As hackers and fraudsters become more creative and determined, credit unions must respond with more sophisticated and exhaustive cybersecurity defensive programs to counter fraud in all of its pernicious forms.
One approach is known as Defense in Depth. The idea is to defend a system against an attack using several independent methods. This model layers multiple security controls and barriers such as firewalls, wireless and data leak protections, and identity management that provide collaborative redundancy. If one control fails, another control is there to take its place and protect the system – thus delaying cyberattackers and detecting them before they can do serious damage.
The concept of Defense in Depth comes from the military – and how appropriate. Having a solid defense to protect a financial institution’s cyber system is, to that institution, on par in many ways with our military’s mission to keep our nation secure.
Among the more widely cited expositions of Depth in Depth are the “CIS Critical Security Controls,” the Center for Internet Security’s 2016 formulation of 20 security layers ranging from governance to business continuity/disaster recovery.
The CIS-recommended “controls are a set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks,” according to CIS. The controls range from inventorying authorized and unauthorized devices and software; securing configurations for hardware and software on laptops, workstations and servers; and continuous vulnerability assessment and remediation; to secure network engineering, penetration tests and “Red Team” exercises.
CIA Triad of Information Security
The SANS recommendations is not the only roster of Defense in Depth practices. There are, indeed, many strategies with terms that truly do harken back to the military origin on the concept. For instance, “Demilitarized Zones.” No, we’re not talking about that 160-mile long, 2.5- mile wide strip of land that divides the Korean Peninsula roughly in half. Rather, a DMZ in computer networks is a physical or logical sub-network that separates an internal local area network from other untrusted networks, usually the Internet.
However, each layer in a Defense-in-Depth model should address the CIA Triad of Information Security: Confidentiality, Integrity and Availability (CIA). According to www.technopedia.com, the CIA triad provides a baseline standard for evaluating and implementing information security regardless of the underlying system and/or organization. The three core goals have distinct requirements and processes that are fully integrated.
- Confidentiality: Ensures that data and/or an information system are accessed by only an authorized person. User ID’s and passwords, access control lists (ACL) and policy based security are some of the methods through which confidentiality is achieved.
- Integrity: Integrity ensures that the data can be trusted and that it is edited by only authorized persons and remains in its original state when at rest. Data encryption and hashing algorithms are key processes in providing this type of integrity.
- Availability: Data and information systems are always available when required. Hardware maintenance, software patching/upgrading and network optimization ensures availability.
The CIA Triad is a useful model that can guide a credit union’s governance and security policies, and help it successfully protect data privacy and accuracy as well as system uptime.
Defense in Depth controls offer a means of building and maintaining a security framework with the ability to manage risk. But, it is an implementation process that is anything but a sprint. It’s a journey that will continue for as long as the business exists. The technologies involved require a staff to maintain and facilitate a consistent and repeatable approach to security controls.
The technology will change, but the processes will largely remain the same.
About the Author
Terrence Griffin is Chief Information Officer of CO-OP Financial Services, a financial technology provider to credit unions based in Rancho Cucamonga, Calif. He can be reached at firstname.lastname@example.org or (866) 812-2872.