Chris Sienko: Hello, and welcome to another episode of CyberSpeak with Infosec Institute. Today’s guest is Todd Weller, the Chief Strategy Officer at Bandura. That’s bandurasystems.com, and a cybersecurity expert in the financial services field. Todd is gonna tell us about security issues specific to finance, and if there’s time, we will also discuss strategies for starting a security awareness department in a small company with minimal financial or personnel resources.
At Bandura, Todd Weller is responsible for driving corporate product and go-to-market strategy and execution. Todd brings to the team over 20 years of cybersecurity industry experience with a unique blend of operational and Wall Street experience. During his 17-year career as a Wall Street research analyst, Todd analyzed technology, industry trends, and provided fundamental financial evaluation research on over 60 publicly traded companies across leading edge technology areas including cybersecurity, data center hosting, health IT, network and systems management. Todd, thank you for your time today.
Todd Weller: Thanks. It’s great to be here.
Chris: How has the field of cybersecurity in the realm of finance changed over the past 20 years you’ve been looking at it? Have the threat vectors changed, or just the technology?
Todd: Yeah, it’s interesting because I started my career as a Wall Street research analyst in 1996. I think the internet was relatively new at the time. I think we just started to use email. I can remember we actually, when we developed our financial models, we didn’t email them, we had to fax them.
Chris: Yeah. Yeah. Taking us back.
Todd: It does. And a lot’s changed, right, with the internet, the emergence of BlackBerry, so I think it’s just more with the internet and everything being connected that threat vectors are always people. But now it’s easier to get to people, different devices, different applications. Social engineering wasn’t around as much. I mean, in the early days of being an analyst, we were not allowed to use social. We were not allowed to go on LinkedIn or Facebook because from a regulatory compliance perspective, they were worried about us disclosing research recommendations, or communicating ahead of any ratings changes. But that changed over time. Once you’re on LinkedIn, that’s another vector.
I think it’s more of just the vectors have grown in number. When I first started it was a brochureware website, now you can get infected by just clicking on a video ad that’s on a website.
Chris: You said the sort of regulatory compliances previously prevented you from basically using any sort of social function. What happened that relaxed that? Was it just the inevitability of things had to get done on certain sites?
Todd: Yeah. Well, it was inevitability that a good source of information to research and talk to potential customers, and to talk to security channel partners, and private companies, was social media. So, to not be on LinkedIn, to not be able to interact with LinkedIn groups, inhibited the ability to provide research. Just the need started to overwhelm it.
Honestly, it wasn’t too different than we were … pretty much every Wall Street firm used BlackBerrys in the early days, and we had to walk around with two devices because BlackBerry was secure, it could be controlled, but the whole … I can say AOL, and really age myself, but I will say BYOD. The whole iPhone, BYOD trend pushed us there. You can only keep things locked down so far before it impacts productivity and the ability to add value in your business. And I think that’s what happened. And it wasn’t so much regulators there, it was more the internal compliance departments of the Wall Street firms.
Chris: For younger people amongst us, what was the appeal of the BlackBerry, specifically in the financial sector like that? Is the idea just that it was just much more secure?
Todd: Yeah. It was secure. And that was their big shtick. It was all about security. You controlled it. You controlled the device, the encrypted communications between it. It was great for a while. Actually it was cool for a while. I got really used to the double thumbs and the keyboard.
Chris: Your little keyboard.
Todd: So having to go to an iPod. Did I call it an iPod? iPhone was quite an adjustment.
Chris: Right. With them disappearing over time, people were using other devices and stuff. What were you doing to make up the security gap?
Todd: Companies at that point would put in MobileIron or an AirWatch. A mobile device management solution that would control … We had to have an agent on our phone. So we had to give the firm the ability to wipe our phone. That was kind of interesting, because it was a work phone that we owned, but at the same time it was a personal device.
Companies had different policies. In my case, I actually owned my phone, but the firm owned my number. So when I left, I actually couldn’t get my number, but I’ve moved beyond that.
