Insights from the 2020 Cyber Coordination Groups

Ransomware

Ransomware is a malicious software that has 2 main modes of attack:
I.    Encrypting core systems and demanding a ransom from the victim to access decryption keys to restore access to the encrypted data.
II.   Exfiltrating data out of target systems, and blackmailing the target into paying a ransom to avoid publication of the data.

The usual motive for ransomware attacks is financial gain, but other reasons include covering digital ‘footsteps’ following other malicious activity.

CCG members noticed that the use of ransomware accelerated and became more malevolent in 2020. There has also been an increase in pressure for firms to pay ransoms due to the threats of publication of sensitive information.

CCG members discussed mitigation strategies that include:

• Maintaining and updating hardware, software, operating systems, Internet of Things (IoT) and peripheral/mobile device patching.
• Implementing backup and restore procedures.
• Implementing segmentation of networks to isolate critical areas and systems as much as possible.

Denial of service (DoS)

A DoS attack aims to shut down a machine or network, making it inaccessible to its intended user(s). This can be scaled by an attacker into a Distributed Denial of Service (DDoS) attack where there are attacks from multiple sources. 

CCG members noted an increase in the scale, sophistication and frequency of DoS attacks in 2020. CCG members discussed mitigation techniques which include: 

• Allowing and blocking specific IP addresses or regions.
• Limiting the amount of traffic available to specific networks or parts thereof.
• Working with internet service providers and DoS mitigation services to implement upstream filtering.

Cloud security

Cloud architectures and their use within the financial sectors has increased in recent years. Cloud Service Providers (CSPs) remain targets for both espionage and financially motivated cyber-attacks due to the amount of data stored in the cloud by many different users. In addition, successful attackers could potentially obtain access to computing resources, at someone else’s expense. 

The 3 major cloud risk areas identified by CCG members in 2020 were:

• Misconfiguration - Misconfiguration of cloud services continues to be the main cause of information security incidents and occurs when cloud assets have been incorrectly configured, introducing security flaws.  
• Lack of security awareness - When firms move to cloud services, often they are unaware of the potential threats they face and fail to take the necessary actions to safeguard their data, prioritising functionality over security. Having the correct skills to help plan, design and execute a cloud migration was found to be key to reducing the risk of mistakes. 
• Account compromise - Compromising privileged or sensitive accounts can provide attackers with complete access to a victim’s cloud environment, potentially providing them with access to data and enabling them to cause significant disruption. This continues to be another area of focus from threat actors, with controls such as multi-factor authentication still not being used as widely as they should be.

Insider threat

Insider threat remains a large challenge for firms, especially across an ever-expanding security perimeter that includes suppliers, partner organisations and other third and fourth-parties. This includes both malicious and accidental insider threats. 

CCG members identified that one of the greatest insider threats comes from employees who have privileged technical accesses (developers, system administrators and architects) and former employees who retain access privileges which could allow them to access systems remotely.

Supply chain security

Identifying and mitigating risks that exist in supply chain partners remains a significant challenge for firms. Remote working has increased the dependency that many financial sector firms have on some third-party providers and several high-profile breaches have illustrated the dangers of cyber-attacks that target suppliers and third-parties.

These breaches frequently have the aim of extending disruption to the consumers of the third-party services. We cover this in detail in Section 3.  
 

Zero Trust security

Zero Trust is a security concept based on the belief that an organisation should not automatically trust anything inside or outside its perimeters. Instead it must verify anything and everything trying to connect to its systems and networks before granting access.

In traditional network security models, it is harder to gain access from outside the network, but everyone inside the network is trusted by default once authenticated. This can provide attackers with widespread access once perimeter defences have been breached.

CCG members discussed the potential of Zero Trust models as a remedy for remote working security challenges and took part in discussions with NCSC Zero Trust experts as to how effective models could be applied to their firms. Members noted that Zero Trust models have a promising future in addressing traditional network security challenges, and are worthy of attention when considering one’s own network security.

Artificial intelligence

The attack surface of firms is often large and continues to grow and evolve rapidly. Analysing and improving cyber-security posture is no longer a human-scale problem.

CCG members identified Artificial intelligence (AI) as a prospective solution to this problem. AI-based tools have emerged to help information security teams analyse millions of events and identify many different types of threats.

These technologies can learn over time, drawing from experience to identify new types of attacks.

However, AI and machine learning techniques also have the potential to be used by malicious actors to increase the speed, sophistication and customisation of attacks. As such it was noted that AI may need to be seriously considered from both a defensive and offensive cyber-security stance.

The global pandemic has required financial sector firms to quickly transition to a remote workforce with an increased focus on serving customers through digital channels. This rapid change required information security teams to perform multiple roles of supporting business continuity and protecting the firm and its customers while adapting their own operations to a ‘new normal’.

CCG members highlighted that this has put an even greater strain on their cyber security teams.

At the beginning of the pandemic response, many companies were forced to accept new risks, including reduced control standards to keep operations going. As employees and firms became accustomed to the changes, these residual risks were re-evaluated often resulting in tightened controls.

