As I have been writing about lately, we are experiencing a new level of cyber-attack sophistication and effectiveness. 2020 has seen not only very effective ransomware attacks, but also equally effective supply chain and DNS vulnerability attacks. Regulators and security personnel were shocked and somewhat at a loss on how to combat these threats other than by strengthening information security program and controls requirements. They are pressing down hard, and financial institutions such as wealth management firms are at the spear tip of their efforts.

To understand the cyber-risk that faces them, financial institutions need conduct risk assessments. Risk assessments can be limited in scope or can include the entire organization, but they all include many common steps and determinations. I still adhere to the processes outlined in NIST 800-30 2002. These include threat analysis, vulnerability assessment, probability of occurrence analysis, impact determination and controls analysis. Combining these factors allows you to assign a risk exposure rating. The formula is: risk = (threat x vulnerability x probability of occurrence x impact)/controls in place. But how do you actually apply this formula to the results of the various steps of the risk assessment?

One way, of course, is to just calculate it by feel. What I mean by that is looking at the threats, vulnerabilities, probabilities of occurrence and likelihood of impact information you have come up with, and balancing that against the controls that are already in place at the organization. Then, either unilaterally or in discussion among the group, you determine if the residual risk you are facing is high, medium or low. This is really the way most organizations determine their risk levels.

NIST has a few tools to help you with determining some of these steps. For probability of occurrence (likelihood determination), they advise considering three governing factors:

• Threat-source motivation and capability.
• Nature of the vulnerability.
• Existence and effectiveness of current controls.

They also have a likelihood table to help you decide:

For impact, they have produced another table that helps you rate the magnitude of impact:

Then, for the actual risk determination step, they have produced a risk level matrix and risk scale:

The risk scale for this matrix is: High (>50 to 100); Medium (>10to 50); Low (1 to 10).

The risk level scale table is:

Although NIST 800-30 2002 has been retired, I still find their risk assessment methodology useful. The tables and matrix shown above help me in making my risk determinations without resorting entirely to feelings. Perhaps they will be useful to you as well when you are faced with the thorny problem of assigning cyber-risk levels. They will at least give you some justification for making the decisions that you do.

The SolarWinds supply chain hack has really thrown organizations and businesses of all sorts for a loop! The scale, complexity, duration and effectiveness of the attack was awesome, and it is not over yet. On top of that, other supply chain attacks may even now be underway with all of us none the wiser. The problem lies in protecting ourselves from such attacks in the future. This, however, is a thorny problem.

Supply chain applications are designed for things like easy interoperability, connectivity and ease of use, just like the original code for what became the Internet was designed; functionality and user friendliness are the primary considerations in such applications. With these kinds of functions build into the chain, security problems are inevitable. People in the industry have known this for some time and have forwarded warnings about the vulnerabilities in the supply chain. NIST began to develop their cyber supply chain risk management (C-SCRM) program in 2008. They released a draft of NISTIR 8276: Key Practices in Cyber Supply Chain Risk Management in February of 2020.

This risk management paradigm was developed with input from across a number of organizations and disciplines, and was open for comment from early February to early March last year. This effort (in draft) produced eight practices that include:

1. Integrate C-SCRM across the organization.
2. Establish a formal program.
3. Know and manage your critical suppliers.
4. Understand your supply chain.
5. Closely collaborate with your key suppliers.
6. Include key suppliers in your resilience and improvement activities.
7. Assess and monitor throughout supplier relationship.
8. Plan for a full life cycle.

This seems like sound advice for the risk management part of the problem, although it will have to be tested in implementation. But what can you do now to help prepare yourself for supply chain attacks? One thing you can do is deconstruct a supply chain attack, see how it works and plan controls and procedures for thwarting the attack. In military terms, this would be called disrupting the kill chain.

There are several versions of cyber kill chain phases out there, but they all have much in common. The basic steps in a supply chain attack could include:

1. Reconnaissance – Mapping your organization from personnel and business functions to examining your network, the protocols you use and the security measures you have in place.
2. Intrusion – Leveraging flaws found during reconnaissance, using social engineering techniques or employing zero-days to gain access to the network.
3. Exploitation – Exploiting vulnerabilities you found during the reconnaissance phase to implant malware or perform other tasks.
4. Lateral Movement – Exploiting weaknesses in administrator password practices or system onboarding configuration practices to move to different systems across the network.
5. Privilege Escalation – exploiting weaknesses in privileged access control, configuration control, etc. to elevate your privileges on the system.
6. Finding the Gold – Accessing various systems to locate valuable information.
7. Exfiltration of Data – Copying and removing all that juicy data from the system.

