Read the top 5 questions we received from our Cyber bank heists tech talk webinar, answered by our experts.
1. How might institutions better protect against advanced attackers?
By their very nature, the advanced Tactics, Techniques, and Procedures (TTPs) exhibited by the Bangladesh Bank attackers are difficult both to prevent and to detect. This is partly due to the asymmetry between attacker and defender (an attacker needs one working path in, while the defender must cover every path), and partly due to the sheer breadth of the attack surface that global institutions need to defend. That said, there are steps institutions can take to better protect themselves.
- Maintain situational awareness of organisational endpoint and network assets. Many organisations have IT infrastructures that have grown organically, and consequently 'shadow IT' is prevalent: you cannot monitor or patch a system you do not know exists. Develop appropriate change control processes, and undertake proactive assessments to enumerate and categorise organisational assets.
- Focus on endpoint and network visibility. Without effective detection capabilities in place, you will be relying on external parties (a correspondent bank, a regulator, law enforcement or the press) to trigger your organisation's breach response.
- Continually test your organisation's basic cybersecurity hygiene. What specifically constitutes 'cybersecurity hygiene' is open to debate, but at its core are appropriate levels of access, password and credential management, vulnerability management, and similar controls. These should be constantly revisited and assessed for business-critical systems and processes, rather than checked once at deployment.
2. What is best practice for breach response preparedness?
The key to any form of preparedness is planning. In the context of breach response, this means spending the time to create an effective Incident Response Plan (IRP) that is tailored to the organisation, and undertaking regular crisis simulation exercises to generate a form of organisational breach response “muscle memory”.
In particular, organisations should understand the various internal and external stakeholders, as well as define an agreed upon incident categorisation and associated escalation process for handling a cyber incident.
3. What are the requirements for the SWIFT Customer Security Program (CSP)?
The SWIFT Customer Security Programme (CSP) was developed as a baseline to reinforce the cybersecurity of the more than 11,000 institutions that use SWIFT. To ensure compliance across the global financial community, SWIFT has put in place an attestation process that requires adherence to 16 mandatory and 11 advisory security controls. Depending on the type of SWIFT participant, an institution will have to either self-attest, self-inspect, or have a registered third party perform an assessment against the respective SWIFT security control set.
4. Are Red Team assessments mandatory?
No. Red Team frameworks are currently all voluntary; however, any institution selected by its regulator may be strongly encouraged by that regulator to perform one. One exception is in the UK, where the PRA and FCA have the power to mandate a CBEST test under Section 166 of the Financial Services and Markets Act 2000 ("Skilled Persons" reviews) for regulated organisations.
Even though Red Teaming is usually a voluntary test of an organisation's cybersecurity, in the last 18-24 months we have seen a significant increase in requests from clients. This is likely due to the number of high-profile Advanced Persistent Threat (APT) style cyber-attacks that have hit the news wires, prompting companies to put more resources into their proactive cybersecurity programmes. The result is that many companies now include red team testing as part of those proactive efforts.
Below is some additional information on this topic:
- Webinar recording: Regulatory Red Teaming
- Top 5 Q&A: Regulatory Red Teaming
- Blog: How to choose your cybersecurity Red Team Vendor
- Blog: Penetration Test or Red Teaming Exercise: A Decision Maker’s Guide
5. What is Operational Resilience in the context of cyber?
Operational resilience refers to the ability of a firm or system to prevent, adapt to, respond to, and recover from an operational disruption. At first glance this appears to reiterate many of the best practices the security industry already promotes, but the focus on operational disruption makes business processes (for example, the ability to settle payments) rather than individual organisational assets the area of concern. This shift is likely to place greater emphasis on recovery, alongside response, for financial institutions moving forward.