As published in the March/April 2020 edition  of InfoSecurity Professional Magazine

By Shaun Aghili, DBA, CISSP-ISSMP, CCSP, CISA and Bobby Swar, Ph.D.

In May 2018, two major banks in Canada—Bank of Montreal and Canadian Imperial Bank of Commerce—received email threats from malicious hackers claiming to have gained access to customers’ sensitive information. The attackers demanded $1 million in cryptocurrency from each bank or they would publicly release customers’ information. The successful attacks on these banks led to 90,000 customers’ account information being compromised and an undisclosed amount of money lost as the result of the security breaches.

In recent years, the global banking sector has been the main target of severe cyberattacks. This, of course, is largely due to the enormous assets and sensitive information managed by this sector—and most others globally. (See Figure 1, p XX.)

Figure 1 Title: Estimate of Global Financial Losses Attributable to Cyberattacks

Region	Region GDP    (USD, trillions)	Cybercrime Cost (USD, billions)	Cybercrime Loss (GDP%)
North America	20.2	140 to 175	0.69 to 0.87%
Europe and Central Asia	20.3	160 to 180	0.79 to 0.89%
East Asia & the Pacific	22.5	120 to 200	0.53 to 0.89%
South Asia	2.9	7 to 15	0.24 to 0.52%
Latin America and the Caribbean	5.3	15 to 30	0.28 to 0.57%
Sub-Saharan Africa	1.5	1 to 3	0.07 to 0.20%
MENA	3.1	2 to 5	0.06 to 0.16%
World	75.8	445 to 608	0.59 to 0.80%

Source: Lewis, “Economic Impact of Cybercrime—No Slowing Down,” 2018

At the Information Systems Security and Assurance Management department of Concordia University of Edmonton in Canada, we recently completed a study of 25 large-scale, North American banking security breaches over the past decade. Following a root cause analysis for each security breach, we conducted a literature review of some major information security-related frameworks and standards—including NIST 800-53 (R5), ISO 27001:2013,  ISO 27032:2012, COBIT 2019, the Office of the Superintendent of Financial Institutions’ (OSFI Canada) cybersecurity assessment-guide, and the Cloud Security Alliance’s Cloud Control Matrix (V. 3.0.1)—in order to compile a list of more than 50 cybersecurity best practices that could have mitigated these 25 banking cybersecurity breaches.

The following is a condensed version of these research-based best practices. Please note that this compilation is by no means comprehensive, but it could serve as a useful checklist and/or discussion points for information systems auditors and cybersecurity professionals in the banking industry and many (if not most) other sectors, including retail, service and manufacturing.

Governance

1. The mission, vision, core values, business strategies, and objectives of the enterprise should be well defined, prioritized and documented.
2. Both management and its board of directors should ensure that the enterprise maintains full adherence to all legal and regulatory requirements in order to avoid sanctions and to help reduce incidents of large-scale security breaches.
3. Management and the board of directors must ensure that the IT and audit functions within the enterprise receive the needed resources in order to effectively and proactively protect the enterprise from security breaches. As such, information systems’ security-related capacity management plan, which details the required resources to meet current and future cybersecurity needs, should be presented to the management and to the board of directors for review and discussion with the information security team and the audit department.

Policy Management

4. The enterprise information security policies should be defined, approved and implemented by management and communicated clearly to all stakeholders in such a way that all employees and stakeholders fully understand their roles and responsibilities to keep the enterprise secure.
5. Management should implement periodic reviews of information security policies to ensure they remain relevant.

 Training and Education

6. Management should ensure that all employees and business partners are properly trained to carry out their assigned duties and responsibilities related to cybersecurity policies, procedures, and other related agreements through the implementation of a robust and continual information security training program.
7. Customers should also be sensitized to prudent cybersecurity practices through an effective and consistent information security awareness program.

Risk Management Considerations

8. Management should invest an appropriate amount to implement a comprehensive and relevant information system security-related framework.
9. Management should also be committed to ensuring that the implemented framework and risk management procedures continue to achieve their intended outcomes and objectives.
10. Approved risk management processes should be properly documented and communicated to all stakeholders.

Access Control (Physical and Logical)

11. A defense-in-depth approach in terms of the physical security of assets should be adopted that includes effective use of controls such as CCTV cameras, motion detectors, security personnel, locks, trap doors, fences, bollards, and smoke/fire detection mechanisms, just to name a few.
12. Access to physical assets should be adequately restricted, and all access to such assets should be documented and reviewed on a regular basis.
13. Appropriate remote access configurations and connections procedures should be established, implemented, documented, and monitored continuously.
14. All remote maintenance efforts on systems should be approved and logged in order to prevent unauthorized access.
15. An appropriate access control architecture, based on the enterprises’ information access and security needs, should be implemented and continuously monitored.
16. An appropriate password policy detailing mandates for password complexity, expiration, account lock out, password reset procedures, minimum and maximum password age, as well as the use of password random generators, one-time passwords and strong authentication (such as the use of biometrics) for critical systems needs to be drafted, implemented, and reviewed at regular intervals.
17. Access control should also be based on the principle of least privilege. Auditors should also ensure that previous access privileges for employees do not result in an access control scope creep.
18. Access control logs must be properly set up and reviewed on a consistent basis.

