Know Thy Attackers
Why Information Sharing is Key to Security
Everyone is coming out with year-end predictions, but here's a list that caught my attention.
Booz Allen Hamilton issued a list of the top 10 cyberthreat trends for financial services in 2013. Among the top trends:
- Information sharing will be more critical, as legislation could push industry standards to improve threat intelligence information sharing.
- Vendor and third-party risks will pose security challenges for financial institutions of all sizes.
- Boards of directors must create and embrace a culture that encourages information sharing across the industry.
- Hacktivists and extremist groups will increasingly target institutions to disrupt services and destroy data.
- Cyberbenchmarking will be used to show how banks stack up, from a security standpoint, to their competition.
The remaining five trends highlight the need for stronger identity and access controls, more focus on risk-protection processes and people, the need for predictive threat intelligence, and why reliance on the cloud and mobile is critical.
Underlying those 10 trends is the need for banking institutions to understand who's behind attacks waged against them, says Bill Wansley, a financial fraud and risk consultant for Booz Allen Hamilton.
Wansley's three-pronged approach to fighting cyberthreats: Identify the attackers' capabilities, know their intent and appreciate the opportunities they have to do harm. A distributed-denial-of-service attack, for instance, may not cause long-term damage to your infrastructure or compromise consumer privacy, but it definitely can do some damage to your reputation, depending on the intent of the attack and the actors behind it.
Hacktivists attack to damage reputation; criminals attack to commit fraud. Until you understand the actors, you can't adequately prepare for the threat. That's Wansley's key point, and it makes perfect sense.
But I believe that the most critical step is information sharing. The more we share about attacks - vulnerabilities and vectors - the more we will learn about how the attacks are waged, what they're after and who's behind them.
Besides, that need for more information sharing supports Wansley's notion: In order to fight an attack, you have to know the attacker.
"Today, everybody gets attacked, so it's not such a bad thing to say someone attacked you," Wansley says.
I agree. And really, the industry has already proven this point. Institutions embraced the need for more information sharing during the Izz ad-Din al-Qassam Cyber Fighters DDoS attacks that ran from mid-September to mid-October. Banks and credit unions took that information and addressed internal and external infrastructural concerns.
Zions Bank spokesman Rob Brough, in response to a DDoS attack that targeted the bank in early November, said it best: "What I can tell you is that we were well-prepared because of the other incidents. When we recognized that it was a DDoS attack, we had plans in place."
Information sharing, of course, can always improve, and new cybersecurity legislation will likely demand it - particularly between government and critical infrastructure entities, such as financial institutions. So more sharing will happen naturally as banks and credit unions get more accustomed to reporting attacks and communicating with regulators, banking groups and peers.
But banking institutions also need to make information sharing part of their culture. As Booz Allen notes in its top-10 for 2013, the need for information sharing requires buy-in from the top down in order to be effective.
That's my take. I'd like to know yours. What trends have you or your organization identified for 2013?
If information sharing and knowing your attacker aren't atop the list, what is?