Chris: You’ve worked in several different fields with regards to financial issues. You mentioned healthcare, and other things. How is the concept of security awareness different in the financial sector compared with say government sector or healthcare sector?
Todd: I mean, I don’t know if the concept is really different. I think generally speaking, security awareness is more important. I think people get that people are the weakest link. That’s where most of the exploits happen. So there’s a need to train people. I think generally speaking, financial services because of the regulation and the resources they have tends to be a little bit more sophisticated, and they’re always leaning forward with cyber adoption. Their security awareness programs I think are ahead.
One of the things I learned in covering health IT, and this was not security, but more around electronic medical records, is that for hospitals, they have very low operating margins and profitability. And for them, they’re looking at building a new wing of a hospital, or adding a new machine that’s gonna drive revenue for the healthcare they provide versus IT. So while they have a lot of data, they don’t have the same level of resources.
I think for financial it’s just more important. Not more important, but they’re more ahead as far as adopting this. And because there’s also been more compliance … I had to sit through weeks of online compliance training to go through money laundering, and all that. So, it was huge. I think it’s important for everybody. It’s just who’s doing it more.
And look, the government’s very active. We have cybersecurity awareness month, and they’re doing more. I think most people get that people need to be trained, because we are the weakest link unfortunately.
Chris: Speaking of all the compliance training and stuff, what is the most common entry point that cybercriminals try to breach when attempting to hack a financial company? Is there an emphasis on software breaches or social engineering?
Todd: Yeah. Generally speaking you’re targeting the people. I know that there’s a lot of vulnerabilities that get discussed out there. But, it’s really how can I get privileged credentials? How can I do a phishing campaign? We’re a cyber tech company, and we’re exposed to this. I got an email recently, looked like it was from our CEO, just asking, “Hey, could you just verify that you got my email.” Looked totally non-malicious. I’ll tell you, I did reply, “Yes.” But then it progressed to, the next one was, “Hey, I need you to help transfer these fund requests.” And then it was apparent. I actually played along just to see how far I could take the person.
Chris: Yeah. At times you have to. Yeah.
Todd: The interesting thing with financials is, are you targeting the institutions? In which case you try to go after the people. I think we’re gonna talk about SWIFT, and the issues that were there. In a lot of cases they got credentials to the people at the SWIFT terminals, and once you had those credentials, you were able to initiate transactions.
Then there’s also this whole financial aspect of targeting the consumers. So banks are increasingly worried about account takeover. Being able, through malware or other mechanisms, to get my online banking password to commit fraud. To credit card skimming, which has happened to me a couple times, to now bitcoin wallets.
Generally speaking, they’re going after the users, but there also can be deficiencies or exposures at the institutional level. For example, some of the bitcoin exchanges, those are being targeted there.
An interesting non-financial one actually happened in Baltimore, where a hacker shut down the city’s 9-1-1 system. The reason they got in there, was because there was some firewall work done, and the firewall person left a port open. It wasn’t even targeted, it was just automated scans that happen. So sometimes it is a misconfiguration like that that lets the attackers in.
It’s definitely phishing. Targeting the humans via email and spear phishing is the biggest vector.
Chris: How about in-person fraud, and in-person deception, and stuff like that? Like actually calling someone on the phone, and asking for the numbers and things like that. I mean, it seems like it’s a lot safer to do it via phishing because you can craft it in advance and things like that, but.
Todd: Yeah. I mean, the phone calls still happen. I still get student loan calls. I have a great video, I won’t disclose where it is, but I had a great interaction with an IRS scammer that I recorded the episode for entertainment purposes so you could … If you wanna email me on the side, I can send you to where that lives.
Chris: Yeah. One of them hit one of our sales lines. Worst day of his life. Our salesperson was more than happy to keep calling back.
Todd: We get that. But I think people are generally … I don’t think you’re seeing as much of that. There’s a lot of robocalls now, where I think people are just annoyed with answering their phones in general.
Chris: Yeah. Yeah. That’s certainly … since the days of the BlackBerry phone, in-person is not necessarily the most common way to get in touch with somebody. What are some of the weak points of security that most financial companies aren’t covering well enough, do you think?
