December 17, 2012

Preparedness, vigilance keys to addressing mounting cyber threats

Contributed Photos
Contributed Photos
Agnes Chan, director of Northeastern’s College of Computer and Information Science, says an interdisciplinary approach is needed to fight cyberterrorism.
Christopher Afre, vice president and information security officer at Farmington Bank, says ‘operational resilience’ is the best defense against cybercriminals.

Cybersecurity breaches continue to plague the information technology community in and outside Connecticut.

Last year, the Department of Homeland Security's U.S. Computer Emergency Readiness Team received more than 100,000 incident reports and released more than 5,000 actionable cyber security alerts and publications.

Anti-virus software maker Symantec 2011 State of the Enterprise report identified cyber-risk as the top concern of IT staffs, and reported that an average enterprise incurs more than $2 million per year in service loss due to security issues.

This fall, six of the largest banks in the U.S., including JPMorgan Chase, Bank of America and Wells Fargo — all of which have Connecticut branches — simultaneously fell prey to an unprecedented cyber attack.

While the massive breach left customers and bank staff seeing red for several hours, the incident also returned to the forefront the issue of the safety of the nation's financial institutions.

While many experts say these types of cyber attacks are just a preamble to a wave of potentially more crippling incursions, others believe the security measures in place will prevent such disasters.

Regionally, banks big and small face these issues daily. But, in many cases, trying to remain a step ahead of the hackers is proving difficult as manpower, technology and financial roadblocks often stand in the way of progress.

"We, like all other banks, deal with threats to our electronic infrastructure," said Christopher Afre, vice president, information security officer at Farmington Bank. "There is already evidence that the world's electronic infrastructure is under attack. The attackers are attempting to identify what they can infiltrate and whether those actions will be successful."

Financial markets are not the only industries being targeted, said Afre, adding transportation systems, industry and the energy sectors, too, are the focus of hackers.

Cybercriminals are certainly becoming more and more sophisticated, not only having access to the same regulations that the banking industry must follow, but also being armed with the understanding that many organizations will only implement their information security programs to address these regulations.

Ultimately, for Afre, information security is paramount in business operations and the cost involved with implementing such security is a primary tool in combating cybercriminals.

As with all financial institutions, Farmington Bank must comply with all applicable regulations. But the bank goes a step further.

"We add the element of operational resilience to create a secure and safe banking environment for our customers," Afre said. "Operational resilience at Farmington Bank means a holistic approach combining information security, business continuity and IT operations. We achieve this through our people, procedures and methods, and tools and equipment. Our goal is to create a best-practice model that ensures our resiliency at all times."

With that as a shield, Afre says would-be criminals cannot easily identify deficiencies in an organization's security architecture and exploit them.

One of the biggest challenges is that banks must manage the protection of their customers and their respective businesses concurrently. A critical component of this balancing act, Afre said, is educating the end user.

"Remember, technology does what we tell it to do," he said. "It is the end user that downloads attachments and clicks on links in emails. It is the end user that browses to unsafe sites. Therefore, educating end users — both employees and customers — on how to operate technology safely is paramount to the cyber security issues facing banks today."

Afre likened it to being licensed to drive, own a handgun, or operate heavy machinery, saying one purpose is to ensure the public understands the risks associated with performing these activities and how to minimize or eliminate those risks.

"Though a license to operate technology is not necessary," Afre said, "all users need to develop a basic understanding of how computers operate and the risks associated with certain activities that they can perform."

Massachusetts cyber security authority James Gordon knows a thing or two about being innovative and staying ahead of the curve.

As information technology officer at Needham Bank, Gordon says he is committed to implementing technology initiatives that positively impact lines of business, the customer experience and the bottom line. He is also a firm believer in thinking outside the box. Recognizing their functionality, Gordon introduced iPhones at the bank back in 2008 before they became trendy.

For Gordon, the race to access information is a driving force behind the rash of attacks.

"Information is power, and in today's world information is electronic," Gordon said. "Look no further than the 'rumors' of state sponsored attacks to gain the upper hand, either in business or defense. A small investment in an elite group of hackers can pay tremendously given the target or information exfiltrated. Hackers only need to look for one hole, where IT managers have to defend and patch everything."

Gordon believes protection can't be calculated, but should be deeply embedded in every transaction — with customers and vendors alike.

"Any bank today must have a strong vendor management program that continually looks at the security aspect of the relationship," Gordon said. "It's incumbent on the financial institutions to assess their security requirements, both digital and physical, and then make the vendor adhere to that standard. Security isn't one person's job; it's everyone's responsibility."

Cyber attack preparedness has carried over into the classroom environment as well.

Last May, the National Security Agency unveiled four universities as national centers of academic excellence in cyber operations, including Boston's Northeastern University, the University of Tulsa, Dakota State University and the Naval Postgraduate School.

The program enables students to pursue undergraduate and postgraduate degrees while receiving real-world training that will arm them with the advanced technical training and skills necessary to tackle emerging cyber threats.

"It is critical for the country to have enough well trained cyber security professionals to be prepared to defend the country," said Agnes Chan, director of graduate education in Northeastern's College of Computer and Information Science. "Technology alone cannot solve security problems, people have to be aware of the social contexts related to cyber security. It is critical that interdisciplinary programs such as ours are created with the goal of producing well prepared cyber-corps."

Chan said "hands-on" experience has to be part of the training in cybersecurity.

Lab exercises are associated with almost every cyber security-related course at Northeastern. Students are also provided with the opportunity to participate in competitive cyber exercises, such as the National Collegiate Cyber Defense Competition (NCCDC) and Capture the Flag events.

The NCCDC is a nationwide competition among participating universities that puts students in a situation where a simulated enterprise is under cyberattack and the students have to maintain the operations of their enterprise. Capture the Flag events provide a more attack-oriented exercise where students are asked to penetrate other network infrastructures.

"Students who are interested in the activities have regular meetings with their faculty coaches to be trained and prepared for the competition," Chan said. "Many of our students participate in co-op and/or internship programs with DoD agencies where they can further their education through practices."

Most Popular on Facebook
Copyright 2017 New England Business Media