruiting talent from an early age; students with a knack for computer science are recruited into 8200. The speaker wrapped up this point by saying that national-level programs could further the security space – especially those geared around identifying students early enough in the pipeline to address unique challenges.

See Related: The Many 'Arms' Of Today's Cyber Security Team: An Inside Look

The Federal Reserve CISO continued, saying that culture is a product of “toolset, skillset and mindset.” He advocated “rethinking cyber security education” and exposing students at a younger age.

In the session, Bryan noted that much of the “kerfuffle” surrounding curriculum traces back to states’ rights issues – something that Israel does not encounter in its recruitment efforts.

“We need some major push, a countrywide adoption of something like the (Israeli setup),” he said. Other attendees also suggested “gamifying” the security space at a young age, along with Capture the Flag (CTF) exercises, and even a national skills “catalog” that can encourage discussion. Tapping into the veteran population along with non-traditional STEM candidates could also prove fruitful, Bryan said.

Third-Party Vendor Management

Nasser Fattah, Managing Director, MUFG Union Bank, then provided his take on third-party “partners.”

The speaker outlined some of the benefits of opting for a third-party vendor, including cost cutting, more focus on core business elements, tapping into intellectual “capital” and catalyzing digital transformations.

Some of the most sought-after avenues for outsourcing include a cloud-first strategy and implementing intelligent automation.

However, with outsourcing comes new concerns: privacy, politics and regulations chiefly among them. Fattah outlined the importance of a vendor management program, where onboarding vendors becomes a fully vetted process. He reminded attendees of the strategic, reputational and regulatory impact of this system. He said enterprises must “vet vendors appropriately.”

See Related: Security Analysts Becoming 'Data-Mining Gurus'? Q&A With Bay Dynamics' Ryan Stolte

Now, are third-party vendors the weakest link in the security chain? For a time, the user was considered the weakest link. But poor security posture at the vendor level does reflect on the organization.

Fattah said in beginning the onboarding process, organizations should understand security concerns, determine posture (gauging criticality), and compare internal controls.

Fattah said the “principle of least privilege” still applies, along with other fundamentals. He said you do not “deviate just because you do business with a third party.”

Social Engineering: A Thorn In The Side

In a “Masterclass” entitled “Best Practices and Future Direction of Security Awareness Training,” KnowBe4 Security Awareness Advocate, Erich Kron, outlined pivotal phishing statistics and enterprise-level best practices.

Kron cited ransomware, CEO fraud and other social engineering tactics as top organizational concerns. Kron said research shows 55% of people will click on a phishing link in under 60 minutes.

He also indicated that threat actors “leverage cyclical thinking” to allow for various attacks. The KnowBe4 advocate said that top phishing-related subject lines include the following: Delivery attempts, change of password requests, W-2 forms, company policies, UPS labels and vacation and paid time off (PTO) policies, among others.

However, he said security has progressed beyond the “Nigerian Prince” phishing campaign; it’s become more sophisticated. Some phishing instigators even utilize spelling and grammar checks before firing off their messages. The corresponding services guarantee higher click rates, too.

Kron also said that in CEO fraud-type phishing events, the biggest driver is “urgency,” which gets users to open messages. He said “bad guys” will go as far as perusing LinkedIn to study the company dynamic, to know which title(s) to use for name recognition.

One of the more prominent components to Kron’s session was the outlook for RaaS, or Ransomware as a Service. He said that you no longer have to be technical to push a phishing campaign – and see it propagate. That’s because there are Dark Web services that take care of the back-end infrastructure.

“You can now be some conman who doesn’t have to be technical,” Kron said, before adding that you simply need a faulty moral compass and the ability to craft an email.

How do security teams mitigate these deep-seated phishing threats? He outlined five best practices:

• Have explicit goals before starting
• Decide what behaviors you want to shape
• Treat the program like a marketing campaign with relevant information
• Phish frequently (at least once per month)
• Do not be a “jerk” (don’t alienate people)

Pictured l-r: Nasser Fattah, Jon West, Rod Aday and Clint Heyworth.

In Closing

Day 1 of the Financial Services Exchange came to a close with “Ignite Sessions” on sensitive data, third-party risk management and collaborative channels.

What’s more, an hour-long end-user panel on third-party vendor risk management tackled topics such as: visibility, vendor terms and conditions, changes in contracts, cross- and corporate communication, compliance, onboarding and even termination.

Panelists Jon West, CISO, Kemper, Clint Heyworth, CCO/ISO, Sutton Bank, Rod Aday, CISO, Dexia Credit Union and MUFG Union Bank’s Fattah, moderator, underscored the paramount importance of transparency, due diligence and advocacy within the enterprise to shore up gaps, outsource where necessary and adhere to regulatory requirements.

Stay tuned to the Cyber Security Hub for continued coverage of the Financial Services Exchange!

Be Sure To Check Out: Catch Up Or 'Swat Flies': Cyber Security Expert Touts AI, ML