DTCC Connection

Sep 20, 2017 • DTCC Connection

When it Comes to Cyber Defense…Don’t Forget the Basics

By F.A. McMorris

When it Comes to Cyber Defense…Don’t Forget the BasicsAs cyber risks continue to evolve, many organizations look for the latest innovations to thwart these attacks.

However, more conventional and routine approaches to detect and prevent cyber-attacks may actually be the more effective answer that so many enterprises – including those in the financial industry – are not fully prioritizing.

“Innovation is great and should be a component of a strong cyber security plan but not at the expense of traditional practices,” said Stephen Scharf, DTCC Managing Director and Chief Security Officer. “When you look at incidents happening to all sorts of firms and you ask what the root causes of those incidents were, you realize that often it could have been prevented if some of the traditional practices were in place.”

DTCC uses a combination of defenses, such as patch management, vulnerability management, separation of duties, identity management and access management, Scharf said, creating a “layered defense.”

Organizations that practice ongoing cyber hygiene will be in the best position to guard against the latest intrusions. Long-established approaches are proven methods to avoid becoming the victim of a cyber-attack.

Neglect Can Be Costly

Those that are lax in practicing the most basic of cyber protections will discover just how expensive online attacks can be. The average total cost of data breach was $3.62 million, according to the Ponemon Institute’s 2017 Cost of Data Breach Study, which examined 419 companies in 11 countries and two regions. A recent data breach at a credit bureau exposed the sensitive personal information of 143 million Americans is the latest cyber-attack to unfold.

Not only can cyber-attacks result in expensive litigation and regulatory fines, the negative publicity surrounding the incident can also damage an organization’s reputation leading to a loss of customers, good will and competitive advantage. Massive business disruptions can also ensue.

Consider the recent WannaCry ransomware attack earlier this year. WannaCry affected organizations in more than 100 countries by infecting and locking up tens of thousands of computers as hackers demanded a ransom be paid to regain access to those files.

The Center for Internet Security, (CIS) noting that the WannaCry ransomware relied on a known Microsoft vulnerability, emphasized the need for basic cyber hygiene with a focus on secure configuration and automated patching.

Taking the five steps below can vastly decrease an organization’s cyber vulnerabilities, CIS said.


1. Do an inventory of authorized and unauthorized devices.
2. Do an inventory of authorized and unauthorized software.
3. Secure configurations for hardware and software, including laptops, servers and workstations.
4. Continuously assess vulnerabilities and apply remediation with information from software updates, patches, advisories and threat bulletins.
5. Control use of administrative privileges such as preventing the opening of malicious email.


“One of the approaches attackers take is to exploit known vulnerabilities,” Scharf said. “If that vulnerability was appropriately patched and remediated, it’s impossible for them to use that avenue of attack.”

Challenges to Keeping Up

In an August 2017 alert, the Office of Compliance Inspections and Examinations National Examination Program staff said it had examined 75 SEC registered firms and found several areas of concern. Customer protection reviews that were required to be done annually were conducted less frequently. The staff also found that reviews about the appropriateness of supplemental security protocols that were required to be ongoing, were performed only annually or not at all.

In addition, the staff found that there were confusing instructions for employees as to certain polices and that cybersecurity awareness training for employees was not always completed. In some cases, system maintenance wasn’t properly performed to ensure the installation of software patches to address vulnerabilities. Some firms used outdated operating systems that were no longer supported by security patches. Finally, the staff said that some firms that saw high-risk results from penetration tests or vulnerability scans did not fully remediate those conditions in a timely manner.

“There are business reasons why patching may take longer than expected,” Scharf said. “You have to test the impact of the patch to make sure any business functions are not adversely affected.”

The other challenge, Scharf added, is that new patches are coming out all the time. This presents a challenge for firms who tend to be smaller organizations with less resources to implement all the new and changing cyber defense tactics.

“All the more reason why basic cyber hygiene is so critical,” Scharf said.

When it comes to identity and access management, organizations need to know who their employees and contractors are. “Grant or remove rights in a controlled and audit-able way,” Scharf advised. “When people leave the firm, they should not continue to retain rights.”

Third-party risk management practices also need to be in place for vendors, Scharf said. “You can outsource operational components but you cannot outsource responsibility,” he said. “In extreme cases, you may have to end your relationships with some third parties if they don’t have the appropriate controls in place.”

The Financial Industry Responds

Phishing attacks like WannaCry have grown more sophisticated and harder to detect, Scharf said. The Multi-State Information Sharing and Analysis Center (MS-ISAC) identified 81 data breaches in the second quarter of 2017, surpassing the total number of breaches in 2016. So far, this year, phishing accounted for approximately 60% of all identified data breaches.

That’s why more employee education is needed, Scharf said. Firms need to make sure they have systems in place to report suspicious activity and block the phishing.

The financial services industry is also taking greater steps to safeguard customer information through the Sheltered Harbor concept. This private sector approach is designed to provide protection against a highly damaging attack.

“Imagine if something happens to a mid-sized bank and all the data was destroyed,” Scharf said. “A financial institution may not be able to identify account holders or determine how much each account held.”

Sheltered Harbor would take data that is validated, formatted, encrypted and transmitted via industry-established standardized file formats and place it in a data vault. The data can be retained in the aftermath of an extremely harmful cyber-attack. The intent is that the stored data won’t be infected with the malware from a cyber-attack, Scharf said.

“Ensuring that you have immutable copies of your data is becoming much more important because cyber-attacks were previously focused on data theft, but now also target data destruction” Scharf said.

dtccdotcom