OFFICIAL PUBLICATION OF THE COMMUNITY BANKERS ASSOCIATION OF KANSAS

Pub. 3 2022 Issue 6

What Banks Need to Know About CIS Controls

This story appears in the
In Touch Magazine Pub 3 2022 Issue 6

“Banks are increasingly targeted by cybercriminals, and the stakes are high. These controls are put in place to manage identified risks. They can be physical barriers (e.g., locks and walls, electronic barriers like firewalls, and software like antivirus), as well as policies, procedures, and training.”

In just the first half of 2021, the banking industry experienced a 1,318% increase in ransomware attacks. Banks have become prime targets for cybercriminals due to the large amounts of sensitive customer data they hold.

To protect this data, as well as maintain compliance with strict regulations, banks must have a strong cybersecurity strategy. This strategy should consider the unique needs of financial services cybersecurity.

There need to be stronger controls, better knowledge of banking networks, better reaction time to threats, and a better ability to recover from incidents. A great way to achieve these goals is by implementing the CIS Critical Security Controls (CSC).

What Is CIS?
The Center for Internet Security (CIS) is a nonprofit organization providing guidance and best practices for improving cybersecurity for financial services. CIS is a parent of MS-ISAC, which serves as the information sharing and analysis center for state, local, tribal, and territorial governments. They offer a framework of critical security controls that effectively protect against the most common attacks.

Why Should Banks Use CIS Controls?
Banks are increasingly targeted by cybercriminals, and the stakes are high. These controls are put in place to manage identified risks. They can be physical barriers (e.g., locks and walls, electronic barriers like firewalls, and software like antivirus), as well as policies, procedures, and training. Abiding by these controls helps examiners know you’ve identified your risk for IT incidents and placed appropriate controls in place to
manage them.

For a better financial services cybersecurity strategy, you need to know how your network works and be aware of any changes that might invalidate the controls you have put in place.

The Top 7 CIS Controls
Here are the top seven controls adopted by the FFIEC for InTREx Exams:

1. Inventory & Control of Enterprise Assets
Your bank needs to keep track of your assets and where they are located. This is important because it helps you to know what needs to be protected and how best to protect it. It’s important to regularly review or use tools to generate alerts to any asset changes.

Be especially aware of the “internet of things” (IoT). This is the growing trend of interconnected devices, such as security cameras, thermostats, IP phones, HVAC systems, and even coffee makers. These devices are often unsecured and can provide a way for attackers to gain access to your network. It’s so easy to plug devices into your network that can act as an entry point.

2. Inventory & Control of Software Assets
This control helps your bank ensure that your assets are properly configured and secure. This includes ensuring that only authorized users have access to sensitive data and that all data is properly backed up.

In many cases, software vulnerabilities are the root cause of attacks. Attackers will exploit these vulnerabilities to gain access to your network. You can help mitigate these risks by keeping your software up to date, regularly reviewing and removing unauthorized software, and preventing the installation of unauthorized software (i.e., limiting local permission, blocking internet download capabilities, etc.).

3. Data Protection
This control helps you protect your data from unauthorized access and loss. It includes ensuring that sensitive data is encrypted at rest and in transit. It is also understanding where data is stored and how it travels.

Data breaches are becoming more common and more costly. One way to help mitigate the risk of a data breach is by using Data Leak Protection. This makes it hard to copy and move sensitive data and will make it much more difficult for attackers to access your data if they are able to breach your network.

4. Secure Configuration of Enterprise Assets & Software
It is crucial to implement a solid program for software, and operating system patching, establish written policies for “hardening” new servers, workstations, and network devices, and regularly review policies to ensure they are enabled on all devices. This control boosts your financial services cybersecurity and keeps your assets and software secure.

The first step in this process is to create a secure baseline configuration for all enterprise assets, including hardware, software, and firmware. Once the baseline has been established, it is important to deploy security hardening techniques to further secure systems and reduce their attack surface. This can be accomplished by disabling unnecessary features and services, using strong passwords, and reducing privileges where possible.

It is also important to regularly patch software and operating systems to mitigate known vulnerabilities. Patches should be deployed as soon as they are released or on a schedule
appropriate for the organization’s risk tolerance. Be sure to test patches before deploying them to production systems.

5. Account Management
For added cybersecurity, ensure that only authorized users can access your data and systems. This is not just for Windows login – it includes logins to core systems, email, and any hosted or internet-based accounts that potentially house confidential data.

One of the most important things you can do to protect your data is to control who has access to it. This can be accomplished by requiring strong passwords, using two-factor authentication, and regularly reviewing permissions to ensure that only authorized users have access to sensitive data and systems. It’s also good to establish separate admin accounts for admin tasks. This way, if an attacker does gain access to an admin account, they will not have direct access to data.

6. Access Control Management
This control helps your bank manage and monitor user access to data and systems. This includes ensuring that only authorized users have access to sensitive data, that all access is logged, and that privileged users are properly supervised.

One way to help ensure that only authorized users have access to sensitive data is to implement least privilege principles. This means that users should only have the permissions they need to do their job, and no more. It is also important to log all access to data and systems. This can help you track down unauthorized access and identify potential insider threats.

7. Continuous Vulnerability Management
This control helps you identify and remediate vulnerabilities in your systems and software. This includes patching software and operating systems, using security scanning tools, and conducting regular penetration tests.

One way to help identify vulnerabilities in your systems is to use security scanning tools at least quarterly. These tools can be used to scan for known vulnerabilities, as well as to look for general weaknesses that could be exploited. Be sure to scan all systems, including web servers, application servers, and database servers.

How to Incorporate CIS Controls
To help your bank incorporate these Controls, look for an IT company that specializes in IT security and compliance for banks and who is also able to manage and automate many of the tasks associated with each of the CIS controls. More information about the Center for Internet Security can be found at https://www.cisecurity.org/controls

About the Author: Mike Gilmore is the Chief Compliance Officer at RESULTS Technology and a Certified Information Systems Auditor (CISA) with more than 30 years experience in the banking industry. In his role as CCO, Mike provides compliance and risk assessments, audit and exam support and policy documentation. He can be reached at mgilmore@resultstechnology.com.