As the complexity of a computer system increases so does the difficulty of securing it against cyber-attack. In fact, difficulty of protection rises at a more than one-to-one ratio with complexity. This is one of the reasons we at MSI so highly tout extensively segmenting complex networks into “enclaves” with individual firewalls and access controls, as well as strict trust rules on how each enclave can communicate with each other and the outside world. Although this process is complex to develop and implement, once in place it greatly simplifies the protection of critical assets such as industrial controls systems and administration networks.

One reason why it behooves utilities to consider cyber-protections at this level is the exponential rise in the availability and use of Internet of Things (IoT) devices. It seems like every kind of device there is now has a computer in it and can be accessed and administered over a network of some kind. And usually this network is the Internet or is routable to the Internet.

Systems at threat include industrial control systems and the enterprise networks that administer them; they employ more remote access devices every day. IoT devices that are connected to enterprise networks can be just about anything. Smart light bulbs, cameras, heat sensors, voice controllers, televisions, robots… the list is daunting and grows constantly.

Exacerbating this problem for most of the last year has been the pandemic emergency. The need for social distancing and remote working has exploded because of it. And as we all know, in an emergency functionality trumps security every time. Concerns have set up remote conferencing and remote administration systems at a record pace. And even if they have performed some form of risk analysis before, during or after implementation, chances are that they may not have been holistic in their threat and risk analysis.

This brings me back to the enclave computing scheme I mentioned above. To set up proper network segmentation, the first things you need to know are what data/devices are on the network, how data flows between these entities and what trust relationships are implemented in their setup. Until you have a grasp on all of these factors, there is no way you can gauge the full range of negative security effects hooking IoT devices to your enterprise network can have.

So, my advice to Utilities and other users of industrial controls systems is this: do a thorough business impact analysis (BIA) of your enterprise network and all of its connections. The BIA will reveal the factors I mentioned above. It reveals what devices and data are there and their relative criticality. It shows you how data moves and what trusts what. This information is the necessary precursor to accurate risk and threat assessment, and can be the beginning of a new level of information security at your enterprise.

Data breaches are happening every day, and presently, they are often accompanied by ransom demands. It used to be that most ransomware simply encrypted a firm’s data and wanted to get paid for the key to decrypt it again. The answer to this kind of attack is pretty simple: make and securely store backups of your data so that you can reload your systems without paying ransom. This works, but some concerns still pay the ransom to avoid downtime while backups are accessed and systems restored. Unfortunately, the bad guys have a worse trick up their sleeves: threatening to publish your data on the Internet if you don’t pay the ransom.

This is a very thorny problem. If you don’t pay, you are going to have private personal and financial data of your clients exposed, which is going to lead to regulatory scrutiny and loss of business. If you do pay, you are out the expense and you have no guarantee that the cybercriminals won’t publish your data anyway.

Besides ensuring that your data doesn’t get compromised in the first place, the only thing that wealth management firms can do to thwart this problem is ensure that their incident response plan is complete and ready to invoke at a moments notice. This takes good communications, especially internally. This is the responsibility of the CISO in most firms.

The first thing the CISO should do once the incident is validated is to notify the incident response team and get them working on containing the incident and researching how it was perpetrated. From there, the CISO should handle communications. All incident-related communications should go through the CISO. The team should communicate their findings with the CISO, and the CISO in turn should communicate pertinent information with the Board of Directors. They are primarily responsible for the information security program at the firm, and decisions on further communications with regulators, law enforcement and clients should come from them. It is also their responsibility to decide how ransomware demands are to be addressed.

To perform all these functions quickly and efficiently, communications methods and responses to incidents should all be pre-planned and included in the incident response plan. It is also important to practice responses to various likely incident scenarios (table-top exercises are generally used for this). These practice sessions help to speed up actual incident responses and expose holes in the plan that could cripple the response if not corrected.

As I’m sure most of you know, October is National Cybersecurity Awareness Month. The point of this yearly event is to stimulate awareness of the importance of cybersecurity in the workplace and at home. Every year, it seems, cybersecurity becomes more important in the lives of all of us. Identity theft, ransomware, denial of service attacks and a plethora of other cyber-dangers are running rampant and becoming more sophisticated every day. Awareness of these problems and following a few simple security rules can go a surprisingly long way in keeping your networks safe. So why not take advantage of National Cybersecurity Awareness Month to bring awareness to your own personnel and families?

