Cyber risk continues to be an ever-evolving and complex challenge for the financial sector. In 2017, the FCA brought together over 175 firms from across financial services to collaborate in groups on cyber security and operational resilience. These Cyber Coordination Groups (CCGs) allow firms to share knowledge of their common experiences and discuss best practices in their approach to cyber security in order to reduce potential harm to consumers and markets.
Last year, we published CCG Insights[1] which provided a broad overview of those firms’ general cyber hygiene. Here we reflect on the increased maturity of conversations held during this year, and focus on some of the topics discussed at the CCGs.
Each CCG represents a specific sub-sector. In 2019, these sub-sector groups came from: Insurance, Fund Management, Investment Management, Retail Banking, Retail Investments and Lending, Brokers and Principal Trading firms, and Trading Venues and Benchmark Administrators. Firm participation has grown from 175 in 2018, to over 185 firms in 2019.
Each quarter the CCGs discuss various topics of cyber risks, in depth. Through a mix of small group conversations and larger storytelling sessions, CCG members are learning from the experiences and challenges of others in their specific sub-sector. This includes potential ways of resolving common problems.
We aim to outline and share output from these conversations to a wider financial industry audience. The insights cover broad cyber risks that span sector priorities, in addition to 4 themes that were discussed in depth by some or all of the CCG groups.
This is not FCA Guidance. It does not set out our expectations for systems and controls that firms should have in place to comply with our regulatory requirements. Each example has been shared by one or more firms within the CCGs, and many support existing guidance from the National Cyber Security Centre (NCSC).
Themes
We summarise 4 CCG discussions under 4 themes. The first theme, Cyber Risks, shares addresses high level risks discussed each quarter using a ‘Cyber Risk Radar’ which aimed to track the threat to each sector. CCG members discussed the most concerning risks in greater depth, and how they and other firms could mitigate or manage these risks. The output from these discussions is in we have highlighted the following 3 themes of Identity and Access Management, Third Parties and Supply Chain, and Malicious Emails.
CCG insights - cyber risk
Within the UK Cyber Co-ordination Group (CCG) network, the sub-sector groups each contribute to, and maintain a ‘Cyber Risk Radar’. This tool was used to highlight numerous cyber risks that the sectors face while tracking and categorising the severity of the threat posed to firms. It captured attendees’ views and were compiled into a single view, per sub-sector. CCGs were asked to focus on the following areas:
- current threat landscape - evolving threats of interest or relevance
- emerging & future trends - new technology, developing solutions and user requirements, and other influencing factors challenging security response
This section outlines the common cyber risks that CCG attendees discussed.
Current threat landscape
Supply chain
Identifying and mitigating risks that exist in supply chain partners is a significant challenge for firms. This is particularly true for utility and infrastructure providers (such as energy and telecommunications), where choices can be are limited and using commercial and operational levers available to ensure resilience is challenging.
Sub-sector groups discussed the importance of maintaining and assessing programmes to understand risks and controls for critical elements within their supply chains, and to ensure this activity is designed in the context of the end to end service being supported.
Social engineering
Social engineering is the use of deceptive tactics to prompt individuals to disclose or grant otherwise unauthorised access to information, with the aim of using it for fraudulent or malicious purposes. Successful social engineering introduces significant risk as it may be used to breach the confidentiality, integrity, or availability (CIA) of an organisation’s systems, data and/or people.
CCG members cited the need to educate employees to better identify and report possible social engineering attacks. CCG members also commented on implementing technical controls such as effective email filtering and the secure handling of information to limit the exposure of employees to potentially harmful situations.
Ransomware
Ransomware is a malicious software that disables the victim's files or systems, with the attackers promising to release a key that decrypts the files once a ransom has been paid. The usual motivation for this type of attack is for financial gain, but other reasons include covering digital ‘footsteps’ following other malicious activity.
CCG members discussed mitigation strategies that include processes to:
- maintain hardware, software, operating system and peripheral/mobile device patching, and
- segment networks to isolate critical elements as much as possible
These steps help to prevent ransomware from spreading across a business network or affecting one or more critical systems in the first place.
Malicious insider
Insider threats can be posed by current or former employees, contractors or partners. These individuals may misuse access to networks, applications and databases to cause damage and disruption, or erase, modify or steal sensitive data. As organisations implement increasingly sophisticated physical and cyber security measures to protect their assets from external threats, recruiting insiders becomes a more attractive option for those attempting to gain access. Stronger internal controls and network monitoring, detection and response are required to deal with this threat.
