Banks Plan National Cyber-Attack Drill
Simulation Designed to Help Test Defenses
Banking institutions often stumble when it comes to communicating about cyber-attacks, says Dennis Simmons, president and CEO of SWACHA, a regional payments association. But a simulated cyber-attack drill set for October aims to address those challenges, he says.
More than 1,000 banks and credit unions throughout the U.S. will test their incident response strategies as part of this cyber-attack exercise.
"[It's] about having a vehicle set up to be able to communicate quickly and efficiently about what's happening in these kinds of attacks and then doing the postmortem, the debriefings afterwards, to find out what could have worked better," Simmons says during this interview with Information Security Media Group [transcript below].
In the wake of high-profile incidents, such as the wave of distributed-denial-of-service attacks against U.S. banks over the last year, Simmons says too many institutions falter when it comes to communicating with peers and customers at the time of attack.
"[The simulation] helps an institution understand its own internal communication and internal response to these types of incidents," Simmons says.
The simulated attacks also should help institutions identify gaps in their security and risk management programs, Simmons says. "One of the major weaknesses that we've identified is making sure that not only do the financial institutions understand these exposures and risks, but also making sure that their customers are aware of what's happening in these kinds of attacks," he says.
During this interview, Simmons discusses:
- Why payments breaches and network vulnerabilities are getting more attention;
- How law enforcement is working with SWACHA, the Financial Services Information Sharing and Analysis Center and others to encourage more cyber-attack simulations; and
- How more simulated attacks can improve cyber-attack response and intra-departmental information sharing.
As head of SWACHA, Simmons is a nationally recognized payments expert. He serves on the board of directors for NACHA. He's chairman of NACHA's Government Relations Committee, past chairman of NACHA's Electronic Check Council and past co-chairman of NACHA's Risk Management Advisory Group. He also is the immediate past chairman of the Payments Executives Leadership Forum. He is a founding member of the board of directors of the Secure Remote Payment Council and a member of the advisory council and faculty of the Bank Operations Institute at Southern Methodist University.
TRACY KITTEN: What's SWACHA's interest in ensuring that banking institutions are adequately protecting their networks from emerging cyberthreats and attacks?
DENNIS SIMMONS: There has certainly been a lot of interest focused on what's happening to banking institutions of all sizes, the vulnerabilities they might have to cyber-attacks, whether it's from a political perspective or from someone just trying to do corporate account takeover or business account hijacking. A lot of emphasis has been placed on understanding and identifying those risks.
KITTEN: How did SWACHA link up with the FS-ISAC for this cyber-attack exercise?
SIMMONS: SWACHA has been a member of FS-ISAC for a number of years and we've always been very proactive in assisting FS-ISAC with these exercises. We partnered not only with FS-ISAC but also with the other regional payments associations of NACHA. NACHA itself and several other major national banking associations and credit union associations have also participated in this. It's an industrywide effort.
Focus of Simulations
KITTEN: Are these simulated attacks focused solely on payments, or are other cyberthreats, such as distributed-denial-of-service attacks, also being simulated and tested?
SIMMONS: There's a two-pronged approach to it. One of the things to look at is if an institution's infrastructure is sound. Can they handle a DDoS attack? What we've found when we've seen some of these instances in the past is that the DDoS attack is really a diversionary tactic. The bad guys may launch a DDoS attack to divert the attention of IT folks in an institution while they're coming in around the back door or some other way into the institution to hijack an account or initiate wire transfers that are inappropriate. That's really why we have focused on DDoS as well as these other security measures that financial institutions can take.
KITTEN: What would you say are some of the weaknesses that SWACHA has identified?
SIMMONS: One of the major weaknesses that we've identified in education is making sure that not only do the financial institutions understand these exposures and risks, but also making sure that their customers are aware of what's happening in these kinds of attacks. But there's also the issue about communication, about having a vehicle set up to be able to communicate quickly and efficiently about what's happening in these kinds of attacks and then doing the postmortem, the debriefings afterwards, to find out what could have worked better. Education and communication are two things that will always be with us, but that doesn't mean we just give up and don't continue to focus on them.
Threats to Payments
KITTEN: Wouldn't you say that most of the cybervulnerability that's linked to payments is often on the side of the retailer or the processor, not the banking institution?
SIMMONS: I think that's a fair statement. Think about the motivation of the bad guys and the vectors that they're using to attack these various vulnerabilities. The retail space and payments processor space - they're going after credit card information. They're going after debit card information. Sometimes they're going after banking information. There are certainly groups that are focused on obtaining that kind of information.
The other part of it, though, is the vulnerabilities that are exploited for the banking industry really are focused on looking for vulnerabilities for making the one big score, if you will, hijacking or stealing a thousand credit cards or five thousand credit cards. They're looking to make one or two big hits. That really reduces their exposure. It's unfortunate to put it in this term, but it also reduces their cost of doing business. They don't have to worry about maintaining an inventory of a thousand credit cards. They've got one or two accounts that they have hijacked and they've got a big payday out of it. I think it's fair to say that no industry is exempt from these guys trying to get a hold of information about customers and sensitive information about account numbers.
KITTEN: What can you tell us about the simulated attacks themselves?
SIMMONS: We've had such success with this process that we've actually had to divide it into two different groups. We're doing it on two different days in October. I believe the last time I saw some numbers, we had over 1,000 financial institutions signed up across the country. This is a nationwide effort. This is not just SWACHA, but it's also the FS-ISAC working with NACHA, the national banking trades, and all the regional bank associations that are affiliated with NACHA. We're all promoting this, marketing it and making our members aware that it's available and it's something that they can take advantage of.
KITTEN: Do you have any idea about the number of employees within each banking institution who will be participating in these attacks?
SIMMONS: It varies. As you might imagine, we've got relatively small institutions and we've got some that are very large. Depending on the scale of the institution and how they manage their IT security, you might see anywhere from a couple of folks from a smaller institution to maybe an entire team of five, six or seven people at a large organization. That's one of the nice things about the way this thing is structured. Each institution can participate. It's a tabletop exercise so they can participate at their own pace and scale it to their own operations.
KITTEN: How will these simulated attacks be waged?
SIMMONS: It's a tabletop exercise. The only thing that's really required to be able to participate is an e-mail address and telephone number. The individuals who have signed up to participate in the exercise will get an e-mail that lays out the scenario: This is what has happened; this is what's happening now; and these are the attacks that are taking place. You take that information, get with your team and say, "What would we do as an individual institution to respond to this scenario that has been given to us?" They work through that and then, afterward, do a debriefing. There's a Q&A that's provided. It's a guided discussion about: What could you have done better? What worked well? What needs to be improved? It helps the institution understand its own internal communication and its own internal response to these kinds of incidents.
KITTEN: How can banking institutions learn more?
SIMMONS: Go to the FS-ISAC website: www.fsisac.com/capp.