The surge in remote working due to Covid-19 has expanded the security perimeters of firms, with attackers seeking to exploit the vulnerabilities in employees’ home networks. CCG members expressed concern over the security of employees’ home devices including routers and IoT devices.

Some CCG members also noted the challenges in achieving the same level of monitoring capabilities they had on premises with most having to upgrade capabilities to achieve some level of effective monitoring. With additional layers such as virtual private networks (VPNs), multiple networks and various cloud applications and platforms such as Office 365 being used, effective monitoring became an even greater challenge.

CCG members discussed the increased monitoring of employees performing high-risk functions from home in order to reduce risks of harm.

These additional challenges have highlighted that traditional systems and controls are often put under strain when transitioned to remote working. CCG members noted the need re-evaluate their cyber threats given the changes to ways of working caused by the pandemic.

Malicious actors ranging from opportunistic attackers to nation-state actors have looked to exploit the pandemic for their benefit. Indicators of threat activity began to emerge almost at the same time as the growing societal awareness of the scope of the pandemic.

This highlights the speed at which attackers can move to take advantage of major news developments.

CCG members observed that the most evident example of this increase in opportunistic attacks was an increase in phishing and vishing attempts, many of which used pandemic-related lures to gain access to personal, financial and business data.

With the financial sector worldwide seeing an increase in ransomware attacks, many CCGs noted the importance of ensuring timely patching of systems, applications and control updates. Firms also discussed the need to counter the increased threat with greater monitoring capabilities and staff information security and cyber awareness training, including phishing control tests.

CCG members noted that the increased threat level from ransomware had led to board awareness of the problem and its potential brand impact. This has helped cyber risk become a higher priority across firms.

CCG members also recognised that in response to enabling homeworking, insider threats have become harder to monitor. This is true of both malicious and accidental insider threats. Procedures, policies and other (digital and physical) control measures may not fully cater for this change.

CCG members acknowledged that malicious or accidental breaches can happen when staff may be more vulnerable because of anxieties increasing due to Covid-19 while juggling home-schooling, home working or other stresses. This can be exacerbated by longer working hours resulting in fatigue and potentially poor decision making.

Finally, CCG members noted that we may never see a permanent solution to mitigating insider threat, due to its unpredictable nature. For the most part, firms mentioned monitoring of users and system activities as the main way to mitigate against insider threat, alongside an increase in awareness training and monitoring of staff wellbeing.

CCG members discussed a variety of good practices to handling third-party risk management and assurance. Common opinions across the CCG meetings included:

• Members agreed that some of the better strategies to carry out third-party risk due diligence include independent audits of third-party systems, assurance that a third-party has strong security certifications and concise security questionnaires.
• CCG members considered security questionnaires a somewhat flawed approach, but currently serve a purpose in providing a reasonable standard of risk oversight while being simple to implement. Security questionnaires are prone to over optimistic responses from third-party suppliers, which needs to be accounted for in the evaluation of risk. Members also agreed that, when questionnaires are used, a short question set that probes meaningful areas of risk is much more beneficial than long and complex questionnaires.
• Members acknowledged that responses to document requests or questionnaires do not always answer all risk management questions, and that instead fostering a good relationship between a third-party supplier’s security team and a firm’s risk management team is an excellent way to gain more bespoke, targeted risk assurance. This approach is not always possible, however, especially with large suppliers.
• Members agreed on the need to follow a standard approach if a third-party supplier is compromised, based on the degree and extent of impact. To best implement this, a robust risk management framework should be in place, coupled with a strong accountability chain within a firm. To help ensure an accountability chain is robust, education of third-party cyber risks across senior management teams is essential. Members highlighted that if business decisions are being made based on third-party risk due diligence, then a good understanding of third-party cyber risk must be in place at a senior level.
• In a similar vein, some members noted that often third-party risk management teams can be either too business-focused or too technology-focused, and that a balance needs to be struck to account for both areas.
• Members agreed that when a third-party service changes, fresh due diligence is required to re-evaluate the risks.
• CCG members also discussed how best to vary risk management approaches depending on the size and nature of the third-party supplier, agreeing that there are positives and negatives to dealing with both large and smaller providers. The consensus in the groups was that large suppliers cannot be deprioritised in relation to risk, and thorough due diligence is required for all suppliers regardless of reputation and size. They also noted that legacy and incumbent third-party suppliers tend to be less flexible and harder to manage, so greater attention is often required.
• Despite all good practice, members noted that risks will inevitably materialise into real consumer harm on some occasions, and that it is crucial this is understood across the business and that contingency is put in place to mitigate the harm caused.

There were in-depth discussions from CCG members around the additional cyber risks posed when suppliers outsource some of their own operations (fourth-parties, fifth-parties, etc). Members noted that fourth-parties often pose an even greater risk than a firm’s third-parties, due to them often being critical in the supply chain but there being very low visibility of these risks from a firm’s perspective.