The number one tip I wish to emphasize is this: be wary, think and make sure before you click on a link or answer questions posed by unknown telephone callers. We are all human which means we get in a hurry, we get bored, we lose focus, we get preoccupied and a dozen other frailties. Cybercriminals rely on these human weaknesses to make their cash, and very successful they are at it. As an addendum to this advice, I want to emphasize caution when clicking on links or accessing websites having to do with the Covid-19 emergency or the impending national election. These two subjects are the subjects of more than half of all current phishing attacks.

Next tip: ensure that all of your devices, software applications, operating systems and firmware applications are included in your security maintenance program. Relying solely on WSUS and patching Windows vulnerabilities just doesn’t do the job. All your non-Windows network entities should be updated and patched as well. Also, updating and patching should be applied as soon as possible. You can bet that cybercriminals will not be slow in attacking vulnerable systems.

Tip number three: be very wary of social media use. The amount of private information that we blithely upload to social media sites is astounding! Having been in the intelligence field myself, I know how much information analysts can glean and infer from seemingly harmless business or family facts. You should remember that the information you provide your friends or colleagues on social media is only as private as their own security settings and habits. A good rule of thumb is to not post anything you wouldn’t want a stranger to see. Once again, think before you post!

The last tip I’ll provide here is to use very strong access controls and encrypt every connection and bit of private information you can. With so many of us working from home now, web conferencing is at an all time high. Make sure you use a service that will allow you to encrypt communications. If at all possible, employ multi-factor authentication for web conferences and other sensitive communications as well. If MFA is impossible, use a nice long passphrase instead of some weird nonsensical eight-digit password you can’t remember anyway. Entropy is where it’s at!

Automobile dealerships have problems when it comes to information security. One of these problems is that, being relatively small organizations, they have limited resources to expend on information security. Exacerbating this problem is the fact that dealerships are difficult to secure and are juicy targets for cyber-criminals and identity thieves.

What do I mean by “juicy targets?” Dealerships of necessity must collect a great deal of personal private information about their customers in order to do business. This not only includes names, addresses, phone numbers and email addresses, but also potentially includes information such as Social Security Numbers, credit ratings and other financial information. Criminals can exploit this level of information to cause all sorts of mischief and make lots of money.

What do I mean by difficult to secure? Dealerships typically have various sales departments (i.e. new, used, fleet), service departments, finance departments and body shops. All of these departments employ computers and most of these departments are also accessible to customers. In addition, dealership personnel are often called upon to leave customers and computers unattended while they perform various tasks away from their areas. This means that there are lots of “attack surfaces,” both physical and cyber, for cyber-criminals to try to exploit.

One  inexpensive and effective way for dealerships to fight these problems is to ensure that access to your computer networks is well secured. There are basically two ways for attackers to access your computer networks: through a physical connection or a wireless connection. If your dealership still uses wired connections for workstations (many don’t), you should ensure that these connections are secure from tampering. You don’t want unattended customers to be able to successfully plug their devices into an open port and get access to your network. Access via these ports should be limited to approved MAC addresses, or should employ some other access controls to prevent casual network access.

Even more important than this, though, is ensuring that your dealership wireless networks are properly configured and secured. On top of having the same vulnerabilities as wired networks, wireless networks have the added weakness of working via electromagnetic signals that can be accessed by anybody in range. To secure your wireless networks, you should follow best practices advice including:

• Use strong access controls to limit access to wireless networks to only authorized users. Multi-part authentication is strongly recommended for this.
• Ensure that your wireless network employs strong protocols like WPA2 and is fully encrypted.
• Ensure that wireless access points and other networking equipment are fully secured. It is preferable to have this equipment secured in locked rooms or cabinets. It’s even better if access to this equipment is logged to individuals.
• Ensure that your wireless systems are securely configured. Change all vendor default passwords, and ensure other device settings conform to best practices recommendations.
• Ensure that your wireless devices and software applications receive proper security maintenance, and are well updated and patched.
• Separate your wireless networks into segments and ensure that only those with a business need to know can access each segment.
• Ensure that guest networks are available and properly secured. Each user of the guest network should have separate access control to prevent other guest network users from illicitly spying and compromising others on the network.
• If you are allowing your employees to use their own devices to access the production wireless networks, ensure that these devices are secured according to best practices recommendations. Also ensure that users are fully educated in their responsibilities for maintaining wireless security.
• Monitor your wireless networks with an eye for anomalies and misconfigurations.

