In late September 2016, the New York State Department of Financial Services (NYDFS) proposed 23 NYCRR 500 in response to an unprecedented number of cyberattacks and data breaches that have affected both financial organizations and consumers alike. This regulation requires banks, insurers and other financial providers to establish programs and policies to protect their most sensitive data. Starting February 15, 2018, all affected entities will be required to submit a Certification of Compliance with the NYDFS each year to prove compliance.
The new guidelines officially went into effect on March 1 of this year, leaving many global organizations scrambling to comply with these tough new regulations. Each company will first be required to calculate a risk profile specific to their organization, and subsequently develop programs and policies that specifically address their profile.
Focused on improving cyber-readiness, much of 23 NYCRR 500 requires organizations to properly assess risk to their security gaps, and detect and respond to cyberthreats that exist within their IT infrastructure. As attacks become more targeted and damaging, traditional security controls focused on perimeter defense are not enough to protect an organization’s environment against advanced attacks. The pathway attackers use continues to evolve as more organizations transition to next-gen workloads for cloud, mobile, internet of things (IoT), and more.
The goal is to protect the confidentiality, integrity and availability of the information systems that are the heart of an organization. These systems represent a gold mine for attackers, providing access to the treasure troves of data. Protecting the most popular gateways for accessing these systems—privileged accounts—is critical for achieving compliance with 23 NYCRR 500.
What Are Privileged Accounts?
Put simply, privileged accounts are used to access to critical systems such as servers, switches, firewalls, financial trading systems and other business critical applications. Left unprotected, these accounts represent one of the greatest security vulnerabilities in an organization.
Cyberattackers understand the power of privileged accounts, explicitly targeting them for theft and exploitation. These accounts enable external attackers and malicious insiders to easily move across a network, jumping from system to system, all while hiding in what appears to be completely normal business traffic. The power of these accounts can leave attackers undetected for months, and in some cases, years.
Cyberattackers covet this level of access within financial organizations and have developed specially crafted hacking tools to seek out and steal these accounts. By protecting and securing their privileged accounts, organizations can achieve compliance with the following key sections of 23 NYCRR 500:
Sections 500.02 and 500.03 – Policy & Programs
These sections require organizations to implement and maintain security programs and policies to project the confidentiality, integrity and availability of information systems. Protecting privileged accounts is a fundamentally important part of this section.
The first step is to conduct an audit of all privileged accounts across the infrastructure. Unfortunately for many companies, these accounts can be hidden or even forgotten. Research shows that every organizations has about three to four privileged accounts for every one employee. Identifying these accounts is the first step to applying sound policy in governing their usage.
Section 500.06: Audit Trail
Organizations need to include audit trails designed to detect and respond to cyber security events that have a reasonable likelihood of materially harming any material part of the normal operation of the organization.
Privileged account security provides the opportunity to implement a measureable security program where each privileged user or application can be identified with all tasks and activities logged, providing full accountability for the actions taken through these accounts. This provides auditors with a more streamlined approach to finding internal and external threats, enabling them to prioritize accounts with the highest risk scores.
Section 500.07: Access Privileges
User access privileges for information systems that provide access to nonpublic information need to be limited and auditable. This is also known as the principle of least privilege, ensuring users have only the necessary level of access to successfully perform the main functions of their jobs. By managing, securing and monitoring privileged accounts, organizations can enact and enforce this policy, to better meet these requirements.
Section 500.11: Third Party Service Provider Security Policy
Organizations will require written policies and procedures designed to ensure the security of information systems and nonpublic information that is accessible, or held by, third-party service providers.
Cyberattackers take advantage of an organization’s key weaknesses. In many financial organizations, this weakness is through remote third-party vendors that are connected to the target network. These service providers typically are less sophisticated, with security defenses that are much easier to infiltrate. Most leading institutions have 200 to 300 high-risk third-party relationships at any one time, creating a massive attack landscape.
Complying with this section starts by identifying elementarily of third-party users and account credentials used to access the internal network. By discovering and locking down these accounts, organizations can meet requirements and significantly strengthen security.