| Course Code | Class Code | Assignment Title | Total Points |
|---|---|---|---|
| NRS-490 | NRS-490-O501 | PICOT Statement Paper | 75.0 |

| Criteria | Percentage | Unsatisfactory (0.00%) | Less than Satisfactory (75.00%) | Satisfactory (79.00%) | Good (89.00%) | Excellent (100.00%) | Comments | Points Earned |
|---|---|---|---|---|---|---|---|---|
| Content | 80.0% | | | | | | | |
| Identification of Clinical Problem/Issue | 30.0% | Clinical problem/issue is not identified, and resolution is not addressed. | Clinical problem/issue is identified with little discussion of resolution or patient outcome. | Clinical problem/issue is identified but not supported with clinical observations or evidence. The identified problem/issue can be resolved, or a patient outcome shows minimal improvement. | Clinical problem/issue is identified based on clinical observation experience or evidence in literature. Articles are cited to support the need for change in nursing practice. The identified problem/issue can be resolved, or a patient outcome can be improved using nursing interventions. | Clinical problem/issue is identified based on key concepts that define evidence-based practice or clinical experience. Articles are cited to support the need for change in nursing practice. The identified problem/issue can be resolved, or a patient outcome can show a marked improvement through a nursing intervention. | | |
| Clinical Problem/Issue, Including Description, Evidence-Based Solution, Nursing Intervention, Patient Care, Health Care Agency, and Nursing Practice | 30.0% | Clinical problem/issue is not described with clarity and the corresponding elements are not included. | Clinical problem/issue description includes a basic understanding of the problem/issue and setting, with few of the following elements explained: evidence-based solution, nursing intervention, patient care, health care agency, and nursing practice. | Clinical problem/issue description includes a basic understanding of the problem/issue, the setting, and the patient population. The following elements are explained: evidence-based solution, nursing intervention, patient care, health care agency, and nursing practice. Minimal rationale is provided to support the resolution of the clinical problem/issue. | Clinical problem/issue description includes a thorough understanding of the problem/issue, the setting, the patient population, and why it is a problem/issue. The following elements are explained in detail: evidence-based solution, nursing intervention, and patient care consistent with specific health care agency and nursing practice. Sound rationale is provided supporting the clinical problem/issue resolution. | Clinical problem/issue description includes a developed and thorough explanation of the problem/issue, the setting, the patient population, and the rationale for why it is a problem/issue. The identified clinical problem/issue explains the following elements with detail and clarity: evidence-based solution, nursing intervention, and improved patient care consistent with specific health care agency resulting in nursing practice change. Sound rationale is provided in the discussion of the clinical problem/issue resolution. | | |
| PICOT Statement Focused on Resolution, Improvement, Application, and Intervention | 10.0% | PICOT statement does not focus on resolution of a problem/issue, improvement of patient care or application of a nursing intervention. | PICOT statement discusses a clinical problem/issue without a focus on improvement or intervention. | PICOT statement focuses on the resolution of a clinical problem/issue that improves patient care through the application of a nursing intervention. | PICOT statement focuses on the resolution of a clinical problem/issue, with discussion of improving patient care through the application of an evidence-based nursing intervention. | PICOT statement clearly focuses on the resolution of a clinical problem/issue and aims at improving patient care through the application of an evidence-based nursing intervention. | | |
| PICOT Statement Including Population, Intervention, Comparison, Outcomes, and Time | 10.0% | Population, Intervention, Comparison, Outcomes, and Time are not included. | Population, Intervention, Comparison, Outcomes, and Time are present, but lack detail or are incomplete. | Population, Intervention, Comparison, Outcomes, and Time are present. | Population, Intervention, Comparison, Outcomes, and Time are clearly provided and well developed. | Population, Intervention, Comparison, Outcomes, and Time are comprehensive and thoroughly developed with supporting details. | | |
| Organization and Effectiveness | 15.0% | | | | | | | |
| Presentation | 5.0% | Paper lacks any discernible overall purpose or organizing claim. | Thesis is insufficiently developed or vague. Purpose is not clear. | Thesis is apparent and appropriate to purpose. | Thesis is clear and forecasts the development of the paper. Thesis is descriptive and reflective of the arguments and appropriate to the purpose. | Thesis is comprehensive and contains the essence of the paper. Thesis statement makes the purpose of the paper clear. | | |
| Argument Logic and Construction | 5.0% | Statement of purpose is not justified by the conclusion. The conclusion does not support the claim made. Argument is incoherent and uses noncredible sources. | Sufficient justification of claims is lacking. Argument lacks consistent unity. There are obvious flaws in the logic. Some sources have questionable credibility. | Argument is orderly, but may have a few inconsistencies. The argument presents minimal justification of claims. Argument logically, but not thoroughly, supports the purpose. Sources used are credible. Introduction and conclusion bracket the thesis. | Argument shows logical progressions. Techniques of argumentation are evident. There is a smooth progression of claims from introduction to conclusion. Most sources are authoritative. | Clear and convincing argument that presents a persuasive claim in a distinctive and compelling manner. All sources are authoritative. | | |
| Mechanics of Writing (includes spelling, punctuation, grammar, language use) | 5.0% | Surface errors are pervasive enough that they impede communication of meaning. Inappropriate word choice or sentence construction is used. | Frequent and repetitive mechanical errors distract the reader. Inconsistencies in language choice (register), sentence structure, or word choice are present. | Some mechanical errors or typos are present, but they are not overly distracting to the reader. Correct sentence structure and audience-appropriate language are used. | Prose is largely free of mechanical errors, although a few may be present. A variety of sentence structures and effective figures of speech are used. | Writer is clearly in command of standard, written, academic English. | | |
| Format | 5.0% | | | | | | | |
| Paper Format (use of appropriate style for the major and assignment) | 2.0% | Template is not used appropriately or documentation format is rarely followed correctly. | Template is used, but some elements are missing or mistaken; lack of control with formatting is apparent. | Template is used, and formatting is correct, although some minor errors may be present. | Template is fully used; there are virtually no errors in formatting style. | All format elements are correct. | | |
| Documentation of Sources (citations, footnotes, references, bibliography, etc., as appropriate to assignment and style) | 3.0% | Sources are not documented. | Documentation of sources is inconsistent or incorrect, as appropriate to assignment and style, with numerous formatting errors. | Sources are documented, as appropriate to assignment and style, although some formatting errors may be present. | Sources are documented, as appropriate to assignment and style, and format is mostly correct. | Sources are completely and correctly documented, as appropriate to assignment and style, and format is free of error. | | |
| Total Weightage | 100% | | | | | | | |
Project 4: Threat Analysis and Exploitation
Transcript (background):
You are part of a collaborative team that was created to address cyber threats and exploitation of US financial systems critical infrastructure. Your team has been assembled by the White House Cyber National Security Staff to provide situational awareness about a current network breach and cyber attack against several financial service institutions. Your team consists of four roles: a representative from the financial services sector who has discovered the network breach and the cyber attacks. These attacks include distributed denial of service attacks (DDoS), web defacements, sensitive data exfiltration, and other attack vectors typical of this nation-state actor. A representative from law enforcement who has provided additional evidence of network attacks found using network defense tools. A representative from the intelligence agency who has identified the nation-state actor from numerous public and government-provided threat intelligence reports. This representative will provide threat intelligence on the tools, techniques, and procedures of this nation-state actor. A representative from the Department of Homeland Security who will provide the risk, response, and recovery actions taken as a result of this cyber threat. Your team will have to provide education and security awareness to the financial services sector about the threats, vulnerabilities, risks, and risk mitigation and remediation procedures to be implemented to maintain a robust security posture. Finally, your team will take the lessons learned from this cyber incident and share that knowledge with the rest of the cyber threat analysis community. At the end of the response to this cyber incident, your team will provide two deliverables: a situational analysis report, or SAR, to the White House Cyber National Security Staff and an After Action Report and lessons learned to the cyber threat analyst community.
Step 2: Assessing Suspicious Activity
Your team is assembled and you have a plan. It's time to get to work. You have a suite of tools at your disposal from your work in Project 1, Project 2, and Project 3, which can be used together to create a full common operating picture of the cyber threats and vulnerabilities that are facing the US critical infrastructure.
To be completed by all team members: Leverage the network security skills of using port scans, network scanning tools, and analyzing Wireshark files, to assess any suspicious network activity and network vulnerabilities.
Step 3: The Financial Sector
To be completed by the Financial Services Representative: Provide a description of the impact the threat would have on the financial services sector. These impact statements can include the loss of control of the systems, the loss of data integrity or confidentiality, exfiltration of data, or something else. Also provide impact assessments as a result of this security incident to the financial services sector.
Step 4: Law Enforcement
To be completed by the Law Enforcement Representative: Provide a description of the impact the threat would have on the law enforcement sector. These impact statements can include the loss of control of systems, the loss of data integrity or confidentiality, exfiltration of data, or something else. Also provide impact assessments as a result of this security incident to the law enforcement sector. (2 pages)
Step 5: The Intelligence Community
To be completed by all team members: Provide an overview of the life cycle of a cyber threat. Explain the different threat vectors that cyber actors use, and provide a possible list of nation-state actors that have targeted the US financial services industry before. (1-2 pages)
Review this threat response and recovery resource and use what you learned from the resource to provide or propose an analytical method in which you are able to detect the threat, identify the threat, and perform threat response and recovery. Identify the stage of the cyber threat life cycle where you would observe different threat behaviors. Include ways to defend against the threat, and protect against the threat. Provide this information in the SAR and AAR.
To be completed by the Intelligence Community Representative: Provide intelligence on the nation-state actor, their cyber tools, techniques, and procedures. Leverage available threat reporting such as from FireEye, Mandiant, and other companies and government entities that provide intelligence reports. Also include the social engineering methods used by the nation-state actor and their reasons for attacking US critical infrastructure. Include this information in the SAR and AAR.
Step 6: Homeland Security
To be completed by the Homeland Security Representative: Use the US-CERT and other similar resources to discuss the vulnerabilities and exploits that might have been used by the attackers.
Explore the resources for risk mitigation and provide the risk, response, and risk mitigation steps that should be taken if an entity suffers the same type of attack.
To be completed by all team members: Provide a risk-threat matrix and provide a current state snapshot of the risk profile of the financial services sector. These reports will be part of an overall risk assessment, which will be included in the SAR and AAR. (1-2 pages)
Review and refer to this risk assessment resource to aid you in developing this section of the report.
Step 7: The SAR and AAR
All team members: After you compile your research, and your own critical assessments and analysis, determine which information is appropriate for a Security Assessment Report (SAR) that will be submitted to the White House, and an After Action Report (AAR) that will be submitted to the rest of the analyst community.
Prepare your SAR for the White House Cyber National Security Staff, describing the threat, the motivations of the threat actor, the vulnerabilities that are possible for the threat actor to exploit, current and expected impact on US financial services critical infrastructure, the path forward to eliminate or reduce the risks, and the actions taken to defend and prevent against this threat in the future.
Prepare the AAR. This knowledge management report will be provided to the cyber threat analyst community, which includes the intelligence community, the law enforcement community, the defense and civilian community, the private sector, and academia. The purpose of the AAR is to share the systems life cycle methodology, rationale, and critical thinking used to resolve this cyber incident.
The deliverables for this project are as follows:
Security Assessment Report (SAR): This report should be a 14-15 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
After Action Report (AAR): This report should be a 10-15 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
A 5-8 slide PowerPoint presentation for executives, with narration or an in-class presentation by each team member summarizing a portion of your SAR and AAR report.
Project #4: Team Bravo
Security Assessment Report (SAR)
U.S. Critical Infrastructure Cyber Attack & Breach:
Financial Services Sector
CYB 610: Cyberspace and Cybersecurity Foundations
University of Maryland Global Campus
The financial services sector (“FSS”) of many countries has increasingly been targeted by nation-states to advance political, military, and especially, economic motives. Nation-states and their proxies may be able to destabilize national enemies through the use of cyberwarfare. It is necessary to understand nation-state cyberattack patterns to correctly attribute an attack to a nation-state, disincentivize future critical infrastructure attacks, and / or to retaliate. Information sharing and resource leveraging is essential for national security, as is cooperation of many sectors, including the FSS, law enforcement, intelligence agencies, and Homeland Security.
The Financial Sector
Impact of Network Breach and Cyber Attacks on FSS
A successful compromise and subsequent breach of the FSS of the U.S. critical infrastructure would likely wreak havoc on all other U.S. critical infrastructure sectors that rely upon any form of financial messaging; common FSS attacks include distributed denial-of-service (“DDoS”), web defacements, and data exfiltration (See Table 1). It is of utmost importance for financial sector companies and governance to share timely cyber threat information in order to minimize the potential negative impact of a cyberattack on FSS networks. Organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), created pursuant to Presidential Decision Directive 63 (1998) to foster resiliency in the FSS, may be indispensable in aiding the FSS to mitigate risks, to receive timely threat warnings, and to share actionable information between public and private entities (Financial Services Information Sharing and Analysis Center, 2019). FS-ISAC has 7,000 members that are all likely targets of a nation-state cyberattack; members include community banks, credit card companies, securities firms, credit unions, insurance companies, investment banks, bank service providers, and payment processors (Financial Services Information Sharing and Analysis Center, 2019).
Nation-State Advanced Persistent Threat Stages, Attacks, Defenses, & Recovery

| 6 APT Stages | Attacks | Defenses | Recovery |
|---|---|---|---|
| 1. Compromised network: attacker enters through application, email, file, or network vulnerabilities + uploads malware (reverse-engineering / copycats possible) | Malware > 12 months; Watering hole; Minimal footprint; Keyloggers; Screenshots / video; Malware encrypted; Transferred from registry; Phishing domains; Credential stuffing; SQL Injection; Cross-site scripting (XSS); Local file inclusion (LFI); Object Graph Navigation Library (OGNL); Mobile Ad-hoc Networks: buffer overflow, routing table, session hijacking, wormhole | Threat intelligence; Defense-in-depth; Quantitative prediction: CVSS / NVD; Threat / vulnerability / risk assessment; Continuous monitoring; Least privilege; System hardening / Secure coding; Protect interbank payment messages; Logical / physical security (e.g., strong passwords, 2FA, guards, locks, biometrics); Anti-virus software / Logging / auditing; Customer / employee training; Next Generation Firewalls; Air-gap critical systems; Secure mobile ad-hoc networks; Standardized WLAN configurations; Input / error handling; Encryption | Update security policies; POA&M; Trusted third parties; Decrease patch time (e.g., 176 day average patch time for FSS); Business continuity plan; Disaster recovery plan; Consider recovery time / point objectives; Data back-up; Compliance with regulations: Sarbanes-Oxley, SEC, etc.; Natural disasters / equipment failures; Public-Private Partnership; Coordinate international finance regulations; Threat enclaves |
| 2. Malware searches for other network vulnerabilities and awaits instructions from command and control servers | Waits until public holiday; Remote controlled attack; Port scanning | IDS / IPS; Logging / auditing; Segregate networks; Next Generation Firewalls | Update security policies; POA&M |
| 3. Malware searches for other vulnerabilities to compromise if initial attack vector is closed | Administrator privileges; Change firewall rules; Stops warning messages | IDS / IPS; Segregate networks; Next Generation Firewalls; Configuration management | Update security policies; POA&M |
| 4. Target data, including accounts and passwords, are inspected | Password credentials; Authentication bypassed; Operations exposed; Messaging exposed; Bank commands recorded; Interface manipulated; Bypass validity checks | System hardening; Least privilege / Encryption; Data integrity checks; Next Generation Firewalls; Air-gap critical systems; 2FA; Symmetric / asymmetric encryption | Update security policies; POA&M |
| 5. Breached network: malware collects data on staging server and exfiltrates data | Security teams distracted: Ransomware / denial-of-service / DDoS; Proxies obscure identity | Integrity checks; Next Generation Firewalls; Block unusual payment messages; Secure mobile ad-hoc networks | Update security policies; POA&M; Stop data loss / downtime |
| 6. Evidence of attack is removed, but network remains compromised for future attacks | Overwrite Windows Event Logs / Prefetch files; False-flags (e.g., diversionary language); Delete transfer requests; Alter balance reporting | Incident Response Plan; Malware containment; Devolution Plan; Reconstitution Plan; Fusion unit hack-backs; Cloud-based Penetration testing | Update security policies; POA&M; Risk management plan; Business Impact Assessment; Cyberwarrior reserve |

Table 1. Nation-State Advanced Persistent Threat Stages, Attacks, Defenses, & Recovery. Adapted with information from (FireEye, Inc., 2019), (SWIFT, 2019), (SWIFT & BAE Systems, 2017), (Carnegie Endowment for International Peace, 2019), (Ashford, 2019), (Jaganathan, 2019), (Osborne, 2015), (UMGC, n.d.), (Stonefly, 2017), (Stadnik, 2019), (Saraydayran, et al., 2011), (Mirchandani, 2018), (Carr, 2016), (Healey, et al., 2018), (Souppaya, et al., 2012, 2013), (The Web Application Security Consortium, n.d.), (Archer, et al., 2013), & (Pavate, et al., 2014).
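Stage 2 of Table 1 pairs "port scanning" on the attacker side with "IDS / IPS" and "logging / auditing" on the defender side, and Step 2 of the project asks the team to assess suspicious network activity from scan and capture data. The script below is an added example, not code from the paper or from any of the tools or vendors it cites. It shows the simplest form of that detection: read a connection log, count the distinct (host, port) pairs each source touches inside a sliding time window, and alert on sources that exceed a threshold. The log format, the addresses, the port list, the timestamps and the 60-second / 10-port defaults are all constructed assumptions. The sample also includes a slow scanner that spaces its probes two minutes apart, which a 60-second window misses and a one-hour window catches, to show why the window size is a tuning decision and not a constant.

```python
"""Port-scan detection over a connection log (added example, not from the paper).

Counts the distinct (dst_ip, dst_port) pairs each source contacts within a sliding
time window and flags sources whose peak count reaches a threshold. Everything
below (log format, addresses, ports, timestamps, defaults) is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <tcp_flags>"
TARGET = "192.0.2.10"
PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]


def _make_lines(src, start, step, ports):
    """Build constructed log lines: one connection per listed port, `step` apart."""
    return [f"{(start + i * step).isoformat()} {src} -> {TARGET}:{p} SYN"
            for i, p in enumerate(ports)]


SAMPLE_LOG = "\n".join(
    # fast scanner: 12 ports in 12 seconds
    _make_lines("203.0.113.7", datetime(2019, 11, 4, 2, 0, 1), timedelta(seconds=1), PORTS)
    # slow scanner: the same 12 ports, one probe every two minutes
    + _make_lines("203.0.113.9", datetime(2019, 11, 4, 3, 0, 0), timedelta(minutes=2), PORTS)
    # ordinary client: repeated HTTPS plus one HTTP connection
    + _make_lines("198.51.100.5", datetime(2019, 11, 4, 2, 0, 5), timedelta(seconds=10),
                  [443, 443, 80, 443])
)


def parse_line(line):
    """Parse one constructed log line into (timestamp, src_ip, dst_ip, dst_port, flags)."""
    ts, src, _arrow, dst, flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), flags


def detect_port_scans(log_text, window_seconds=60, threshold=10):
    """Return {src_ip: peak distinct (dst_ip, port) count} for sources at or above threshold.

    For each source, a deque holds the events inside the current window and a counter
    tracks how many of those events hit each (dst_ip, port), so a pair is only
    forgotten once every event that touched it has aged out of the window.
    """
    window = timedelta(seconds=window_seconds)
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port, _flags = parse_line(line)
            events_by_src[src].append((ts, dst_ip, port))

    alerts = {}
    for src, events in events_by_src.items():
        events.sort()  # logs are not guaranteed to arrive in time order
        in_window = deque()
        pair_counts = defaultdict(int)
        peak = 0
        for ts, dst_ip, port in events:
            in_window.append((ts, dst_ip, port))
            pair_counts[(dst_ip, port)] += 1
            # age out events older than the window (the current event keeps the deque non-empty)
            while ts - in_window[0][0] > window:
                _old_ts, old_ip, old_port = in_window.popleft()
                pair_counts[(old_ip, old_port)] -= 1
                if pair_counts[(old_ip, old_port)] == 0:
                    del pair_counts[(old_ip, old_port)]
            peak = max(peak, len(pair_counts))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print("60-second window:", detect_port_scans(SAMPLE_LOG))
    print("1-hour window:   ", detect_port_scans(SAMPLE_LOG, window_seconds=3600))
```

With the defaults only the fast scanner (203.0.113.7) is reported; widening the window to an hour also reports the slow scanner (203.0.113.9), while the ordinary client never exceeds two distinct pairs. In a real deployment the same counting would run over firewall or flow logs rather than a constructed string, and the threshold and window would be tuned against the baseline traffic of the monitored segment.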
Since nation-state threats may impact the FSS of any country, organizations like FS-ISAC provide leadership and information sharing with FSS companies worldwide; for example, the central bank of Singapore, the Monetary Authority of Singapore, has entered into an information sharing agreement with the FS-ISAC to create an Asia Pacific Regional Intelligence and Analysis Center to combat cyberattacks (Nandikokur, 2019). According to the Monetary Authority of Singapore, “The objective behind partnering with FSISAC is to bolster the quality and timeliness of cyber threat intelligence received by financial institutions, strengthen cybersecurity risk management and response as well as champion cybersecurity programs and initiatives in the APAC region.” (Nandikokur, 2019). Information from the FS-ISAC has allowed the central bank to establish mandatory guidelines for all financial institutions in Singapore, including requiring patch updates, using security devices, and improving authentication and access controls (Nandikokur, 2019). The potential financial impact of each successful cyberattack on the FSS cannot go unchecked.
FSS firms endure, at a minimum, roughly 1 billion cyber attacks annually, resulting in $16.8 billion in damages in 2017, with a 98% success rate for nation-state actors (Mirchandani, 2018). 8.5% of all data breaches in 2017 were against FSS firms, such as consumer banks, credit card issuers, credit unions, investment banks, mortgage and loan companies, pension funds, and trust administrations; the average cost of a breached FSS record is $336 compared with $225 for other types of business records (Schaffer, 2018). Damages and recovery from FSS data breaches may include revamping network security, fines, consumer lawsuits, identity theft monitoring, harm to business reputation, lost customers, and scathing media coverage (Mirchandani, 2018).
It has been reported that 71% of bank executives prioritize spending on cybersecurity (Melton, 2018); “Even if an attack is not widespread throughout the industry, a cyberattack against one or more financial institutions can prevent customers from accessing their accounts or their funds, thereby causing reputational damage and lack of confidence in the system as a whole…” (Cotney, 2018). FSS data vulnerability may be due to unpatched network vulnerabilities, malware, exploited credentials, spear-phishing to change account IDs or passwords, business corporate account takeovers, and third party vendors (Cotney, 2018). Vigilance, enterprise risk approaches, security agreements with third parties, and customer / employee training are all necessary steps to combat potential nation-state cyberattacks on the FSS (Cotney, 2018). The Industrial Control Systems used by the FSS, such as financial messaging systems, may be prime disruption targets for nation-state cyberattacks.
Nation-states have been targeting the interbank communications and messaging software known as the Society for Worldwide Interbank Financial Telecommunications (“SWIFT”); according to SWIFT, “… a mix of malicious files will often be used, whether that be to acquire credentials or to bypass authentication requirements; to learn how internal operations or messages work; to create distractions and delay local security teams’ responses; or to securely delete log files and other traces of the attacks” (SWIFT, 2019) (See Figure 1). The SWIFT network interconnects over 11,000 institutions globally and annually transmits 7.8 billion financial messages between banks in over 200 countries (SWIFT, 2019). According to the 2017 U.S. Department of the Treasury Annual Report to Congress, “Disruptions to the operations of a key institution in the financial system could be transmitted through these networks and lead to a systemic crisis” (U.S. Department of the Treasury, Office of Financial Research, 2017).
Figure 1. The Cyber Kill Chain. (Lockheed Martin Corporation, 2019).
Problematically, nation-state and non-nation-state actors will often encrypt their malware, making it difficult both to detect the inception of an Advanced Persistent Threat (“APT”) on FSS industrial control systems and to reverse-engineer the malware (SWIFT & BAE Systems, 2017). The SWIFT banking network loses billions of dollars per year to cyber criminals (Mirchandani, 2018). An attacker may only need to exploit a single vulnerability to successfully breach the FSS, whereas a defender must seal off as many vulnerabilities as possible (SWIFT & BAE Systems, 2017). Once a cyberattack alert is sent, it is critical to inform law enforcement as soon as possible; unfortunately, law enforcement has also experienced increased cyberattacks.
Law Enforcement
Impact of Network Breach and Cyber Attacks on Law Enforcement
Network breach and cybersecurity attacks collectively refer to the attempt to expose, alter, disable, destroy, steal, or gain unauthorized access to, or make unauthorized use of, confidential or private data or any other assets (Jensen, 2009). The attacks come in various forms, and they are intended to exploit unauthorized access to data, resources, and information. From the case scenario, the Financial Services Representative (FSR) has identified several network breaches and cyber-attacks, including DDoS attacks, web defacements, sensitive data exfiltration, and others. Notably, these attacks have an effect on the victim as well as on other related agencies, such as the law enforcement agency. They cause loss of system control, loss of data integrity or confidentiality, exfiltration of data, or other harms.
One of the potential effects on the agency is the loss of system controls. Law enforcement agencies have a critical position in the consequences of cyber-attacks and threats; they are often on the forefront of investigations, interdiction, or enforcement. Consequently, they become the target of network threats and attacks. The series “Hawaii Five-O” demonstrates the impact of a cyberattack on the Five-O, a law enforcement agency in Hawaii. In one episode, a hacker accessed the Five-O information system and closed it down, denying the Five-O members access to the security information, financial data, and other essential information for law enforcement. The team lost control of their systems entirely. Consequently, it blocked the opportunity to trace the hacker, who had accessed other financial service infrastructure for malicious reasons. This is but one example of the effects of a network breach and cyber-attack on a law enforcement agency.
Losing control of systems can impact computer-aided dispatching, emergency alert systems, event tracking, the ability to monitor transportation and traffic infrastructure, intelligence dissemination, and operational plans set in motion (Quinn, 2018). APTs against law enforcement may take the form of malware, ransomware (e.g., locking law enforcement out of video evidence), phishing, hacktivism, and “doxing” police officers by releasing home addresses, social security numbers, and sensitive family information (Quinn, 2018). A police chief association describes the situation as “near-constant attack” and recommends training programs, security patches, decommissioning obsolete devices, anti-virus software, least privilege, data back up, and encryption (Quinn, 2018).
Another effect of a data security breach, as demonstrated in the “Hawaii Five-O” episode, is exfiltration of data. The hacker acquires physical access to computers, transfers data, and often destroys the system. For instance, an attacker sneaked into the Five-O headquarters, transferred confidential data, and destroyed their information system while the Five-O task force was away pursuing a criminal investigation. The stolen data is used to accomplish malicious and criminal activities for the benefit of the malicious actor.
Moreover, computer network attacks result in the loss of data integrity or confidentiality. When hackers access the information systems of any institution, whether a law enforcement or financial services agency, they often alter data to fit their purpose. For example, the Pikachu virus and the love bug of the 2000s propagated through infected users by sending themselves to all the users’ contacts in the Outlook address book. The viruses, mainly the love bug, caused damage to the mailing systems of large corporations around the world, causing agencies such as the Pentagon, CIA, the British Parliament, and most large corporations to completely shut down their mail systems (Jensen, 2009). For a law enforcement agency, it would be challenging to trust any incoming data for investigation and enforcement of the law.
DDoS attacks, web defacements, sensitive data exfiltration, and other attack vectors typical of a nation-state actor can strain the financial resources of the law enforcement sector. It can cost the sector billions to restore the systems to normal function; in other words, network breaches and cyber-attacks have a significant impact on the law enforcement sector. Cyberattacks reduce the efficiency of this sector in enforcing laws, conducting criminal investigations, and monitoring malicious actors. When a cyberattack is conducted by a nation-state, it will be essential for local law enforcement to cooperate with regional and national law enforcement, and potentially the military, in order to stop the cyberattack, recover data and system functionality, restore security, and possibly retaliate when there is definitive attribution.
The Intelligence Community
Nation-State Actors, Motivation, Tactics, Techniques, and Procedures
The FSS is often attacked by powerful nation-states, or their proxies, that defy attribution and have unlimited resources. Nation-states may use cyberwarfare as a show of power and sovereignty; “… victories are fought with bits instead of bullets, malware instead of militias, and botnets instead of bombs…” (Geers, et al., 2014). Nation-states with demonstrable capabilities in this arena include China, North Korea, India, Pakistan, Russia, Iran, Syria, Israel, South Korea, and the United States; of note, there have been no known cyberattacks emanating from the European Union (EU) or the North Atlantic Treaty Organization (NATO) (Geers, et al., 2014). Nation-states have various economic, military, and political cyberwarfare motives (Geers, et al., 2014); to date, nation-state attacks on the FSS are believed to originate from China, Iran, Russia, and North Korea (Moon, 2019), though FSS insiders also pose a considerable threat (Randazzo, et al., 2005). Some U.S. lawmakers advocate hacking back via law enforcement or the military (e.g., a cybersecurity reservist system) (Mirchandani, 2018), public-private partnerships (Carr, 2016), and coordinated international finance regulations (Healey et al., 2018).
North Korea, in particular, has been suspected of attacking the FSS and cryptocurrency exchanges of many countries to fund WMD programs, and has already amassed approximately $2 billion from FSS attacks (Schwartz, 2019). Nation-states may hide behind attribution smokescreens to make retaliation politically infeasible, though some behaviors, such as the timing of a cyberattack, may bear the motivational fingerprints of a particular nation-state (See Table 2 and Figure 1). For example, APTs are likely to emerge during international negotiations (Geers, et al., 2014). Proposed “cyber-arms treaties” are thought to be of limited worth, since there may be no effective way of inspecting for prohibited activity in cyberspace (Geers, et al., 2014). Positive attribution depends upon recognizing nation-state tactics, techniques, and procedures (“TTP”) in order to direct any potential retaliation correctly; for example, Asia-Pacific attacks are frequently brute-force, while U.S. attacks are more “surgical” (Geers, et al., 2014) (See Table 3).
Nation-State Cyber Attack Patterns & Cyber Kill Chain
| | People’s Republic of China / North Korea | India / Pakistan | Russia / Eastern Europe | Middle East / Iran / Syria | United States / Israel / South Korea |
|---|---|---|---|---|---|
| Internet Speed Mbps (Mobile Download / Upload / Broadband Download / Upload) | China: 33.49 / 14.28 / 84.63 / 30.32 | India: 10.87 / 4.33 / 29.06 / 25.85; Pakistan: 13.61 / 10.08 / 8.54 / 6.31 | Russia: 21.04 / 9.63 / 50.31 / 53.43 | Iran: 29.13 / 12.33 / 13.36 / 6.24; Syria: 20.21 / 8.62 / 9.99 / 11.73 | United States: 35.02 / 9.96 / 119.09 / 43.66; Israel: 24.07 / 13.44 / 84.35 / 19.12; South Korea: 90.06 / 16.03 / 144.99 / 95.91 |
| Reconnaissance (Cyber Kill Chain Step 1) | Crawling / mailing lists / social networks / watering holes | | HUMINT | Regional mailing lists | HUMINT |
| Weaponization (Cyber Kill Chain Step 2) | Masked exe files / non-exe files / watering holes | Malware | Malicious DOC / XLS files | Malicious PPT / PPS files | Infected removable media |
| Delivery (Cyber Kill Chain Step 3) | Spear-phishing / server / web compromise | | Email attachments | Email attachments | USB |
| Exploitation (Cyber Kill Chain Step 4) | Social engineering / app vulnerabilities / 0-day browser attack | | 0-day app vulnerabilities | Social engineering / mouse clicks | Social engineering / USB |
| Installation (Cyber Kill Chain Step 5) | Feature-rich Remote Access Trojan (RAT) (requires operator) | | Feature-rich RAT with encrypted modules | RAT / rudimentary tools | Crypto-keyed, targeted worm (no operator, automatic lateral movement) |
| Command and Control (C2) (Cyber Kill Chain Step 6) | HTTP with embedded, standard (e.g., XOR) / custom encodings / manipulate OS / disable anti-virus software | | HTTP with custom embedded encoding / encryption | HTTP / hiding in plain sight | Single use / fully encrypted |
| Objectives (Cyber Kill Chain Step 7) | Economic espionage / intelligence / APT / R&D data | | Intelligence | Intelligence / denial-of-service | Intelligence / system disruption |
| TTP | Comment Crew bureaucracy: brute-force hacking; Dark Seoul Gang (North Korea): DDoS with political motives on dates of historical significance; Malware: Taidoor / Seinup | Pakistani Cyber Army: malware | Red October: spying on former Soviet Union citizens, embassies, military, critical infrastructure using “Sputnik” software; “False flags” to misdirect attribution | Mahdi: novelty, creativity, and deception to attack Israeli targets; Malicious Word / PowerPoint files / PDFs / games / animations; Iran: “Cutting Sword of Justice” / Cyber Army; Syrian Electronic Army (SEA) | Stuxnet / Flame / Duqu / Gauss; Heavy financial investment / sophistication / legal oversight / defense contractor base |
Table 2. Nation-State Cyber Attack Patterns & Cyber Kill Chain. Adapted with information from (Geers, et al., 2014), (SpeedTest, 2019), & (Lockheed Martin Corporation, 2019).
Nation-State Cyber Offense & Defense
| | People’s Republic of China / North Korea | India / Pakistan | Russia / Eastern Europe | Middle East / Iran / Syria | United States / Israel / South Korea |
|---|---|---|---|---|---|
| Offense | U.S.: Nuclear espionage / F-35 plans / Google / Intel / RSA SecurID / Lockheed Martin / Northrop Grumman (e.g., Operation Beebus) / Morgan Stanley / Chamber of Commerce / N.Y. Times / gas pipelines; Europe: UK House of Commons / UK businesses; India: reliance on Chinese hardware / Navy; South Korea: Government / Internet portals; Japan: Government / military / high-tech networks; Australia: Australian Security Intelligence Organization; Bangladesh: North Korea allegedly steals $1 billion from Bangladesh Bank in 2016 using automated toolkit attack on SWIFT systems; Indonesia, Malaysia, Singapore, Thailand, and Vietnam: telecommunications & banks | India: Pakistani malware infects music service / India Central Bureau of Investigation / India government; Pakistan: India “Operation Hangover” attack on Pakistani IT, mining, automotive, legal, engineering, military, and financial services | Chechnya: websites; Estonia: DDoS attack; Georgia: military invasion; U.S.: USB attack on CENTCOM / “Climategate” | Saudi Arabia: Iran uses “Shamoon” virus to attack Aramco (oil), 75% of data deleted and replaced with image of burning American flag; U.S.: Izz ad-Din al-Qassam “Operation Ababil” DDoS attacks on financial institutions / NYSE / Marine Corps 1 plans / Twitter; China: attack on Baidu search engine; Netherlands: Dutch certificate signing authority; Qatar: SEA DDoS hack of Al-Jazeera; Israel: alleged SEA attack on water supply | Syria: Israel disables air defense networks to facilitate nuclear facility destruction; Iran: Stuxnet shut down Iranian nuclear enrichment (compromised as few computers as possible) / payload decrypted only on target device |
| Defense | U.S. / Taiwan: China Aerospace Science & Industry Corporation attacked with spyware; U.S. / South Korea: Key Resolve alleged attack on North Korea / North Korea disconnecting critical servers from internet; Chinese military creating cyber warfare units | India: Pakistani attack on music service / Central Bureau of Investigation / government; Pakistan: India “Operation Hangover” attack | Russia: Buying old-fashioned typewriters; Russian military creating cyber-warfare units | U.S. / Israel: Stuxnet attack on Iran nuclear program | Russia / Hamas / Hezbollah: DDoS attack on Israeli “Home Front Command” during Gaza operation (15 million junk mail deliveries per second); Iraq: disruption of Predator drone live video feed; U.S. military cyber warfare units |
Table 3. Nation-State Cyber Offense & Defense. Adapted with information from (Geers, et al., 2014) & (Carnegie Endowment for International Peace, 2019).
Cyber warfare attack techniques include infected USB media, malware that surreptitiously records all computer activity, Bluetooth data exfiltration, encrypted code that decrypts only on a unique target device, zombies, botnets, denial-of-service attacks, services-for-hire, and “false flags” in which a nation-state disguises nefarious activity to look like the pattern of another entity (Geers, et al., 2014). Digital forensics techniques may be used to establish the TTP used by various nation-states, which may later support attribution; “The best chance to pierce this veil comes with the skillful blending of forensic back-hacking techniques with deep knowledge of others’ strategic cultures and their geopolitical aims…” (Geers, et al., 2014). For example, North Korea has been suspected of repeatedly targeting the SWIFT messaging system, automated teller machines, and interbank payment switch applications (Ashford, 2019) (See Figure 2). Nation-state cyberwarfare against critical infrastructure may negatively impact national security and resiliency (U.S. Department of Homeland Security, 2013).
Figure 2. Cyber-attack on financial services critical infrastructure sector (Swift & BAE Systems, 2017).
Critical Infrastructure & Policy
U.S. critical infrastructure is defined as “… systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” (U.S. Department of Homeland Security, 2013) (See Table 4). The FSS of any country is an attractive target since financial infrastructure supports other critical infrastructure areas, including emergency services and defense (Geers, et al., 2014). The U.S. Department of the Treasury is the Sector-Specific Agency governing the U.S. FSS (U.S. Department of Homeland Security, n.d.); in anticipation of a cyberattack on the FSS, a plan has been prepared that addresses risk management, partners, strategy, and sector goals, including information sharing, best practices, incident response and recovery, and policy support, as well as methods to measure effectiveness (U.S. Department of the Treasury, et al., 2015). It is important to build a secure and resilient FSS with appropriate risk management to mitigate the impact of an impending nation-state cyberattack that exploits FSS vulnerabilities; quantitative risk assessment may help to allocate limited resources and share information.
U.S. Critical Infrastructure Risk Management & Policies
| Risk Management Framework | 2013 Presidential Policy Directive 21, Critical Infrastructure Security and Resilience (PPD-21) | NIPP 2013: Partnering for Critical Infrastructure Security and Resilience (National Plan) | 2013 Executive Order 13636: Improving Critical Infrastructure Cybersecurity | PPD-8, National Preparedness; Presidential Decision Directive 63 (PDD-63) | 2013 Climate Action Plan | 2013 National Strategy for Information Sharing and Safeguarding (NSISS) |
|---|---|---|---|---|---|---|
| Human / physical / cyber; Set goals, identify infrastructure, assess risks, manage risks, check effectiveness; Information sharing | 16 sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste, Transportation, Water and Wastewater Systems, and Financial Services; Security = physical / cyber; Resilience = adapt / withstand / recover rapidly; Risk = unwanted outcome from threats / vulnerabilities; Risk management = controlling risk; Partnership = cooperation of parties with common interests | Manage physical / cyber risks through collaboration. Goals: 1) Assess threats / vulnerabilities; 2) Reduce risk with cost-benefit analysis; 3) Advance planning and rapid recovery; 4) Share information; 5) Advance learning post-incidents. Coordinate risk; promote cross-sector interdependencies; information sharing; local & regional partnership building; international collaboration; build security into networks, assets, & systems | Goals: Federal adoption of a technology-neutral cybersecurity framework; best practices for cybersecurity; information sharing; civil liberty and privacy protection | Goal: National security & resiliency against the strongest threats & risks. PDD-63: Creates FS-ISAC to improve resilience of the financial services sector | Goal: Protecting critical infrastructure from the potential impacts of climate change | Goal: Timely information sharing |
Table 4. U.S. Critical Infrastructure Risk Management & Policies. Adapted with information from (U.S. Department of Homeland Security, 2013) & (Financial Services Information Sharing and Analysis Center, 2019).
Quantitative Risk Assessment
One of the best-known methods to quantitatively assess risk may be the Common Vulnerability Scoring System (CVSS) (Jaganathan, et al., 2015), applied to the latest vulnerability entries in the National Vulnerability Database (“NVD”) (NIST, 2019). The NVD currently contains 127,741 CVE Vulnerabilities and 249 US-CERT Alerts, with thousands of new CVEs reported annually (NIST, 2019). The CVSS “… base group highlights the qualities of vulnerability that are unchanged over time and user. The temporal group covers the characteristics of vulnerability over time and the environmental group highlights the specific user environment…” (Jaganathan, et al., 2015); CVSS severity ratings are low, medium, high, and critical (NIST, 2019). Vulnerabilities are also broken down into categories including configuration, credentials management, cryptographic issues, and improper authentication / authorization (NIST, 2019).
Another quantitative metric that may be used to gauge risk is the “time to compromise” a network (Hughes, et al., 2013). Time to compromise depends on the extent of vulnerabilities present in a network; which vulnerabilities surface depends upon system susceptibility, threat accessibility, and threat capability (Hughes, et al., 2013). Unfortunately, it is not enough merely to quantify risk; identified vulnerabilities must be promptly remedied.
In the “2015 State of Vulnerability Risk Management” report, 65,000 known security vulnerabilities were studied over 20 years, and it was found that it takes an average of 176 days to patch discovered FSS security vulnerabilities, which gives a nation-state ample time to exploit FSS targets and destabilize critical infrastructure (Osborne, 2015). Many of the top vendors, including Adobe, Java, Microsoft, Oracle, and Sun, have vulnerable platforms that are used throughout the FSS (Osborne, 2015). Effective disaster plans may protect data and preserve business operations with minimal downtime, regardless of whether vulnerabilities are patched in time.
Disaster Recovery and Business Continuity
Disaster planning and business continuity planning generally require threat analysis (e.g., nation-state attack, natural disaster), determining the appropriate hardware / software requirements, having a security policy governing access, repeatedly testing the plan, and creating a resilient failover system (BizTech Staff, 2018). The recovery time objective must be understood; it covers application recovery time from the onset of a disaster until users are back online, while the recovery point objective is measured backwards from disaster onset to the last point to which data can be restored (Stonefly, 2017). Disaster recovery and business continuity plans may meet the demand for “always-on operations”, but must also comply with regulations, including Sarbanes-Oxley and Gramm-Leach-Bliley (Stadnik, 2019). Disaster planning may include upgrading traditional network security to the latest effective hardware and software.
In addition to next-generation firewalls, IDS / IPS, and biometrics, a non-negotiable defense is encryption for data at rest and in transit. Encryption may be symmetric (the same key encrypts and decrypts) or asymmetric (a public key and a private key related by a mathematical algorithm, used in public key infrastructure and digital certificates) (UMGC, n.d.). Examples of symmetric encryption include the Advanced Encryption Standard (AES) and Triple DES; an example of asymmetric encryption is Pretty Good Privacy (UMGC, n.d.). In the event of a data breach, Homeland Security may advise on potential risk management and incident response.
Homeland Security
The Department of Homeland Security was first created after the terrorist attacks of 9/11, “to oversee and coordinate a comprehensive national strategy to safeguard the United States against terrorism and to respond to any future attacks” (Kemp, 2012). Today, the mission of DHS has broadened and been modified to include a clearer vision of the agency’s ultimate goal: safeguarding American citizens and the country.
The Financial Sector and National Security
Financial institutions are among the Section 9 entities, which are defined by DHS as “companies that provide services so vital to the functioning of the economy that a successful cyberattack could reasonably result in catastrophic regional or national effects on public health, safety, economic security, or national security.” These institutions are susceptible to cyberattacks carried out by foreign adversaries. The main reason financial institutions are targeted is that this sector is considered the motor of a nation, and a successful attack could affect the entire United States and even have global, catastrophic consequences. As Homeland Security Representatives, it’s our mission to ensure that financial institutions have the necessary cybersecurity controls to ensure the nation’s safety.
Securing cyberspace is a national critical infrastructure priority. According to Barney et al. (2018), financial services firms are more susceptible to cybersecurity attacks, being victimized 300 times more frequently than other businesses and attacked an average of 1 billion times per year. The main cyberattacks targeting financial institutions are ransomware, denial of service, phishing, social engineering, and malware.
Vulnerability and Risk Management
Homeland Security Representatives have proposed conducting a risk assessment with the goal of capturing vulnerabilities discovered during the control implementation, security assessment, and patching or assessment activities throughout the lifecycle of the systems. The findings are then assessed for applicability, mitigations, impact, and residual risk.
It was found that the financial institutions lacked a proper Information Assurance (IA) program. The IA team oversees the management of vulnerabilities and ensures the confidentiality, integrity, and availability of the information systems. Risk, once a vulnerability is found, is the likelihood of that vulnerability being exploited. The organization’s IA program rates vulnerabilities in the information systems as Very Low, Low, Moderate, High, or Very High, depending on the risk each represents. The IA team should have had guidelines in place for what to do when a vulnerability is discovered. A decision has to be made: accept, mitigate, transfer, or eliminate the risk. If the vulnerability is going to be accepted, there has to be substantiating information on why it needs to be accepted.
The IA program is in place, but a lack of training and follow-up has caused it to fail. As part of the assessment conducted, it was concluded that the vulnerability used by the attackers was, indeed, a Very High vulnerability previously identified by an IA team. Multiple vulnerabilities, including High and Very High ones, were found that had been present in the information systems for a period of a year. The team failed to address these vulnerabilities within the standard days established; they were simply dismissed and forgotten. A Very High vulnerability should never be accepted, especially one that has the power to affect the financial sector. If it cannot be eliminated, the team should move to mitigate the impact of the vulnerability, which can reduce it from a Very High to a Moderate or Low risk, one that the company could accept. If the risk had been accepted, the system owner should have created the proper documentation for risk acceptance and had it approved by the appropriate authority (See Table 5).
Table 5. Risk matrix: likelihood of threat event resulting in event initiation (adversarial) (NIST, 2012).
Furthermore, it is essential that rigorous monthly vulnerability scans are conducted and that they are correctly configured. The scans should cover all assets, including the entire IP space. Once the results are generated, they should be provided to the owner of the system to address the vulnerabilities found. The system owner needs to apply the necessary patches or act to eliminate the vulnerability through group policies, configuration changes, software replacement, or other means. If a vulnerability cannot be fixed at the moment, a feasible Plan of Action and Milestones (POA&M) needs to be created. It needs to include the mitigation factors that have been implemented, the actions that will take place, a completion date by which the vulnerability will be remediated, and supporting documentation. This process was found to be broken: it was not being followed, and even less was it monitored.
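The accept / mitigate / transfer / eliminate decision and the POA&M record described in the two paragraphs above can be enforced mechanically rather than left to memory. The following Python is an added example, not the paper's or any agency's process code: it rates each finding on a likelihood-by-impact matrix in the style of the NIST SP 800-30 qualitative tables (the exact cells and the per-level remediation deadlines are assumptions, since the paper does not give its "standard days"), refuses to accept a Very High risk, requires a written justification and an approving authority for any other acceptance, and otherwise produces a POA&M entry with a due date and a count of days already overdue. The findings it processes are constructed sample data.

```python
"""Vulnerability triage as the paper's IA process describes it (added example;
not the paper's or any agency's code).  RISK_MATRIX and SLA_DAYS are assumed
placeholders to be replaced by the organisation's adopted tables.
"""
from datetime import date, timedelta

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumed likelihood x impact matrix (rows = likelihood, columns = impact in
# LEVELS order).  Replace with the organisation's adopted NIST SP 800-30 table.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "Very High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High",      "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate",  "High"],
    "Low":       ["Very Low", "Low", "Low",      "Low",       "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",  "Low"],
}

# Assumed remediation deadlines in days per risk level (placeholders).
SLA_DAYS = {"Very High": 15, "High": 30, "Moderate": 90, "Low": 180, "Very Low": 365}


def rate_risk(likelihood, impact):
    """Look up the qualitative risk level for a likelihood/impact pair."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def decide(finding, today):
    """Produce the disposition record for one finding.

    A Very High risk is never accepted.  Any other acceptance needs a written
    justification and an approving authority.  Everything not accepted gets a
    POA&M entry with a due date derived from discovery date plus SLA, and the
    number of days it is already overdue.
    """
    risk = rate_risk(finding["likelihood"], finding["impact"])
    record = {"id": finding["id"], "risk": risk, "disposition": "POA&M"}
    accept = finding.get("accept")
    if accept is not None:
        if risk == "Very High":
            record["reason"] = "Very High risk may not be accepted; mitigate or eliminate"
        elif not accept.get("justification") or not accept.get("approved_by"):
            record["reason"] = "acceptance needs justification and approving authority"
        else:
            record["disposition"] = "accepted"
            record["approved_by"] = accept["approved_by"]
            return record
    due = finding["discovered"] + timedelta(days=SLA_DAYS[risk])
    record["due"] = due
    record["overdue_days"] = max(0, (today - due).days)
    return record


def triage(findings, today):
    """Dispose of every finding; returns records keyed by finding id."""
    return {f["id"]: decide(f, today) for f in findings}


# Constructed sample findings (ids, dates and justifications are illustrative).
SAMPLE_FINDINGS = [
    {"id": "F-1", "likelihood": "High", "impact": "Very High",
     "discovered": date(2018, 9, 1),
     "accept": {"justification": "legacy platform", "approved_by": "CIO"}},
    {"id": "F-2", "likelihood": "Moderate", "impact": "Moderate",
     "discovered": date(2019, 8, 1),
     "accept": {"justification": "compensating network segmentation", "approved_by": "CISO"}},
    {"id": "F-3", "likelihood": "Low", "impact": "High",
     "discovered": date(2019, 8, 22)},
    {"id": "F-4", "likelihood": "High", "impact": "High",
     "discovered": date(2019, 7, 23),
     "accept": {"justification": "vendor patch pending"}},
]


def demo():
    """Run the sample findings against a fixed 'today' for reproducibility."""
    return triage(SAMPLE_FINDINGS, date(2019, 9, 1))


if __name__ == "__main__":
    for rec in demo().values():
        print(rec)
```

F-1 is the case the paper describes: a year-old Very High finding that someone tried to accept; the record rejects the acceptance and shows it hundreds of days past its deadline, which is exactly the signal a monthly review should be raising.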
Incident Response
As stated by Mansfield-Devine (2017), “organizations need to adopt a cyber-security posture that embraces both strong preventative measures along with the ability to respond effectively if the worst happens.” When the measures taken to avoid risks fail and a successful cyberattack takes place, addressing the situation in a timely and organized manner is crucial. Financial institutions need to have an up-to-date incident response plan, and personnel need to be trained and capable of implementing it when necessary. According to Cichonski, et al. (2012), the incident response process has four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity (See Figure 3).
Figure 3. Incident response lifecycle (NIST, 2012).
The first step for a successful incident response plan is preparation. For this, appointed team members work on incident response plan management, including the assignment of roles and responsibilities. This is followed by tabletop exercises, attended by experts from different IT areas and leadership within the company. The exercises cover different scenarios affecting the different networks. Their goal is to gain a clear picture of the status of the different systems, how communication would be handled if a system fails, and how prepared the team is to handle the different situations. At the end of each meeting, it is decided whether or not the company is adequately prepared and what actions are needed to get it where it should be. These actions may include personnel training, creation of SOPs, technical implementations, equipment replacement, and simulations.
The question to ask is not whether an incident will occur but whether the company is prepared to react. Once a cyber incident occurs, the next step is detection and analysis. In this phase, a cybersecurity team uses tools like IDPS, SIEMs, file integrity checking software, and security logs for detection. Once the threat is successfully detected and validated, the scope of the incident is determined, including an initial assessment of affected systems, data, origin, and methods.
The containment, eradication, and recovery steps follow. Acting in a timely manner is crucial in this phase. The affected information systems may need to be disconnected from the network to contain the damage. Afterward, when the cause is determined, the threat needs to be completely removed from the information systems and the network. Once it is removed, it is essential to validate that the systems are free of corruption or any indication of damage. Actions like account management and patch application may happen in this phase.
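Among the detection tools listed above, file integrity checking is simple enough to show end to end. The Python below is an added example, not code from the paper or from any product: it records a baseline of SHA-256 digests for every file under a directory, later walks the same tree again and reports files that were modified, added, or removed. The directory and its files are constructed in a temporary location for the demo; in production the baseline would be stored off-host (and signed) so that whoever alters a file cannot also alter its recorded digest.

```python
"""File-integrity baseline and comparison (added example; not the paper's code).

Builds a manifest of SHA-256 digests for a directory tree and diffs a later
manifest against it.  The demo tree and its contents are constructed data.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each file's path relative to root -> SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare(old, new):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return modified, added, removed


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a sample tree, baseline it, alter it, and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "bin", "transfer"), b"#!/bin/sh\necho ok\n")
        _write(os.path.join(root, "config.ini"), b"[gateway]\nendpoint=internal\n")
        before = baseline(root)
        # Simulated drift: a binary changes, a config vanishes, a new file appears.
        _write(os.path.join(root, "bin", "transfer"), b"#!/bin/sh\necho changed\n")
        os.remove(os.path.join(root, "config.ini"))
        _write(os.path.join(root, "bin", "helper"), b"#!/bin/sh\necho helper\n")
        return compare(before, baseline(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("removed: ", removed)
```

A manifest diff only tells you that something changed; deciding whether a change was an authorized patch or tampering still needs the change-management record, which is why the paper pairs this tool with SIEM correlation and security logs.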
The last step of the cycle before repeating is post-incident activity. This is mainly recognizing lessons learned from the incident. The team gathers all the information available, including the challenges encountered. The information compiled during this phase will be essential for the preparation phase to be better equipped to respond to future incidents. Research conducted by Grispos, et al., (2017) determined that many organizations that had security incidents failed to use the information as learning experiences; information obtained after an incident is unique and may benefit the organization.
Recommendations
Barney et al. (2018) concluded that "with the threat landscape constantly evolving in this industry, financial institutions can never be too prepared to address new emerging cyber risks." After summarizing the information gathered from the security incident, Homeland Security Representatives have recommendations for the FSS in order to mitigate future cyberattacks (See Tables 6 and 7).
| US-CERT Best Practices to Mitigate Breach Risk |
|---|
| Block all SMB protocols, as well as TCP ports 139 and 445 and UDP port 137. |
| Block Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices. |
| Monitor VPNs for abnormal activity. |
| Segment critical networks and systems from business systems. |
| Use only PowerShell v. 5 with advanced logging. |
| Block external access for admin accounts. |
| Implement two-factor authentication. |
Table 6. US-CERT Best Practices to Mitigate Breach Risk (Wayne, 2018)
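As an added example (not code from the paper or from US-CERT), the Python below turns three of the Table 6 practices into a check that can be run over border logs: it flags allowed SMB / NetBIOS flows (TCP 139, TCP 445, UDP 137) that cross between internal RFC 1918 space and the outside, WebDAV methods seen at the border in proxy-style lines, and administrative logins arriving from external addresses. The log format, the log lines and the administrative account names are constructed for this example; a real deployment would adapt the regular expressions to its firewall, proxy and VPN appliances' own formats.

```python
"""Border-log check for three US-CERT practices from Table 6 (added example;
not code from the paper or from US-CERT).  Log format and lines are constructed;
adapt the regular expressions to real firewall / proxy / VPN output.
"""
import ipaddress
import re

# RFC 1918 space counts as "inside"; any flow between inside and outside crosses the border.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports named in the US-CERT practice: SMB over TCP 139/445, NetBIOS name service UDP 137.
SMB_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137)}
# HTTP methods that only WebDAV clients issue.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Accounts that must never authenticate from outside (assumed names).
ADMIN_ACCOUNTS = {"admin", "administrator", "root"}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: method=(?P<method>[A-Z]+))?$")
LOGIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>[\d.]+)$")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_line(line):
    """Return the name of the practice a log line violates, or None."""
    m = FLOW_RE.match(line)
    if m:
        if m["action"] != "ALLOW":
            return None  # a denied flow is the control working as intended
        crosses_border = is_internal(m["src"]) != is_internal(m["dst"])
        if crosses_border and (m["proto"], int(m["dport"])) in SMB_PORTS:
            return "smb-netbios-at-border"
        if crosses_border and m["method"] in WEBDAV_METHODS:
            return "webdav-at-border"
        return None
    m = LOGIN_RE.match(line)
    if m and m["user"].lower() in ADMIN_ACCOUNTS and not is_internal(m["src"]):
        return "external-admin-login"
    return None


def audit(lines):
    """Return (rule, line) pairs for every violating line, in input order."""
    hits = []
    for line in lines:
        rule = check_line(line.strip())
        if rule:
            hits.append((rule, line.strip()))
    return hits


# Constructed sample log; external addresses are from documentation ranges.
SAMPLE_LOG = """
2019-08-01T10:00:01 fw01 ALLOW TCP 10.1.2.3:51000 -> 203.0.113.7:445
2019-08-01T10:00:05 fw01 ALLOW UDP 10.1.2.9:137 -> 198.51.100.4:137
2019-08-01T10:01:00 fw01 ALLOW TCP 10.1.2.3:51001 -> 10.1.5.20:445
2019-08-01T10:02:00 fw01 DENY TCP 10.1.2.3:51002 -> 203.0.113.7:139
2019-08-01T10:03:00 proxy01 ALLOW TCP 10.1.2.3:51003 -> 203.0.113.7:80 method=PROPFIND
2019-08-01T10:04:00 proxy01 ALLOW TCP 10.1.2.3:51004 -> 203.0.113.7:443 method=GET
2019-08-01T10:05:00 vpn01 LOGIN user=Administrator src=198.51.100.77
2019-08-01T10:06:00 vpn01 LOGIN user=jdoe src=198.51.100.78
2019-08-01T10:07:00 vpn01 LOGIN user=admin src=10.1.2.50
""".strip().splitlines()

if __name__ == "__main__":
    for rule, line in audit(SAMPLE_LOG):
        print(rule, "<-", line)
```

Internal SMB between two inside hosts and a denied flow both pass, which is deliberate: the practice is about the border, and a DENY line is evidence that the block is in place rather than an alert.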
| Homeland Security Representative Security Recommendations for FSS |
|---|
| Better oversight of the IA / cybersecurity programs is needed to ensure that vulnerabilities are identified and addressed. |
| Legacy systems no longer supported by the vendors should be decommissioned and replaced by newer equipment. |
| Apply patches to address known and emerging vulnerabilities. |
| Employee training, including basic cybersecurity awareness for all employees and technical training for IT personnel. Cybersecurity is the responsibility of all company employees. Mandatory yearly training in basic cybersecurity awareness could reduce the risk of breach by reducing incidents like phishing and social engineering. It is important that IT personnel are trained and capable of performing their duties, as well as up to date on new cyber trends. |
| A strong company cybersecurity culture is vital to achieving the confidentiality, integrity, and availability of our information systems. |
Table 7. Homeland Security Representative Security Recommendations for FSS.
Conclusion
National critical infrastructure sectors are interdependent upon one another; the FSS underpins the functioning of all critical infrastructure sectors. Unfortunately, the FSS is increasingly the target of sophisticated cyberattacks from various threats, including nation-states, in order to destabilize enemies and advance the interests of the attacker. It may be possible to determine the source of a cyberattack using nation-state TTP, possibly discouraging potential attacks via retaliation. It is vital to establish and continuously monitor secure networks in order to mitigate the risk of critical infrastructure breach. The efforts of many interested sectors, including financial services, law enforcement, intelligence agencies, and Homeland Security, are necessary to protect critical infrastructure, mitigate risk, and effectively respond to inevitable cyberattacks.
References
Archer, D. W. & Wick, A. (2013, July). Peer-to-peer enclaves for improving network defense
[sic]. Retrieved from https://timreview.ca/article/701
Ashford, W. (2019, July 31). Financial services top cyber attack target. Retrieved from
https://www.computerweekly.com/news/252467639/Financial-services-top-cyber-attack
-target
BizTech Staff. (2018, October 11). 5 ways banks can bulk up disaster recovery. Retrieved from
https://biztechmagazine.com/article/2018/10/5-ways-banks-can-bulk-disaster-recovery
Carnegie Endowment for International Peace. (2019). Timeline of cyber incidents involving
financial institutions. Retrieved from https://carnegieendowment.org/specialprojects
/protectingfinancialstability/timeline
Carr, M. (2016). Public–private partnerships in national cyber-security strategies. International
Affairs, 92(1), 43-62. Retrieved from https://www.chathamhouse.org/sites/default/files
/publications/ia/INTA92_1_03_Carr.pdf
Cotney, D. (2018, November 20). Perspective: financial sector at risk as cyber foes target
critical infrastructure. Retrieved from https://www.hstoday.us/subject-matter
-areas/infrastructure-security/perspective-financial-sector-at-risk-as-cyber-foes-
target-critical-infrastructure/
Financial Services Information Sharing and Analysis Center. (2019). Who we are. Retrieved
from https://www.fsisac.com/who-we-are
FireEye, Inc. (2019). Anatomy of Advanced Persistent Threats. Retrieved from
https://www.fireeye.com/current-threats/anatomy-of-a-cyber-attack.html
Geers, K., Kindlund, D., Moran, N., & Rachwald, R. (2014). World war c: understanding
nation-state motives behind today’s advanced cyber attacks. Retrieved from
https://www.fireeye.com/content/dam/fireeye-www/global/en/currentthreats/pdfs
/fireeye-wwc-report.pdf
Healey, J., Mosser, P., Rosen, K., & Tache, A. (2018). The Future of Financial Stability and Cyber Risk. The Brookings Institution Cybersecurity Project, October. Retrieved from https://www.brookings.edu/wp-content/uploads/2018/10/Healey-et-al_Financial-Stability-and-Cyber-Risk.pdf
Hughes, J., & Cybenko, G. (2013). Quantitative metrics and risk assessment: The three tenets model of cybersecurity. Technology Innovation Management Review, 3(8). Retrieved from https://timreview.ca/sites/default/files/article_PDF/HughesCybenko_TIM
Review_August2013.pdf
Jaganathan, V., Cherurveettil, P., & Muthu Sivashanmugam, P. (2015). Using a prediction model to manage cyber security threats. The Scientific World Journal, 2015. Retrieved from https://www.hindawi.com/journals/tswj/2015/703713/
Jensen, E. T. (2009). Cyberwarfare and precautions against the effects of attacks. Tex. L., Rev., 88, 1533. Retrieved from https://digitalcommons.law.byu.edu/cgi/viewcontent.cgi?
article=1224&context=faculty_scholarship
Lockheed Martin Corporation. (2019). The cyber kill chain. Retrieved from https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Melton, M. (2018, May 21). Cybersecurity still keeps bank execs up at night. Retrieved from https://bankinnovation.net/allposts/biz-lines/payments/cybersecurity-still-keeps-bank-execs-up-at-night/
Mirchandani, B. (2018, August 28). Laughing all the way to the bank: cybercriminals targeting U.S. financial institutions. Retrieved from https://www.forbes.com/sites/bhaktimir
chandani/2018/08/28/laughing-all-the-way-to-the-bank-cybercriminals-targeting-us-financial-institutions/#434798c06e90
Moon, A. (2019, March 27). Report finds rise in state-sponsored cyber attacks on financial firms. Retrieved from https://www.insurancejournal.com/news/international/
2019/03/27/521824.htm
Nandikokur, G. (2019, August 8). Singapore sets cybersecurity requirements for banks. Retrieved from https://www.bankinfosecurity.asia/singapore-sets-cybersecurity-requirements-for-banks-a-12891
National Institute of Standards and Technology, U.S. Department of Commerce. (2019). National Vulnerability Database NVD Dashboard. Retrieved from https://nvd.nist.
gov/general/nvd-dashboard
National Institute of Standards and Technology, U.S. Department of Commerce. (2019). NVD CWE Slice. Retrieved from https://nvd.nist.gov/vuln/categories
Osborne, C. (2015, June 2). Financial sector takes up to 176 days to patch security flaws. Retrieved from https://www.zdnet.com/article/financial-sector-takes-176-days-on-average-to-patch-security-vulnerabilities/
Pavate, A. & Nerurkar, P. (2014, February). Performance analysis of cloud based penetration testing tools. International Journal of Engineering Research & Technology, 3(2). Retrieved from https://content.umuc.edu/file/6aa8bfb8-7053-4fed-94f6-2547e454c501/1/web/viewer.html?file=https://content.umuc.edu/file/78786842-34dd-4b71-adf9-c874d276102e/1/PerformanceAnalysisofCloudBasedPenetrationTesting
Tools.pdf
Quinn, C. (2018). The Emerging Cyberthreat: Cybersecurity for Law Enforcement. Police Chief online. Retrieved from https://www.policechiefmagazine.org/the-emerging-cyberthreat-cybersecurity/
Randazzo, M. R., Keeney, M., Kowalski, E., Cappelli, D. M., & Moore, A. P. (2005). Insider threat study: Illicit cyber activity in the banking and finance sector. Retrieved from https://kilthub.cmu.edu/articles/Insider_Threat_Study_Illicit_Cyber_Activity_in_the_Banking_and_Finance_Sector/6574517
Saraydayran, J., Benali, F., & Paffumi, L. (2011). A Survey on new Threats and Countermeasures on Emerging Networks. Intrusion Detection Systems, 195. Retrieved from http://cdn.intechweb.org/pdfs/14364.pdf
Schaffer, P. (2018, March 20). The cost of a cybersecurity breach for financial institutions. Retrieved from https://www.itspmagazine.com/from-the-newsroom/the-cost-of-a-cybersecurity-breach-for-financial-institutions
Schwartz, M. J. (2019, August 7). North Korean hacking funds WMD programs, UN report warns. Retrieved from https://www.bankinfosecurity.com/north-korean-hacking-funds-wmd-programs-un-report-warns-a-12884
Souppaya, M. & Scarfone, K. (2013, July). Guide to malware incident prevention and handling for desktops and laptops [Special Publication 800-83, Revision 1]. National Institute of Standards and Technology, U.S. Department of Commerce. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf
Souppaya, M. & Scarfone, K. (2012, February). Guidelines for securing wireless local area networks (WLANs) [Special Publication 800-153]. National Institute of Standards and Technology, U.S. Department of Commerce. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-153/final
SpeedTest. (2019, June). SpeedTest Global Index China. Retrieved from https://www.speedtest.net/global-index/china
SpeedTest. (2019, June). SpeedTest Global Index India. Retrieved from https://www.speedtest.net/global-index/india
SpeedTest. (2019, June). SpeedTest Global Index Iran. Retrieved from https://www.speedtest.net/global-index/iran
SpeedTest. (2019, June). SpeedTest Global Index Israel. Retrieved from https://www.speedtest.net/global-index/israel
SpeedTest. (2019, June). SpeedTest Global Index Pakistan. Retrieved from https://www.speedtest.net/global-index/pakistan
SpeedTest. (2019, June). SpeedTest Global Index Russia. Retrieved from https://www.speedtest.net/global-index/russia
SpeedTest. (2019, June). SpeedTest Global Index South Korea. Retrieved from https://www.speedtest.net/global-index/south-korea
SpeedTest. (2019, June). SpeedTest Global Index Syria. Retrieved from https://www.speedtest.net/global-index/syria
SpeedTest. (2019, June). SpeedTest Global Index United States. Retrieved from https://www.speedtest.net/global-index/united-states#fixed
Stadnik, W. (2019). The changing face of disaster recovery for financial institutions. Retrieved from https://disaster-recovery.cioreview.com/cxoinsight/the-changing-face-of-disaster-recovery-for-financial-institutions-nid-9586-cid-106.html
Stonefly. (2017, October). Business continuity and disaster recovery for financial services providers. Retrieved from https://stonefly.com/blog/business-continuity-disaster-recovery-financial-services
SWIFT. (2019). About us. Retrieved from https://www.swift.com/about-us
SWIFT. (2019, February 12). The evolving cyber threat to the global banking community. Retrieved from https://www.swift.com/news-events/news/the-evolving-cyber-threat-to-the-global-banking-community
SWIFT & BAE Systems. (2017). The evolving cyber threat to the banking community. Retrieved from https://www.baesystems.com/en/cybersecurity/feature/the-evolving-cyber-threat-to-the-banking-community
UMGC. (n.d.). Contingency planning for disaster recovery. Retrieved from https://lti.umuc.edu/contentadaptor/topics/byid/6a06f595-0225-494f-aa5e-713213cf47e5
UMGC. (n.d.). Cyber security awareness month – day 31 – business continuity and disaster recovery. Retrieved from https://content.umuc.edu/file/6aa8bfb8-7053-4fed-94f6-2547e454c501/1/web/viewer.html?file=https://content.umuc.edu/file/11c0a5ee-479b-45b0-a42b-512032d68ed3/1/CyberSecurityAwarenessMonthDay31BusinessContinuityandDisasterRecovery.pdf
UMGC. (n.d.). Encryption technologies: pros and cons. Retrieved from https://lti.umuc.edu/contentadaptor/topics/byid/ab3e322d-23c1-4e51-80d2-368ef5a3c143
U.S. Department of Homeland Security. (n.d.). Financial services sector. Retrieved from https://www.dhs.gov/cisa/financial-services-sector
U.S. Department of Homeland Security. (2013). NIPP 2013: Partnering for critical infrastructure security and resilience. Retrieved from https://www.dhs.gov/sites/default/files/publications/national-infrastructure-protection-plan-2013-508.pdf
U.S. Department of the Treasury, Office of Financial Research. (2017, December 5). 2017 Annual report to Congress. Retrieved from https://www.financialresearch.gov/annual-reports/files/OFR_AR2017_Ch2.pdf
U.S. Department of the Treasury, U.S. Department of Homeland Security, Financial Services Sector Coordinating Council, & Financial and Banking Information Infrastructure Committee. (2015). Financial services sector-specific plan 2015. Retrieved from https://www.dhs.gov/sites/default/files/publications/nipp-ssp-financial-services-2015-508.pdf
The Web Application Security Consortium. (n.d.). Improper input handling. Retrieved from http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling