SAS: Security a ‘Workable Problem’

Monday, February 16, 2015 @ 10:02 PM gHale

By Gregory Hale
The banking industry is under a constant state of attack. It only makes sense: if successful, the bad guys can walk away with a boatload of cash.

While security is very strong within banking organizations, attackers are getting better and protections need to remain dynamic.

“It used to be easy,” said Stephen Adegbite, senior vice president, head of oversight and strategy – enterprise information security at Wells Fargo & Co. during his session Monday at Kaspersky’s Security Analyst Summit 2015 in Cancun, Mexico. “They would come in through the front door. Then we built up strong front doors and built castle walls. Then when mobile apps, the cloud and other applications became available that brought in a new era and the walls were not working.”

Banks, much like the manufacturing automation sector, need to keep systems up and running. With money transactions going on and even people using ATMs at all hours of the day, systems need to remain available, Adegbite said.

With technology changes over the years, Adegbite said it became abundantly clear the business side started to really drive IT. They needed the latest technologies so they could capture any and all business opportunities.

With that, he said, the security perimeter, once closely held and defined, started to push out further and further. They had to ensure third parties were able to withstand any attack. Yes, there were agreements in place to ensure a level of security, but that only goes so far.

“It used to be about breaking the system, now it is about impersonation,” he said. “Now it is learning about a person and using that information to your advantage.”

Potential channels through which sensitive data can silently exit:
• Cloud
• Email/messaging
• End users
• Data transmission
• Third party service providers

Working in a world constantly under attack, it would be easy to throw up your hands and just give up, but “it is a workable problem,” Adegbite said. You just have to be smart.

It can take months to discover any kind of cyber espionage. It should be quicker, but there are challenges, like dealing with zero days and with targets shifting to common components in the IT stack. Immediate discovery of vulnerable targets and patching is time sensitive. Two cases of how quickly discovery and attacks can appear are Heartbleed and Bashbug. With Heartbleed, researchers were scanning for the issue within 12-24 hours, but exploit code was out within 48 hours. With Bashbug it was even quicker, he said.

It is a cliché, but it is true: you have to assume attackers are in your system. You can’t necessarily keep them out, “but you have to protect data going out,” he said.

One of the things you have to do, Adegbite said, is work the old adage in security: Don’t trust anyone. That mentality and vigilance will stop unauthorized data from going out. He also mentioned things like having layered security defenses that everyone understands, understanding your attackers and promoting an optimistic culture by sharing threat intelligence.

It all comes down to people and processes, Adegbite said.

“Technological security problems are few and far between, but on the people and process side, there are chasms of problems.”