Todd: Yeah. Look, I think, when you look at financial services companies, they’re generally again sophisticated, well resourced, and even the smaller orgs, it’s important. I think financial companies do a great job. But, as you go down, if you’re a community bank, or a credit union, or you’re a smaller hedge fund, you don’t have the same resource levels. And there it’s not only money, but it’s people, and you need both of those to work.
I think threat intelligence is an area where historically it’s been the domain of larger organizations, because there’s a lot of resources. Using external threat intelligence, sharing it with your peers, seeing what’s going on, being a member of your ISAC. For financials there’s FS-ISAC.
I think threat intelligence has been a weak spot, but I think you’re seeing more banks embrace that because there’s some technologies that are helping there, there’s organizations like FS-ISAC. Then I think the other weak spot has been everybody’s open 24/7 these days. And so 24 by 7 monitoring is critical. But if you’re a small, midsize business, you don’t have the resources to staff a 24 by 7 operation center. You need eight to 12 people to do that when you run the numbers. The good news there is there’s a lot of ways to outsource that to a managed security service provider or managed detect and respond. Those are two areas I think folks could improve on.
Chris: You mentioned threat intelligence, but also the importance of collaborative and sharing of threat intelligence and information. Has there been any friction towards the idea of banks sharing their intelligence with each other for a greater good?
Todd: Yeah. I think there’s always been a degree of friction on the sharing side, whether it’s private to public sector, or whether it’s entities within a given industry. The FS-ISAC has over 7,000 members globally. Ranges from large Wall Street banks, to regional banks, to hedge funds, to insurance companies. More is happening. It’s tough to get visibility into who’s just taking versus giving, and sharing. And I suspect you still have some of the bigger banks that may be keeping things more close to the vest.
I think there’s always an element of friction, but I think relative to a few years ago, it’s dying down because these threats do target industries. And so it’s for the good of everybody to see what’s going on and to share.
Chris: Yeah. It’s bigger than all of us. You mentioned before, SWIFT related fraud issues, are those still on the rise, or have there been mechanisms that have been put in place that have reduced this method of theft at all?
Todd: Yeah. That seems to have died down. It doesn’t seem like there’s as much high profile news flow about a SWIFT breach. I mean, it seemed like every other day in 2016 and 2017. I know there was an issue earlier this year. I think again there the issue was not so much infiltrating the SWIFT network itself, but more getting the access to privileged credentials to someone at the bank to get access to the terminal. Look, there could be a perception that SWIFT is a secured network, so I’m secure. This SWIFT terminal is sitting in this room, and only John or Lisa has access to it. And so you don’t have proper access control. You’re not monitoring privileged credentials. You’re not doing two-factor. You don’t have it segmented from a network.
It’s interesting, still today with everybody knowing how big of security issues there are, a lot of times it does fall back to basic cyber hygiene. Basics, patching, vulnerability scanning, access control, that kind of stuff. But the SWIFT seems to have died down. It seems like right now bitcoin wallets and current crypto is a hot topic.
Again, account takeover with online banking is interesting. But I haven’t seen it. I don’t know if you have, but a big, major issue where somebody’s bank account has been drained. Which is actually good because banks have been very progressive about the use of technology and online banking. I think one thing that’s helped there too is two-factor auth via the phone. Because I remember five years ago through Bank of America, I did a VeriSign token. They sent me a credit card, and you press it, six-digit number would change. But it was annoying. I always had to have it. Now they can deliver that over my phone. So I think it’s made it more convenient. So you’re seeing a lot more use of two-factor auth, which is helping there.
Chris: If SWIFT is going down, but you mentioned that things like bitcoin wallet and cyber mining are going up. What are some of the strategies in place of these rising threats?
Todd: Yeah. Again, I think prevention is important. Making sure things are locked down. From the bitcoin perspective, it’s your malware is hitting your PC, your laptop, and it’s taking your credentials. So I think inferring that’s kept in a safe place that’s encrypted. I think again it’s the basics from that perspective.