Credential stuffing
Credential stuffing is a type of attack where credentials obtained from the data breach of one service are used to attempt to log in to another, unrelated service. Statistically speaking, credential stuffing attacks have a very low rate of success.
However, advances in automation and botnet technology also make credential stuffing a more viable attack. Security features built into web application logins often include deliberate time delays and IP address blocking for users who have repeatedly failed login attempts. Modern credential stuffing strategies attempt to avoid these defences by simultaneously attempting logins that appear to come from different device types and IP addresses.
Traditional prevention techniques are largely unsuccessful in mitigating credential stuffing attacks, as they are not designed to defend against attacks coming from a wide range of sources. CCG members found that this can be mitigated to some degree by implementing multifactor authentication and ensuring services and devices remain securely configured.
Emerging and future trends
DevSecOps
DevSecOps – or Development and Security in Operations - integrates security by design into DevOps processes. It does this by ensuring that security is an integrated consideration at each stage of the development process. Failure to incorporate consider security or implement appropriate security controls during DevOps risks releasing code, software or hardware into production that potentially contain vulnerabilities.
CCG members discussed the importance of ensuring that robust security practices are embedded into an organisation’s development approach by incorporating security into all stages of the software development workflow. Members suggested a desirable outcome is that privacy, security, and compliance practices are incorporated into software development processes, enabling firms to continue to develop at high speed but with enhanced levels of information and operational security.
Cloud security
Cloud security risk refers to the threats and vulnerabilities that arise from increasing reliance on IT infrastructure, platforms, software services and systems, including hardware that is provided by external managed service suppliers. These threats and vulnerabilities may include, but not be limited to:
- reduced visibility and control of risks
- insecure or misconfigured cloud instances/interfaces
- concentration risk
- insider risk (eg abuse of trust or of privileged access) to manipulate and or gain access to sensitive data and services
CCG members concluded that data held in cloud environments should be encrypted and protected by appropriate intrusion detection/prevention controls. Change management controls should ensure multiple levels of approval, from relevant owners. For some cloud environments, inclusion of ‘kill switch’ technology, allowing for immediate disconnection to manage contagion risk, may be considered as part of a response solution.
Payment systems security
Attackers are increasingly building advanced capabilities and toolsets to target core banking systems, particularly payment messaging and transaction authorisation. Once built, attackers will use the components of toolsets for as long as they remain useful, and update those that become detectable to maintain effectiveness.
Recent publicised examples of payment systems attacks include targeting of interbank payment messaging channels and ATM ‘cash-out’ attacks. This type of malicious act are recent examples of payment systems attacks which can result in significant losses for the firms affected. The size of the potential reward guarantees that the threat of attacks will be advanced and persistent, requiring defensive actions that are at least equal in measure.
CCG members recognise that there needs to be closer industry collaboration to help financial institutions identify threats to payments systems as early as possible. Sub-sector groups discussed how their defensive measures are more effective when they include a mix of both increased information sharing about emerging threats and greater adherence to robust cyber security standards.
CCG insights - identity and access management
Inappropriate or ineffective identity and access management (IDAM) policies, processes and controls can give attackers access to critical systems that support important business services. Although some users may appear to be authorised and legitimate, this isn’t always the case. CCG sub-sector groups shared the following practices and insights for IDAM:
IDAM governance
The need to review and challenge existing password policies. Questions that CCG members suggested included:
- Does the policy support and reflect the ways the business functions and operate?
- Do they clearly set out how the firm will govern who is authorised to approve access and subsequently who gains access to relevant systems and data?
The importance of ensuring information about controls, their objectives and testing their effectiveness was discussed. CCG members stated that working with, or establishing business champions to submit test requests and monitor to see if these are declined or an incident ticket raised was a helpful exercise.
Business service or system owners need to maintain ownership and understand the drivers for effective identity management. It was suggested that asking those responsible how identity and access management services appropriately address and secure important business services was a good way of reminding them of the need for robust IDAM to be in place.
Identify and prioritise
Where possible, use automated tools to continuously monitor administrative and important accounts. These include local, domain, non-domain and service accounts that have privileged access to important business services and systems. It was considered helpful to ensure that these tools were extended to include cloud services, third parties, outsourcing and intra-group arrangements.
