Last fall, the Federal Reserve, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) proposed new rules for enhanced cyber risk management standards. These latest standards follow existing federal legislation and regulation dating back to 1978 for risk assessment and management in the banking sector.
At the same time, the Department of Financial Services in New York is developing new rules to provide minimum requirements and deadlines for financial institutions doing business in the state. Ongoing reports of hacks ensure that there will be pressure to continue to strengthen cybersecurity guidelines and protect consumers from fraud, identity theft, ransomware and other cybercrimes.
The incoming administration, despite its deregulatory instincts, cannot ignore the facts. According to Forbes, there are approximately 500,000 cyberattacks every day, which are projected to cost more than $2 trillion by 2019. Among the companies that reported attacks or breaches in 2016 are LinkedIn, Hyatt, Wendy’s, Oracle, Verizon, Citibank, Dropbox, Yahoo and Dyn. The average company in the financial services industry alone experienced 83 million events in 2015, according to IBM.
Considering that there are so many cybersecurity policies and regulations in place, why does this keep happening? What are we missing?
The answer is that the existing policies are vague. They don’t consider the way fraudsters behave and instead focus primarily on fortification and prevention as opposed to resilience and real-time response. Today’s cybercriminals are sophisticated and patient. They are familiar with our prevention solutions and they have figured out how to bypass them.
Organizations should focus on how to detect and respond to malicious behaviors and incidents instead of trying to prevent every threat, Gartner, an information technology research company, said last year.
Threats comes in three main forms—credential theft, remote access malware and social engineering—where oftentimes it is the human element that causes the breakdown. All the passwords, tokens and other forms of strong authentication are meaningless if a person is tricked into handing over their credentials, inadvertently installs rogue software on their device that performs certain actions, or unwittingly gives a criminal access to their machine or account.
The report issued by the FBI and Department of Homeland Security last week, is a case in point. The agencies explained the methods used by hackers to penetrate the U.S. government and political party system, and described in detail how a spearphishing campaign distributed emails containing malware. Through that the hackers were able to compromise the political party. At least one person activated the malware, which was able to establish further privileges, access email and active directory accounts and circumvent encrypted transmissions.
The report goes further to explain a second successful attack, also conducted through targeted spearphishing. The second time the email fooled users into resetting their passwords through a “mirror” website that was setup on the hacker domain. The hackers then had all the credentials that they needed to gain access and steal content, which was then distributed externally.
What this report tells us is what so many of us already know. Our policies are failing us. Today’s criminals are fighting a 21st century war, attacking our critical infrastructure and financial systems using unconventional techniques, while we defend ourselves with antiquated methods. Pins, tokens, passwords, IP verification, device authentication, physical biometrics and even multi-factor authentication can all be bypassed.
We know this because today’s fraud comes from authenticated sessions that are taken over post-login. Instead of being a step ahead of the fraudsters, we are a step behind. The good news is that there are technologies such as behavioral biometrics that provide continuous authentication to validate who is behind a session and not just what device or passcode was used to authenticate the login.
Our policies need to take these capabilities into account, to combat the techniques that fraudsters are using, and to adapt to the current fraud landscape and to protect against future attacks. They must be pointed, relevant and timely. The risk is too great.
Frances Zelazny is vice president of BioCatch, a cybersecurity company that delivers behavioral biometrics to protect users and data. She provided testimony last year to the New York State Assembly's banking committee on cybersecurity threats facing the U.S. financial industry.
The views of Contributors are their own and are not the views of The Hill.