Of these steps in the kill chain, a couple stand out to me as the easiest for most organizations to control: lateral movement across the network and privilege escalation. For years we at MSI have been harping on the dangers of taking shortcuts when administering systems on the network. Attackers are often able to move laterally across a network because a group of systems all use a common administrative password. As big a pain as it can be, each system on a network should have a unique administrative password just like each user on the network should have unique access credentials.

Another problem that allows lateral movement is system administrators using the same password for simple network access and for administrative access. If an attacker can compromise a user system and crack the password hashes, there is a good chance that they can identify and use one of these passwords to gain admin-level access on the network’

Finally, privileged access to the system is the key attackers need to fully compromise the system and exfiltrate data. There cannot be too many precautions you can take when it comes to allocating and monitoring privileged access to the system! You should employ heuristics to identify odd behavior or odd time of system access for privileged users. Addition of a new privileged user to the system should generate alerts. All privileged access and use of the system should be logged and monitored. If you are really serious about protecting your system, you may want to implement dual controls for certain privileged user functions. These are just a few of the controls that could be implemented. My advice is to do a risk assessment, determine where your vulnerabilities may lie and design and implement controls that disrupt the cyber kill chain in a way that work for you.

Some credit unions own their ATM machines, others lease them or have a service in place. But however credit unions handle ATMs at their locations, they should ensure that proper physical and logical security controls are in place, and that security maintenance is regularly performed on the machines and their back end systems. It is unfortunately true that ATM machine vulnerabilities are still being exploited to empty machines of cash or to corrupt their back end operating systems and servers with malware, which could lead to possible compromise of private member data. Threat sources for these compromises include both external attackers and insiders such as credit union employees or employees of third-party ATM service providers.

Not only is member trust at issue if there is an ATM security breach, the credit union has to consider their responsibilities under Regulation E of the Electronic Fund Transfer Act. According to this act, risks to electronic fund transfers (including ATM transfers) should be included in the risk awareness program, and both physical and logical security controls should be in place to address these risks. In addition, policies addressing these risks should be included in the credit union’s written information security program and approved by the Board of Directors.

Some of the control needs that should be addressed include:

• Dual controls for ATM access and maintenance, as well as dual controls for card stock and printer refills access.
• Security maintenance including updates and patches for ATMs and back end servers, applications, firmware and operating systems.
• Removal of default, easily guessed or dated passwords on ATM systems. Passwords should be changed often, and multi-factor authentication techniques should be implemented if at all possible.
• All the normal network security measures such as user access and account management, email security, internet access, change management, configuration control, malware protection and detection, logging and monitoring, etc.
• Fraud monitoring and protection.
• Control for electronic communications devices such as:
  • Access time-outs and logon attempt limits.
  • Anti-skimming software and hardware.
  • Monitoring for physical tampering.
  • Payment card security controls
• Consider implementing the highest level of endpoint security on ATM machines to prevent connection of devices or uploading of malware onto the machines.
• Ensure that autorun and boot features have been disabled on ATMs,

In addition to these controls, credit unions should have periodic security audits or risk assessments performed on ATMs and the policies and procedures surrounding them performed by qualified third-party information security firms. Another set of eyes and a different perspective are always beneficial to any information security program.

The rapid pace of change and confusion caused by the COVID 19 epidemic seems to have super charged the cybercriminals that continue to plague us. 2020 has seen a tremendous rise in the number and sophistication of ransomware attacks across the board. Also, the number and sophistication of phishing attacks, notably targeting Office 365 users, have also increased of late. In addition, the recent very successful supply chain attacks that affected high-value SolarWinds users were incredibly well conceived, coordinated and executed. These attacks required great cyber skill, meticulous planning and manual interaction and monitoring by the attackers. They should be of particular interest to utilities, since utilities may face the same level of sophistication if attacked by nation-state level cybercriminals.

Since cybercriminals have upped their game significantly, it behooves utilities to up their game as well. They need to make it very difficult for cybercriminals to get a foothold on their systems in the first place, and if those efforts fail, they need to be able to detect, react and recover from attacks quickly and surely.

