What financial services should learn from the SolarWinds cyber attack

18 February 2021 Consultancy.uk

The SolarWinds cyber-attack includes some important lessons for financial services institutions of all sizes, explains Neal Semikin, the Chief Information Security Officer of The 324 Consultancy.

The wide-reaching damage caused by the SolarWinds breach is an important lesson for all financial sector firms. The supply chain attack, which was discovered in December last year, saw Russia-linked nation state adversaries compromise the SolarWinds monitoring software used by thousands of companies and government agencies. The breach had gone unnoticed for months, with adversaries hiding in companies’ systems and in some cases, stealing valuable business intellectual property.

The associated fall-out from SolarWinds has been huge, affecting multiple high-profile and seemingly secure organisations. If the likes of Microsoft and security firm FireEye can be compromised via the supply chain, it shows that all companies are at risk from this type of devastating cyber-attack.

Because the financial services industry is so highly targeted – particularly by nation state adversaries – the risk is amplified further. This was all too clear in mid-2020, when hackers halted the New Zealand Stock Exchange, bringing it to a standstill via a distributed denial of service (DDoS) attack.

So how can financial institutions avoid a SolarWinds-style attack, and limit the damage should they become a victim of this type of breach?

The financial sector challenge

The financial sector challenge spans multiple vectors. One issue putting firms at risk is a lack of investment in security, particularly among start-ups. Indeed, in a highly competitive market, new and agile financial sector organisations are usually focused on adding functionality in a bid to attract a large customer base. But all too often, security is put on the back-burner as they prioritise new features over security investment.

For larger firms, the threat isn’t so obvious. Big banks are already taking steps to secure themselves, including a strong detection approach to be able to look for unusual behaviour in networks and systems. It’s now more common to have a security operations centre (SOC), including data scientists and threat intelligence personnel able to understand what the threats are, analyse data for anomalous behaviour, and act upon it accordingly.

But big banks – especially organisations in the UK, which are often born from mergers and acquisitions – suffer from another security challenge. Many have accumulated vast amounts of IT infrastructure, with multiple legacy systems cobbled together. How can they ensure they understand those systems, make sure they are fully procured and obtain the information required to keep the organisation safe?

It’s a perfect storm of complexity, and the Covid-19 pandemic adds even more cyber-risk for all financial firms. Cyber-criminals are increasingly targeting employees working from home, who can be susceptible to attacks such as business email compromise – where an adversary impersonates someone from the business via email to extort cash or steal credentials.

The risk of a successful cyber-attack is made worse by gaps in remote working infrastructure, which can result in weak points through which hackers can infiltrate systems. Configuration issues add further problems for financial firms. In many cases, systems are deployed seemingly with protection in place, but they aren’t configured properly.

It’s clear the sector is at increasing risk of attack, yet some financial institutions aren’t getting the basics right. Patching isn’t always a priority, and as the 2017 WannaCry ransomware attack shows, it only takes one unpatched laptop to breach multiple systems.

Operational resilience

A key factor in avoiding a SolarWinds-style breach is operational resilience, which itself depends on having the right strategy. It’s crucial to validate the security controls in place and test how effective they are. Part of this is about having access to the right people and skills. Of course, financial firms need a SOC that understands the system and monitors the threats, including what type of cyber-attack would be a disaster for the business.

Yet at the same time, the value of Red Teaming shouldn’t be under-estimated. As well as penetration testing and looking for outdated software, Red Teams should be attempting to perform activities that would, in reality, cause serious business impact.

To ascertain what that damaging activity might be, financial services organisations can speak to business colleagues, asking them which outcomes would be especially detrimental to the organisation. It could be stealing data, money, or accessing systems.

Red Teams should attack from the outside as well as from inside an organisation to take into account the insider threat. And it’s a good idea to use an external penetration testing team, asking them to partner with the company’s staff, sticking to objectives set out in advance.

Supply chain threats

As SolarWinds has shown, the supply chain threat is increasing as the cyber security landscape diversifies. Taking this into account, financial institutions need to be more aware of their supplier security posture and make sure stringent checks are in place. Tools can also help. Ideally, use just two or three vendors to avoid unnecessary complexity, and ensure detection capabilities are in place.

Most businesses now accept they will be breached at some stage, but dealing with it properly is key to limiting the damage. The optimum response includes business continuity plans and back-ups, as well as performing desktop testing with colleagues based on cyber-scenarios. This must be underpinned by a world-class basics approach, ensuring all systems are patched 100%.

Also be aware that cyber-attacks can build on each other: if an organisation is being hit by three or four attacks, it needs to have the infrastructure in place to deal with them properly. Meanwhile, as cyber-threats increase in number and sophistication, investment is a constant requirement. All financial institutions need a rolling cyber-strategy, which should be updated every 12 months as threats evolve.

Another area to focus on is reporting. Often, security reports to the business are simply a list of vulnerabilities. But it makes more sense to go back and report whether objectives have been reached: For example, did the penetration tests allow access to data?

Financial services players also need to ensure they have the skills required to minimise cyber-risk. When recruiting and outsourcing, organisations must hire the right people who understand IT, considering both expertise and experience. At the same time, security teams should include good business people who are able to articulate to others in the organisation, including the board, why security is important.

When speaking to the board, cyber teams need to be honest about the risk, and report this in a clear and granular manner. If the board is investing in cyber security, it wants to see its risk profile going down in line with increased spend. If the firm’s risk is always “high” despite constant investment, it will simply breed cyber-lethargy.

Threat intelligence is also absolutely key. In combination with a strong strategy, tools and skills including internal and external expertise, financial institutions will be able to limit the damage should an attack similar to SolarWinds impact the organisation.

Neal Semikin is the Chief Information Security Officer of The 324 Consultancy. Previously, he was the CISO of the Bank of England, responsible for the bank’s cyber security risk operations.
