18th May 2015 – Vulnerabilities, malicious insider threats, cyber security tools and the cyber world post-Snowden topped a packed agenda at the SWIFT Institute cyber event at the University of Delaware.
As a part of its ongoing programme to bridge the gap between academia and the financial industry, the SWIFT Institute partnered with the University of Delaware to bring cyber security experts together to discuss the ever evolving cyber threat in financial services. With a mix of academics, cyber technology and security experts, along with former and current U.S. federal law enforcement officers, the event provided an enlightening view of the growing trends in cyber security, highlighting new vulnerabilities and threats to watch. The event also provided a forum for academics and practitioners to share tools, technology and best practices to help financial institutions better manage and defend against threats.
“The threat is constantly advancing,” said Dr. Starnes Walker, Founding Director, Cyber Security Initiative, University of Delaware. “Technology moves exponentially as a function of time,” he elaborated. Walker welcomed the nearly 150 attendees, sharing his insights on cyber security, particularly in light of technology advancements. He pointed out that this can be good for firms on the defensive; however, technology advancements also enhance the capabilities of adversaries, which is concerning.
On behalf of the SWIFT Institute, SWIFT’s new Chief Technology Officer, Craig Young, opened the event and shared his insights on cyber security, highlighting the importance of this topic to SWIFT. “At SWIFT, we take our role as the global market infrastructure for the financial industry seriously. On top of continued investments and an already strong cyber security programme, SWIFT has embarked on a multi-year cyber vigilance programme to cater to those black swans and extremely remote scenarios,” said Young. As a neutral actor serving the world’s financial institutions, SWIFT is uniquely placed to facilitate these events as a way to help identify best practices across people, processes and technology. “Cyber security is an arms race between hackers and financial institutions with a growing number of bad actors, both politically and at the state level that attack services and capabilities, which makes it difficult for all of us”, said Young. He went on to say, “Whether we are talking about financial services or other industries, the cyber actors’ means and methods remain the same. This is a universal challenge.”
The cyber threat landscape
“Cyber security is not the next industry, it is the industry and we are all in it today,” said Elizabeth Petrie, Director, Strategic Analysis at Citigroup and former Head of Cyber Intelligence at the FBI. “Across the industry, players are working together to actively mitigate millions of threats that are coming at us each and every day.”
Petrie also addressed the cyber threat landscape and its evolution over the last 25-30 years, looking at how the financial industry is responding. “The industry has evolved from a model of hacking for fun to hacking for profit to now hacking for destruction,” said Petrie. These actors used to be individualistic and motivated by ego, but over time evolved into a loosely knit, underground network of hackers. Today, these groups have become better organised and sophisticated in their communications and approach. Hackers actively communicate with one another and work together to identify targets that will yield high returns at the lowest risk. “The shift over time finds that actors are becoming better networked thereby enabling better communications with one another. For us, the defenders, we have to abide by country laws, policies and regulations, which can slow down the dissemination of threat information, requiring us defenders to shift and adjust our posture on defence to keep the attackers out.”
15 billion connected devices today; will grow to 50 billion in five years
Petrie also provided insight into a common question: Why is this happening now? PCs have been around for a long time, so why now? Her response was staggering; there are 15 billion devices connected to the Internet with a projected growth to 50 billion in five years. “We are more connected now than ever before,” said Petrie. Businesses are pushing for more digitisation. Even paper-based businesses are finding new ways to digitise their processes and systems. This is providing a lot more data for hackers to go after. In addition to the loss of data, companies also need to keep in mind the cost of a system compromise, which is roughly USD $113 billion. However, this cost could grow to USD $3 trillion in five years. “If companies are not in a good posture related to cyber security, it could force them out of business, which would be catastrophic,” Petrie warned.