Disaster Recovery (D/R) Considerations

19. Detailed and appropriate disaster recovery and business continuity policies, procedures and processes should be developed, properly communicated, and reviewed on a regular basis (ex: yearly) based on lessons learned, test results, and/or environmental changes.
20. D/R plans should be regularly tested and updated on an annual basis.
21. D/R related documents, such as call trees, should be updated on a regular basis.
22. Critical systems need to be clearly identified and should be given top priority in terms of expedient approach to get them back up and running as quickly as possible.

HR Considerations

23. The human resources department is the first line of defense for information systems security’s weakest link, namely employees. As such, the HR hiring and performance evaluation procedures, such as thorough background checks, should be established and followed consistently.
24. The HR department should also ensure that the enterprise’s non-disclosure requirements and information security policies are read and understood by all employees.

Audit Considerations

25. Management should ensure that the internal/information systems audit activity is properly structured and implemented. These include the creation of an audit charter and appropriate reporting mechanisms to management and the board of directors.
26. Audit policies and procedures should be documented and reviewed on a regular basis based on lessons learned from data security breaches and previous audit results and experiences.
27. Audit activities should be risk-based and continual in nature throughout the enterprise in order to ensure that appropriate controls, based on a defense-in-depth approach, are implemented and that such controls continue to remain effective as the business environment continues to change and evolve.
28. The audit activities should also entail regular scanning of the enterprise’s website(s), applications, and third-party plugins. Regular penetration testing in high-risk enterprises, such as banks, should be considered as a proactive approach to prevent future data breaches. Such penetration tests should only be conducted by highly qualified penetration testing teams, not by the enterprises’ audit team unless its members are qualified to conduct penetration testing activities.
29. Disaster recovery plans should be continually reviewed, along with its periodic testing results, to ensure that the enterprise maintains the capabilities to resume full operations as quickly as possible when needed.
30. Secure input data validation processes to prevent common attacks, such as SQL injection and parameter tampering on websites, should be tested regularly.

Continuous Monitoring

31. Continuous monitoring should be effectively incorporated as an effective and integral part of the control process in order to help both auditors and information security specialists within the enterprise to detect security-related anomalies.
32. Audit trails and exception reports should be reviewed consistently by not only the audit team, but also by experienced information systems personnel as appropriate.
33. Audit logs and exception reports should be secured in order to prevent unauthorized access to them.

System and Data Lifecycle Management

34. Management should ensure that an accurate and comprehensive inventory of information system-related assets (hardware, software, applications, data, intellectual properties, etc.) is created and kept up to date.
35. All inventories assets should be classified based on risk and criticality.
36. Appropriate procedures for handling and managing all assets throughout their lifecycles are identified, documented, properly communicated, and consistently enforced.
37. Change management policies, procedures, and processes should be developed, implemented, and strictly enforced.
38. All changes/modifications/major updates to servers, software, and applications should be reviewed and approved by an appropriate committee prior to implementation with proper contingency plans in place, in case an intended change does not proceed as planned.

Removable Media and BYOD Devices

39. A comprehensive removable disks and BYOD devices policy and procedures should be established, documented, and strictly enforced through a continual monitoring approach.
40. In high risk departments, employees should require appropriate written approvals to use removable media or BYOD devices based on their job functions.
41. Sensitive information on removable media or BYOD devices should be encrypted, and whenever possible such devices should also be equipped with a remote data deletion mechanism.

Network Security

42. An appropriate and framework-based information systems’ security architectural approach should be devised and implemented. This includes system and network segmentation, physically, and logically.
43. Network performance and protocols baselines must be well defined and reviewed regularly in order for the cybersecurity team and/or intrusion detection systems to detect system anomalies quickly and effectively.
44. An effective and appropriate network defense-in-depth using appropriate technologies approach should be devised and implemented. These include the effective use of anti-malware software, firewalls, and intrusion detection or prevention systems as appropriate.
45. All sensitive data should be encrypted while at rest, in transit, or at end points.
46. An effective cryptographic key management approach must be established and followed.
47. All systems should be properly hardened by disabling unneeded services, closing unused ports, and updating default passwords.
48. Effective mechanisms should be in place to ensure that all systems are updated effectively and expediently with the latest patches and security updates.

49. Procedures and processes involved in the configuration of servers, websites, routers, firewalls, networks, and switches should be documented and reviewed by the cybersecurity and/or the audit team to help prevent errors that could lead to unauthorized access.
50. An important and sometimes neglected area is the related network security risks associated with third-party information systems and cybersecurity practices. As such, all third-party information systems should also be subjected to appropriate security standards, requirements, and controls assessed at the beginning of a business relationship and ensuing regular audits.

SHAUN AGHILI, DBA, CISSP-ISSMP, CCSP, CISA and BOBBY SWAR, Ph.D., both work at the Information Systems Security and Assurance Management department of Concordia University of Edmonton in Canada. This is their first article for the magazine.