I have written a number of blogs lately about the dangers of ransomware to all industries, including the financial industry. Ransomware is proving to be the most dangerous and prevalent form of cyber attack today. Realizing this, the Bankers Electronic Crimes Task Force, State Banking Regulators and the United States Secret Service have developed a Ransomware Self-Assessment Tool to be employed by credit unions and other financial institutions to provide them with an overview of their preparedness for identifying, protecting against, detecting, responding to and recovering from ransomware attacks. Many financial institutions have already been, or soon will be, asked to complete this tool.
As many of you may recognize, “identify”, “protect”, “detect”, “respond” and “recover” make up the five functions of the Framework Core of the NIST Cybersecurity Framework. This is a good clue that credit unions would be wise to base their information security program on this framework if they wish to be proactively compliant with regulatory scrutiny and current “best practices” standards. In my blog post of December 3, I discussed the importance of embracing the Cybersecurity Framework if you want to resist ransomware attacks to the extent possible.
But the Self-Assessment Tool is not limited to questions about your adherence to this framework. In fact, the very first question in the tool asks if Center for Internet Security (CIS) controls are used to mitigate common cybersecurity attacks at your institution. Unless you have actually mapped your information security controls against the CIS Top 20, you may not be able to answer this question. The current version of these controls is 7.1, and the control categories included are:
- Inventory and control of hardware assets
- Inventory and control of software assets
- Continuous vulnerability management
- Controlled use of administrative privileges
- Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
- Maintenance, monitoring and analysis of audit logs
- Email and web browser protection
- Malware defenses
- Limitation and control of network ports, protocols and services
- Data recovery capabilities
- Secure communication for network devices, such as firewalls, routers and switches
- Boundary defense
- Data protection
- Controlled access based on need to know
- Wireless access control
- Account monitoring and control
- Implement a security awareness and training program
- Application software security
- Incident response and management
- Penetration tests and red team exercises
Mapping your controls against the Top 20 is not only useful in responding to the Self-Assessment questionnaire, but is another good way of comparing your information security program to best practices recommendations.
However, the Self-Assessment Tool does not stop there. To complete the tool, you will have to be able to pinpoint the location of your critical data and who manages it, identify third-party vendors who have remote access to your network, identify how all your administrative and user-level access controls are implemented, and much more.
If your credit union needs to prepare for responding to this tool, I highly recommend starting out by mapping your information security program to the NIST Cybersecurity Framework and the CIS Top 20 controls. Doing so will pay benefits far beyond completing the tool itself.