However, utilities are in a particularly bad position to implement adequate operational and technical security controls to properly secure these systems. For one thing, industrial controls systems and components used by utilities are long lived and generally were not designed with network security controls in mind. They are hard to retrofit, and so must be replaced with modern equipment or be secured with operational controls rather that technical controls. One fix means money and time for new equipment, the other fix means money and time for increased personnel.

Another problem is that, one way or another, many utilities can be attacked from remote locations over the Internet. To be efficient, centralization of control systems has increased, and inevitably it seems, industrial control networks are linked up at some point with administrative networks and the Internet. So, if your back-room network and the personnel who use it aren’t perfectly vigilant, they can be used as a vector for attackers to access the industrial control system. Also, industrial control devices can often be administered directly over web-based applications. This makes another vector for clever attackers to take advantage of.

In my opinion, the answer to fixing the utilities security problem does not lie solely or even primarily in technological fixes. I think the most effective way to resist modern cyberattack is through implementing operational controls and ensuring there are enough well-trained personnel to implement them. For example, all possible routes of access to industrial control systems need to be fully mapped and updated constantly. Any access from the administrative network or the Internet to industrial controls systems needs to be strictly white-listed and monitored. Administrative-level access controls should be fully implemented, and networks should be configured so as to make lateral movement across the network or elevation of privileges extremely difficult to accomplish. Dual controls should be implemented where appropriate, and utilities should consider using all three possible types of identification for particularly sensitive access to the system (i.e. remote administration and control of systems, adding and removing users).

Embrace the latest in information security guidance, what we like to call “best practices” level security. It’s difficult, frustrating and expensive, but nothing compared to what could happen in the event a sophisticated, coordinated and wide-spread attack on our utilities occurred.

The ransomware problem just seems to be getting worse and worse. A recent study showed that ransomware increased from 39% to 51% just from Q2 to Q3 this year. This was record growth, and put ransomware attacks as one of the top threat vectors out there. But we have noticed that many organizations, including financial institutions such as wealth management firms and credit unions, have yet to include ransomware attack as a specific threat vector in their incident response plans. Because of this, we recommend that financial institutions should conduct a specific ransomware risk assessment to determine how this threat could impact them, and to examine the probable effectiveness of the security controls they currently have in place in ameliorating it.

When conducting such risk assessments, the organization should start with threats and threat vectors. For ransomware, the primary threat vectors according to CIS include:

• Malicious attachments or links sent in email messages.
• Network intrusion through poorly security ports and services, notably Remote Desktop Protocol (RDP) and Server Message Block (SMB).
• Dropped by other malware infections such as an initial TrickBot infection leading to Ryuk ransomware attack.
• Wormable and other forms of ransomware that exploit network vulnerabilities such as WannaCry.
• Employing compromised managed service providers to push ransomware to multiple entities.

In addition, attackers have been employing legitimate pen test and network administration tools as a part of their attacks. These tools can be used to help minimize detection and maximize the impact of attacks. Use of these tools as attack mechanisms is increasing the scope of attacks possible to cyber criminals. Just this week there was a report of a massive fraud operation using emulators that allowed attackers to steal millions of dollars from online banking accounts. Emulators are tools used by legitimate developers and researchers to test how apps run on mobile devices. Using these, criminals were able to spoof many thousands of accounts in a very short time, leading to massive illicit profits.

The next step in the risk assessment process is to examine your business processes and security controls to see where vulnerabilities that could be exploited by attackers to promulgate ransomware may lie. In other words, the organization should list the threat vectors (such as those listed above), and determine for each where the organization’s own systems may be vulnerable and what can be done about it if they are. Once that list is complete, the organization can decide if and how they are going to implement these needed controls.

One of the controls that is sure to arise from this process is proper incident response planning. Incorporating the results of your risk assessment can greatly enhance the organization’s ability to effectively detect and respond to ransomware attacks. Knowledge of how ransomware is going to come at you and the proper way to react to it is invaluable! And, as with any good incident response program, ransomware attacks should be included in incident response practice exercises. Lessons learned from these exercises will help to prevent chaos in the event of an actual ransomware attack against your organization.

It’s the end of the year again (already!), and as usual, there are lots of scams out there having to do with the holidays and tax time. Cybercriminals use such scams every year because they work. People are busy trying to shop and get ready for the holidays, and often become a little frazzled and careless. Prepping for tax time often just adds to these burdens. A perfect time to pull a scam! Here are a couple that were in the news this week.