Following these and other good network security recommendations can greatly increase information security at your dealership without having to expend inordinate amounts of money and employee time.

Ransomware has been a sad fact of business life for some time now. It has proven to be an effective money maker for cyber-attackers, and so is constantly being developed and improved by the bad guys. We think of the typical ransomware attack as someone compromising your network, encrypting your data and demanding ransom payment for the key to decrypt it again. But credit unions are one of those businesses that are regulated; they must protect private Member information according to FFIEC and NCUA 748 recommendations and requirements. That makes them especially sensitive to another, enhanced type of ransomware attack in which the attackers also threaten to release private information to the public unless paid off. This type of coercion bypasses incident response and business continuity measures. It doesn’t matter if you can restore your systems from backup if you already have a public data breach.

Even if a compromised credit union has kept an average information security program in place and therefore is not heavily trod upon by the regulators, the business will still be damned by the court of public opinion if data breach occurs. This loss of reputation could seriously affect the credit union and could also lead to large expenditures in credit monitoring and spin doctoring efforts. So, for credit unions, the best answer is to protect your network and private information from being compromised in the first place.

First, strong encryption and key management are a must with this type of regulated information. Private member information should be well encrypted not only when being transmitted, but also when at rest on all systems. Over years of security testing, we have noticed many businesses that do a pretty good job of encryption, but then miss something crucial like databases or backups. This is like building a safe with a screen door in it! Another encryption problem we have noticed is poor key management practices. We have seen keys stored on production systems and not properly protected in other ways. An encryption system is only as good as its key management system. If you do the encryption and key management part correctly, the attackers won’t be able to read Member data even if they manage to get their hands on it.

Next is network security mechanisms and monitoring practices. It’s not good enough to simply build a series of walls to keep the bad guys out; you need to post guards to keep an eye on things as well. It’s the same with network security; you not only need to have effective security mechanisms in place, you need to have humans in the loop to add that detection ability that no machine can truly equal. That is why we recommend that credit unions don’t spend all of their infosec dollars on extravagant machines or software, and ensures adequate resources are set aside to properly staff the information security department. A decent, well configured firewall, full logging and log aggregation, an adequate AV package and egress filtering and monitoring can go a long way when properly employed and monitored by competent staff.

Configuration and privileged access control are also key. In most ransomware attacks, cyber-criminals employ phishing techniques or exploit network vulnerabilities to gain a foothold on businesses’ internal networks. But to mount a successful ransomware attack, they must also be able to maneuver around the network and to elevate their network privileges. On most networks, unfortunately, this is not a daunting task. Attackers can crack password hashes on user machines looking for admin passwords that they can then use to access other hosts and repeat the exercise. They can do this because most networks use common admin passwords on multiple machines. They also have generally “flat” networks that are not properly segmented according to the principles of least privilege and need to know. These practices can allow attackers to gain domain admin-level access to the system, and that is game over. In addition, many businesses are lax when it comes to privileged access control. Many sys-admins use the same password for simple network access as well as for admin access to the system. Plus, when a new admin user is added to the system, or privileges have been highly elevated for a normal user, no alerts are made and nobody is monitoring the access control list. All of these practices should be curtailed if you want to get serious about network protection.

The final control I’ll mention in this blog is user education and buy-in to the information security program at your credit union. Employees and partners can be your worst security enemy or your greatest security asset. To be truly effective, personnel not only should receive infosec training and awareness reminders regularly, they should also be actively enlisted by the credit union as troops in the fight against network compromise. Their worth to the company in this effort should be extolled, and good performance should get praise and recognition. Even little perks like a good parking spot or small bonus can really motivate personnel.