Chris: Okay. What are some laws and regulations, maybe recent or in general, that have been put into place that you think are helping to curb fraud and cybercrime in the area? And what are some laws or regulations that you personally would put into place, if you could, that you think would curb cybercrime even more so?
Todd: Yeah. It’s interesting. I mean, as a solutions provider, I would love for regulations and laws to mandate the use of our technology. We’d certainly sell a lot more. Personally, laws and regs can only go so far. The last 20 years in security, we’ve seen evolution here. I would say though, you are seeing some of the regulations get more prescriptive, targeted, aggressive. I mean, if you looked at GDPR, it wasn’t just an impact to European companies, it was everybody that does business in Europe. We don’t have a huge European business at Bandura, but we have some exposure there. It took a lot of effort for us to make sure we’re doing what we need to to comply with that.
I think from a financial perspective, what comes to mind is the New York Department of Financial Services. That cybersecurity regulation. Again, much more prescriptive, it’s mandatory, has teeth, not just about the banks in New York. If you’re an international bank doing business in New York, you’re exposed. If you’re a regional bank that’s doing some business, it’s exposed.
Chris: I’m sorry, can you give us a little sort of capsule version of what the New York bank regulation is?
Todd: It’s a real prescriptive set of regulations that banks have to follow. Put proper controls in place, vulnerability management, you have to actually have Accesso. The organizations have to have that. And then proper controls. There’s a blog we wrote on this a few months back. I think I wrote it, ‘I’m in a New York Cyber State of Mind’, or something like that. Billy Joel. I like music.
It’s interesting, because this just wasn’t banks. It was insurance companies who were exposed, healthcare maintenance organizations, continuing care retirement communities, it was interesting. So I think that’s one that again it’s getting more prescriptive, more direct in what you have to do to comply, it’s mandatory, and there’s penalties. I’m not sure what the penalties are. There was some uncertainty over what the exact penalties were for that. But there is teeth in that. The trend is, it’s getting more prescriptive.
I would also tell you that recently we had a chance to do a meeting at a regional Federal Reserve Bank, and it was with IT bank examiners. And the focus was on threat intelligence, and how the use of threat intelligence and information sharing was becoming more critical as they do their FFIEC guidelines for bank exams. So cyber with respect to bank examinations and audits is becoming more critical too, across the board.
Chris: In general, do you think a general lack of security awareness posture is an issue of determination at the leadership level? Like, the feeling that your company is somehow immune from attack, or some other factor. And if so, is there any way that you can change minds at the C-Suite level to strengthen the organization’s security program?
Todd: Yeah. I mean generally speaking, it’s smaller companies that haven’t been as impacted, seem to have less concern, seem to be more of a check-the-box crowd. I call them, the persona, the minimalists. I know it’s important because of certain regulatory compliance around personal data, or PCI, I need a firewall, I need a Next Gen firewall, I need a web application firewall. And they’ll check the box, but that’s what they’re looking to do.
I think the good thing about financial is again, it’s a more security conscious vertical. So even smaller financial orgs tend to be more security conscious. But that’s the way we look at it. I mean, I had a conversation a few months back with an MSP, Managed Service Provider, they target all sorts of industries. Most of their customers are 50 and below, and they’re like, customers just don’t care. They don’t think it’s gonna happen. If you haven’t been hit by a tornado or a hurricane, you’re not really-
Chris: You’re not looking to spend that extra money for the insurance.
Todd: Yeah. Right. I do think awareness is increasing, but I think it’s … For the bigger companies, it’s viewed now as not IT, it’s a business risk, and it’s a board level conversation. Look, as you read more of the industry resources like American Bankers Association, all that. You’re seeing a lot more focus on cyber. So that tends to trickle down as well.
Chris: Let’s talk a little bit about small companies. You have mentioned that sometimes small companies are the issue just because they don’t feel like they could afford it, or they wanna do the bare minimum, or don’t have the budget, or the personnel. You advise small companies across the board on how to start security awareness programs when resources are tight. What are some of your cost-cutting methods that you could establish today with your company to improve your company security shortcomings?
