The Bank of England (BoE) has set objectives for financial institutions to future-proof their operations (a.k.a. Operational Resilience), but what does that mean and how can it be demonstrated?
The BoE define Operational Resilience as:
“The ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them”.
However, the reality is that there are far more things to take into consideration, and a better definition is the one provided in NIST SP 800-160 Vol. 2 (Draft):
“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources.”
Okay, so this does not mean that businesses suddenly need to be proficient in fortune telling. It means that businesses need to demonstrate that they are proactive in their cyber defence efforts: able to react quickly and efficiently to all incidents, and able to analyse how incidents suffered by others might impact their own organisation, remediating those threats before a cyber criminal has the opportunity to use the same Tactics, Techniques and Procedures (TTPs) against their environment.
This is an approach I know all too well from my previous career on the RAF Police's Counter Intelligence Field Team (CIFT): proactively seeking intelligence to identify potential threats to the military establishment (equipment and personnel), allowing analysis and risk assessment of internal incidents or of information obtained from external sources.
One example of an incident that provided Operational Resilience happened during a routine off-base patrol to interact with the local nationals. During this particular patrol, the CIFT stopped to have a chat with some local civilian security teams living in a tented village approximately 2 km from the military base. At this time, we noticed a prohibited, and unlicensed, RPK (long-barrelled AK47) rifle on the rear seat of one of their motor cars. On further questioning, their answers raised further suspicions, leading to a search of the area. This revealed an arsenal of unlicensed and dangerous weapons, which were known to have been used against the Coalition Forces, or to commit crimes.
An extreme example of the benefits of Operational Resilience, but it certainly shows how proactive action helped to reduce risk and protect an organisation from attack. As a business, how well do you analyse the TTPs used in cyber attacks against other organisations, and do you carry out risk assessments of the potential impact of those TTPs being used against your own infrastructure? For example:
If you have an eCommerce operation, have you reviewed the JavaScript loaded into your payment pages, including third-party scripts, the vector used in the 'Ticketmaster' and 'British Airways' (BA) incidents?
Following the Equifax breach (an unpatched web application framework), have you applied the outstanding patches to your application frameworks and servers (your 'Tinware')?
Do you allow remote access to third parties? Are you vulnerable to the same type of attack as suffered by 'Target', where a supplier's remote access was the entry point?
The objectives of effective Operational Resilience should incorporate the following concepts. To achieve this, and to protect your organisation in the 'here and now' as well as in the future, your most critical operations and assets need to be proactively protected:
Access Control
Do you actively restrict the use of privileged accounts, ensuring that they are only permitted on a strict, time-bound basis, and that such accounts and the data repositories they reach are actively monitored and analysed?
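One way to turn the time-bound privileged-access question into a check you can actually run, as an added example that is not code from the original article: a small script compares every privileged login in the authentication log against a register of approved, time-bound grants (the kind a PAM tool or change process produces) and reports any login that no grant covers. The grant register, the log format (timestamp, event, key=value fields) and the log lines are all constructed sample data.

```python
"""Flag privileged-account logins that fall outside an approved, time-bound grant.

Added example, not code from the original article. The grant register,
the log format (timestamp event key=value ...) and the log lines are all
constructed sample data standing in for a PAM register and auth logs.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    account: str
    host: str
    start: datetime
    end: datetime
    ticket: str  # change/incident record that justified the grant


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp, with or without a trailing 'Z'."""
    return datetime.fromisoformat(s.rstrip("Z")).replace(tzinfo=timezone.utc)


# Constructed register of approved, time-bound privileged access.
GRANTS = [
    Grant("admin-jsmith", "db-prod-01", _ts("2019-03-04T09:00:00"), _ts("2019-03-04T11:00:00"), "CHG-1042"),
    Grant("admin-aowen", "web-prod-02", _ts("2019-03-04T22:00:00"), _ts("2019-03-05T02:00:00"), "CHG-1050"),
]

# Constructed log lines in an assumed format.
SAMPLE_LOG = """\
2019-03-04T09:12:31Z priv_login account=admin-jsmith host=db-prod-01
2019-03-04T13:40:05Z priv_login account=admin-jsmith host=db-prod-01
2019-03-04T23:15:00Z priv_login account=admin-aowen host=web-prod-02
2019-03-04T23:16:10Z priv_login account=admin-aowen host=db-prod-01
2019-03-05T03:02:44Z priv_login account=svc-backup host=db-prod-01
"""


def parse_line(line: str):
    """Split 'timestamp event k=v k=v' into (when, event, fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return _ts(ts), event, fields


def find_grant(grants, account, host, when):
    """Return the grant covering this account on this host at this time, or None."""
    for g in grants:
        if g.account == account and g.host == host and g.start <= when <= g.end:
            return g
    return None


def audit(log_text: str, grants=GRANTS):
    """Return (timestamp, account, host, reason) for every privileged login
    that is not covered by an approved grant."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, f = parse_line(line)
        if event != "priv_login":
            continue
        if find_grant(grants, f["account"], f["host"], when) is None:
            findings.append((when.isoformat(), f["account"], f["host"],
                             "privileged login with no approved time-bound grant"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, three of the five logins are flagged: the same administrator returning to the database host after the grant expired, an approved administrator reaching a host the grant never named, and a service account that holds no grant at all. The point is that the register, not the account's group membership, is the authority: a privileged login is only legitimate while a ticket says it is.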
Audit and Accountability
Do you have a robust and proactive audit programme?
Security Assessment and Authorization
Have you established a formal programme of independent penetration testing, with remediation objectives?
Configuration Management
Are all critical systems securely configured, using industry configuration benchmarks (e.g. CIS Benchmarks)?
Are the configurations periodically audited?
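A periodic configuration audit is only useful if it reports what sshd will actually do, including the value it silently applies when a directive is absent. The following is an added example, not code from the original article or from CIS: it parses an sshd_config and compares the effective values against a small baseline. The baseline values are assumed ones that resemble common CIS SSH hardening items (check them against the benchmark version you adopt), the defaults are those documented in sshd_config(5) for the listed directives, and the config text is constructed.

```python
"""Audit an sshd_config against a CIS-style hardening baseline.

Added example, not code from the original article. The baseline values
are assumed ones resembling common CIS SSH recommendations (check them
against the benchmark version you adopt), the defaults are taken from
sshd_config(5) for the listed directives, and the config text is constructed.
"""
import re

# Assumed baseline: directive -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "INFO",
}

# Value sshd applies when the directive is absent, so a silent default
# that fails the baseline is reported as well.
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}

# Constructed sshd_config with two explicit deviations and one commented-out line.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
Subsystem sftp /usr/lib/openssh/sftp-server
"""

_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.+?)\s*$")


def parse_sshd_config(text: str) -> dict:
    """Return the effective directive values, keyed by lower-cased name.

    sshd keeps the first occurrence of a directive, accepts 'Key value' or
    'Key=value', and directive names are case-insensitive. Match blocks are
    not modelled here; anything after a Match line is ignored (assumption).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_config(text: str, baseline=BASELINE, defaults=DEFAULTS):
    """Return (directive, expected, actual, source) for each baseline miss,
    where source is 'set' for an explicit value or 'default' for an absent one."""
    effective = parse_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        actual, source = effective.get(key.lower()), "set"
        if actual is None:
            actual, source = defaults.get(key), "default"
        if actual is None or actual.lower() != expected.lower():
            findings.append((key, expected, actual, source))
    return findings


if __name__ == "__main__":
    for key, expected, actual, source in audit_config(SAMPLE_CONFIG):
        print(f"{key}: expected {expected}, got {actual} ({source})")
```

On the sample it reports three misses: root login explicitly enabled, password authentication left at its default of yes because the hardening line is commented out, and MaxAuthTries above the baseline. The commented-out line is the case a grep-based check gets wrong, and the reason the audit must reason about defaults rather than only about what is written.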
Contingency Planning
Think WHEN, not IF. How effective is your contingency plan, and how quickly can you recover from an incident?
Identification and Authentication
Do you restrict access to your network to only authorised devices?
In addition to a passphrase/password, do you apply further defences (e.g. VPN, MFA, etc.)?
Incident Response
How coordinated is your incident response?
How quickly would a malicious act be identified and contained?
Maintenance
This is as important as maintaining your motor vehicle: if you don't maintain the 'moving parts', you can't complain when you break down or get fined for an un-roadworthy vehicle. Much like checking tyre tread depth or changing the brake pads, do you know when your supporting systems are approaching 'End of Life'?
Physical and Environmental Protection
How well do you manage the non-traditional risks (e.g. changing flood risks, the additional strain on air-conditioning caused by longer, hotter summers, etc.)?
Planning
How well do you plan for a change of supporting systems? Are they replaced before becoming unsupported, and do you plan for the worst?
What are the associated risks? What could be the potential impact (think TSB)?
Do you consider alternative options/approaches?
Is there a security plan to coordinate with other organisational entities?
Risk Assessment
Do you incorporate risk assessments into your vulnerability management procedures?
System and Services Acquisition
Are security considerations included in your system procurement procedures?
System and Communications Protection
Are your most critical assets isolated, creating secure citadels, with network traffic restricted to only authorised (clean) traffic?
Are internal and external boundaries actively monitored and suspicious activities investigated?
System and Information Integrity
Do you proactively monitor for malicious code (think Ticketmaster/BA)?
Do you employ real-time monitoring of system integrity, traffic flows, trusted devices, etc.?
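The Ticketmaster and BA incidents both came down to JavaScript on a payment page that was not the JavaScript the business had released, so "monitoring for malicious code" on a checkout page means comparing what the page currently loads against a known-good baseline. The following is an added example that is not code from the original article: it extracts every external and inline script from a page, hashes each in Subresource Integrity form, and reports scripts that are new, or whose content no longer matches the baseline. The page HTML, the script bodies and the fetch function are constructed stand-ins; in use, fetch would retrieve each external script from its real origin and the baseline would be generated from a known-good release of the page.

```python
"""Detect unexpected or altered scripts on a payment page (Magecart-style skimming).

Added example, not code from the original article. The page HTML, the
script bodies and the fetch function are constructed stand-ins; in use,
fetch would retrieve each external script and the baseline would be taken
from a known-good release of the page.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_sha256(body: str) -> str:
    """Subresource-Integrity style digest: 'sha256-' + base64(SHA-256(body))."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # accumulates the body of the inline <script> being read

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def check_page(html, expected_external, expected_inline, fetch):
    """Compare a page's scripts against a baseline and return a list of findings.

    expected_external: {src: sri hash of the known-good body}
    expected_inline:   set of sri hashes of known-good inline scripts
    fetch:             callable returning the current body served for an src
    """
    c = _ScriptCollector()
    c.feed(html)
    findings = []
    for src in c.external:
        expected = expected_external.get(src)
        if expected is None:
            findings.append(("unexpected external script", src))
        elif sri_sha256(fetch(src)) != expected:
            findings.append(("external script content changed", src))
    for body in c.inline:
        if sri_sha256(body) not in expected_inline:
            findings.append(("unexpected inline script", sri_sha256(body)))
    return findings


# Constructed known-good release: served script bodies and the page itself.
GOOD_SCRIPTS = {
    "https://cdn.example/checkout.js": "function pay(f){return post('/pay',f);}",
    "https://cdn.example/analytics.js": "track('checkout');",
}
INLINE_CFG = "window.cfg={currency:'GBP'};"
BASELINE_EXTERNAL = {src: sri_sha256(body) for src, body in GOOD_SCRIPTS.items()}
BASELINE_INLINE = {sri_sha256(INLINE_CFG)}

CLEAN_PAGE = f"""<html><body>
<script>{INLINE_CFG}</script>
<script src="https://cdn.example/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<form id="card"></form></body></html>"""

# Constructed tampered state: the third-party analytics script was altered at
# its source (the Ticketmaster pattern) and a skimmer was injected inline into
# the page itself (the BA pattern).
TAMPERED_SCRIPTS = {**GOOD_SCRIPTS,
                    "https://cdn.example/analytics.js": "track('checkout');send(document.forms.card);"}
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "<form", "<script>document.forms.card.onsubmit=function(){send(this);};</script>\n<form")


def audit_clean():
    return check_page(CLEAN_PAGE, BASELINE_EXTERNAL, BASELINE_INLINE, GOOD_SCRIPTS.__getitem__)


def audit_tampered():
    return check_page(TAMPERED_PAGE, BASELINE_EXTERNAL, BASELINE_INLINE, TAMPERED_SCRIPTS.__getitem__)


if __name__ == "__main__":
    print("clean   :", audit_clean())
    print("tampered:", audit_tampered())
```

The clean page produces no findings; the tampered page produces two, one for the changed third-party script and one for the injected inline script. Hashing the served body rather than just allowlisting the URL is what catches the first case: the URL never changed, only the code behind it. The same hashes are what you would place in `integrity` attributes to make the browser refuse altered scripts outright, which is the preventive counterpart of this detective check.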
The cyber threat is ever-present, and financial organisations have always been an extremely attractive target for criminals, who will go to great lengths to gain unauthorised access to their customers' sensitive data.
When criminals carried out bank robberies to profit from unauthorised access to vault contents (cash, jewellery, bonds, etc.), the response was to spend a great deal of time, effort and resources fortifying those assets against such criminal activity.
Today's opportunist criminals have evolved and have identified the relative ease of breaking into the cyber vaults of financial organisations. As a result, the financial sector needs to mirror the lessons of the physical environment and invest in sufficient defensive layers, maintenance and monitoring to deliver the 5 Ds of Defence (Deter, Detect, Deny, Delay, Defend), making itself a less attractive and less easy target.