Implementing these kinds of effective controls can seriously increase your resistance to all type of network attacks including ransomware. However, I don’t mean to say that these controls can replace the need for decent incident response and business continuity programs; you need those too. This is because, as we all should know by now, no information security program is or can be perfect!

As I discussed in my last blog concerning wealth management firms, the Securities and Exchange Commission (SEC) and their Office of Compliance Inspections and Examinations (OCIE) has placed a strong emphasis on information security and privacy practices. As 2020 began, the focus of OCIE examinations seemed to be concentrating on cyber governance, cyber resilience, privacy and data security, and outsourcing risks. Although these considerations still exist, the advent of the COVID-19 crisis has prompted the SEC to augment their thinking on current risks for brokers/dealers and investment advisors. Pursuant to this effort, they released a Risk Alert entitled Select COVID-19 Compliance Risks and Considerations for Brokers-Dealers and Investment Advisers (https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf). The OCIE’s observations and recommendations have been grouped into a number of categories. These are discussed below:

Protection of Investor Assets: The OCIE is encouraging firms to review their operating practices surrounding collecting and processing investor checks and transfer requests to ensure social distancing practices and remote working are not impacting the security of these practices. As well as updating policies to reflect these changes, the OCIE is recommending implementing additional steps to validate the identity of investors and the authenticity of their disbursement instructions.

Supervision of Personnel: The OCIE is recommending that firms should review and adjust their personnel supervision policies and procedures to ensure that the current situation does not seriously impact brokers/dealers’ ability to provide sound advice in a volatile market, and to communicate with their customers effectively.

Fees, Expenses and Financial Transactions: Recent market volatility has put pressure on both investors and wealth management firms. It is thought that this increased pressure may have increased the potential for misconduct among brokers/dealers. Because of this, OCIE recommends that firms should review and adjust their policies and procedures surrounding fees and expenses.

Investment Fraud: Volatile times and business situations can increase the risk of investment fraud through fraudulent offerings. The OCIE recommends that firms should be aware of these risks and take them into consideration when conducting due diligence reviews on investments to ensure that said investments are actually in the best interest of the investors. They solicit firms and investors that suspect fraud to contact the SEC.

Business Continuity: The OCIE is recommending that firms should consider their ability to operate critical business functions during the emergency situation and review their business continuity plans. They cite the fact that working from remote sites could raise compliance issues. They specifically state that compliance policies and procedures used under normal operating conditions may need to be modified to address risks and conflicts of interest present in remote operations. They also state that security and support for facilities and remote sites may need to be modified or enhanced.

Protection of Sensitive Information: The current emergency has forced firms to employ video conferencing and other electronic means to communicate while working remotely. Often personnel are using personal devices and web-based applications as a part of this process. The OCIE points out that employing these means increases the risk that investor PII or private company information may be compromised. These practices also increase email/phone phishing risks. To help fight this, the OCIE recommends that firms enhance their identity protection practices, provide additional training for users and investors, conduct heightened reviews of access rights and privileges, use encrypted communications, ensure patching and updating is well undertaken, consider enhancements such as multi-factor authentication, and address risk issues related to partners and third parties.

MSI points out that the best way to ensure that all your information security practices are effective and compliant with guidance such as that listed above is to conduct regular security reviews and testing. These include risk assessments, application security assessments, network vulnerability and penetration testing and other security testing such as Wi-Fi security testing and social engineering exercises.

Calculating cyber risk is at best an imperfect science. There are a number of factors that need to be calculated to determine risk, and the accuracy and completeness of each of these factors determine the overall accuracy of your risk determination.

There are two different types of risk assessments commonly used: qualitative risk assessment and quantitative risk assessment. A qualitative risk assessment does not try to assign a specific dollar amount or number value to the possibility of occurrence, impact or risk rating. Rather, these factors are expressed as severity ratings such as high, medium or low (or very high, high, medium, low and very low if you want to be more granular).

For whatever cyber asset you are assessing, you begin with determining threats to the asset paired with vulnerabilities that could be exploited by attackers to adversely affect that asset. These are called threat / vulnerability pairs. For each threat / vulnerability pair, you then determine the possibility that that threat may be realized (likelihood determination) coupled with the probable impact to the asset / organization if the threat is realized. You then subtract from this calculation the effectiveness of the security controls you have in place to prevent the threat actor from exploiting the vulnerability.

