The FDIC has released a cybersecurity framework for banks that describes a long list of threats to financial institutions and includes recommendations for how they can defend against those threats.
The framework doesn’t contain any surprises or novel threats, but provides a broad outline of the problems banks and other financial institutions face, such as phishing, malware, DDoS attacks, and others.
“During the past decade, cybersecurity has become one of the most critical challenges facing the financial services sector due to the frequency and increasing sophistication of cyber attacks. In response, financial institutions and their service providers are continually challenged to assess and strengthen information security programs and refocus efforts and resources to address cybersecurity risks,” the introduction to the framework by Doreen Eberley, director of the division of risk management supervision at the FDIC, says.
Financial institutions have been at the top of the target list for just about every kind of attacker since the dawn of the Internet, and banks invest as much in information security as any other organization. But attackers have had more than their fair share of successes against banks in recent years, both with direct attacks and with phone fraud schemes that convince consumers or businesses to transfer money directly to the criminals.
The attack surface for a typical bank is broad and deep, comprising the internal network, the customer base, mobile apps, payment networks, and many other components. Defending that surface against increasingly professional and persistent attackers is a complicated and difficult proposition. Even institutions with mature information security programs can have weak spots that attackers can exploit for profit.
“In today’s banking environment, business functions and technologies are increasingly interconnected, requiring financial institutions to secure a greater number of access points. Innovation has resulted in greater use of automated core processing, document imaging, distributed computing, automated teller machines, networking technologies, electronic payments, online banking, mobile banking, and other emerging technologies. At the same time, physical data assets have been automated and a bank’s sensitive customer information stored on computers has become as valuable as currency—a different kind of asset that needs safeguarding,” the framework says.
Among the recommendations the FDIC includes in the framework are that banks take advantage of available threat intelligence sources, such as information from the FS-ISAC and US-CERT. The agency also recommends that banks implement comprehensive patch-management programs and security awareness training for employees.
Image from Flickr stream of Pascal.