Record keeping
Retain records of privileged and business services access. Consider capturing user identification; who approved the authorisation, when the access was granted, when the access was last reviewed and when access was or will be withdrawn.
Importance of privileges
Users who require administrative or privileged access should use a dedicated system for elevated tasks. CCG members agreed that preferably the device accessing the administrative interfaces or performing privileged tasks should be separate from the standard work desktop/laptop environment.
It was also considered that best practice for accessing email and browsing the internet is to use a non-privileged account or identity. Users who are assigned privileged accounts should also be given a standard user account which has different password policies. This reduces the exposure to associated methods of attack.
Check that additional controls, such as 2-factor authentication and privileged access management procedures, are operating effectively throughout the identity lifecycle.
Separate and segmented (Virtual Local Area Networks, firewalls, network access controls and IP security) controls should be considered to enhance secure access.
CCG members discussed where systems and equipment cannot be updated, consideration should be given to segmenting and separating them so that any compromise to these systems is contained until an appropriate solution can be identified.
Ensure that there are robust processes on requests and revalidation of privileged access. Consider how a risk-based approach can be used to prioritise the revalidation. Automatic account revocation can be used, but CCG members also noted that this could impact the availability of business services if applied incorrectly.
It is likely that some users may require access to business services and systems on a temporary basis. In these circumstances, a risk assessment should be undertaken to ensure that access is only granted to information required to complete specific duties.
Challenge, inspect and trust (preferably using certificates) devices before allowing them to connect to networks. Consider applying this to remote access users, third parties or intra-group access. If devices do not meet requirements, consider that it could trigger quarantine and investigations.
CCG members suggested combining network access control and vulnerability management tools to identify new assets connecting. Mature environments may use metrics to monitor control capabilities to measure effectiveness.
Higher risk interfaces, such as externally-facing portals or privileged accounts, should consider having an extra factor of authentication. Prioritising accounts and applying two-factor authentication increases the difficulty for an attacker to gain access. Second factors may be physical or logical, but should be business-informed and risk assessed.
Importance of passwords
All default passwords should be changed before deploying a system. Validate that the changes to default passwords meet set password standards and consider password blacklisting or other effective password hygiene policies.
While the simplest form of authentication type is ‘something known’, CCG members agreed that a password is only as strong as its composition and confidentiality. Password managers or vaults were discussed and it was suggested that they can help employees in generating and storing unique multiple passwords securely, rather than in a document. If used, ensure that the configuration of an organisational password manager is appropriate, and that it effectively mitigates identified risks.
Password managers should be included in vulnerability and patching cycles. In addition, ensure that policies provide clear guidance on the use of password managers and there are appropriate and effective recovery capabilities, should a master password be forgotten or access otherwise lost. To help avoid this issue, CCG members suggested use of password managers that offer multiple factors of authentication to gain access.
Published lists of common passwords and permutations are widely available and can be used to support security policies. ‘Password blacklisting’ prevents common passwords from being used, reducing the risk of guessing credentials. Using these lists with software solutions to identify common passwords within the network can also be used to inform training and awareness requirements.
CCG members recommended validating that global security policies or centralised capabilities for defining strong passwords be applied consistently across systems. Password complexity enforcement software might be considered to enhance effectiveness.
Reducing the burden on employees to remember multiple passwords may also help them to avoid using common words or recording them where they may be compromised. Implementing a single sign-on solution is one example that CCG members discussed to support employees with multiple logins.
CCG members also noted that in environments where password reuse is in operation for less important business services or systems, this can create additional risks of password being used on a more important system. Attackers often use this to their advantage and harvest passwords from lower priority systems to access more important business services or systems.
Security monitoring and testing
Configure systems to send the appropriate logs and alerts when an account is added, modified, disabled or removed from any groups that contain administrative privileges. Check that the alerts and playbooks are working effectively through ad-hoc testing.
CCG members suggested alert examples including:
- attempted logins from unexpected geographical regions or locations;
- Multi-Factor Authentication (MFA) being disabled;
- logins that fail MFA;
- account lockouts;
- multiple login attempts from a single host or IP address;
- brute force password attacks on accounts; and
- unexpected time of day login attempts.