You can express this as a formula such as: (threat / vulnerability) x possibility of occurrence x impact – control effectiveness = risk (or residual risk). Although this is expressed mathematically, it should be understood that this is really a mind model rather than an actual quantifiable formula when performing qualitative risk assessment.

The same factors are also in play in a quantitative risk assessment. However, in quantitative risk assessment you try to assign actual numbers and dollar amounts to some factors. In other words, you might determine that the possibility of occurrence is 50% for a given period of time and that the impact of an occurrence will cost you $150, 000.

Although quantitative risk assessments give you harder data, they are best used for individual processes, applications or systems. Quantitative risk assessments are very hard to perform for complex systems such as are found in an enterprise level risk assessment. The number of factors to assess and the manner in which threats and vulnerabilities intermingle render actual dollar amounts, time spent, etc. simply too difficult to determine with any accuracy. That is why the vast majority of risk assessments carried out by organizations are qualitative in nature.

However, whether qualitative or quantitative risk assessments are performed, the key to their overall usefulness is the accuracy you achieve in uncovering valid threats, finding all vulnerabilities, determining the true likelihood of occurrence and accurately calculating the impact to the organization. Garbage in then garbage out no matter which method you use.

Many small businesses have a problem they may not even be aware of: they don’t have an incident response (IR) plan in place. This is a problem they should fix, especially with the Covid emergency multiplying the already plentiful malware and social engineering attacks that appear each day. Small businesses often have limited funds and personnel for IT security, and incident response may end up near the bottom of their priority lists. However, not having the ability to react quickly and correctly when an incident strikes can end up costing far more that setting up a basic IR plan and program. Plus, putting together such plan need not be difficult at all. Below are some simple steps small businesses can take to set up their own IR plan.

• Identify likely security incidents that could impact your business. This information can easily be found on the Internet. Write this down.
• Decide how the business should react to each one of these incident types and write this down. This advice is also readily available online. Write this down.
• Decide which personnel are going to be responsible for handling incidents (the incident response team). This usually includes IT and management personnel of various levels. Other personnel like legal advisors and security experts should also be identified. Once the team is chosen decide who is going to be in charge of response efforts. This is the person first contacted once an incident is detected. Write this down.
• Decide how and what you are going to communicate not only among the team, but with employees, customers who have been affected, regulators, law enforcement personnel, news media, third party security service providers, etc. Also decide who is going to do these communications. Make sure phone lists are included in this document. Write this down.
• Take all the information from above that you have written down and consolidate it into one plan.
• Train your personnel what their responsibilities are and who they should contact if they detect an incident. This includes both the team and employees.
• Finally practice the plan and make adjustments and improvements as needed. A good way to practice incident response is by performing table top exercises that are as realistic as possible.

The above is a very simplified version of an incident response program, but it is really all you need to get started. Having such a plan in place is a kind of insurance that could pay real dividends if a data breach or other serious incident occurs.

Wealth Management Firms are under a lot of pressure as regards information security and privacy issues. These firms are regulated by the Securities and Exchange Commission (SEC) and the nongovernmental Financial Industry Regulatory Authority (FINRA) here in America.

In 2016 the SEC itself announced a security breach of their main investor database resulting in over one hundred million dollars in illicit trading profits and other gains. This event was particularly damning and embarrassing to the SEC as the Government Accountability Office had spent the previous eight years warning them about lax security practices.

This caused the SEC to make cybersecurity a priority of its National Exam Program. This program is actually conducted by the SEC’s Office of Compliance Inspections and Examinations (OCIE). Wealth Management Firms are under scrutiny from these examinations as well as those conducted annually by FINRA. The SEC can use its civil authority to bring cyber-related enforcement actions against bad actors, and FINRA has the power to impose substantial fines and penalties (including permanent revocation of registration) for those who fail to comply with their rules.

