I was in a movie theater recently and sat in one of those new lounger seats. I had my popcorn, my soda, and I was ready to start the movie. Just as the lights dimmed, something drew my attention to the exit signs. As the theater employees walked down the main aisles to make sure everything was functioning, nobody snuck into the movie, and there were no safety or security issues. It was at that point that I thought about my youth and how kids used to sneak into the movie theater. While the kids would have been caught if there was someone consistently watching, most theaters were too busy and didn’t have enough employees to cover every exit.
Strangely enough, this reminded me of the ways electronic information gets in and out of a financial institution’s network. I know, not what most people think about during their time at the theater, but that is the way my brain works. Some exits need to be guarded better than others, mainly because there is more to lose.
Have you contemplated who may be getting into your network when you are not aware? While technology service providers and other business partners remotely access your resources and electronic information on a regular basis, most enter by remote access through an authorized path. If they are not monitored, however, a breach of one vendor could attempt to move into an area not originally permitted, or could be let in by authorized individuals. This may be through insider threats or breaches of vendors that have a high level of access to the financial institution’s resources. Knowing the ways information enters and leaves is an important measure to mitigate this.
With this in mind, the Federal Financial Institutions Examination Council (FFIEC) created the Cybersecurity Assessment Tool in June of 2015. The FFIEC Cybersecurity Assessment Tool provides financial institutions with baseline requirements for establishing controls for protecting customer information. One of the questions asked in Domain 4, External Dependency Management, addresses whether the institution has an inventory of its third-party connections, including:
- Customer connections.
- Connections to and from third-party service providers.
- Business partners.
- Connections to the Internet.
This calls for remote data connections to be documented. Whether this is through the use of a network diagram or data flow diagram, the purpose of the exercise is to determine how these connections impact the risk landscape of your institution. In addition, it is important to know whether the connection is encrypted or whether the level of encryption is adequate. As technology moves forward, authentication methods and encryption technologies need to be improved to reduce risk. Keep in mind, some encryption technologies are subject to vulnerabilities and can permit sophisticated cyber attacks that expose sensitive information.
So, where do these practices come from? Like most of the baseline requirements in the Cybersecurity Assessment Tool, they are derived from industry standards. This baseline objective draws closely from the NIST special publication 800-53A revision 4 section “SA-9 – External Information System Services,” which takes an in-depth look at security. You can start the security assessment process by asking the following questions:
- Does the organization that you trust with your information or services comply with the same standards that you hold your institution to? Keep in mind, a breach of a vendor could lead right into your environment or allow someone (such as an attacker) to operate as if they were you.
- Does the amount of documentation you have allow you to draw conclusions about the risk associated with these connections? And do you feel comfortable with the risk associated with these connections?
- How does your institution monitor access to ensure that only authorized access is granted? Do you feel that through monitoring you would be able to detect malicious or unauthorized activity?
It also makes sense to look at the following:
- Review your list of vendors and identify IT-related systems that your financial institution connects to or uses to conduct business.
- Collect information from the various network logs (IDS, firewall, Web traffic monitoring, etc.).
- Interview departments that use these systems to determine how they are being accessed.
- Test or review connections to ensure that data is securely transmitted.
Once you are able to assign risk to these areas, you are able to determine the amount of monitoring that is acceptable. Perhaps some of these connections need to be reviewed annually. Others may need to be monitored constantly. The more you know about what is occurring, the more you can narrow your focus based on risk. This should turn a mountain into a manageable mound.