Todd: Yeah. There’s a couple things. One, from a security awareness perspective, I mean, there’s a lot of offerings out there that are … software-as-a-service based, it doesn’t cost that much. I think doing some basic security awareness isn’t outlandishly expensive. There’s a lot of actually open source and free training that can be done. There’s a great company out of Maryland called Cybrary that has a lot of online cyber training. That’s not only for employee stuff, but also for cyber practitioners.
Then from an improving security posture perspective, there’s actually a lot of free tools out there. DHS, Department of Homeland Security, through what they call the National Cyber Assessments and Technical Services, NCATS, offers several. I think some folks just think because it’s government, it’s only for government agencies, or critical industry. They offer vulnerability scanning through a cyber hygiene service. They do a phishing campaign assessment that you can get access to, and other risk and vulnerability assessments. I think those are ways.
Then another avenue we’re seeing more companies look at is, you can do all the prevention you want, and detection and response, but inevitably we see things happen, and you wanna be prepared for that. Cyber insurance is being adopted more. There was an article in the Wall Street Journal a few weeks ago that talked about cities. More cities are being attacked and looking at cyber insurance.
Chris: What are some strong security upgrades you can make that cost a lot less than people think? What are some additions you can make that will give your company the most bang for its limited buck?
Todd: Yeah. I think the first thing is there’s integrated … many of the security solutions today are integrated, meaning from a network security perspective, it used to be: you bought a firewall, behind the firewall you deployed an intrusion detection or prevention system, a separate web filter. Now it’s looking for integrated capabilities. Making sure you’re using what you can on an integrated solution, because oftentimes adding a license for a malware detection, like a sandboxing solution, is pretty reasonably priced on those solutions.
I think there’s more cloud offerings you could look at that are reasonably priced and easy to manage from that perspective. I think again, using threat intelligence is more accessible today. There’s threat intelligence gateway technologies that are out there. Joining the ISACs. If you’re in financial services, you should be a member of FS-ISAC. It’s not a huge cost to get involved there, and you get access to lots of stuff. Sometimes it’s premium priced as far as things you can get access to, but there’s a lot of value you get.
The other thing I would say, cost conscious is, if you’re using cyber insurance, look at what benefits you get. For example, we partner with AIG, and I will tell you, as part of AIG’s Cyber Edge, they provide a lot of complimentary tools and services, and discount on services from name brand vendors. I would look to make sure you’re getting the most out of a cyber insurance policy because there’s access to more than you think with those policies.
Chris: Okay, let’s wrap it up here. When it’s finally time to ask leadership for these funds, what are some strategies that you should engage in to ensure that they understand that no matter how tight the budget, that security awareness money is always money well spent?
Todd: Yeah. I think honing in on the security awareness side of it is, it’s hard to argue that people aren’t the weakest link. There’s enough data to show it’s phishing. And we know that an ounce of prevention is worth more than a pound of cure. And so the things we can do to make our employees more aware of phishing pale in comparison to the cost we see when something happens. So I don’t think those solutions are that outlandish, or that expensive. I mean to me there’s an interesting business case there.
I don’t know if ROI studies have been done there or not, but I will tell you, paying $17 million like Atlanta had to do for ransomware. The cost to remediate from a breach pales in comparison to doing some prevention. And again, there’s low cost ways to do some security awareness, and there’s some free ways to do it too.
Chris: On that note, I think we will wrap up now. Thank you very much Todd Weller for your insights.
Todd: Thank you.
Chris: And thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to YouTube and type in Infosec Institute, I-N-F-O-S-E-C, and check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Please visit infosecinstitute.com/cyberspeak for the full list of episodes. If you’d like to qualify for a free pair of headphones with a class sign-up, podcast listeners can go to infosecinstitute.com/podcasts to learn more. And if you would like to try our free SecurityIQ package, which includes free phishing simulators that you can use to fake phish, and then educate your colleagues and friends in the ways of security awareness, please visit infosecinstitute.com/securityIQ.
Thanks once again to Todd Weller and thank you all for watching and listening. We’ll speak to you next week.