Hot Topics in Community Bank Cyber Security

08/25/2015

Cyber security is not just a hot topic in the banking industry but also one of the highest-priority concerns of the regulatory agencies. High-profile data breaches at banks and major corporations, including Sony, Target, Anthem Health and JP Morgan Chase, have proven the importance of securing corporate network infrastructures. Just this year, an attack targeting over 100 banks simultaneously resulted in $900 million in losses. The toll on a company's reputation and bottom line is significant if a weak link is found and exploited.

With that in mind, Ardmore Banking Advisors recently hosted a webinar on some of the hottest topics in cyber security for community banks. ABA was joined by Orrstown Bank’s Executive Vice President of Operations & Technology, Ben Wallace, and Chief Information Security Officer, Andrew Linn, for a discussion of Orrstown’s recent IT infrastructure overhaul and how they are attempting to stay ahead of the latest cyber threats.

Some of the questions and answers most pertinent to a community bank follow:
 
Where are the Most Significant Threats Coming From? Concept of Least Privilege and Anomaly Detection
 
One important question for the panel focused on whether the most significant threats to a bank’s network infrastructure come from external hackers or internal employees, acting with or without malicious intent.  
 
Mr. Linn cited a survey performed by CSO Magazine that stated that most respondents felt that an insider breach was more costly than an external one, since an internal employee could possess far more access to sensitive data than a random hacker could.  
 
“That’s why, at Orrstown, we apply the concept of least privilege,” Mr. Linn said.  “We only provide access to things that our employees need on a daily basis, and if they change jobs or leave the company, we have ways of identifying what they had access to and what to do about it.”
 
Mr. Wallace and Mr. Linn also have systems of anomaly detection in place that allow them to track some red flags that might affect their employees’ current state of mind. For instance: “Life changes such as the death of a spouse, a divorce, a spouse’s job loss, where someone gets into financial distress can make some employees take advantage of the fact that they work at a financial institution for their own gain,” said Mr. Linn. “Having the ability to monitor behaviors like that becomes important.”

Anomalous Detection
 
Another technique that Orrstown has established in its infrastructure is anomalous detection: automated tools that red-flag erratic behavior on the bank’s network, such as spikes in web traffic at abnormal times.
 
“Generally you’ll see things quiet in the morning, ramp up over the morning, bubble in the mid-day and then ramp back down in the evening hours,” said Mr. Linn of web traffic on an average business day. “That’s the regular pattern, the bell curve that you see. If you start to see patterns that are different from that bell curve, like traffic that pops up at 2 in the morning; it won’t tell you what’s going on, but it’s certainly a red flag that something is worth investigating.”
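
The hour-of-day baseline described above can be sketched as follows. This is an added example, not Orrstown's tooling; the traffic counts, function names and thresholds are constructed assumptions.

```python
import math
from statistics import median

def build_baseline(history):
    """history: list of days, each a list of 24 hourly request counts.
    Returns per-hour (median, MAD) so one odd day cannot skew the profile."""
    baseline = []
    for hour in range(24):
        samples = [day[hour] for day in history]
        med = median(samples)
        mad = median(abs(s - med) for s in samples)
        baseline.append((med, mad))
    return baseline

def flag_anomalies(day, baseline, threshold=6.0, min_mad=5.0):
    """Return [(hour, count, score)] for hours whose robust z-score exceeds
    threshold. 0.6745 rescales MAD to a standard-deviation equivalent;
    min_mad (assumed floor) keeps near-silent hours from flagging on noise."""
    flagged = []
    for hour, count in enumerate(day):
        med, mad = baseline[hour]
        score = 0.6745 * (count - med) / max(mad, min_mad)
        if abs(score) > threshold:
            flagged.append((hour, count, round(score, 1)))
    return flagged

def typical_day(jitter):
    """Constructed sample: bell-shaped business-day curve peaking at 13:00."""
    return [int(20 + 900 * math.exp(-((h - 13) ** 2) / 18.0)) + jitter * (h % 3)
            for h in range(24)]

# Constructed history: 14 business days with small deterministic variation.
HISTORY = [typical_day(j % 5) for j in range(14)]
BASELINE = build_baseline(HISTORY)

# Constructed day under review: normal shape plus a burst at 02:00.
SUSPECT_DAY = typical_day(2)
SUSPECT_DAY[2] += 400

if __name__ == "__main__":
    for hour, count, score in flag_anomalies(SUSPECT_DAY, BASELINE):
        print(f"{hour:02d}:00 count={count} robust_z={score} -> investigate")
```

As in the quote, the flag only says that 02:00 departs from the usual curve; identifying the cause still takes investigation of the underlying logs.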
 
“Not If, But When” and Chat Rooms for Hackers
 
A large portion of the webinar focused on the mindset, held by some IT professionals, that the question is not if a security breach will happen to their bank, but when. Mr. Linn shared a harrowing story from an IBM security professional speaking at a recent conference about hackers that communicate in an online chat room to swap information about potential targets.
 
“One individual writes, ‘I’m thinking about attacking X Bank - what are their daily withdrawal limits, what are their controls, what can you tell me,’ and other people who have done reconnaissance will respond and they are exchanging information on and collaborating attacks on these banks,” said Mr. Linn. “At some point, you have to expect to be targeted and you need to have the building blocks in place in case it happens so that the bank can mitigate the fallout.”
 
To test their readiness, the security professionals at Orrstown regularly conduct exercises that simulate breaches of various security measures and loss of data, in order to evaluate their recovery procedures and see where there are areas that need improvement.
 
“We are able to run these exercises to evaluate whether we have a process in place to determine what data is taken and where it came from,” said Mr. Wallace.  “This allows us to see what is working, and the potential areas that we can reinforce.”
 
Just as hackers are able to communicate and coordinate a plan for their attacks, more and more bankers are able to coordinate efforts in order to formulate a response. Mr. Linn and Mr. Wallace suggested banks look into organizations including the Financial Services – Information Sharing & Analysis Center (FS-ISAC), which present large conferences for banks focusing on cybersecurity and potential responses to online threats.
 