CCG members noted that fully managing fourth-party risk is extremely challenging due to this lack of visibility. However, it should be an ambition to make fourth-party risk management as robust as third-party risk management.

Members noted it is common practice to question a third-party supplier’s own supply chain as part of the due diligence process. However, it was acknowledged that this is often not done to great enough detail to effectively mitigate against fourth-party risks.

Members agreed that due to the lack of visibility and contact with fourth-party providers, greater due diligence should be undertaken at the contractual stage with a third-party supplier. This could include gaining full oversight of a third-party’s supply chain before starting a relationship with them, with contractual obligations for the third-party to update the firm if this supply chain changes.

CCG members discussed cloud service providers (CSPs) as a very different category of third-party, with different risk mitigation approaches needed. CCG members noted that CSPs tend to offer more resilience than other third-party providers, but their risk should still not be deprioritised due to the high level of reliance upon CSP systems by firms.

A major way in which CSPs differ from traditional third-party suppliers is their engagement style. CSPs tend not to entertain bespoke risk assurance approaches, and traditional good practices such as issuing security questionnaires are relatively ineffective.

Members agreed that the best way to gain assurance from CSPs is to foster a strong relationship with them. However, this is unrealistic for all but the largest firms. As a result, there is some level of reliance upon reviewing CSPs’ shared due diligence and audit reports and comparing these to a firm’s current risk appetite.

Financial sector cloud contract addendums can be useful to provide extra assurance from CSPs for firms to fulfil financial sector regulatory obligations.

Another angle to CSP risk is that of suppliers who operate on Software as a Service (SaaS) or Platform as a Service (PaaS) infrastructures. These suppliers use CSP infrastructure to provide their service.

This often leads to a juxtaposition of risk. On one hand, the added resilience of CSP infrastructure can lead to more robust cyber posture. However, the lack of full system visibility, paired with security risks associated with poor cloud platform configuration, adds additional risk.

CCG members agreed that this trade-off needs to be considered when engaging with suppliers who operate via SaaS or PaaS.

CCG members also discussed the concentration risk associated with using CSPs to house multiple important systems, in addition to potentially having additional third-party suppliers using the same CSP. The consensus of the groups was that in general this concentration risk is acceptable due to the high level of resilience of CSPs, and the high number of different regional server centres that CSPs operate across.

Some members raised the prospect of using multiple CSPs to mitigate concentration risk. Multi-cloud approaches involve the simultaneous hosting of services across multiple CSPs, which can increase resilience if one CSP has outages.

The feasibility of this approach was questioned by some members due to the resource cost and differences in infrastructure between different CSPs. This was countered by some members, with the suggestions that container technology can be used to allow for easier implementation across multiple CSP infrastructures, or for rapid redeployment in the case of a certain CSP becoming compromised.

There was much discussion and optimism within the CCGs around the prospect of using shared risk assurance models for third-party suppliers across the industry. Shared risk assurance models would allow multiple firms to input into the risk assessment of a given supplier, sharing the resource demand in carrying out thorough due diligence.

In theory, this would allow for less resource being dedicated to third-party risk assessments per firm, while delivering a greater overall assessment of a supplier’s risk.

The optimism from the CCGs was balanced by an acceptance that this is a hard system to implement, and that great care and attention should be given to ensure that this is implemented correctly. Frameworks should be designed to a high enough standard to ensure that the system provides an adequate level of risk assurance for all third-parties to all firms involved.

They also noted that both privacy and legal liability concerns would need to be carefully considered if any framework was developed with potential adoption in mind.

Third-party risk management products can be used to evaluate the risk posed by certain third-party suppliers, and to gain risk oversight of a supply chain. The CCG members were generally disapproving of such products for several reasons.

Primarily, members felt that third-party risk management products provide little detail or context in their reports, resulting in potentially ill-advised advice. This is compounded by the fact that the cyber position of an organisation can change faster than the reporting of such a product, resulting in inaccurate reports.

Despite this, some CCG members saw benefit to using such products, acknowledging that they can be of some use at a very high level to gain oversight but should not be used for detailed analysis or final decisions.

In addition, CCG members noted that although the benefit of such products is questionable, the availability and visibility of their reports helps drive cyber improvements across industry.

Several aspects of third-party risk management and assurance have been affected by the Covid-19 pandemic and the subsequent change in working requirements. CCG members identified the following 3 changes:

1. Third-party supplier auditing has changed in nature. On-site audits have not been possible which has added complications in gaining assurance. Nonetheless, some CCG members considered the replacement of on-site audits with virtual audits as an adequate replacement.
2. Firms were forced to adapt quickly to new working environments, which often required the adoption of additional third-party suppliers such as video conferencing technology suppliers. CCG members acknowledged that due diligence was unlikely to have been fully completed due to the speed at which these changes were required, and reassessing due diligence in these circumstances is beneficial.
3. Higher levels of remote working have led to an increase in cyber risk tolerance amongst CCG members who advised that a key aspect in managing this has been to increase education around remote working practices to staff and management.