News & Commentary

09:36 AM
Ben Knieff, NICE Actimize

Cyber Security – Avoid Prescriptions When Keeping Up With Threats

Banks are part of an interconnected ecosystem with law enforcement, vendors, and other critical industries when it comes to cyber security. New cyber security regulations should facilitate cyber security efforts among these players instead of burdening banks with a checklist of to-dos.

The start of 2013 has included substantial focus on cyber security issues, from President Obama’s Executive Order directing NIST to develop critical infrastructure standards to the continuation of DDoS attacks against a range of financial institutions. These issues have put a spotlight on the challenges financial institutions face in protecting their systems, data, and customers from criminals with financial, political, and activist motives. Now the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) has responded to NIST’s request for industry comments on how to establish cyber security framework requirements, providing extremely well-reasoned and practical comments and highlighting a key fact: the financial services industry has already established itself as a leader in protecting its infrastructure, data, and customers. The industry is rightly concerned that new standards and regulations add to the burden of requirements from a wide variety of sources such as the FFIEC, GLBA, SOX, and a multitude of others. It also very rightly points out that the notion of “cyber security” covers a range of practice areas, from data protection to intrusion detection to financial malware, each of which has very different risk mitigation approaches, skill sets, and technical solutions.

No prescriptive checklist can effectively address the multitude of risks within any single industry, much less across industries. As the FSSCC points out, only a risk-based approach focused on outcomes and harmonized with existing regulations will help institutions approach the challenge effectively. We have observed the criminal community adapt extremely quickly to defenses put in place by institutions; a checklist approach is akin to handing them the game plan so they know exactly which controls to avoid and which weaknesses to exploit.

A risk-based approach, however, shifts the burden to institutions to ensure they have strong risk assessment techniques and adequate threat intelligence. This can be challenging for smaller institutions that rely on service providers for many of their technology needs. Vendors have a responsibility to be responsive to these needs, assess their own risks, and act accordingly to protect the institutions that depend on them not only for solutions but also for risk and threat management expertise.

This interconnectedness between financial institutions, vendors, law enforcement, and other providers of critical infrastructure means that the risks and the severity of threats are asymmetric, and this is where regulatory requirements can bring the most value. When Party A’s enhancement of its security benefits Party B more than it benefits Party A, regulation can provide a path to improve the system as a whole. An excellent example is technology for signing emails. While not a panacea, it is an existing technology that can help reduce threats from phishing and malware distribution. Yet ISPs have little economic incentive to deploy the technology broadly, and as a result financial institutions and businesses of all kinds continue to face these threats.

As the previous example shows, interdependence within and across industries and with law enforcement requires careful review to ensure collective benefit, especially when it involves sharing sensitive information. Balancing privacy and civil liberties is of primary concern, but in many cases even non-personal information that would be valuable to share is withheld because it is unclear whether sharing is allowed. Many privacy laws and regulations make exceptions for sharing data for purposes such as fraud prevention, yet so many laws and regulations apply that it is easier to err on the side of caution. Improving clarity on what can be shared, with whom, and when will dramatically improve the ability of industries and law enforcement to collaborate, identifying and responding to threats more quickly. When threats are understood sooner, critical infrastructure industries and vendors can develop responses more rapidly.

The financial services industry is already leading in defending against a variety of cybercrimes, and more attention and cooperation will only improve institutions’ ability to defend themselves against threats. Care must be taken to ensure that new guidelines and regulations provide appropriate incentives and do not lead to prescriptive measures that cannot keep up with rapidly evolving threats. Coordination between the public and private sectors should enable and encourage financial institutions to continue responding to threats and improving their defenses.

Ben Knieff is the director of global fraud product marketing for NICE Actimize, a security and compliance solutions provider for financial institutions.
