Boston Fed official: the financial industry is not bulletproof from threats

The financial industry has better cybersecurity than most others. But the audience at the Boston Fed’s 2016 Cybersecurity Conference Monday heard that better is not enough, since cyber criminals are getting better all the time too.

Most security experts would agree with Kenneth Montgomery, first vice president and COO of the Federal Reserve Bank of Boston, that the financial industry is, “the most regulated and the most prepared” of any to deal with constantly increasing and evolving cyber attacks.

But Montgomery, speaking at the Boston Fed’s 2016 Cybersecurity Conference on Monday, agreed that the scale and sophistication of the attacks mean that no industry is bulletproof. As evidence, he cited the Symantec 2014 threat report, which found that 1 million new pieces of malware were being created daily.

Getting a bit closer to the bulletproof ideal was the focus of the annual conference, and Montgomery said one of the Fed’s efforts to do that is a threat-sharing group that meets once a month.

As he and several other speakers noted, the stakes are high, because although the financial sector’s security is better than other industries (particularly retail and health care), a major breach could have a catastrophic impact.

Anjan Mukherjee, counselor to the secretary and deputy assistant secretary for financial institutions policy at the U.S. Treasury Department, noted that the financial sector is considered critical infrastructure, for good reason.


The Lehman Brothers collapse in 2008 demonstrated that, “when a global bank fails, it produces shock waves across the world, and creates uncertainty and volatility,” he said, but added that a “significant software problem” at the Bank of New York more than 30 years ago, in November 1985, also disrupted securities trades.

“In one case it was insolvency, in the other a technical glitch,” he said. “But they both highlight the inherent connectivity of the financial markets.”

So a major cyber attack that brought down a major institution even temporarily would create, “the very real risk of transmitting one institution’s stress to the rest of the market,” he said.


Peter Kuper, a partner at the high-tech venture capital firm In-Q-Tel, agreed. In a talk on the “unintended consequences” of a connected, global online economy, he noted that, “everything of value is already online in one form or another. So cybercrime is only going to increase – that’s where the money is.”

Don Anderson, senior vice president and CIO at the Boston Fed, confirmed that. He said populations that have been traditionally “underbanked” are now gaining access to banking through mobile technology. “Fifty-seven percent have access to a smartphone, compared to 44% of the general population,” he said.

Mukherjee said the goal for banks and other financial institutions should be, “to reduce the probability of an event happening, and if it does, minimize the cost,” through best practices. Those include:

  • Use the NIST (National Institute of Standards and Technology) framework. “It is not a technical document,” he said. “It is a powerful tool that provides a common lexicon to facilitate communication within organizations and with outside third parties.”
  • Know and catalog all vendors that have access to your systems and data.
  • Make sure those third parties have appropriate cyber security practices, and conduct ongoing monitoring to make sure of it.
  • Join FS-ISAC (Financial Services Information Sharing and Analysis Center). “Be mindful of privacy, but this is a group with 7,000 members, and it leverages knowledge of threat indicators,” he said.
  • Practice response and recovery, to contain and mitigate. “Have an internal team and coordinate with external teams. Have a playbook and exercise it regularly,” he said.
  • Have backup plans and work-arounds, to make critical payments and deliveries manually if necessary.

Kuper warned, however, that technology and systems will not be enough, since the human element remains the weakest link in the security chain. “It’s about stopping stupid,” he said, “since 77% of intrusions are through email. That’s the attack surface.”

Kuper said situations like an employee being offered $20,000 to put a malicious USB thumb drive into a system, “happen all the time. We have to deal with insider abuse.”

Anderson acknowledged that email attacks have gotten much better. He said in one case, the Fed’s IT team sent out “test” emails to see if employees, including executives, would be fooled by them. “It looked legitimate,” he said, “and if I hadn’t been in a hurry, I might have clicked on it.”

Anderson said the bottom line is that, “the bad guys have technology too. Now is the time to disrupt ourselves.”

Stories by Taylor Armerding