Stopping the Cyber Buck
While a wonderful tool, Spell Check is not always available. And sometimes a misspelling can have a major ramification. That’s what hackers found out in 2016 when a spelling mistake in an online bank transfer instruction prevented them from stealing nearly $1 billion from the Bangladesh central bank and the New York Federal Reserve.
The hackers, now believed to belong to three separate groups that planned the heist for more than a year, breached the Bangladesh bank’s systems, stole its credentials for payment transfers, and then bombarded the Federal Reserve bank of New York with almost 36 requests to move money from a Bangladesh bank account to accounts in the Philippines and Sri Lanka.
“Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan nonprofit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation,” Reuters reported. Instead of spelling “foundation,” the hackers wrote “fandation,” which grabbed the attention of the Deutsche Bank employee routing the transaction and led to the suspension of the transfer.
The hackers, however, managed to get away with about $80 million, making the heist one of the largest bank thefts in history. A later investigation determined that Bangladesh central bank officials “deliberately exposed its computer systems and enabled hackers” to steal the money, a top police investigator told Reuters.
The heist also brought new attention to financial institutions’ cybersecurity practices and the effects a cyberattack on a major institution could have on the rest of the economy. To address these concerns at the U.S. state level, the New York State Department of Financial Services (DFS) proposed cybersecurity regulations for financial institutions operating in the state.
The rules were initially slated to go into effect on January 1, but were delayed and went into effect on March 1 to allow time for revisions and industry input. The rules, as of Security Management’s press time, apply to any “person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York banking law, the insurance law, or the financial services law.”
Those covered by the rules are required to have written policies and procedures that identify and assess the data security practices of third parties that access or hold their nonpublic information. Third parties must meet minimum requirements for cybersecurity practices, and periodic assessments (at least annually) of third parties and their cybersecurity practices are required.
Additionally, the rules require covered entities to designate a qualified chief information security officer (CISO) to be responsible for overseeing and implementing their cybersecurity program and enforcing cybersecurity policy. They also must hire cybersecurity personnel to perform cybersecurity functions, such as identifying cyber risks, responding to cyber events, and recovering from them.
While these seem like good polices on paper, Vice President of Technology and Risk Strategy for BITS and member of the Financial Services Roundtable Heather E. Hogsett said the rules are proscriptive and present a one-size-fits- all solution that doesn’t work for the New York financial industry, which is made up of international firms, as well as medium-sized and small banks.
The DFS rules also conflict with other regulatory measures, making it difficult for organizations to comply with them, Hogsett explained in an appearance at the New America Foundation in December.
“The question is, where does this end? And we do run the risk…the more you require information to be reported to different places in different formats, you’re taking your security professional’s eye off the ball and focusing more on compliance instead,” Hogsett said. “And it’s a national security concern. You’re creating honeypots of really sensitive information for a critical sector of the economy for attackers to really go hard at.”
New America recently called this out in a report, something Hogsett said she appreciated, and requested that all federal agencies follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It called for regulatory bodies to go back through their frameworks and harmonize them to the NIST framework.
One recent effort by the U.S. federal government to do this is an advanced notice of proposed rulemaking (ANPR) on Enhanced Cyber Risk Management Standards by the U.S. Federal Reserve Board, the U.S. Federal Deposit Insurance Corporation (FDIC), and the U.S. Office of the Comptroller of the Currency (OCC).
“As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyberattacks,” the ANPR says. “Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.”
The three agencies are considering applying the new standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board. The standards, however, would not apply to community banks.
“This ANPR would build on the existing framework of information technology guidance already in place,” said FDIC Chairman Martin J. Gruenberg in a statement. “The enhanced standards for large and interconnected entities would be aimed at increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities.”
The ANPR addresses five categories of cyber standards: cyber risk governance, cyber risk management, internal dependency management, external dependency management, and incident response, cyber resilience, and situational awareness.
The agencies are considering a two-tiered approach for an additional, higher set of expectations that would apply to covered entities that are critical to the financial sector. Security Management reached out to both the FDIC and the OCC for comment and was referred to the Federal Reserve, which did not return requests for comment for this article.
As part of the proposed rulemaking process, the agencies had asked for extensive feedback from stakeholders before the open comment period closed on January 17, 2017.
However, as of Security Management’s press time, only one person had submitted a comment on the ANPR: Reginald P. Best, president and chief product officer of the Lumeta Corporation, which provides network situational awareness services.
Lumeta has worked with the financial community for the past decade and has provided network-based cyber situational awareness analytics tools and services to seven of the largest financial institutions with more than $50 billion in assets that may be covered by the ANPR.
“We’ve had a fair amount of experience in some of the underlying issues that we think are problems that may potentially lead to more substantive breaches,” Best explains. “As I looked at the proposed rule, we wanted to provide some of our insights to help the industry in figuring out what they need to do and what they should be doing.”
In his comment, Best focused on responding to three of the agencies’ questions that asked for information on how entities evaluate their situational awareness which forms the core of a strong cybersecurity program.
“Without fundamental situational awareness of the network infrastructure, which is easy to say and hard to do, nothing else that you do will matter or be as complete as it needs to be,” Best tells Security Management.
One of the biggest problems right now, however, is that many large financial institutions have a false sense of security about their situational awareness—they feel like they know what is happening on their networks.
“Despite investment in multiple tools at various places in the enterprise ‘security stack’…the very basic understanding of what constitutes the network, how it changes in real time, what the infrastructure comprises (approved versus rogue), what the authoritative topology of the network and network edge is, remains elusive and is often an afterthought,” Best wrote.
Some financial institutions miss this infrastructure because they forget to document it, aren’t aware of it, and aren’t hunting for network state changes to validate that they have an accurate understanding of their network.
With his feedback, Best says he hopes that if a proposed rule is created from the ANPR process, it will include a mandate for covered financial institutions to have an automated way of understanding their infrastructure.
However, Best adds that it would be a mistake for the agencies to require all processes of monitoring, identifying, and remediating cyber threats be automated.
“I think that could be challenging for most organizations to do today,” he says. “Ultimately, that may be required in the future—that networks be self-healing. But it might be a mistake to enforce that extent in the proposed rulemaking.”
Instead, Best says he hopes that the agencies focus on getting the basics right when it comes to cybersecurity—like NIST did in its Cybersecurity Framework.
“Because if you get the foundation right, then all the other stuff in the stack can come on and take care of itself in the fullness of time,” he says.