In a Nutshell: Despite the best intentions of federal and state regulators, many financial institutions have discovered that simple compliance-level security standards may leave gaps that can be found and exploited by cyberattacks. Security solutions provider Tripwire knows security and compliance aren’t always the same thing, and while digital criminals are becoming more sophisticated, executing complex attacks following a cyber kill chain, Tripwire provides adaptive solutions designed to fill security and compliance gaps. Used by Fortune 500 companies and major financial organizations around the world, Tripwire Enterprise security configuration management (SCM) suite provides a fully integrated solution capable of managing policy, file integrity, and remediation for comprehensive security.
Once existing as little more than a theory about self-replicating computer programs, the simple computer virus now has a long and substantial family tree — one leading all the way to the masses of malware infecting our computers today. Making matters more complex, the modern cyberattack can involve not just a single virus or its kin, but a group of talented hackers with an entire armory of digital weapons at their disposal.
For financial institutions, which are loaded with everything from potentially valuable data, such as consumer Personally Identifiable Information (PII), to patently valuable assets like, well, money, the risks of a significant cyberattack are greater than those of your average corporation. In fact, a survey of global cyber security experts by AIG identified financial services as the industry most likely to sustain a systemic attack in 2017.
And many in the financial services sector may not be dealing with cyberattacks as well as they believe. When security software provider Tripwire surveyed 134 financial services IT professionals, it found that only 65% of the security vulnerabilities unearthed by the respondents’ organizations were fixed within 30 days of detection.
At the heart of the problem may lie an overconfidence in — or, perhaps, overreliance on — the myriad federal regulations put in place to help protect consumer information. While the regulations, specifically the Safeguards Rule, do require institutions to maintain a basic level of cyber security, many professionals feel that maintaining compliance-level security isn’t enough to thwart the threats faced by the industry.
“Compliance and security are not the same thing,” explained Tim Erlin, VP of Project Management & Strategy at Tripwire. “While many best practices are mandated by compliance standards, they are often implemented in a ‘check the box’ fashion. Addressing compliance alone may keep auditors at bay, but it can leave gaps that allow criminals to gain a foothold.”
Since any given institution can have tens of thousands of endpoints to secure, traditional security measures can be circumvented in a variety of ways. In the modern digital business landscape, every connected device — including those operated by employees and customers — can be an opening for a cyberattack.
“Ransomware and other types of malware take advantage of vulnerabilities in operating systems and software that are used by all,” described Irfahn Khimji, Senior Security Engineer for Tripwire. “And issues like identity theft and phishing rely on tricking users to give up sensitive information, such as the username and password for their accounts. The concept behind these types of attacks is deception. This can affect individuals and organizations of all sizes.”
The Cyber Kill Chain: Anatomy of a Cyberattack
Although once thought of as the realm of tech-smart miscreant teenagers, the cyberattacks launched today are rarely the work of adolescent hackers. Organized groups or gangs of professionals — and even some governments — are said to be behind many of today’s biggest and worst cyberattacks, and their weapons are far more sophisticated than the simple viruses used by their predecessors.
In fact, the term used to describe the modern cyberattack methodology was adapted from a term used to describe a tactical military attack: the kill chain, or cyber kill chain. Adapted by Lockheed Martin’s Computer Incident Response Team, the cyber kill chain model is described in Tripwire’s Unified Security Solutions for Financial Services and outlines the steps an adversary must complete to achieve a cyberattack objective, providing an effective illustration of the anatomy of a successful cyberattack.
1. Reconnaissance
The initial stage of any successful campaign, the first link of the kill chain is the reconnaissance phase, during which attackers scout a system for weak points and vulnerabilities. Everything from firewalls and perimeter security to endpoints and user accounts is identified and explored in this stage as attackers note any potential entry points.
2. Weaponization & Delivery
Once possible vulnerabilities are discovered in the target system, the attackers move on to the next phase — weaponization and delivery of an attack payload. Customized to the specific host system, the attack payload can be delivered via a phishing email, compromised website, or any other unsecured endpoint discovered during reconnaissance.
3. Exploitation
After the infiltrators have delivered the attack payload into a system, the next phase is to begin exploiting the system’s vulnerabilities and to execute — well, anything they like. Attackers can install additional tools, modify network security certificates, and create new files to begin establishing control of the host system.
4. Command & Control
As soon as the attackers have established a controlled foothold in the system, they can then begin to gain increased access to the system. They can extract and alter credentials to move freely throughout the system, as well as restrict legitimate access to the system’s resources. If multiple systems are connected, the attackers can use their entry to one system to move throughout the associated systems.
5. Malicious Action
With the compromised system under their control, the attackers can set about accomplishing their goals. Depending on the nature of the attack, this stage could include the exfiltration of critical data or proprietary information, which can be transferred to another location for future use, ransom, or sale. Another common goal is the disruption or disabling of the host system to prevent the victim’s normal business functions.
Tripwire Enterprise Provides Real-Time Detection, Compliance Enforcement & Remediation Management
In the face of coordinated, systemic threats and ever-evolving digital weapons, many people have realized that there needs to be a stronger focus on security — comprehensive security.
As described by Tripwire, “Cybercrime attacks and security breaches are top of mind among financial institutions, and there has been much discussion of the Cyber Kill Chain. This heightened awareness has brought a new realization: traditional security, which is reliant on network and signature-based solutions, like malware protection, antivirus and intrusion protection systems, is not enough.”
Of course, traditional approaches aren’t completely obsolete; they are key components to a solid security solution. According to Tripwire, however, they can still leave security gaps that need to be addressed on endpoints and vital servers.
The company believes creating successful cyberdefenses goes hand-in-hand with the ability to validate the level of security required for regulatory compliance. To help fill critical gaps in the security and financial strategies of financial institutions, Tripwire developed solutions aimed at detection, remediation, and prevention that go beyond the regulated basics.
“Tripwire solutions help with identifying what systems are on a network — because if you do not know what is there, how can you protect it? In addition to this, Tripwire helps with identifying the security risk and posture of the assets on an organization’s network,” said Irfahn. “And as new threats emerge and evolve, Tripwire helps to continuously monitor that risk posture, and guide organizations toward reducing that risk.”
Specifically, Tripwire Enterprise security configuration management (SCM) suite provides a fully integrated solution capable of managing policy, file integrity, and remediation. The Enterprise suite allows IT teams to achieve a foundational level of security throughout their infrastructure, increasing system integrity and delivering continuous compliance.
“Tripwire Enterprise can detect the presence of an attacker through real-time detection of changes they make to host system configurations in an attempt to exploit them,” described Tripwire. “By combining detected changes from Tripwire Enterprise with security events identified in Tripwire Log Center®, financial firms can more definitively determine which changes and events correlate to indicate a true attack or breach in progress.”
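The detection pattern the quote describes, paired with the host changes listed under the exploitation and command-and-control stages above, as an added example that is my own code, not Tripwire Enterprise or Tripwire Log Center: a file-hash baseline is diffed against a later snapshot and every change is correlated with suspicious events from an auth log. The directory tree, the log lines, the 203.0.113.7 address and the keyword heuristics in SUSPICIOUS are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

SUSPICIOUS = ("Accepted password for root", "useradd")  # constructed heuristics, not Tripwire's rules

def snapshot(root):
    """Hash every file under root; the first snapshot taken is the trusted baseline."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            with open(p, "rb") as f:
                snap[os.path.relpath(p, root).replace(os.sep, "/")] = hashlib.sha256(f.read()).hexdigest()
    return snap

def diff(before, after):
    """Added, removed and modified paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, modified

def correlate(changes, detected_at, events, window=timedelta(minutes=15)):
    """Pair each changed path with suspicious events logged within +/- window of the
    change: a change backed by such an event is 'high', an unexplained one is 'review'."""
    hits = [msg for ts, msg in events
            if abs(ts - detected_at) <= window and any(k in msg for k in SUSPICIOUS)]
    return [(p, "high" if hits else "review", hits) for p in changes]

def demo():
    """Constructed scenario: sshd_config weakened and a new binary dropped, followed
    minutes later by a root password login in a constructed auth log."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    cfg = os.path.join(root, "etc", "sshd_config")
    with open(cfg, "w") as f:
        f.write("PermitRootLogin no\n")
    base = snapshot(root)                      # trusted baseline
    with open(cfg, "w") as f:
        f.write("PermitRootLogin yes\n")       # configuration change
    with open(os.path.join(root, "tool.bin"), "wb") as f:
        f.write(b"constructed payload")        # new file created on the host
    added, removed, modified = diff(base, snapshot(root))
    t = datetime(2017, 3, 1, 9, 0)             # time the changes were detected
    events = [(t + timedelta(minutes=3), "sshd: Accepted password for root from 203.0.113.7"),
              (t - timedelta(hours=2), "cron: daily backup finished")]
    return correlate(added + modified, t, events)
```

A change with no event nearby is still reported for review; the point of the correlation is that a configuration change plus a matching event is a far stronger breach signal than either alone.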
Advanced Security for the Modern Threat Landscape
Because it houses vast reservoirs of valuable information, the financial services industry is constantly under threat of cyberattacks. And as technology continues to outpace legislation, security minimums required by regulations are expected to continue to fall short of providing adequate protection for that data.
But some people are fighting to improve the current regulatory requirements. On March 1, 2017, New York became the first state to enact its own individual set of cybersecurity regulations for the financial services industry. The New York Department of Financial Services’ (DFS) Cybersecurity Regulations have more stringent requirements than those currently in force, including periodic risk assessments, data encryption procedures, and the establishment of an incident response plan.
Regardless of the regulatory landscape, however, Tripwire feels companies should be focused on putting in place security procedures that are effective — not just compliant. “Regulations are created and maintained to ensure the safety of the users of various services,” said Irfahn. “At the end of the day, each regulation or standard is designed to increase security. However, compliance does not always guarantee security.”