Cyberattacks are a constant threat to authorities, as they handle a great deal of sensitive information. Banks face the same threat, since they manage many vital assets and much sensitive information.
Network segmentation improves security for banks and in situations where one-way communication is imperative, the network segmentation can be solved effectively with data diodes.
Digital communication – quick, easy and risky
With digitalisation, more devices are connected to the Internet – convenient, but it also increases possible attack routes into the IT structure. At the same time, the methods used by the attackers of today are more and more refined, and attacks are usually targeted and well-planned.
Attacks targeting banks
It can become very expensive not to protect information properly. The Development Bank of Seychelles experienced a ransomware attack on its network in September 2020. During a ransomware attack, the attacker encrypts the victim’s files and demands a ransom to make them accessible again. Regaining access to the files after an attack can therefore be far more expensive than paying for secure protection and thereby avoiding such risks in the first place.
Hungarian banking services were also affected by a critical cyberattack during 2020, a so-called distributed denial-of-service (DDoS) attack. It was considered one of the biggest DDoS attacks in Hungary. During a DDoS attack, the attackers flood the system with data traffic with the aim of paralysing it. During the incident mentioned, some banks’ services were interrupted. This kind of attack can mean great costs because the organisation cannot operate at its normal speed, meaning that employees and potential customers cannot access the system.
New EU Guidelines for banks
Since so much is at stake, banks cannot take the risk of not having secure protection against threats. On June 30th 2020, the new EU guidelines regarding cybersecurity for banks came into force. The guidelines address financial institutions, referred to as payment service providers, credit institutions and securities companies.
The new guidelines from the European Banking Authority, EBA, are the European standard for managing security and IT risks. They describe how banks, fund managers and payment service providers operating within the EU are to manage internal and external risks linked to IT and security. The guidelines aim to reduce the likelihood of attacks that can lead to data leaks and disruptions.
Amongst other things, the guidelines point out which security measures must be developed and implemented to mitigate the IT and security risks that financial institutions are exposed to. It is essential to understand that the guidelines have legal status and that the operators covered are therefore obliged to justify any deviation from their application.
What information security requirements do the new guidelines set?
The guidelines contain a lot of information, but a central requirement concerns classification. It states that financial institutions must classify business functions, support processes and information assets according to how critical they are.
Another vital requirement is information security measures; the guidelines state that security measures have to be developed and implemented to mitigate IT and security risks that financial institutions face.
How do we know what information to protect?
It is vital to classify all kinds of information in order for the organisation to be able to handle it correctly. To do the classification, you must evaluate aspects such as the value and sensitivity of the information, the legal requirements and the importance of the information for the business. A good way to determine how the classification should be done is to use a risk and security analysis. It helps you to map your current information security as well as your future needs.
You need more than a firewall
In order to protect what is most sensitive and critical to operations, technologies other than firewalls should be considered. With a firewall, it is difficult to know exactly what information is being exported from or imported into the system. Firewall configurations often become complex, which increases the risk of misconfiguration. Firewalls also do not separate administration from the data flow in a way that protects the information from insiders. And when firewalls are managed through cloud services, the outsourcing itself adds risk exposure. Firewalls work well in environments with large data flows where traffic is varied and changeable, e.g. as external protection towards the Internet and for dividing a DMZ from the office environment. It is important to establish defence in depth, with several security barriers between what is considered most sensitive and the threat actors. Security products from different suppliers should be used to reduce the risk that the same vulnerability exists in all of them. Configuration changes to security products should be controlled so that each change is reviewed by more than one person who understands and can approve it.
Network segmentation improves security for banks
An excellent method for mitigating security risks and protecting critical information and systems is network segmentation through a combination of physical and logical separation. Physical separation means that security zones are defined and placed on different physical hardware. Logical separation means that different zones or traffic flows are allowed to coexist on the same hardware or in the same network cable, which makes the separation less apparent and therefore gives lower confidence in the strength of the separation mechanism than physical separation does.
Network segmentation in situations where one-way communication is imperative, i.e. where information must only flow in one direction, can be solved effectively with data diodes. The defining property of a data diode is that information can only pass in one direction. In Advenica’s SecuriCDS Data Diode, the separation and diode function is based on an optical transmitter and receiver. The design guarantees that no data whatsoever passes in the opposite direction. Certified solutions such as Advenica’s SecuriCDS Data Diode, which meets military standards, achieve both function and security.
We also have solutions for network segmentation in situations where a two-way information flow is necessary. Here, data is effectively filtered, and on every transfer it is ensured that the organisation’s information policy is followed. Advenica’s ZoneGuard offers a custom-fitted yet simple solution based on allowlisting of information in an information policy. The solution ensures that organisations can exchange information between security domains at different levels in a secure and correct way.
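The two ideas in the paragraph above, a strictly one-way link and an allowlisting information policy for two-way exchange, are modelled below as an added example. It is not Advenica's code and does not describe how SecuriCDS Data Diode or ZoneGuard are implemented; the class names, the sample policy, the frame format and the simulated frame loss are all constructed for illustration. It shows two consequences a practitioner has to plan for: on a one-way link the receiver can never acknowledge or request retransmission, so the sender must add sequence numbers, integrity hashes and redundancy itself; and a policy-based filter should be default-deny, rejecting any message that carries a field the policy does not list.

```python
"""Model of one-way transfer over a data diode, plus an allowlist
information policy for a two-way gateway. Added illustration, not
vendor code; all names, the policy and the loss pattern are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


class DiodeViolation(Exception):
    """Raised if anything tries to push data against the diode's direction."""


@dataclass
class DataDiode:
    """Unidirectional link: frames travel tx -> rx only; no return path exists.

    `lost` is a constructed set of (seq, copy) pairs the simulated link drops,
    to show why a sender on a one-way link must add redundancy itself."""
    lost: set = field(default_factory=set)
    rx_log: list = field(default_factory=list)

    def tx_to_rx(self, frame: dict, copy: int) -> None:
        if (frame["seq"], copy) in self.lost:
            return                      # dropped on the wire; nobody is told
        self.rx_log.append(frame)

    def rx_to_tx(self, _anything) -> None:
        # No physical path in this direction: the receiver cannot ACK, NACK,
        # or leak anything back into the protected network.
        raise DiodeViolation("no return path through a data diode")


def make_frame(seq: int, payload: bytes) -> dict:
    """Constructed frame format: sequence number, hex payload, SHA-256 of payload."""
    return {"seq": seq, "data": payload.hex(),
            "sha256": hashlib.sha256(payload).hexdigest()}


def send_one_way(diode: DataDiode, messages: list[bytes], copies: int = 2) -> None:
    """Sender side: numbered, hashed frames, each transmitted `copies` times,
    because no acknowledgement can ever arrive to trigger a retransmission."""
    for seq, payload in enumerate(messages):
        frame = make_frame(seq, payload)
        for c in range(copies):
            diode.tx_to_rx(frame, c)


def receive_one_way(diode: DataDiode, expected: int) -> tuple[dict[int, bytes], list[int]]:
    """Receiver side: verify hashes, discard duplicates, and report gaps that
    it can only log, never ask to have resent."""
    received: dict[int, bytes] = {}
    for frame in diode.rx_log:
        payload = bytes.fromhex(frame["data"])
        if hashlib.sha256(payload).hexdigest() != frame["sha256"]:
            continue                    # corrupted in transit: discard
        received.setdefault(frame["seq"], payload)
    missing = [s for s in range(expected) if s not in received]
    return received, missing


# Two-way gateway: a constructed information policy that allowlists exactly
# which fields may cross in each direction; everything else is denied.
POLICY = {
    "office->core": {"transaction_id": str, "amount": int, "currency": str},
    "core->office": {"transaction_id": str, "status": str},
}


def filter_by_policy(direction: str, message: dict) -> dict | None:
    """Return the message reduced to allowlisted fields, or None to deny it.
    Default deny: unknown direction, extra field, missing field or wrong type
    all reject the whole message rather than silently stripping it."""
    allowed = POLICY.get(direction)
    if allowed is None:
        return None
    if set(message) - set(allowed):
        return None
    for name, typ in allowed.items():
        if name not in message or type(message[name]) is not typ:
            return None
    return {name: message[name] for name in allowed}


def demo() -> dict:
    # Constructed loss: seq 1 lost entirely, seq 2 loses one of its two copies.
    diode = DataDiode(lost={(1, 0), (1, 1), (2, 0)})
    msgs = [b"balance report", b"audit log line", b"end of batch"]
    send_one_way(diode, msgs, copies=2)
    got, missing = receive_one_way(diode, expected=len(msgs))
    try:
        diode.rx_to_tx({"nack": missing})
        ack_blocked = False
    except DiodeViolation:
        ack_blocked = True
    ok = filter_by_policy("office->core",
                          {"transaction_id": "T1", "amount": 100, "currency": "EUR"})
    leak = filter_by_policy("office->core",
                            {"transaction_id": "T1", "amount": 100, "currency": "EUR",
                             "customer_note": "not in policy"})
    return {"received": got, "missing": missing, "ack_blocked": ack_blocked,
            "policy_ok": ok, "policy_denied": leak is None}


if __name__ == "__main__":
    print(demo())
```

The receiver ends up with frames 0 and 2 and a recorded gap at 1 that it cannot repair, which is why real one-way deployments size their redundancy (or forward error correction) to the expected loss rate and monitor the gap log on the receiving side. The policy filter rejects the message carrying an unlisted field outright instead of forwarding a trimmed copy, so a misrouted or over-shared field is visible as a denial rather than disappearing quietly.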