We hear about a large world bank hack almost every week these days. From the recent Capital One breach to the European Central Bank attack, how can you trust that your bank is safe? The financial industry must follow a number of compliance frameworks on their IT systems to secure and protect data. Unfortunately, we too-often discover that auditing controls are insufficient by news headlines about the Russians or Chinese hacking a large global bank. Even the Equifax breach was caused by a simple misconfiguration that should have failed a routine audit.
Financial Cybersecurity Regulations in the USA
Some of the regulatory bodies that financial institutions have to report to include:
- The Board of Governors of the Federal Reserve System
- Federal Deposit Insurance Corporation
- Office of the Comptroller of the Currency
- Federal Trade Commission (FTC)
- Consumer Financial Protection Bureau (CFPB)
- Securities and Exchange Commission (SEC)
- Commodity Futures Trading Commission (CFTC)
- Financial Industry Regulatory Authority (FINRA)
- US Treasury
- Federal Communications Commission (FCC)
With all those reporting agencies comes a lot of compliance controls and regulations. To name a few:
- PCI DSS – Payment Card Industry Digital Security Standards
- GLBA – Gramm–Leach–Bliley (FFIEC – Federal Financial Institutions Examination Council)
- SWIFT – Society for Worldwide Interbank Financial Telecommunication
- SOX – Sarbanes Oxley Act
- CJIS – Criminal Justice Information Services
- GDPR – General Data Protection Regulation
- FISMA – Federal Information Security Management Act
Financial Cybersecurity Controls
Many of these regulatory frameworks have a similar framework that the NIST CSF has broken down into five key areas: identify, protect, detect, respond, recover. Within those areas follow a similar set of rules to cover the following areas:
- Patch Maintenance. Enable the automatic patching of operating systems and third-party software to remediate the latest vulnerabilities. (CVE)
- Secure System Configuration Baselines. The Center for Internet Security (“CIS”) publishes baseline recommendations for what they consider a secure operating system. Consider implementing the Azure CIS or Microsoft’s security and compliance baselines for Windows 10.
- Identity and Access Management. Just enough access or just in time (JEA/JIT) limits the attack surface of a breached account. Stop using accounts named admin or administrator. Review user accounts and privileges at least quarterly to ensure privilege creep does not occur due to employees switching departments.
- Vulnerability Scanning. Use commercial software to scan for common vulnerabilities and exposures. CVE vendors include Microsoft Defender ATP, Tenable.io, Qualys, and SanerNow’s SecPod to name a few.
- Endpoint Malware Protection. Install commercial-off-the-shelf (COTS) software on organization owned computers and servers.
- E-mail and Browser Protection. Rely on a service such as Office 365 ATP, Barracuda, or Mimecast for attachment detonation chamber scanning.
- Perimeter Security. IDS/IPS on your core server workloads is a must. Shift to an identity-based perimeter for user access at offices. IDS/IPS at the office is still important, but using cloud managed vendors such as Ubiquiti can reduce firewall subscription costs that can be diverted to Microsoft 365.
- Security Awareness Training. All new hires must complete cybersecurity training upon being hired, and at least annually thereafter. Ongoing phishing simulations and password spray attacks can be completed automated to keep employees on their toes.
- Risk Assessments. Conduct annual and ongoing risk assessments to validate device compliance before granting access.
- Data Protection. Encrypt everything. Backup your data offsite or in a different geo. Regularly test the firm’s ability to restore data. Consider blocking USB data storage devices.
- Third-Party Risk Management. Make sure your supply chain is secure. Review System and Organization Controls (SOC) or SSAE 18 reports for third party vendors and other partners with access to confidential firm and customer data to ensure they have security controls commensurate with, or better, than the firm’s. With the impending CCPA and GDPR legislature, make sure that all contracts have provisions to enforce data protection and prompt breach notifications.
- Branch Controls. Ensure that branches apply and enforce relevant firm cybersecurity controls, which may include many of the controls identified in this list, as well as other relevant controls such as those elsewhere in this report or in the Small Firm Cybersecurity Checklist
- Policies and Procedures. Make sure you have a standard set of policies and procedures that are reviewed annually. Make these documents available to your employees by sharing them in the All Company Team channel or integrating them with your employee handbook.
If you’re interested in moving to Microsoft’s cloud, we can help you understand the complex compliance frameworks that are required to help get you there. The next time you hear about a world bank hack, hopefully, it’s not you.