This one was in Security News, and this is the gist: “Experts Urge Users to Ignore Facebook Christmas Bonus Scam. Identity theft experts are warning Facebook users to be on the lookout for a “Christmas bonus” scam which appears to be endorsed by their friends on the social network. Variations on these scams appear to have been circulating on Facebook since at least 2015. Most recently, users are being targeted by messages claiming to offer them a “Christmas bonus” or “Christmas benefit,” according to the non-profit Identity Theft Resource Center (ITRC). …Although there are variations on this theme, the bottom line is that the scammers want either victims’ personal information or their money, or both. They will usually ask for personal details in order to process the ‘bonus.’ They may also ask for a small ‘transfer fee’ in order to wire the winnings into the victim’s bank account”. Social media: always a ripe venue for scamming.

This is another one that was in Security News about a fraudulent IRS form. Here is a sample: “New IRS Form Fraud Campaign Targets G Suite Users. A new scam using an IRS form as its mechanism has been found targeting users of Google’s G Suite, with as many as 50,000 executives and “important” employees affected so far. The campaign, discovered and reported by researchers at Abnormal Security, claims to contain an IRS W-8BEN form in PDF format. The attached form asks for far more personal information than required on the actual W-8BEN, which is the form needed to maintain a nonresident tax-exemption status. While there is no malware payload attached to the email, providing all the requested information would give the attacker’s a treasure trove of personal info that could be used for identity theft and other fraud.”

Watch out for these and other scams like them. Never trust that simply because a website or document looks legitimate it really is. Smoke, mirrors and misdirection updated for the age of cybercrime!

I have written a number of blogs lately about the dangers of ransomware to all industries including the financial industry. Ransomware is proving to be the most dangerous and prevalent form of cyber attack today. Realizing this, the Bankers Electronic Crimes Task Force, State Banking Regulators and the United States Secret Service has developed and Ransomware Self-Assessment Tool to be employed by credit unions and other financial institutions to provide them with an overview of their preparedness towards identifying, protecting, detecting, responding and recovering from ransomware attacks. Many financial institutions already have, or soon will be, asked to complete this tool.

As many of you may recognize, “identify”, “protect”, “detect”, “respond” and “recover” make up the five functions of the Framework Core of the NIST Cybersecurity Framework. This is a good clue that credit unions would be wise to base their information security program on this framework if they wish to be proactively compliant with regulatory scrutiny and current “best practices” standards. In my blog post of December 3, I discussed the importance of embracing the Cybersecurity Framework if you want to resist ransomware attacks to the extent possible.

But the Self-Assessment Tool is not limited to questions about your adherence to this framework. In fact, the very first question in the tool asks if Center for Internet Security (CIS) controls are used to mitigate common cybersecurity attacks at your institution. Unless you have actually mapped your information security controls against CIS Top 20 you may not be able to answer this question. The current version of these controls is 7.1 and the control categories included are:

1. Inventory and control of hardware assets
2. Inventory and control of software assets
3. Continuous vulnerability management
4. Controlled use of administrative privileges
5. Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
6. Maintenance, monitoring and analysis of audit logs
7. Email and web browser protection
8. Malware defenses
9. Limitation and control of network ports, protocols and services
10. Data recovery capabilities
11. Secure communication for network devices, such as firewalls, routers and switches
12. Boundary defense
13. Data protection
14. Controlled access based on need to know
15. Wireless access control
16. Account monitoring and control
17. Implement a security awareness and training program
18. Application software security
19. Incident response and management
20. Penetration tests and red team exercises

Mapping your controls against the Top 20 is not only useful in responding to the Self-Assessment questionnaire, but is another good way of comparing your information security program to best practices recommendations.

However, the Self-Assessment tool does not stop there. To complete the tool, you will have to have to be able to pinpoint the location of your critical data and who manages it, identify third party vendors who have remote access to your network, identify how all your administrative and user-level access controls are implemented and much more.

If your credit union needs to prepare for responding to this tool, I highly recommend starting out by mapping your information security program to the NIST Cybersecurity Framework and the CIS Top 20 controls. Doing such will pay benefits far beyond completing the tool itself.

Over the last months I have written several blogs concerning the burgeoning problem of ransomware attacks. Ransomware has been evolving rapidly of late and is liable to explode. According to Kapersky’s predictions for cybercrime in 2021, “cybercrime is set to evolve, with extortion practices becoming more widespread, ransomware gangs consolidating and advanced exploits being used to target victims.” When you add to this such problems as rising business email compromise problems and the difficulties of information security in the age of Covid, you can picture a pretty bleak outlook for data breaches and ransomware attacks next year.

