Four questions every NED should be able to answer.
Following my previous article on the ‘Challenges to NEDs in Financial Services’, it was suggested that a checklist of questions a non-executive might ask would be useful.
After giving this some thought, I started to put together a few simple questions around the risks of cyber security, and quickly realised that without at least a base knowledge of the topic it would be difficult for the uninitiated to interpret a response.
While I have run large bank services and been responsible for managing their risks, including cyber, I would be the first to admit that I am not a cyber expert. What follows is a very simplified view, but it should allow NEDs to get a feel for the basics.
Attackers and Attacks
The terminology of cyber security is built up around the concept of being under attack. Attacks have characteristics, methods, modes, patterns and signatures, which allow you to identify an attack and defend against it. They occur across an attack surface, which is simply a term for the potential points of entry into the organisation.
Attackers come in many guises: they may be protest groups, professional criminals, governments or even just teenagers, known in the hacking community as script kiddies.
Attacks can be active or passive. Passive is the term for an attacker performing reconnaissance to identify weaknesses and help plan a future attack.
Attack Types
The most common form of cyber fraud is probably still down to customers or employees providing fraudsters with access, but for this piece I want to focus more on forced entry. In this space the Distributed Denial of Service (DDoS) attack is the most common method used to disrupt service or gain access to the organisation's data.
A DDoS attack, as the name implies, is an attack originating from many locations whose purpose is to overwhelm the software and hardware of the organisation's defences and gain entry.
This type of attack uses software that has been distributed to the PCs of unsuspecting internet users. Each infected machine becomes a bot; bots are grouped into botnets and used by a bot master to attack specific organisations. The scale of botnets can be staggering, with tens of millions of devices being used simultaneously to overwhelm the systems defending the targeted entry points.
Typical Defences
Multiple lines of defence are normally put in place across the attack surface of the organisation, with a buffer area established to separate the points of entry from the organisation's core systems. These Demilitarised Zones (DMZs) are structured to physically separate the external networks and contain special hardware and software (Firewalls, Intrusion Detection Systems (IDS), Intrusion Protection Systems (IPS) etc.), whose sole purpose is to prevent unauthorised penetration into the organisation's systems and data.
Even behind this primary defensive wall, secondary monitoring needs to take place to identify unauthorised or suspicious activity which may indicate a potential incursion. In an effort to keep the article reasonably short I will not focus on this further monitoring, but it could include further IDS/IPS software on networks, packet sniffing etc. (There is plenty of good material on the internet if you want to investigate further.)
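To make the "multiple lines of defence" idea concrete, here is an added example (not code from the article or from any vendor) of how a DMZ is usually expressed in policy: three zones, a short first-match rule list, and a default deny at the end, so that traffic from the internet can reach the web tier in the DMZ but can never reach core systems directly. The zone names, address ranges (documentation ranges), ports and rules are all constructed for illustration.

```python
"""Added example: a toy model of zone-based network segmentation with a DMZ.
Zones, address ranges, ports and rules are constructed, not taken from any
real organisation."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed zone layout: which address ranges belong to which zone.
# Anything outside these ranges is treated as the untrusted internet.
ZONES = {
    "dmz": [ip_network("192.0.2.0/24")],       # web/proxy tier (TEST-NET-1 range)
    "internal": [ip_network("10.0.0.0/8")],    # core systems
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone; unknown addresses are 'internet'."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"


# First-match rule list (constructed). There is deliberately no
# internet -> internal rule: such traffic falls through to the default deny.
RULES = [
    Rule("internet", "dmz", 443, "allow"),    # customers reach the web tier over HTTPS
    Rule("dmz", "internal", 8443, "allow"),   # web tier reaches the core API over TLS
    Rule("internal", "dmz", None, "deny"),    # core systems never initiate towards the DMZ
]


def evaluate(src: str, dst: str, dst_port: int) -> Tuple[str, str]:
    """Return (decision, reason) for a flow; default deny if no rule matches."""
    s, d = zone_of(src), zone_of(dst)
    for rule in RULES:
        if rule.src_zone == s and rule.dst_zone == d and rule.dst_port in (None, dst_port):
            return rule.action, f"rule {s}->{d}:{rule.dst_port or 'any'}"
    return "deny", f"default deny ({s}->{d}:{dst_port})"


if __name__ == "__main__":
    flows = [
        ("203.0.113.5", "192.0.2.10", 443),   # internet -> DMZ web tier: allowed
        ("203.0.113.5", "10.1.2.3", 8443),    # internet -> core directly: default deny
        ("192.0.2.10", "10.1.2.3", 8443),     # DMZ -> core API: allowed
        ("192.0.2.10", "10.1.2.3", 22),       # DMZ -> core on an unexpected port: default deny
    ]
    for src, dst, port in flows:
        print(src, "->", dst, port, *evaluate(src, dst, port))
```

The point a NED can take from this is the last line of `evaluate`: a well-built DMZ is "deny by default", and every permitted path between zones is a conscious, written-down exception that can be listed and questioned.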
Dealing with an Attack
As I have said, attacks can be active or passive. Active attacks such as a DDoS are primarily aimed at overwhelming the targeted service, so initial activity needs to be focused on ensuring continuity of service for genuine customers. While bringing more processing capacity into play may deal with some attacks, the scale of botnets is such that action needs to be taken to quickly screen out and block the malicious traffic. There are now specialist providers, such as Verisign, who can perform this type of screening service. Essentially the company redirects all traffic to these providers and receives back genuine customer traffic. The advantage of using these companies is that they hold libraries of known attack patterns and have the skills to quickly deal with new occurrences.
Passive attacks are much more difficult to identify as they are not designed to disrupt service; the criminals are looking to test security measures and identify weaknesses to exploit in a future attack. They are attempting to do this without alerting the company and may leave very little trace of their activity. In many cases monitoring and alerting on suspicious activity is the only way to identify a breach, but as hackers often boast about or sell information on weaknesses, intelligence gathering on the dark web can often prove useful. Interestingly, another useful technique is to use a honey pot to tempt criminals: deliberately leaving a weakness and monitoring it for activity. If nothing else, the hacker is then forced to deliberate whether the weakness is genuine or a trap.
The Questions
And so to the questions. I have tried to structure these to create a dialogue in key topic areas; the depth you go to with executives will depend on the responses you get and the follow-up questions you ask.
1. What measures do you have in place to identify you are under attack?
The reason for asking this question is to understand how proactive the organisation is in determining that an attack is underway. Continuously screening traffic for attack patterns is expensive and potentially disruptive for genuine customers, and therefore being able to quickly identify an attack so that countermeasures can be initiated is key to keeping services running. In addition to monitoring performance internally, it is also useful to use social media monitoring to understand impacts from a customer perspective. This can sometimes give an earlier indication of issues.
As above, passive attacks are much more difficult to identify, but with monitoring and effective intelligence the organisation can mount a defence and deter criminals.
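The three ideas above, screening out flood traffic, identifying that an attack is underway, and watching a honey pot for quiet probing, can be shown on a single set of web server log lines. The following is an added example written for this article, not code from the author, Verisign or any other provider. It reads constructed access-log lines (documentation IP ranges), raises an alarm when one source or the whole site exceeds a request rate no customer would produce, flags any source touching a decoy path that genuine customers are never linked to, and then returns only the traffic from sources that were not blocked, which is in effect what a screening provider hands back. The thresholds and the decoy path are constructed assumptions.

```python
"""Added example: rate-based flood detection, honey pot alerting and traffic
screening over constructed web access-log lines."""

import re
from collections import Counter
from datetime import datetime

# Common log format: source, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

PER_SOURCE_LIMIT = 60                   # requests per minute from one address (constructed)
SITE_LIMIT = 150                        # requests per minute site-wide before we call it a flood
DECOY_PATH = "/internal-admin-backup"   # honey pot path: never linked from the real site


def parse(line):
    """Return {src, minute, path, status} for a log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, _method, path, status = m.groups()
    minute = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%dT%H:%M")
    return {"src": src, "minute": minute, "path": path, "status": int(status)}


def analyse(lines, per_source_limit=PER_SOURCE_LIMIT, site_limit=SITE_LIMIT, decoy=DECOY_PATH):
    """Identify sources to block, minutes in which the site as a whole is flooded,
    and sources that probed the honey pot."""
    per_src = Counter()     # (source, minute) -> requests
    per_minute = Counter()  # minute -> requests across all sources
    probes = set()
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        per_src[(r["src"], r["minute"])] += 1
        per_minute[r["minute"]] += 1
        if r["path"].startswith(decoy):
            probes.add(r["src"])   # nobody legitimate ever asks for the decoy
    block = sorted({src for (src, _m), n in per_src.items() if n > per_source_limit})
    flood_minutes = sorted(m for m, n in per_minute.items() if n > site_limit)
    return {"block": block, "flood_minutes": flood_minutes, "probes": sorted(probes)}


def screen(lines, blocked):
    """Return only the lines from sources not on the block list: the 'genuine
    customer traffic' that comes back from a screening service."""
    blocked = set(blocked)
    return [ln for ln in lines if (r := parse(ln)) is not None and r["src"] not in blocked]


def build_sample_log():
    """Constructed sample: two customers, one flooding bot and one quiet prober,
    all inside the same minute."""
    tmpl = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'
    lines = [tmpl.format(ip="203.0.113.7", sec=s, path="/login", status=200) for s in (0, 5)]
    lines.append(tmpl.format(ip="203.0.113.8", sec=20, path="/accounts", status=200))
    lines += [tmpl.format(ip="198.51.100.9", sec=i % 60, path="/", status=503) for i in range(200)]
    lines.append(tmpl.format(ip="192.0.2.44", sec=41, path="/internal-admin-backup/", status=404))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    result = analyse(log)
    print("block:", result["block"])                 # ['198.51.100.9']
    print("flooded minutes:", result["flood_minutes"])
    print("honey pot probes:", result["probes"])     # ['192.0.2.44']
    print("genuine lines returned:", len(screen(log, result["block"])))
```

Two things are worth noticing for the boardroom conversation. The flood is obvious from volume alone, which is why it can be screened by a third party that never needs to understand the business. The probe, by contrast, is one request among hundreds and would be lost without the deliberately planted decoy; that is the sense in which passive attacks are "much more difficult to identify" and why monitoring has to be designed in, not bolted on.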
2. What processes and procedures do you have in place to defend and ensure continuity of customer service?
No two organisations will be the same. Their businesses and external connections will vary, but the concepts of segmented networks, DMZs, firewalls etc. are standard in architecture terms across the industry. Asking this question should allow you to understand how your organisation has structured its specific defences.
Remember it is not just consumer internet interfaces that are at risk: dedicated corporate client interfaces, and even ATMs, can present a potential point of entry. These should be considered part of your attack surface.
3. What risks do we run if an attacker breaks through this defence?
What you are trying to understand here is whether multiple lines of defence are in place. For example: is equipment behind the Demilitarised Zone (DMZ) secure, is internal messaging encrypted, is alerting and monitoring in place to identify intruders? Basically, what damage could be done if defences are breached?
It is not uncommon for less focus to be given to the security of internal networks on the basis that they are behind the firewalls. While this may be a valid commercial decision, it needs to be made consciously, in line with the organisation's risk appetite.
4. What proactive steps are you taking to prevent attacks?
The purpose of this question is to understand whether intelligence on potential attacks is being gathered, whether directly, through government agencies and other banks, or from the dark web, and whether proactive steps are being taken, both defensively and in conjunction with law enforcement bodies, to prevent attacks.
The above is only a brief dip into the world of cyber, but hopefully it provides enough of a flavour to be of use when discussing this topic with your executives. Good luck.
About the Author
Richard has an extensive career in technology and operations, spending the last 30 years in Financial Services. Until recently he was responsible for the design and implementation of Banking Reform changes in one of the world's largest banking groups. He now runs an advisory and professional services company supporting Board and Executive level management. If you wish to discuss any of the above topics in more detail please contact Richard at [email protected].
___________________________________________________
Some Further Useful Cyber Terms and definitions
Attack method/mode
The manner or technique and means an adversary may use in an assault on information or an information system.
Attack pattern
Similar cyber events or behaviors that may indicate an attack has occurred or is occurring, resulting in a security violation or a potential security violation.
Attack signature
A characteristic or distinctive pattern that can be searched for or that can be used in matching to previously identified attacks.
Attack surface
The set of ways in which an adversary can enter a system and potentially cause damage.
Air Gap
To physically separate or isolate a system from other systems or networks (verb).
Easter egg
An unexpected ‘feature’ built into a computer program by the author. Can be added for fun or malicious intent.
Bot
A computer connected to the Internet that has been surreptitiously compromised with malicious logic to perform activities under the command and control of a remote administrator.
Botnet
A collection of otherwise unrelated PCs which have been infected by a virus and which are under the central control of criminals or hackers. Abbreviation for Robot Network.
Bot Master/Herder
The controller of a botnet that, from a remote location, provides direction to the compromised computers in the botnet.
Honey Pot
A security feature built into a network, designed to lure hackers into meaningless locations to avoid harm to genuine, crucial data.
Dark/Deep Web
The portion of World Wide Web content that is not indexed by standard search engines, generally associated with hacking and illegal cyber activities.
DMZ
(DeMilitarized Zone) A middle ground between an organization's trusted internal network and an untrusted, external network such as the Internet.
Firewall
Hardware or software designed to prevent unauthorised access to a computer or network from another computer or network.
Moving Target Defence
The presentation of a dynamic attack surface, increasing an adversary's work factor necessary to probe, attack, or maintain presence in a cyber target.
Passive Attack
An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system, but does not attempt to alter the system, its resources, its data, or its operations.
Pharming
An exploit in which criminals disrupt the normal functioning of DNS software which translates internet domain names into addresses. The user enters a correct address but is redirected to a fake website.
Phishing
An attempt at identity theft in which criminals lead users to a counterfeit website in the hope that they will disclose private information such as user names or passwords.
Ransomware
A type of malware that holds your data hostage. It has been a problem with computers for many years, but it has only recently started showing up on mobile devices. When you activate the program or app, it blocks you from accessing the data on the device and displays a message demanding payment by untraceable methods like Bitcoin or MoneyPak.
Rootkit
A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges, and conceal the activities conducted by the tools.
Script Kiddies
Hackers who carry out their illicit activity for notoriety rather than criminal intent.
Spoofing
When an unauthorised person makes a message (typically an email) appear to come from a genuine sender by using either the genuine or a very similar address.
Spyware
Malware that secretly monitors a user's activity or scans for private information.
Trojan
Software posing as an authentic application, which actually conceals an item of malware. Term comes from Trojan Horse in Greek mythology.
Intrusion Detection System (IDS)
A system that interrogates information from systems and networks to determine if a security breach or security violation has occurred.
Intrusion Protection System (IPS)
Intrusion detection system that also blocks unauthorised access when detected.
Keyboard Logger
A virus or physical device that logs keystrokes to secretly capture private information such as passwords or credit card details.
Macro Virus
Malware (i.e. malicious software) that uses the macro capabilities of common applications such as spreadsheets and word processors to infect data.
Malware
Software intended to infiltrate and damage or disable computers. Shortened form of malicious software.
Virus
Malware that is loaded onto a computer and then run without the user’s knowledge or knowledge of its full effects.
Virus signature
A virus’s 'fingerprint' which contains the characteristics of a virus or type of virus. Internet security software uses a database of signatures to detect viruses.
Vishing
The practice of attempting to obtain personal or financial information via a telephone call in order to commit fraud or identity theft.
Worm
Malware that replicates itself so it can spread to infiltrate other computers.
Thanks Rumi, we should have a catch-up. I'll message you. R
Very well written, Richard!