How the Financial Services Industry Can Prevent Ransomware

There has been much media coverage of ransomware over the past several months. The healthcare industry has been in the spotlight most recently, but financial services is certainly not immune to this threat. Back in mid-2014, a U.S. brokerage house fell victim to CryptoWall, which both encrypted and exfiltrated data from that institution. Although there have been few public disclosures of ransomware incidents at financial institutions recently, CryptoWall was one of the top three threats to the industry in both 2014 and 2015 based on research by Unit 42, the Palo Alto Networks threat intelligence team. In late 2015, the U.S. Federal Financial Institutions Examination Council (FFIEC) and the Financial Services Sector Coordinating Council (FSSCC) issued separate alerts on cyber extortion and destructive malware, respectively. So it is clear that the financial services industry needs to be prepared to address such attacks.

Ransomware is essentially malware that encrypts data on personal computers and network drives and withholds the decryption key until a payment is made to the perpetrator. The ransom demanded is usually a modest amount, set low to increase the likelihood of payment. Ultimately, this may boil down to a business decision weighing the time and effort required to restore files from back-ups against the cost of the ransom for the decryption key (with no guarantee that the attacker will actually deliver a working key). For more details about the evolution of ransomware, please see the new report on ransomware trends from Unit 42.

To limit the impact of ransomware, financial institutions should take regular back-ups of data on PCs, shared drives and any other storage systems. The back-ups also need to be verified, so that there are no surprises when a restore is needed. Because ransomware encrypts whatever it can reach, including network drives, a back-up that is reachable from an infected host can itself be encrypted; at least one copy should therefore be kept offline or otherwise out of the malware's reach. All of this should already be a recurring practice under business continuity plans, but it is worth validating, since viable back-ups are integral to any ransomware remediation.
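The verification step above is easy to state and easy to skip. The following script, added here as an example and not code from the original post, records a SHA-256 manifest of a known-good back-up tree and later compares the tree against it, reporting files that are missing, changed or unexpected. The directory layout, file contents and the simulated ransomware pass are constructed sample data; the manifest must be stored somewhere the backup host cannot overwrite (for example with an offline copy), otherwise an attacker who encrypts the share can rewrite it too.

```python
"""Backup-verification example (added here; not from the original post).

Builds a SHA-256 manifest of a known-good backup tree and later checks the
tree against it. Ransomware that reaches a backup share rewrites files in
place or renames them, so "changed" and "missing" entries are the signal
that a restore from this copy would not give clean data. The file names and
contents below are constructed sample data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files don't need to fit in RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # a link is not the data; skip it
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare the backup tree against a trusted manifest.

    Returns {"missing": [...], "changed": [...], "unexpected": [...]}; all
    three lists empty means the copy matches what was recorded.
    """
    current = build_manifest(backup_root)
    shared = manifest.keys() & current.keys()
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in shared if manifest[p] != current[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: record a manifest, then simulate a ransomware pass."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "backup"
        (root / "ledger").mkdir(parents=True)
        (root / "ledger" / "q1.csv").write_bytes(b"acct,amount\n1001,250.00\n")
        (root / "ledger" / "q2.csv").write_bytes(b"acct,amount\n1002,90.00\n")
        (root / "notes.txt").write_bytes(b"quarterly close checklist\n")

        manifest = build_manifest(root)  # taken while the copy was known-good

        # Malware reaches the share: q1.csv is overwritten with ciphertext,
        # q2.csv is encrypted to a renamed file, and a ransom note is dropped.
        (root / "ledger" / "q1.csv").write_bytes(bytes(range(32)))
        (root / "ledger" / "q2.csv").rename(root / "ledger" / "q2.csv.locked")
        (root / "HOW_TO_DECRYPT.txt").write_bytes(b"pay 1 BTC\n")

        return verify_backup(manifest, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest is taken when the back-up job completes and checked before every restore and on a schedule; a non-empty "changed" list on a copy nobody should have written to is an incident, not a housekeeping note.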

Preventing infection in the first place is an even better course of action. It avoids lost productivity and disruption to business operations, as well as the overhead of removing the malware and restoring the encrypted files. By establishing defenses at multiple layers of the network, the following steps will significantly reduce the chance that a ransomware attack is widely successful.

  • Scan and block suspicious files (e.g., portable executables, including those inside archives or with misleading file names) in all inbound e-mail and web-browsing sessions
  • Prevent the ingress of malware by using intrusion prevention systems (IPS) for known threats and sandbox analysis for zero-day threats
  • Block outbound traffic to malicious URLs or sites, which may be part of the ransomware attack lifecycle (e.g., payload download or key exchange with the attacker's infrastructure)
  • Prevent exploits and malware execution on PCs and servers with endpoint protection capabilities beyond anti-virus and host IPS
  • Contain any threats by segmenting the internal network to limit lateral movement and minimize the fault domain
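The first step, scanning inbound files for portable executables, only works if the check looks at content rather than the file name. The following filter is an added example, not the vendor's code or anything from the original post: it recognizes a Windows PE by its "MZ" DOS header and the "PE\0\0" signature at the offset stored in the e_lfanew field, and it looks inside ZIP containers. The sample attachments, the nesting limit and the member-size limit are constructed assumptions for the demonstration.

```python
"""Attachment filter example (added here; not the vendor's code).

Identifies Windows portable executables by content rather than by file
name: a PE file starts with the DOS magic "MZ", and the 32-bit little-endian
field at offset 0x3C (e_lfanew) gives the offset of the "PE\\0\\0" signature.
Checking both, and looking inside ZIP containers, catches the usual dropper
tricks: an .exe renamed to statement.pdf.scr, or an invoice.zip holding a
script. Sample attachments and limits (nesting depth, member size) are
constructed assumptions for the demo, not values from the original post.
"""
import io
import struct
import zipfile

PE_SIGNATURE = b"PE\0\0"
SCRIPT_SUFFIXES = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
MAX_DEPTH = 2                    # archives nested deeper are blocked, not unpacked
MAX_MEMBER = 50 * 1024 * 1024    # flag (and skip) members larger than 50 MiB


def is_pe(data: bytes) -> bool:
    """True if data carries a consistent MZ header and PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def block_reasons(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Reasons to block this attachment; an empty list means allow it."""
    reasons = []
    if is_pe(data):
        reasons.append(f"{name}: PE executable by content")
    if name.lower().endswith(SCRIPT_SUFFIXES):
        reasons.append(f"{name}: script attachment")
    if data[:4] == b"PK\x03\x04":  # local file header: a ZIP with members
        if depth >= MAX_DEPTH:
            reasons.append(f"{name}: archive nested too deeply")
            return reasons
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER:
                        reasons.append(f"{member}: too large to scan")
                        continue
                    reasons.extend(block_reasons(member, zf.read(info), depth + 1))
        except (zipfile.BadZipFile, RuntimeError):
            # zipfile raises RuntimeError for password-protected members, a
            # classic way to get past content scanning, so block those too.
            reasons.append(f"{name}: unreadable or encrypted archive")
    return reasons


def fake_pe() -> bytes:
    """Smallest constructed byte string that satisfies is_pe()."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> right after the header
    return bytes(hdr) + PE_SIGNATURE + b"\0" * 20


def zip_of(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, blob in entries.items():
            zf.writestr(member, blob)
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Constructed attachments, as a mail gateway would see them."""
    samples = {
        "statement.pdf": b"%PDF-1.4\n%...",                         # benign
        "statement.pdf.scr": fake_pe(),                               # renamed executable
        "invoice.zip": zip_of({"invoice.js": b"new ActiveXObject('WScript.Shell')"}),
        "archive.zip": zip_of({"inner.zip": zip_of({"payload.exe": fake_pe()})}),
    }
    return {name: block_reasons(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'ALLOW' if not reasons else 'BLOCK: ' + '; '.join(reasons)}")
```

The depth and size limits matter as much as the signature check: an unbounded recursive unzip turns the filter itself into a denial-of-service target, and an encrypted archive that cannot be inspected should be treated as hostile rather than waved through.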

The Palo Alto Networks Next-Generation Security Platform offers a multi-layered approach to preventing ransomware from infecting financial services institutions. These capabilities can form part of an overall defense plan against ransomware. To learn more about how this works, visit our Financial Services resource page.

[Palo Alto Networks Research Center]

Don’t Put Off Till Tomorrow What You Should Start Today (Part 2)

In the first blog of this series we reviewed perceptions of, and current states of preparation for, the EU legislative changes and how they affect your cybersecurity strategies, drawing on information collected during registration for a webinar run with ISACA for practitioners.

News Flash: On May 4, 2016, the European Union (EU)'s General Data Protection Regulation (GDPR) was published in the Official Journal of the EU. The regulation enters into force 20 days after its publication, on May 24, 2016. Its provisions become directly applicable in all member states on May 25, 2018, so companies will need to comply with the GDPR as of that date.

The GDPR will replace the 1995 Data Protection Directive (95/46/EC). The GDPR is a complex piece of legislation with many different requirements, and coming into compliance with them all by the May 25, 2018 deadline will take extensive work for companies around the world that handle the personal data of EU residents.

In this second blog, we will examine three further questions that we asked live. Note that many people listen to such sessions after the recording is published, so the sample for the live polls was just over 300, but I would suggest this still gives us a very valuable sample of perceptions.

Obviously any new legislation is implemented with noble intent. In this instance, the way in which we use and depend on the Internet has evolved, and there is a desire to build confidence in society as our digital world grows. It was therefore good to see that 74 percent of respondents saw the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS Directive) as raising the bar for cybersecurity compared to their current capabilities. Nine percent felt that existing security regulations in their industry were already higher; I would suggest these are most likely organizations in the financial services space. But we should consider that the bigger the gap between where organizations are today and the required state, the more time and budget will be needed to achieve compliance. As such, one of the first tasks for any organization should be to complete a gap analysis to establish the scope of the work ahead and, importantly, to get the right executive sponsorship behind the project.

The second poll looked at what that gap analysis had shown. Nearly half (44 percent) suggested they have significant work ahead. There are both positives and negatives here. There is an indication that analysis has been done, but only 14 percent said they had a managed project already underway. A concerning 36 percent said they had no idea of the effort required, or were not planning to focus on becoming compliant until the legislation goes live.

This highlights quite different perceptions of the legislation across the EU and across industry groups. But with harmonization being a key driver for the EU, I would anticipate that, in years to come, the diversity of answers will reduce.

As a security leader, it is critical that the decision on how to achieve compliance is made collaboratively: engage the legal team, business leaders and the cybersecurity team so that the business can make an informed decision on the right next steps. It is easy to state simply that this is a "must", but each business needs its own review of the gap analysis, the costs of compliance, ownership and investment strategy. For some, the timescales and investment required may already be too constrictive.

The final poll bore this out: only 35 percent of respondents were confident in their company's ability to meet the 2018 deadline. Thirty-six percent already considered the timescales tight, and 14 percent did not expect to make the go-live date. Of note were the 15 percent still waiting for timelines to be finalized; I would suggest that these are now sufficiently well defined. We should not be waiting to act, but for many, legislation can be a complex quagmire. That is why organizations must engage with their legal teams and ensure they get educated, and stay informed, about these laws and how they affect cyber strategies.

Hopefully the insight from your peers gives you confidence that you are in line with others on your journey in adhering to the upcoming requirements. If you are not, may that insight help you gain the business support you need to validate the importance of catching up with your peers.

So what next? I would suggest you consider the following key steps in your action plan:

1. If you haven’t already, start preparing now!

2. Stay informed. Palo Alto Networks will continue to provide updates on what this means for you and your cyber strategies on our microsite: http://go.paloaltonetworks.com/regulation.

3. Assign executive ownership.

4. Complete a gap assessment: Can you qualify your risk today, and do you have the relevant regard for "State of the Art"?
– Work with your auditor/advisors to produce a clearly defined risk assessment.

5. Ensure you have legal and privacy guidance (internal/external) to validate that you have the right understanding of the legislation for your business.

6. Define a plan to adopt, and maintain, relevant regard for "State of the Art".

7. Make a clear plan on how you will deal with incidents, as they will happen.

8. Ensure you have made conscious decisions on how you balance your investments between prevention and detection ("State of the Art") and responsive capabilities.

[Palo Alto Networks Research Center]

Certified Cloud Security Professional (CCSP) – Vietnamese Walk of Fame

Total listed: 6

Last Updated: 10-JAN-2022

All statistics are based on personal verification. Use them at your own risk, for reference only. The total may differ from the public (ISC)² list, since it includes active, inactive and suspended certification holders, and both local and overseas Vietnamese. If you are a Vietnamese (local or overseas) CCSP and your name is not in this list, or you believe any information is wrong, please contact me. Thank you so much.

• For (ISC)² certification verification, see: https://webportal.isc2.org/custom/CertificationVerification.aspx
• For (ISC)² member counts, see: https://www.isc2.org/member-counts.aspx


ID     | Name                                     | Current role                                                                          | Date of Certificate
-------|------------------------------------------|---------------------------------------------------------------------------------------|--------------------
       | PHILIP HUNG CAO – PHILIP HÙNG CAO        | Cyber & Zero Trust Evangelist                                                         | MAY-2016
366342 | NGUYEN TRUNG LUAN – NGUYỄN TRUNG LUẬN    | Business Director at Mi2 (Hanoi, Vietnam)                                             |
593068 | LEO DANG XUAN TRUONG – ĐẶNG XUÂN TRƯỜNG  | Cloud Security Architect – Prudential Group Information Security (Singapore)          | MAR-2018
       | PETER NGO                                | Product Line Manager, Certifications at Palo Alto Networks (Irvine, California, USA)  | 09-DEC-2020
       | DANG HUY THUAN – ĐẶNG HUY THUẬN          | IT Risk & Compliance Officer at MBBank (Hanoi, Vietnam)                               | 08-JAN-2021
654994 | TRI NGUYEN – NGUYỄN TRÍ                  | Senior Security Engineer at Carousell Group (Saigon, Vietnam)                         | 05-JAN-2022
©2016-2022 Philip Hung Cao. All rights reserved. Please cite the source when you copy or quote information from this website.