Unfortunately, all financial institutions suffer under the same vague information security requirements found in the statute laws that they are regulated under. An example of such language from the National Credit Union Administration’s 12 CFR part 748 follows: “1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems…” As you can see, this kind of guidance gives you a goal, but it doesn’t include any specific guidance to tell credit unions how to accomplish it. It’s like that across the body of financial institution regulation.

This basically left it to the regulators themselves to determine what measures financial institutions should take to maintain proper information security. These bodies in response turned to NIST for the basis of their information security guidance. Entities such as the FFIEC, FDIC and OCC all use this guidance as the basis for their own infosec requirements.

Dissatisfaction with this guidance has seen changes and improvements in information security and privacy paradigms in the last decade or so. New thinking in information security recommendations such as the CIS Critical Security Controls and MSI’s own 80/20 Rule of Information Security have started to take hold. The goal of all these newer information security recommendations is to ensure that the most effective infosec controls are prioritized, allowing the user to get the most bang for their information security buck.

My recommendation is that Wealth Management Firms should leverage these programs to meet SEC and FINRA infosec requirements. It would also be advisable to couch these security measures according to the NIST Cybersecurity Framework. This year the focus for OCIE examiners is liable to be:

• Cyber Governance
• Cyber Resilience
• Privacy and Data Security, and
• Outsourcing Risks

The OCIE also released a handy document called Cybersecurity and Resiliency Observations (https://www.sec.gov/files/OCIE-Cybersecurity-and-Resiliency-Observations-2020-508.pdf). The purpose of this document is to relate security practices that they have observed being used by the industry. It includes sections on Governance and Risk Management, Access Rights and Controls, Data Loss Prevention, Mobile Security, Incident Response and Resiliency, Vendor Management and Training and Awareness. I suggest that Wealth Management Firms should employ these observations when structuring their own information security programs according to the guidance mentioned above. This should provide them with a compliant, effective and low-cost information security program.

When you think about it, automobile dealerships can have a lot of very detailed and private information about you. For example, when you buy a car, the dealer may collect your identity and location information (name, address, telephone number, email address and even information about family members and pets). If you finance the vehicle through them, they also may collect a great deal of financial information about you (Social Security Number, credit history, bank(s) you use, account numbers and credit rating). And, of course, they have detailed information about at least one of your vehicles such as make, model, accessories, vehicle identification numbers, etc. All of this information is very desirable to cyber-criminals and hackers.

Not only do auto dealerships have a lot of your private information, the nature of the business gives online and on-site attackers numerous opportunities to access and compromise this information. Employees and customers move about a great deal in automobile dealerships often leaving their work areas unattended. There are numerous workstations around a dealership from the parts department to the service department to the finance department to the sales departments. If users share their passwords with fellow employees for convenience sake or leave their computers active when they are away from them, compromise of private information is made easy. In addition, auto dealership networks are usually connected to numerous service providers, partners and information systems. If these systems are compromised, then compromise of the dealership system could soon ensue. There are also liable to be paper documents containing private information that could be left exposed on desks or in unlocked drawers.

Luckily, auto dealerships that extend credit to someone, arrange for someone to finance or lease a car for personal, family or household use, or that provide financial advice or counseling to individuals are identified as financial institutions and are regulated by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act of 1999 (GLBA). These businesses therefore are required to comply with the FTC Privacy Rule and the FTC Safeguards Rule. Auto dealerships may also be subject to state or local ordinance, or some private regulatory body such as the PCI DSS. This is a good thing for the consumer.

Under the FTC Privacy Rule, dealerships are required to protect private customer financial information, and are required to provide customers with a number of written notices detailing their rights under the Privacy Rule. Under the FTC Safeguards Rule, dealerships must protect physical, paper and electronic customer information. They are also required to have an information security program designed to protect the confidentiality, integrity and availability of private customer information. Since dealerships are considered to be financial institutions, these security requirements are much the same as those your bank must adhere to. There are fines in place for failure to comply with these regulations, and lawsuits may also be filed against dealerships that fail to adequately protect your private information.

Although these regulations don’t guarantee your private information won’t be compromised, they do put a big roadblock in the path of information thieves. Plus, auto dealers know that 84% of those surveyed said they wouldn’t do business with a dealership that has had a customer data breach incident. That surely helps inspire dealers to take information security seriously.