4 Cyber Defense Tips for Finance Industry CISOs
By Sean Atkinson, Chief Information Security Officer
When we think of a sector or industry most prone to cybercriminal activity, the financial sector comes to mind. With growing ransomware exploits and malware threats, financial sector organizations need to implement strict security controls to minimize risk. At the Center for Internet Security (CIS) we see the need for robust security controls both in the public sector at the state and local levels and in the private sector globally, across businesses big and small. To simplify and standardize across multiple compliance requirements, CIS provides cybersecurity best practices that help build and deploy a strong cyber defense program.
1. Trust the consensus-developed configurations
One of the best ways to strengthen a cyber defense program is to ensure it requires secure configurations. They are important for minimizing your organization’s attack surface and limiting the impact of cyber-attacks. CIS works with a global community of developers, CISOs, subject matter experts, and other IT professionals to develop the CIS Benchmarks, consensus-based configuration guidelines.
Each CIS Benchmark starts with a community on the CIS WorkBench collaboration platform. Community volunteers discuss things like data encryption standards, administrative privilege access controls, and which ports should be enabled/disabled for a particular system or application. As the team reaches a consensus, they test and validate each best practice to ensure the security recommendations will work in practice.
The Payment Card Industry Data Security Standard (PCI DSS) references the CIS Benchmarks for configuration security, making the benchmarks an essential security reference point for the finance industry. They are currently available for 140+ technologies to help secure operating systems, servers, cloud infrastructure, and more. The CIS Benchmarks are free to download in PDF format; additional, machine-readable formats are available through CIS SecureSuite Membership.
2. Utilize tools to automate compliance
A common theme among recent breaches is that organizations are not effectively ensuring appropriate configuration controls are managed. With CIS SecureSuite, organizations have access to tools and resources that can quickly implement secure configurations.
There are two main ways to speed up compliance with the CIS Benchmarks: CIS-CAT Pro and Build Kits. With CIS-CAT Pro, you can measure endpoints’ compliance with the CIS Benchmarks in just a few minutes. The tool offers remote assessment, steps for remediating noncompliant settings, and a dashboard component for reviewing compliance over time. These are just the highlights; sign up for a webinar to see CIS-CAT Pro in action.
The second option is to use a Build Kit. These kits are shell scripts and Group Policy Objects (GPOs) for Linux/*nix and Windows systems that automatically apply CIS Benchmark configurations to a target system. For each Build Kit, there are some settings, such as admin/root controls, that cannot be set automatically – these exceptions are noted in each kit. Want to see how they work? Have your IT team download a sample Build Kit and try it out.
3. Get the basics, then go beyond
With secure configurations, you can operate with confidence knowing your guidance is backed by a global consensus community. Your organization can get a clearer picture of its security gaps by using CIS-CAT Pro. CIS-CAT Pro provides actionable intelligence to help financial organizations implement consensus-based standards.
CIS SecureSuite is more than tools and resources, however; you get a security community. The CIS WorkBench platform features exclusive, Member-only communities as well as the CIS Controls Library. Your organization can leverage these resources to improve its cyber hygiene. Cyber hygiene includes security best practices such as those found in CIS Controls Version 7.1 Implementation Group 1. These are basic defensive controls that every financial institution should implement.
CIS WorkBench also offers CIS SecureSuite Members the ability to customize CIS Benchmarks to their specific organizational needs. For example, a CIS Benchmark for your operating system recommends setting a minimum password length of ten characters – but as CISO, you prefer a minimum of 15. Using CIS WorkBench, you can change the benchmark to match your organizational policy. You can then export that policy and measure against it using CIS-CAT Pro. Implementing a customized configuration policy is an advanced step in the development of many security programs.
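To make the customization scenario concrete, here is an added illustration (not CIS code, and not how CIS-CAT Pro or a Build Kit is implemented) of an audit-style check that reads the password minimum-length setting from a login.defs-style file and measures it against a policy value: the benchmark's default of ten, or the CISO's customized value of 15. The sample file contents and the function names are constructed for this example.

```bash
#!/bin/sh
# Added example (not CIS code): audit a password minimum-length setting against a
# configurable policy value, in the spirit of measuring a customized benchmark.

# Constructed sample of /etc/login.defs; a real audit would read the live file.
SAMPLE_LOGIN_DEFS=$(mktemp)
cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# constructed sample of /etc/login.defs
PASS_MAX_DAYS   365
PASS_MIN_LEN    12
EOF

# Print the effective PASS_MIN_LEN from a login.defs-style file (0 if unset).
# The last occurrence wins, matching how a later line overrides an earlier one.
effective_min_len() {
    awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print (v == "" ? 0 : v) }' "$1"
}

# Return 0 (pass) if the file meets the policy minimum, 1 (fail) otherwise.
# The policy defaults to 10 (the benchmark value in the text) unless overridden.
audit_min_len() {
    file=$1
    policy=${2:-10}
    actual=$(effective_min_len "$file")
    if [ "$actual" -ge "$policy" ]; then
        echo "PASS: PASS_MIN_LEN=$actual meets policy minimum $policy"
        return 0
    fi
    echo "FAIL: PASS_MIN_LEN=$actual is below policy minimum $policy"
    return 1
}

# Same system, two policies: the benchmark default passes, the stricter custom policy fails.
audit_min_len "$SAMPLE_LOGIN_DEFS" 10
audit_min_len "$SAMPLE_LOGIN_DEFS" 15 || true
```

The same file can pass the default benchmark and fail the customized policy, which is exactly the gap a tailored benchmark exposes when you measure against it.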
4. Start secure. Stay secure.
By starting with a secure base image built on the CIS Benchmarks, you can have peace of mind knowing that your configurations are consensus-developed. Leveraging CIS SecureSuite Membership tools and resources, your organization can grow its cyber defense program. The benefits go beyond help with PCI compliance, providing real security to help protect against attacks. Your security team can operate with confidence by measuring compliance over time to improve CIS-CAT Pro scores, and you’ll have all the evidence you need for the next cybersecurity audit.