network security detection gap

Phil Lewis, CEO, Titania

Banking and finance organizations, with complex networks, large customer bases and highly desirable data, are prime targets for threat actors. But being a mark is one thing; being susceptible is another. The security of their network infrastructure depends on the ability to categorize, prioritize and mitigate their compliance risks effectively.

Attackers traditionally try many ways to access a network until they gain entry. Vulnerabilities or misconfigurations are a common way in and can provide all too easy an opportunity to scale their attacks. As a result, businesses need to be vigilant in shutting down known network risks. But are they? 

According to a recent report investigating organizational approaches to quantifying levels of security and Payment Card Industry Data Security Standard (PCI DSS) compliance risk in the US Commercial CNI sector, the answer is broadly no.

Compliance reality gap

Companies report that they rely on compliance for security and feel confident that their current practices meet corporate security and external compliance requirements. However, the data doesn’t always reflect this and illustrates a disconnect between the perception of compliance and reality.

Notably, only 37% could ‘very effectively’ categorize and prioritize compliance risks that undermine the security of their networks, and more than half (67%) listed an inability to prioritize remediation based on risk. In addition, less than half (45%) reported that critical network configuration security risks are responded to and resolved within 1-3 days.

Network detection practices gap

As for detecting networking misconfigurations in the first place, while most agreed that the continuous (daily) risk assessment of every firewall, router and switch is the most robust strategy to secure networks and maintain compliance, the reality is that:

  1. Router and switch checks are not prioritized. Almost all organizations (96%) reported focusing solely on firewalls and not assessing and quantifying the risk that misconfigured switches and routers pose to network security. Failing to secure the configurations of switches and routers carries the risk of enabling unauthorized lateral movement and threat proliferation.
  2. Networks are not checked frequently. Despite Banking and Financial Services reporting the most frequent checks of all Commercial Critical National Infrastructure respondents in the study – with 62% falling in the bi-weekly to once every six months category – the sector is still far from continuous network infrastructure monitoring.
  3. ‘Inaccurate automation’ compounds the problem. Nearly half of all organizations cite ‘inaccurate automation’ and an ‘inability to prioritize remediation based on risk’ as the main challenges when detecting misconfigurations, remediating the most critical risks first, and demonstrating compliance.
  4. Budgets are increasing, but that is not reducing the number of critical misconfigurations. Just 3.4% of IT budgets are allocated to identifying and remediating misconfigurations. Even though budgets are increasing yearly, this has little to no impact on the volume of critical misconfigurations detected on organizations' networks – likely due to infrequent checks on too few devices and inaccurate automation challenges.

The PCI Security Standards Council recently released the most significant changes to its standard since 2004 – assuring effective network segmentation, security as a continuous process, and enhanced validation of compliance to address the increases in risks that commercial enterprises need to mitigate. However, the report suggests that organizations will fall short of the 4.0 standard without significantly changing their approach.

How can organizations get past the hurdles? 

To that end, effective network segmentation is widely regarded as a key mitigating control in security strategies, as re-emphasized in PCI DSS version 4.0. VentureBeat reported that organizations that adopt zero-trust segmentation as part of their zero-trust strategy save an average of $20.1 million in application downtime and deflect five cyber disasters annually. Given the vitally important role that routers, switches – as well as firewalls – play in network segmentation, it’s increasingly important that organizations focus on securing all these devices to prevent unauthorized access and privilege escalation.

Adopting a zero-trust mindset is a must. It will help organizations shift their thinking and approach to configuration security and vulnerability management. Network owners should no longer assume device configurations pose no risk to the network between annual audits. Instead, they must proactively verify that every device remains compliant and secure daily – even if only for critical network segments…

With the sensitivity and value of information these businesses carry, they can’t afford to hold such unquantified levels of risk to the confidentiality, integrity, and availability of systems and data. While investing in accurate automation to deliver assessment, risk prioritization and remediation prioritization across all devices is a start, a shift in mindset is required to protect their networks from preventable attacks.

Exploiting known vulnerabilities is an easy way in. The banking industry can’t afford more hard hits, so it must help itself before it’s too late. Otherwise, we’ll soon read about a future significant data breach at a nearby financial institution. And then watch the loss of reputation and revenue that follows.

About the Author

Phil Lewis, CEO, Titania

Phil Lewis is the CEO of Titania, a global security and network services provider. Phil has a proven track record in Strategic Risk Management, starting with Deloitte, then with market-leading telecoms, law enforcement and cyber security firms before leading Titania’s global expansion as specialists in accurate, automated network configuration assessments. He is passionate about enabling organizations to deliver network security from compliance automation by helping them prioritize the remediation of the most critical risks to their business first. 
