How treasurers can stay safe in the face of sophisticated cyber-crime.
The most popular mechanisms for cyber-attacks consist of phishing, whaling and CEO fraud. Treasurers have many systems in place to combat these and their IT departments will provide basic technological protection measures to combat known threats, but it is worth considering these attacks and their impact in more detail.
Zero day is the term used when a unique cyber attack first manifests itself and has no known defence. It is vital in the event of a zero day attack that the information around the attack is shared as fast as possible.
Believing that treasury departments are vulnerable to cyber-attacks due to the amount of money transferred through the treasury department, Global Cyber Alliance (GCA) foresees that treasury departments will be subject to more zero day attacks than other areas of the business.
In their opinion, the average attack will be more sophisticated for those who work in treasury and the solution is to share data about attacks as fast as possible. This approach will not protect the first member to be attacked, but, it will protect the remainder. Furthermore, attackers will soon learn that treasury teams have a higher level of protection and so may choose other targets.
Working together to share knowledge on attacks
The Cyber Defence Alliance (CDA) is a “co-located federation of banks and law enforcement agencies working together to advance sector security”. The London-based CDA was created as a legal entity in 2015, to facilitate sharing of information following cyber security incidents. Banks joining it pay to help fund it and thereby gain access to the group’s pooled knowledge on the latest attack methods. The CDA model demonstrates how sharing and transparency is the best option even between competitors.
The CDA is a small core team that relies on the support of its members in terms of subject matter expert secondments, who have direct access back into their respective bank or organisation, remote teams, strategic partners and law enforcement. They share real-time information on anomalous attacks on networks, platform and systems across the member banks using a newly developed CDA Trust Platform for secure communication.
This has worked very effectively to date and has saved seven figure sums of potential cyber loss. Subject matter experts across member’s NOC’s, SOC’s and attack monitoring teams can share information in real time, enabling member banks to accelerate knowledge, innovation and preparedness against emerging and new attacks.
There are other well-known mechanisms, which allow intelligence sharing such as STIX & TAXI. You can find further information about this here.
These share indicators of compromise and so allow the community to know of a compromise and its detail. In many cases traffic light protocol (TLP) is used by organisations. This allows information to be quickly shared at RED level between members. At lower levels (Yellow/Green/White) information can be de-classified and shared to the wider group.
A key principal is that all members share a MOU, work to information sharing agreements and confidentiality agreements so that they agree to only release data at TLP RED between individuals in the organisations.
Some of the Global Cyber Alliance team helped to initiate CDA. If you would be interested in finding out more please do contact me on the details provided below.
GDPR has a “catch22” scenario which results in fines should there be insufficient cyber-attack planning. The act states that fines will be imposed if “reasonable steps have not been taken”. It is GCA’s view that if free technology and freely available advice has not been taken then there is a higher chance of prosecution.
Andy Bates, Executive Director – United Kingdom, Europe, Middle East & Africa, Global Cyber Alliance spoke at the ACT Cyber Security Evening on 14 January 2019.
GCA have derived some information from many sources but maintained their independence in this blog. They have peer-reviewed concepts with CDA & NCSC.
GCA recommend DMARC deployment which prevents email spoofing and therefore mandates fraud preventing reputational damage. They also recommend that all ACT members enable DMARC to reduce inbound email spoofing.
GCA also recommend DNS filtering. Many services are available however, on 16 November 2018 GCA launched a free to use DNS filtering service. They took 20 threat feeds and processed them to produce a comprehensive white and black list.
GCA is driven by members and builds solutions to internet crime based on suggestions and requests. If you would like to talk to Andy about how you could be involved please visit www.globalcyberalliance.org or contact him directly at firstname.lastname@example.org