
Incident Response the Boy Scout Way

Strategically Speaking
Nov 6, 2013

Author: Debi Randol, drandol@profitstars.com

As a Compliance Analyst for the ProfitStars Gladiator Technology group, I have the opportunity to assist financial institutions with questions about how to respond to actual or attempted information security breaches. The tactics fraudsters can think up never cease to amaze me. Cyber-attacks appear to be increasingly sophisticated, malicious and effective. While these conversations give the IT Regulatory Department more insight into the ways criminals are trying to compromise banks, the rate at which I am receiving these calls is definitely alarming. With all the different types of technology available these days, fraudsters have more “doors” through which to steal non-public information for financial gain. Fortunately, FIs now also have more types of technology and multiple layers of security controls protecting their assets, so I am pleased to report that in most of my conversations, the fraud was stopped before significant loss occurred.

Assisting FIs with regulatory compliance has taught me that you have to have a plan for everything! Thus I have adopted the Boy Scout motto: “Always be prepared.” Obviously I’m not a former Boy Scout, but I know well the necessity of preparedness. The question I am always asked after these incidents is “What are we supposed to do, or required to do?” No one wants to be asking these questions while frantic from just having had an incident; you just want to know the answer, already! If you want to avoid this panic yourself, you have to be proactive. Here are just a few of the questions you should be asking:

  • Has your Incident Response Plan (IRP) been updated to incorporate DDoS attacks?
  • What about Corporate Account Takeover?
  • Do you know what to do if these are just attempted incidents and not successful incidents?

This should all be spelled out clearly in your IRP. Remember to review and update your plan for current scenarios frequently as new cyber-attacks are hitting the news.

Case in point: I had a call last week from a bank that was getting multiple calls from various “insurance companies” no one at the bank was familiar with, attempting to verify funds. These calls always came from an unknown number, and most of the time the caller was trying to verify funds for an individual who was not an account holder at this particular bank. It was certainly suspicious and raised a red flag among the staff. Was this possibly a new scam trying to take advantage of people amid all the health care changes? So, what is this bank supposed to do in this situation?

The best place to start is testing your IRP. Call your Incident Response Team together with a list of the “hot” security threats going on today and step through your current IRP procedures against each one. If you recognize gaps, update your IRP to incorporate measures that address them. Always go back to guidance and best practices. For a Corporate Account Takeover incident, check out the helpful Texas Department of Banking Supervisory Memorandum 1029. For general guidance on Incident Response Plans, look at FDIC FIL-27-2005. It is important to keep in mind that IT regulatory compliance directives for addressing security incidents are risk based and not prescriptive. Each scenario will be different, but having a game plan in place will go a long way toward mitigating the negative results of a breach. Testing your IRP will help your management team to “Always be prepared.”