Unfortunately, compromised business email information, weak remote working security practices and advanced vulnerability exploits can all be employed by organized gangs of cybercriminals to perpetrate ransomware; a type of attack that can present businesses with no-win solutions. If you pay the ransom, what is to keep the cybercriminals from revealing your stolen information publicly anyway, or coming back to you again with additional demands for money? If you pay, you can also possibly be in violation of U.S. laws and regulations. If you don’t pay, your private client information could be exposed publicly, possibly exposing you to regulatory sanctions and legal actions.

Of course, the best protection possible is to harden your business and personnel against successful social engineering attacks and cyber exploits. The problem is, no matter how good your information security program, you still may be compromised. To protect your business responsibly in this environment, you need to embrace all aspects of a good information security program: identify, protect, detect, respond and recover. These activities make up the framework core of the NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov).

Identify basically refers to knowing your business. It includes asset management (i.e. software and hardware inventories), examining the business environment, identifying risk, coming up with a risk management and governance strategy and examining supply chain and third-party risk. If you don’t know your business deeply and exactly, you have little chance of protecting it properly.

Protect refers to all those programs you put in place to prevent cybercriminals from compromising your systems and information in the first place. These functions include access controls, data security measures (i.e. protection for data at rest and in transit), information protection processes and procedures (i.e. configuration and change management control, security policies and procedures, etc.), protective technologies (i.e. email security systems, SIEM, etc.), security maintenance (i.e. patching and updating), and the ever-important security awareness and training.

This leads into the “detect” part of the framework. As we have pointed out in past blogs, all the security systems in the world won’t keep you safe if you don’t actually monitor them and leverage their output to detect anomalies when they occur. And to perform this function properly, you need to involve humans. The human mind remains the most effective detection tool there is.

The last two parts of the framework core are “respond” and “recover”. These basically refer to your incident response and business continuity/disaster recovery programs. As was stated earlier, no matter how good your program is, there is always the possibility of compromise. That is why responding quickly and effectively is so important. This entails both planning and practice. As does business continuity/disaster recovery. Proper planning and realistic testing programs are essential.

Cybercriminals are looking forward to their best year ever in 2021. Do what you can to thwart their ambitions. A good, well rounded information security program is the best you can do in this respect. We recommend embracing the paradigms included in the NIST Cybersecurity Framework in this effort for their clarity, effectiveness and relative ease of implementation.

No matter what industry you are in, you need to practice emergency procedures to build proficiency and identify glitches in your planning. For example, we all went though fire drills back in grade school, or if you’ve been on a cruise ship, you have received lifeboat drills. These kinds of exercises have proven their worth time and again over the years. For wealth management firms, one such program that needs practice exercises is the incident response program. And tabletop incident response exercises are an effective way to conduct these practices.

We at MSI have had years of experience in developing and conducting tabletop incident response exercises for organizations in a number of industries. In the financial industry, the most prevalent and dangerous attack type currently is ransomware. Ransomware attacks can lead to data breaches, lawsuits, regulatory involvement, loss of reputation and financial loss. Let MSI assist your firm in tabletop exercises designed to test your response preparations and to make adjustments and improvements in your response.

First, we will work with your firm to design a real-world ransomware attack scenario that is relevant to your particular organization. From there we will construct the scenario and set a time with your firm to conduct the exercise. MSI will provide two personnel for the exercise: the exercise moderator and the exercise observer/recorder. It should be noted here that these exercises can be conducted in either the real or virtual world. During these days of pandemic emergency this can be an important consideration.

Once the tabletop begins, the moderator will unfold the details of the exercise one by one, just as they’d come to notice if a real incident were occurring. Your incident response team will then follow your incident response plan, communicate with each other and relate just how they would address each issue as it unfolds. As the exercise continues, the moderator will continue to introduce complexities built into the ransomware exercise scenario. Once the exercise concludes, MSI will help your team conduct a “lessons learned” discussion that points out what worked well during the exercise and what didn’t seem to work well and needs improvement. Finally, your firm will receive a report from MSI recapping the exercise and including suggestions for improving your response techniques and mechanisms.

In our experience, incident response tabletop exercises have never failed to expose flaws in the incident response plan. These exercises also lead to spirited discussion and innovative thinking among the team members. Remember, the key to minimizing the negative effects of any cyber-attack, including ransomware attack, is quick and accurate response.