By Roy Urrico
Finopotamus aims to highlight white papers, surveys and reports that provide a glimpse of what is taking place in, and/or impacting, credit unions and other organizations in the financial services industry.
Independent research published by Titania, a specialist in continuous network security and compliance, studied approaches to security and Payment Card Industry Data Security Standard (PCI DSS) compliance risk within U.S. commercial critical national infrastructure (CNI) organizations, including those in financial services. Titania’s latest findings suggest that the current approach to detecting misconfigurations in networks results in “unquantifiable levels of compliance risk.”
Titania, which has headquarters in Worcester, U.K. and Arlington, Va., found not only that CNI organizations are prime targets for threat actors, but also that their complex networks, large customer bases and long supply chains make them highly susceptible to attacks.
The in-depth survey was undertaken on behalf of Titania by London-based Coleman Parkes Research, which gathered responses from 160 senior network security decision makers in the U.S. across the military, federal government, oil and gas, telecoms and financial services sectors.
The report maintained, “Threats are fundamentally only ever a risk to organizations that are vulnerable to exploitation. So cyber-leaders in telecommunications, banking and utilities are now being urged to develop capability to proactively shut down attack vectors and detect indicators of compromise.”
Said Phil Lewis, CEO, Titania, “Complex networks, large customer bases, and long supply chains make these industries highly susceptible to attacks. The study reveals that given the current organizational approaches to network security, companies cannot be continuously compliant, and as a result carry with them unquantified levels of risk to the confidentiality, integrity, and availability of systems and data.”
Levels of Risk
According to research findings, “The recent cybersecurity advisory issued by the NSA (National Security Agency), CISA (Cybersecurity and Infrastructure Security Agency) and FBI warned there has been a spate of high-profile security breaches where unsophisticated tactics have been used to target vulnerable routers and switches. These devices have provided undetected pathways to alter network configurations and scale attacks. Attacks which have compromised the confidentiality, integrity and availability of these organizations’ critical systems, services and data. And their supply chains.”
The Titania research also suggested networks can change on a daily basis. “It is why many risk management and security control frameworks/programs – such as Payment Card Industry Data Security Standard (PCI DSS) 4.0 and DHS’s Continuous Diagnostics and Mitigation (CDM) program – recommend or require continuous monitoring of all network devices.
“This is to ensure a regular cadence of assessment to detect and mitigate vulnerabilities (both software and misconfigurations), before they can be exploited,” the report noted. “As left undetected, and therefore unmitigated, vulnerabilities could compromise the confidentiality, integrity, and availability of critical data and/or applications. And such compromise can and has caused critical operational and business/mission issues for oil and gas companies, telecoms and finance and banking organizations.”
PCI DSS, a global standard that provides a baseline of technical and operational requirements designed to protect account data, is currently top of mind for many organizations because of its new 4.0 version. PCI DSS v4.0 was released at the end of March 2022, although v3.2.1 remains active for a two-year transition period through March 2024, after which v4.0 is the only active version. Many organizations are already transitioning to the 4.0 standard, the report stated.
Research Takeaways
The study highlighted that oil and gas, telecommunications, and banking and financial services organizations are prime targets for threat actors that exploit vulnerable network device configurations to scale their attacks.
Survey responses across all sectors, per the research, suggest a disconnect between the perception of network security and the reality in the majority of cases. Four major findings:
1. Switches and routers are not checked for misconfigurations as part of annual audits, which amounts to near-ubiquitous security and compliance by sampling, an inherently risky approach.
2. Assessments are annual, or biannual in the vast majority of cases, meaning that exploitable configurations in firewalls may reside on networks, undetected, for up to 364 days.
3. With their current approach, organizations cannot comply with risk management and/or security control frameworks like PCI DSS 4.0 that recommend abandoning sampling in favor of regularly assessing all network devices.
4. Exploitable vulnerabilities in the form of critical misconfigurations in firewalls, and particularly in switches and routers, are currently an unquantified risk for 96% of Commercial CNI organizations.
Among the other findings:
· Only 37% could “very effectively” categorize and prioritize compliance risks that undermine the security of their networks.
· Almost all organizations (96%) reported not analyzing switches and routers when checking for misconfigurations and that checks are typically performed annually. However, most agreed that continuous (daily) risk assessment of every firewall, router, and switch is the most robust strategy to secure networks and maintain compliance.
· Over 80% agreed that their organization relies on compliance to deliver security. At the same time, all banking and financial services sector respondents said they are confident they meet their corporate security and external compliance requirements, compared with most oil and gas (98%) and telco (96%) respondents. “This data demonstrates disconnects between the perception of network security and compliance, and the reality,” said the Titania report.
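To make concrete what the report means by assessing every firewall, router and switch rather than a sample, here is an added example; it is not Titania’s product, nor the methodology of the survey. It is a small Python audit that parses constructed Cisco IOS-style running-config excerpts for four well-known hardening failures (Telnet permitted on VTY lines, default SNMP community strings, password encryption disabled, SSH version 2 not enforced) and then reports which findings a sampled audit would never have seen. Device names, config contents and check names are invented for illustration.

```python
"""Fleet-wide configuration audit: every device versus a sample.

Added example; not Titania's tooling and not the report's methodology.
Device names and config contents below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed Cisco IOS-style running-config excerpts (invented devices).
DEVICE_CONFIGS = {
    "core-sw-01": """
hostname core-sw-01
service password-encryption
ip ssh version 2
snmp-server community s3cr3tRO RO
line vty 0 4
 transport input ssh
""",
    "edge-rtr-01": """
hostname edge-rtr-01
no service password-encryption
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
""",
    "branch-sw-07": """
hostname branch-sw-07
service password-encryption
ip ssh version 2
snmp-server community private RW
line vty 0 4
 transport input ssh
""",
}

DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class Finding:
    device: str
    check: str
    evidence: str


def audit_config(device, config):
    """Return hardening findings for one device's running config.

    The four checks are deliberately simple string/regex matches on
    well-known IOS statements; a real checker would have to model the
    full config grammar, per-section context and vendor differences.
    """
    lines = [line.strip() for line in config.strip().splitlines()]
    findings = []
    for line in lines:
        # Telnet on a VTY line sends management credentials in cleartext.
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append(Finding(device, "telnet-enabled", line))
        # Default SNMP community strings let anyone read (or write) the config.
        match = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", line)
        if match and match.group(1).lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(Finding(device, "default-snmp-community", line))
    # Without this service, local passwords are stored as plaintext in the config.
    if "no service password-encryption" in lines:
        findings.append(Finding(device, "password-encryption-off",
                                "no service password-encryption"))
    # SSH v1 has known weaknesses; v2 should be pinned explicitly.
    if "ip ssh version 2" not in lines:
        findings.append(Finding(device, "ssh-v2-not-enforced",
                                "ip ssh version 2 absent"))
    return findings


def audit_fleet(configs, sample=None):
    """Audit every device (sample=None) or only the devices named in sample."""
    targets = configs if sample is None else {d: configs[d] for d in sample}
    findings = []
    for device, config in targets.items():
        findings.extend(audit_config(device, config))
    return findings


def coverage_gap(configs, sample):
    """Findings present in a full audit that a sampled audit never sees."""
    missed = set(audit_fleet(configs)) - set(audit_fleet(configs, sample))
    return sorted(missed, key=lambda f: (f.device, f.check))


if __name__ == "__main__":
    # Auditing only the core switch (a typical "sample") reports nothing...
    print("sampled findings:", len(audit_fleet(DEVICE_CONFIGS, ["core-sw-01"])))
    # ...while the full pass surfaces every misconfiguration on the fleet.
    for f in coverage_gap(DEVICE_CONFIGS, ["core-sw-01"]):
        print(f"missed by sample: {f.device:12} {f.check:25} {f.evidence}")
```

The point of `coverage_gap` is the report’s own argument in miniature: the sampled audit of the well-hardened core switch returns zero findings and would pass an annual review, while the full pass over the three constructed configs surfaces five misconfigurations, including read-write SNMP with a default community on a branch switch that a switch-and-router-excluding audit would never examine. Running the same pass daily against every device’s current running config is what turns this into the continuous assessment the frameworks ask for.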
Recommendations
The Titania research also noted that the majority of risk management frameworks and security policies now recommend a zero trust approach to continuous, proactive security as the key to protecting critical networks from preventable attacks. Zero trust is a strategy that presumes an organization cannot automatically trust anyone or anything attempting to access its resources.
“Security within the network boundary is as important as the security on devices forming the perimeter,” the report noted. Titania maintained networks must be “hardened from the inside-out, inhibiting lateral movement and making it as difficult as possible for intruders to gain entry and progress towards their goal.”
Added Titania’s Lewis: “A determined attacker will try a combination of approaches to access a network until they gain entry, and known vulnerabilities or misconfigurations are an easy way in. Companies must adopt both a zero trust mindset and network security best practices, to minimize the attack surface, inhibit lateral movement, and prevent intruders from meeting their goals.”