For financial institutions, cyber security is critical. “Financial services are at the heart of all business being done everywhere,” said Petrie. The placement of financial institutions in the ecosystem and touch points that are external to financial institutions makes these companies an extremely high value target for hackers. “It is not just the money that financial institutions hold, it’s the ability to transfer money combined with the vast amounts of access to data that make financial institutions a lucrative target that will be consistently attacked,” said Petrie. The threats are not just external. Insider adversaries are a big threat too, with external adversaries trying to compromise various insiders to do nefarious deeds. This raises the level of complexity of what financial institutions need to do to defend their systems over time. “The good news is that knowing the anatomy of an attack, there are programmes we can implement to shut down that adversary,” said Petrie. “We need to build as strong a network as the adversaries, leverage forums, talk across countries and share information.”
Teamwork, talent and technology can reduce vulnerabilities
Standardisation, best practices, data quality, information sharing and the looming problem with talent were common themes heard throughout the day.
Information sharing is a big challenge. “There is information available, but not at the level that is helpful,” said Raj Kedda, Global Head of IRM, Barclaycard. Shaun Brady, Principal, MITRE echoed the need to share actionable information in a timely manner. “This is the real problem we face today. Lots of progress is being made, but there is also a lot more to do,” said Brady.
David Ebert, Director of DHS Visual Analytics Center of Excellence, Purdue, noted it’s not just about the information sharing, but also the tools and talent. “There is no real standardised tool to address vulnerabilities,” he said. “There needs to be a mix of technology and humans. Fraud detection is often a good tool, but not the only one available. We really need to enable people to find the information quickly, which can be done through risk analytic tools, visualisation tools, etc.”
Sarah Cortes, President, Inman Technology identified frameworks as a solution to help mitigate vulnerabilities. “Frameworks provide a set of controls enabling best practices, policies, technical directives and standards on where operations need to go,” said Cortes. Other panellists offered some caveats to frameworks, in that they are good and can help, but like other areas, there is more work to be done. “80% of security breaches are discovered by third parties, and most breaches can go undetected for several months,” Brady added.
Data quality, big data analytics and liability are major hurdles that need to be overcome to make information sharing beneficial. Mining the vast amount of data is very difficult and mining vast amounts of data in a timely manner is even harder. Data cleansing and classification tools will help, whilst regulations are also required. “New regulation will ease the liability challenge, making information sharing more actionable,” said Kedda.
Cyber security is a people problem
Turning to insider threats, which always start with humans, experts say these threats can fester inside an organisation for up to five years before manifesting into a breach. These cases often involved very little technical sophistication with individuals utilising regular access credentials to perpetrate these breaches. These threats have always started with human beings. Long before technology, there was critical information that required protecting. Today is no different, but the emphasis has changed. David Feather, Senior Director, Transformation, Honeywell FM&T said, “It is always important to know your people, know their roles and control access limiting the potential impact. Monitor what is normal so you know what abnormal looks like.”
Benjamin Stone, Supervisory Special Agent at the FBI, Philadelphia, suggested looking at people instead of technology. People are using technology to accomplish a goal. “Cyber security is not a technology problem, it is a people problem,” he said. It is worth noting that when individuals join a company it is generally not their intent to become a malicious insider. Employees may become disgruntled or upset with employers over time, which may take them down a road they never intended when they first joined the organisation. This highlights the need to interact with employees; understand their motives and where they align with the organisation.
Technology can play a role in helping to track insider threats by providing greater visibility into the activities of employees. Dan Velez, Director of Insider Threat Operations, Raytheon, suggested that you need to know what trusted users are doing with the access they have been granted. “Technology can restore vision into people’s activities, creating more supervision of staff and checking what they are doing with the access you have given them,” he said. The most effective programmes combine art with science; they involve staff that understand the business, networks or the arts and couple that with analytics or science.
Mind the cyber security gap
Another area that can get overlooked is those parts of the network that support day-to-day business operations. There are a variety of systems that make up a network that do not generally receive a lot of thought within an organisation: environmental controls, energy management, security systems, etc. Pete Fischer, Intelligence Surveillance and Reconnaissance Director of Technology with Sierra Nevada Corporation, said, “These cyber challenges are twofold. Not only is it an access point into the network, but these systems can be manipulated to disrupt day-to-day business operations.” These systems are IP enabled and remotely monitored and controlled, and whilst they provide business efficiencies, they also create new cyber security challenges. “Every possible threat vector on the network needs to be addressed,” noted Fischer.