Members emphasised that control requirements of audit and log data should not be overlooked. They suggested that it was prudent to validate that the integrity of the data cannot be altered and protect the information within as would be done for any other confidential information.
Use frameworks to inform the controls. CCG sub-sector groups referred to the Mitre Att&ck framework as a method to understand what tools, techniques and procedures could be used to target the organisation. Other trusted sources of information (NCSC) could also help.
Review controls in line with risks to provide an organisational view. User and system access with associated system permissions should be defined and built-in system features used to extract lists of accounts and permissions. CCG members discussed various commercial tools that may be considered to provide holistic scanning and reporting across all environments including the cloud.
CCG insights – malicious emails
Cyber-attacks continue to evolve as technology adapts to threats, and more sophisticated attacks target humans. The primary avenue for these attacks is often email. CCG members concluded that the ability to monitor and adapt to what they are experiencing is a fundamental part of reducing the impact of malicious emails.
The CCG sub-sector groups shared the following practices and insights for dealing with malicious emails:
Identify, monitor and adapt
Know and understand what normal email traffic looks like. CCG members noted that the use of log monitoring systems can deliver significant insight into what ‘normal’ email traffic looks like. Both emails that are allowed and blocked should be included in monitoring to give better insight into the potential threat and how it is evolving.
Stop malicious attachments and links at the perimeter. Configure email servers to only allow ‘trusted’ attachments and URLs in emails from external sources. If there is no business justification for receiving certain types of file (eg JavaScript); they should be blocked.
Awareness of potentially malicious email sources can be improved by using open intelligence to increase the effectiveness of controls. CCG members mentioned Composite Blocking List[2] and Spamhaus Technology[3] as two examples of freely available intelligence, but there are many others.
Measure the effectiveness of relevant controls by collecting information on whether malicious emails are being stopped. Set clear thresholds and targets to meet, and include trending information as part of the monitoring process.
CCG members stated that it was important to understand malicious emails in detail, for example by using message header analysis tools. Understanding what the motive and capability of the threat may be, can enable controls to be adapted and make them more effective.
Set up dummy email addresses that do not belong to a user, with enhanced monitoring so that attacks can be detected and identified.
CCG members considered use of an email ‘kill switch’ to be helpful. This allows a single email to be removed from multiple mailboxes. So that when a malicious email is identified that has been targeted at multiple users, it can swiftly be removed from the entire organisation with minimal disruption.
Configure and understand how email domain(s) are used outside of the organisation. Using email authentication tools will aid in reducing the ability of attackers to make emails appear to be sent from the inside and alert the firm when this is attempted.
Maintain a secure culture
Technical controls alone will not reduce the likelihood of a successful attack via email. Attackers have demonstrated that they know that the easiest way to compromise an organisation, is to target humans. This has increased the need to maintain a secure email culture. CCG members shared the following insights and practices:
Create an internal mailbox/mechanism or button that makes it easy for users to report suspicious emails. The information collected should be used to help improve controls and awareness training.
Provide basic cyber training and measure its effectiveness. Our previous insights document[2] highlighted the importance of investing in training. Understand and measure the level of awareness within the organisation and its effectiveness so that additional training and support can be provided where it is needed.
CCG members recommended aligning additional training to the way that an attacker may target specific users or departments, such as those with access to critical systems or with the ability to transfer money. Align risk-based training with users’ roles, access and responsibilities. It was suggested that if real-life malicious examples are available, use these to educate all users.
React to potential compromise. Attackers will continue to adapt to new controls and the increased awareness of users. So, it is still important to have plans in place to react when a user opens a malicious attachment or link.
Treat email addresses as assets
Tackling malicious emails requires a comprehensive understanding and management of email addresses. This allows further management of the threat to reduce the likelihood that malicious emails will lead to compromise. CCG members shared the following insights and practices:
Treat email addresses as public information. CCG members agreed that the format of email addresses can be easily guessed and some email addresses can be easily found online. Email addresses should be treated as if they are publicly available information. It is important to account for this in risk assessments and when developing or adapting controls.
Make usernames for other IT systems unique. Avoid using email addresses as usernames. Create unique usernames that are not easily guessable, especially for externally facing systems (that connect to the internet).
Threat actors will often send multiple empty emails to understand which email addresses are actively used and those that are not. Where possible, switch off the standard email response message for non-active/existent email addresses.
