OFFICIAL PUBLICATION OF THE COLORADO BANKERS ASSOCIATION

Pub. 11 2021-2022 Issue 5

Technology Research

Cybersecurity in Times of Tension


The crisis unfolding in Ukraine is creating a ripple effect in the United States that impacts our daily life. This article consolidates information on what is expected of financial institutions and suggests strategies for mitigating potential nation-state attacks.

Some financial institutions have already taken such actions in the course of business, and others began making changes as a preventive measure in today’s cyber threat-ridden climate long before the invasion of Ukraine. The following recommendations are meant to be an addendum to your already strong cybersecurity posture.

CISA hosts a Shields Up page (cisa.gov/shields-up) which is a resource to help reduce cybersecurity risk.

Please include these contacts in your incident response policies and business continuity plan:

Seriously consider performing a documented review/internal audit of the following in early 2022:

  • Look into your cybersecurity insurance policy and ensure that it will cover nation-state attacks and a ransomware negotiator to whom you will have access.

  • Review your backups, and ensure that compliance understands the new reporting requirements and keeps up with any changes. There is a bill currently going through Congress that would require critical infrastructure to report incidents to the Department of Homeland Security within 72 hours, with the ability to shorten that timeframe significantly. Additionally, CISA may shortly become the hub for cybersecurity concerns.

  • Validate all remote access, administrative access, and privileged access controls.

  • Verify that multifactor authentication is present on all of the above. Where it is not, ensure that access is accepted only with documented compensating controls. If MFA is not available on a device, consider recording it as an explicit exception.

  • Confirm that the review/audit has been completed and that all ports and protocols that are not essential are blocked. In addition, use this opportunity to go through the firewall and clean out any stale entries or old rules.

  • Make sure any cloud services have been audited recently and have appropriate security. CISA has posted suggestions at cisa.gov/uscert/ncas/analysis-reports/ar21-013a. This is a growing priority in regulation and a heavy focus of threat actors. Securing a cloud environment is not the same as securing on-premises systems or a data center. Both the senior management of your bank and the regulators need assurance that you recognize those differences. Make sure the risk assessments and control lists reflect that distinction.

  • Verify that detective controls are in place. Because we cannot prevent every threat, the ability to recognize and stop threats immediately is key. Document which tests and exercises have been done to confirm that the detective controls are functioning. Detective controls are only as good as what they can detect: if your controls have never been tested and have never found a threat, there is no proof that they work.

  • Run an incident response team test, whether a tabletop or a live exercise, to ensure that everyone knows their duties, that appropriate backups are available, and that team members have the appropriate authority. Sometimes an exercise can be as simple as taking a random sample of your organization and asking, “What do you do if you think ransomware has been installed on your workstation?” Ensuring that all employees know what to do is as important as a well-prepared incident response team.

  • Run a recovery test on all backups.

  • Ensure social engineering testing is performed in your organization regularly.

  • Execute vulnerability scans on a regular basis and perform focused penetration tests as needed.

  • If you have internal development or use contracted development, audit the development process and ensure that the code has current security tests and that any front-facing applications have been tested against the OWASP Top 10 (owasp.org/www-project-top-ten/).
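The firewall item above asks for two things at once: that only essential ports and protocols remain open, and that stale rules are cleaned out. The script below is an added example, not part of this article or of any vendor's tooling; it audits a small constructed ruleset against an assumed allowlist of essential services and an assumed 90-day staleness threshold. The rule fields (name, action, protocol, port, source, last-hit date) are an assumption standing in for whatever your firewall's rule export actually provides.

```python
"""Audit a firewall ruleset for non-essential open ports and stale rules.

Added example for the firewall review item; not from the original article.
The Rule layout, ESSENTIAL allowlist, STALE_AFTER threshold and SAMPLE_RULES
are all constructed assumptions. Map them onto your own firewall's export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "deny"
    proto: str                # "tcp" or "udp"
    port: int
    src: str                  # source CIDR, or "any"
    last_hit: Optional[date]  # last date the rule matched traffic; None = never


# Services this hypothetical institution has documented as essential.
ESSENTIAL = {("tcp", 443), ("tcp", 22), ("udp", 53), ("tcp", 53)}

# An allow rule that has not matched traffic for this long is a removal candidate.
STALE_AFTER = timedelta(days=90)


def audit(rules: List[Rule], today: date, essential=ESSENTIAL,
          stale_after=STALE_AFTER) -> List[Tuple[str, str, str]]:
    """Return (rule name, finding, detail) for every allow rule that either
    opens a non-essential port or has gone stale. Deny rules are not flagged:
    a stale deny is harmless, a stale allow is exposure nobody is watching."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if (r.proto, r.port) not in essential:
            findings.append((r.name, "non-essential port open",
                             f"{r.proto}/{r.port} from {r.src}"))
        if r.last_hit is None:
            findings.append((r.name, "never matched traffic",
                             "candidate for removal"))
        elif today - r.last_hit > stale_after:
            findings.append((r.name, "stale rule",
                             f"last hit {r.last_hit.isoformat()}"))
    return findings


# Constructed sample ruleset: one clean web rule, one legacy telnet rule that
# is both non-essential and stale, one vendor RDP rule that has never fired,
# one essential DNS rule, and a deny rule that should be ignored.
SAMPLE_RULES = [
    Rule("web-inbound", "allow", "tcp", 443, "any", date(2022, 3, 1)),
    Rule("legacy-telnet", "allow", "tcp", 23, "10.0.0.0/8", date(2021, 6, 15)),
    Rule("vendor-rdp", "allow", "tcp", 3389, "203.0.113.7/32", None),
    Rule("dns-out", "allow", "udp", 53, "10.0.0.0/8", date(2022, 3, 2)),
    Rule("block-smb", "deny", "tcp", 445, "any", date(2022, 3, 2)),
]


def run_sample(today: date = date(2022, 3, 3)) -> List[Tuple[str, str, str]]:
    """Audit the constructed ruleset as of a fixed date so results are repeatable."""
    return audit(SAMPLE_RULES, today)


if __name__ == "__main__":
    for name, finding, detail in run_sample():
        print(f"{name:15} {finding:25} {detail}")
```

Each finding is a documented review item: either justify the rule in the risk assessment and add its port to the essential list, or remove it. Keeping the audit date as an explicit parameter makes the review repeatable and gives auditors a dated artifact.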
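The detective-controls item above makes a point that is easy to state and rarely evidenced: a control that has never been shown to fire is not proof of anything. The following is an added example, not from this article, of what such evidence looks like for one simple control. It implements a brute-force login detector over syslog-style sshd lines and then runs it against a constructed known-bad sample (which must trigger an alert) and a constructed benign sample (which must not). The log format, the threshold of five failures in sixty seconds and every sample line are assumptions built for the example.

```python
"""Prove a detective control fires: a brute-force login detector plus its self-test.

Added example for the detective-controls item; not from the original article.
LOG_RE, the 5-failures-in-60-seconds threshold and the KNOWN_BAD / KNOWN_GOOD
samples are constructed assumptions, not a real product's rule or real logs.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Set

# Matches a syslog-style sshd failure line with an ISO timestamp prefix.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_s: int = 60) -> Set[str]:
    """Return source IPs with at least `threshold` failed logins inside any
    `window_s`-second window. Lines that are not failures are ignored."""
    failures: Dict[str, list] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        failures[m["src"]].append(datetime.fromisoformat(m["ts"]))

    alerts = set()
    for src, times in failures.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):           # sliding window over sorted times
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.add(src)
                break
    return alerts


# Constructed positive sample: six failures in thirty seconds from one source.
KNOWN_BAD = [
    f"2022-03-03T10:00:{s:02d} sshd[1201]: Failed password for invalid user "
    f"admin from 198.51.100.9 port 4112 ssh2"
    for s in range(0, 30, 5)
]

# Constructed benign sample: two failures five minutes apart, then a success.
KNOWN_GOOD = [
    "2022-03-03T10:00:01 sshd[1202]: Failed password for alice from 10.1.2.3 port 50221 ssh2",
    "2022-03-03T10:05:09 sshd[1203]: Failed password for alice from 10.1.2.3 port 50222 ssh2",
    "2022-03-03T10:05:30 sshd[1204]: Accepted password for alice from 10.1.2.3 port 50223 ssh2",
]


def control_test() -> Dict[str, bool]:
    """The evidence the checklist asks for: the control fires on a known-bad
    sample and stays quiet on a benign one. Record the result with a date."""
    fires = detect_bruteforce(KNOWN_BAD) == {"198.51.100.9"}
    quiet = detect_bruteforce(KNOWN_GOOD) == set()
    return {"fires_on_known_bad": fires, "quiet_on_benign": quiet,
            "passed": fires and quiet}


if __name__ == "__main__":
    for check, ok in control_test().items():
        print(f"{check:20} {'PASS' if ok else 'FAIL'}")
```

The same pattern applies to any detective control, whether an EDR rule, a SIEM correlation or a DLP policy: keep a dated known-bad sample that must alert and a benign sample that must not, rerun both after every rule or platform change, and file the results where the auditor will look.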

These proactive steps will help senior management and the board understand the cybersecurity landscape of your business. Carrying out these actions reflects a level of maturity, especially during this time of tension as our regulators and the world at large are watching to see if we are taking the necessary steps to protect the people and businesses we serve — and our country itself.