Data is an essential part of thwarting cyber security issues. Companies need to be able to ingest all sorts of data in near real-time. Xin Hu, Research Scientist, IBM Research, said, “Know every corner of your data from your network.” Fischer added, “Identify a threat as it happens, act in real-time, be adaptive.” There are useful tools to handle vast amounts of data, but companies need additional analytical tools to make good use of that data. “The challenge with cyber security tools,” said Johan Hybinette, CISO, Hosting.com, “is that there are lots of tools and they all speak different languages. There is no common language, making it difficult to implement, which is a big problem.” For systems where all of the tools communicate, the amount of data coming in is immense. “We need additional tools built in that can help with behaviour analysis and reporting, which is very important to detecting malicious threats,” noted Hybinette.
Cyber security tools, however, will only take a company so far. It comes down to people. “Companies need skilled people running and managing these tools,” said Hybinette. “The software and tools will only be as good as the people running them,” he added. Hu commented, “In some cases, companies have the software and tools, but do not know how to use them. They just have them so they can check it off the list from a compliance perspective. If you really want to protect a system, just buying tools is not enough.”
Fischer added, “These tools can put adversaries in a box to slow them down so a company can figure out what they are doing.” Defence is only as strong as your weakest link. “Hackers only have to guess one right thing; defenders need to do everything right,” added Hu.
99% of attacks are not something someone could have warned you about
Information sharing is deemed a useful tool to thwart cyber threats, but there are different theories on its usefulness. 99 out of 100 attacks are not something someone could have warned you about. Usually it is a design flaw, or it is a zero day vulnerability that people could not have known about. Information sharing should be something organisations do, but experts say sometimes organisations can overplay its usefulness.
Lance James, Head of Cyber Intelligence, Deloitte & Touche, LLP has two views on information sharing. “Information sharing can be good in advance, when you understand the problem and are following a group, but sharing information for the sake of sharing information can end up being a waste of time.” For information sharing to be helpful, people need an overall understanding of the problem to put it in context, otherwise it is just contributing to the big data challenge of having too much information to process and analyse. Translation or analysis of what the information means into a language the non-technologist can understand might help mitigate some of the challenges with information sharing. John Ryan, President & CEO, Conference State Bank Supervisors, said, “We translate the information for the community banks into a language they can understand or hold back information that is not actionable for the financial institutions.” Ryan believes it is important that information put out to banks is understood by all of the banks’ executives, not just the technologists.
Evan Wolff, Partner, Crowell & Moring, LLP, sees information sharing as having both tactical and strategic benefits to companies. “There are a lot of commonalities in infrastructures across industries, and sharing information around best practices and other experiences can be useful. Information sharing is not the only answer, but it is progress and can be helpful.”
Rethinking information security
The cyber security event illustrated just how challenging it is for financial institutions to keep pace with the ever changing cyber security landscape. Good cyber security methods (and possibly some retooling of current processes, thinking, talent and tools) will harness better results against attacks. As Lance James from Deloitte & Touche, LLP said in his closing address where he demystified advanced persistent threats and cyber espionage, “The key to defending your network is knowing your network and really understanding your adversaries.” Based on the many discussions throughout the day, it seems these threats against financial institutions will continue, whilst the good news is that there are ways to address these challenges – stay ahead of the latest technology, leverage the right talent, engage employees, know your adversaries, know your network. All of which may require organisations to rethink how information security is managed.
The level of attendance and engagement at the event suggested that financial institutions are taking these threats seriously. Along with academics, consultants and technology providers, they are working hard through research, testing and networking via forums such as the SWIFT Institute, to uncover new ways to help mitigate these challenges. As Citigroup’s Elizabeth Petrie said in her opening address, “Cyber security is the industry today, it is not the next big thing”.