CCG members agreed on the provision of additional security for high risk user groups. Create more complex email addresses for key decision makers and high-risk user groups to reduce the chance of them being successfully targeted. Consider whether high risk users require the ability to receive emails from outside the organisation, or indeed send to external mailboxes.
Distribution lists are an easy route for a threat actor to target multiple users within an organisation. Consider whether distribution lists can be used from outside of the organisation and whether use of them can be restricted internally.
CCG insights – third parties and supply chain
Organisations are increasingly seeing the need to understand the cyber risk that their suppliers present. CCG members agreed that it is important to ensure that suppliers’ approach to cyber risk fits with an organisation’s approach before engaging with them, as this is difficult to fix once onboarded. The profile of each third party should be measured and continually assessed to ensure they remain within risk appetite.
CCG sub-sector groups shared the following practices and insights for managing third parties:
Understanding third party suppliers
CCG members discussed how pre-contract workshops helped to understand suppliers’ operations and capabilities. Beside operational capabilities, it is important to understand their security capability and their risk exposure. This will enable firms to make an informed business risk decision regarding the supplier. Use these workshops to understand the suppliers’ key dependencies, the third parties that they will in turn rely upon to deliver the service(s) and what additional controls may be needed to mitigate the risks that they may also introduce.
Supply chains can quickly become complex relationships. Organisations need to identify those critical dependencies that third party suppliers rely upon to provide the service(s) they require. Maintaining a real-time view of dependencies underpinning important business services is vital to understanding the associated cyber risks.
Suggested questions for third party suppliers include asking what international industry standards and certifications the supplier has, the scope of the certifications they hold, and whether they can share their latest audit reports. CCG members agreed that certifications are one of the fastest ways to assess a supplier’s capability and their ‘fit’ with one’s existing business strategy. If the firm is already certified in ISO27001 for example, it would be sensible for suppliers to have the same, or to be working towards their certification.
CCG members discussed how contracts with suppliers should include elements such as clearly defined consequences for performance and SLA breaches. There should be frequent review points that include all operational elements and security responsibilities should be clearly defined. Rights to audit should be included and exercised, where relevant.
Establish and maintain control
Security standards should be clearly defined and communicated to suppliers. These must reflect the firm’s own risk appetite and more importantly be conveyed with consideration to the supplier maturity. Less mature suppliers may not be able to accept complex or costly requirements.
Reports and management information (MI) should be gathered from the supplier and be ‘fit for purpose’. Key performance indicators may be passed back mutually to inform the supplier, which again should be tailored so that MI is appropriate and effective.
CCG members agreed that the risks of each supplier must remain visible and be incorporated into the firm’s own risk management processes. Larger organisations may work collaboratively to create mutual taxonomies, such as those used for risk ratings.
In some cases, a supplier may have done a recent audit that covers some of the requirements of the organisation. Firms might review the output of that work before commissioning their own audit. Similarly, if the supplier works with several similar firms, they may be able to collate common information and provide this information so that a more focused audit is achieved.
People, process, technology
CCG members discussed how they currently screen employees and how they ask their critical suppliers do the same. Ideally, supplier’s employees should be vetted to the same standard as the firm using them, and in line with risk appetite.
CCG members considered it extremely important that third party access control to buildings, systems and data is closely managed and monitored. Where this access is performed remotely, key systems and controls need to be tested to make sure that no new vulnerabilities are introduced. Enforce good security practices such as Virtual Private Networks (VPNs), email authentication and secure Application Programming Interface (API) technology.
Firms should maintain a view of their suppliers’ software security capabilities. Suppliers should provide information such as the use of open-source code, support agreements with other suppliers, and vulnerability management processes.
Contractual arrangements should be clearly defined and support security and incident management. Security Operations Centres should be established with well-defined roles, responsibilities and protocols to handle day to day security operations and incidents, whenever they occur. A clear articulation of incident responsibilities is important.
Work together to improve
CCG members emphasised the importance of undertaking cyber exercises and learning with suppliers. Critical suppliers are a part of business and operations, and should be involved in the firm’s Business Continuity Plan (BCP) and cyber incident exercises.
Promote the sharing of information from the supply chain, especially in areas like cyber security and operational incidents. Understand where contagion may occur or where a failure may cascade through organisations and affect important services.