Banks, government perform triage as software vulnerabilities multiply

The flood of security vulnerability alerts banks receive — those warnings that a website or piece of code contains a small flaw that a hacker could exploit to break into a network — may soon become a tsunami.

President Biden's cybersecurity executive order in May emphasized improving vulnerability detection on all federal government networks — which would equate to even more vulnerability alerts going out to information technology teams at financial institutions or businesses that work with the government. 

The list of software vulnerabilities with which bank security departments have to cope is already long. A CVE (Common Vulnerabilities and Exposures) list of known security threats reported by vendors and network operators included 18,358 vulnerabilities in 2020, according to a year-end review from Tenable's Security Response team. That was a 5.6% increase from a year earlier and a 183% jump from 2015. The list is sponsored by the U.S. Department of Homeland Security and maintained by Mitre, a not-for-profit firm that operates research centers for the government.

The challenge many bank security managers face today is to manage those vulnerability alerts in such a way that the most critical fixes are promptly addressed. Several government and industry-led initiatives are underway to help.

"One thing that really struck me when getting into the vulnerability management space several years ago was the sheer amount of data we received [from vendors or security networks]," said Jessica Colvin, managing director of vulnerability management and assessments at JPMorgan Chase. Banks deal with alerts from numerous sources on a regular basis, she said.

"Every day the [technology] teams were consuming vulnerabilities alerts — like drinking from a fire hose — with the number of vulnerabilities being published across industries, which was the right thing to do for vendors to describe their vulnerabilities," Colvin said during a recent webinar on vulnerability management hosted by the Washington-based Center for Cybersecurity Policy and Law.

"But the struggles we had were, how do we know which vulnerability is the one we should be focusing on today?" Colvin asked. "Which data points do we need to know in terms of which fire we have to put out, or what data do we have and what do we not have?"

Her bank has been leaning on a vulnerability scoring system run by Mitre that indicates the importance level of alerts.

The scoring system "is important in enriching that data with other intelligence, and at JPMorgan, because of our size and scale, we would have access to that other data and the budget" to monitor and analyze, Colvin said.

If a bank the size of JPMorgan encounters numerous vulnerability challenges, then banks and institutions that don't have the size and budget of JPMorgan would likely have similar challenges, Colvin added. "The question is how can we" — through CVE and other security organizations — "help them?"

The National Security Council and the National Institute of Standards and Technology contribute to the CVE list and are working on this.

"Vulnerability management is a persistent issue," Jeff Greene, senior director of the National Security Council, said during the webinar. "Whether you are talking about software, hardware or embedded software, it is frustrating to all of us that this [managing vulnerability alerts] is still a problem today."

The issue has nothing to do with a lack of effort or indifference toward the problem shown by the security or banking industries, Greene said. "It's an issue because the solutions are not easy, but not necessarily because they are complex technically.

"At times it is a matter of getting all of the ducks in a row to make a significant change," Greene said. "That is where an initiative and effort to bring many people together is a real opportunity to drive some change."

One such initiative is in the works at the Center for Cybersecurity Policy and Law, which has formed a new Vulnerability Management Coalition of cybersecurity stakeholders.

"We want to start a new conversation for the coalition," John Banghart, senior director of the center, said in explaining the impetus to bring experts together to address vulnerability management.

"We [security personnel] all have a passion for it, but we also need to get voices into the mix that are not the traditional standards organization voices," Banghart said during the webinar. "We have very smart people getting together to move things along, but maybe we need operational practitioner voices as well."

Patching the vulnerabilities

The ultimate goal is to avoid a cyberattack because a vulnerability issue was not addressed — and the problem was not patched — in time to avoid it.

The Financial Services Information Sharing and Analysis Center tries to help banks avoid overlooking an important vulnerability alert.

"Attackers often take advantage of long-known patchable issues," Teresa Walsh, global head of intelligence with the FS-ISAC, said in an interview. "One reason they are successful is that many companies are not diligent enough about patching and updating external-facing devices."

The FS-ISAC regularly publishes vulnerability alerts to its member financial firms, along with information for prioritizing patching cycles. As part of its alert process, the FS-ISAC will also work with affiliates that provide information about vulnerability incidents that could affect financial institutions.

In a recent example, "we were provided with a dataset of vulnerable Microsoft Exchange servers that HAFNIUM Group was exploiting for their ransomware campaigns," Walsh said, referring to the hacker group that Microsoft believes is based in China but operates through virtual private servers in the U.S.

"FS-ISAC was able to identify numerous members with vulnerable Exchange servers and provide them with recommendations for action," she said.
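Colvin's point about enriching raw alerts with other intelligence, and Walsh's about attackers going after long-known, patchable issues on external-facing devices, both come down to the same triage question: given hundreds of alerts, which one gets patched today? The following Python is an added illustration written for this article, not code from JPMorgan, the FS-ISAC, Mitre or any vendor named here. It takes a constructed batch of CVE-style alerts (the CVE identifiers, product names and scores are placeholders, not real records), joins them against a constructed asset inventory, and ranks them by a simple formula that rewards reported exploitation and internet exposure on top of the published severity score. The weights are assumptions chosen to show the effect, not a published standard.

```python
"""Added example: enriching and ranking vulnerability alerts for patch triage.

All data below is constructed for illustration; CVE-0000-000x are placeholder
identifiers, and the product names do not refer to specific real software.
"""
from dataclasses import dataclass


@dataclass
class Alert:
    cve_id: str
    product: str
    cvss: float                  # vendor-published base score, 0.0 to 10.0
    exploited: bool = False      # an intel feed reports in-the-wild exploitation
    patch_available: bool = True


@dataclass
class Asset:
    name: str
    product: str
    internet_facing: bool        # reachable from outside the network perimeter


@dataclass
class TriageResult:
    alert: Alert
    affected_assets: list
    priority: float
    reasons: list


# Assumed weights: exploitation matters more than exposure, and both matter
# more than a fraction of a CVSS point.
EXPLOITED_BONUS = 4.0
INTERNET_FACING_BONUS = 2.0


def triage(alerts, inventory):
    """Keep only alerts that touch something we actually run, enrich them with
    exposure and exploitation context, and sort highest priority first."""
    results = []
    for alert in alerts:
        affected = [a for a in inventory if a.product == alert.product]
        if not affected:
            continue  # not installed anywhere: no patch work, drop the noise

        priority = alert.cvss
        reasons = [f"CVSS {alert.cvss}"]
        if alert.exploited:
            priority += EXPLOITED_BONUS
            reasons.append("exploitation reported in the wild")
        if any(a.internet_facing for a in affected):
            priority += INTERNET_FACING_BONUS
            reasons.append("affects an internet-facing asset")
        if not alert.patch_available:
            reasons.append("no vendor patch yet: apply mitigations or isolate")

        results.append(TriageResult(alert, affected, priority, reasons))

    results.sort(key=lambda r: r.priority, reverse=True)
    return results


# Constructed inventory: two mail servers (one at the edge), an internal
# reporting app and a lab box running an old content system.
SAMPLE_INVENTORY = [
    Asset("mail-edge-1", "mail-server", internet_facing=True),
    Asset("mail-int-1", "mail-server", internet_facing=False),
    Asset("reporting-1", "reporting-app", internet_facing=False),
    Asset("lab-cms", "legacy-cms", internet_facing=False),
]

# Constructed alert batch, as if consumed from a vendor or ISAC feed.
SAMPLE_ALERTS = [
    Alert("CVE-0000-0001", "mail-server", cvss=9.8, exploited=True),
    Alert("CVE-0000-0002", "reporting-app", cvss=9.9),
    Alert("CVE-0000-0003", "legacy-cms", cvss=7.5, exploited=True,
          patch_available=False),
    Alert("CVE-0000-0004", "not-installed", cvss=10.0, exploited=True),
]


def report(results):
    """Render the ranked list as one line per alert for a daily hand-off."""
    lines = []
    for r in results:
        hosts = ", ".join(a.name for a in r.affected_assets)
        lines.append(f"{r.priority:5.1f}  {r.alert.cve_id}  [{hosts}]  "
                     + "; ".join(r.reasons))
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_ALERTS, SAMPLE_INVENTORY)):
        print(line)
```

On the constructed data the highest raw CVSS score (9.9, internal only, no known exploitation) ends up ranked last of the three actionable alerts, behind a 9.8 that is exploited and internet-facing and a 7.5 that is exploited with no patch available, while the 10.0 for software the bank does not run is dropped entirely. That reordering is the enrichment Colvin describes; the weights and the exposure flag are the kind of "other data" a smaller institution may not have on hand.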

A standard that could help

Common programs for banks and businesses to scan for vulnerabilities or even decipher vulnerability messages include the IBM Guardium data protection platforms, ManageEngine Vulnerability Manager Plus, Netsparker scanning and CoreSecurity for bank websites.

In its role as a standards organization, the National Institute of Standards and Technology has spent the past two years creating a framework for characterizing vulnerabilities and looking for consistent patterns in the content that can feed into that formula when so many vendors and security organizations are providing data.

Dave Waltermire, an IT specialist at the standards institute, said a key part of his role at NIST is to collect feedback from those who oversee network operations and to also work actively with the CVE list in addition to providing more education to organizations about CVE.

"After we drive all vulnerability information into the CVE list, then we can start to have consolidated formats and focus on the usability of the information going forward," Waltermire said during the webinar. "It's a unique innovation [to make CVE easier to use] that has been happening the last couple of years, one that we are starting to realize."

The work at NIST and other organizations is good news for banks and other industries, but some trap doors remain when there is an overflow of international, national, community and internal standards, said Kent Landfield, the chief standards and technology policy strategy executive at San Jose, California-based McAfee Enterprise, a security firm focusing on data protection, compliance and analytics management.

"Standards are great, but there are so many to choose from and that can cause problems," Landfield said during the webinar. "There is a need to converge on formats because organizations are spending millions of dollars interpreting data into different formats and converting it to their format."

JPMorgan's Colvin insists banks and other organizations have to cut through the data and the competing standards to get to one central point.

"There is a lot here, and we have to know what to do first," she said. "We have to understand the vulnerability, then get our hands on the keyboard to patch it."
