Small Firms, Same Targets: Proactive Security for Community Institutions

Smaller financial institutions face the same threats as their larger peers but have far fewer resources. Yet Dana Turner, the CISO at Nebraska’s Union Bank and Trust, has designed enterprise-grade resilience without enterprise-scale assets, such as multinational cyber range exercises involving 14 infrastructure industries, and an IT inventory of every person, place, and thing in the bank. His approach is the result of years of experience, the knowledge of what matters to his exec team, and a firm belief that threat actors care more about an institution’s exposure than its size.

Transcription (edited for clarity)

Elizabeth Heathfield: Welcome to FS-ISAC’s podcast, FinCyber Today. These days, every financial firm is a target, no matter its size. Dana Turner, CISO of Union Bank and Trust in Nebraska, has been maturing his firm's incident response capabilities for decades and shared some thoughts with me about how his peers can prepare for a bad day long before it comes.

Heathfield: Thank you so much for sitting down with me. I really appreciate it. I know it's a busy time, if you will. So let's talk about incident response, especially from the perspective of community institutions. I would love to hear how you think about it from your perspective. We talk about it a lot from a sector level, public-private partnerships, and all of that. But I would love to hear about it from on-the-ground, where you are serving your customers with a small group of people. What is it like?

Dana Turner, CISO, Union Bank and Trust: Our story's a little weird. So it's really unique. We obviously do the tabletops like everybody else, bank-wide, IT-specific. One of the things that we do is range exercises, pretty extensive range exercises. We started doing a couple that the ISAC provided back in 2015-2016, which spurred an idea for us to do larger scales. Originally, it started off sector-specific. We were going to find other financial institutions and get them involved and do a capture-the-flag type thing.

That quickly morphed into a cross-sector event that we've been doing for the last four years. This will be our fifth year. It's called Cyber Tatanka – it's the little logo right here with the buffalo. Tatanka is the Lakota word for big beast or buffalo, and essentially for the Plains people, that was their lifeblood. It was their food. They used hides for shelter. There was religious significance. So it literally was their critical infrastructure. That was the concept behind it.

There were several groups [involved] – a couple of electric companies that we have in Nebraska, the Nebraska National Guard. There were military events that were out there, but unless you actually had clearance, you couldn't participate in them. So that pretty much shut the door to a lot of financial institutions being able to do that, even other organizations in different critical infrastructure sectors. So we decided that we were going to create an unclassified event based off of Cyber Flag, Cyber Shield, Locked Shields, the different military events that they have.

So like I said, we've been doing that for about four years. We invite other financial institutions. Financial institutions are a little different. I've been with our organization for about 34 years. So I've worked with a lot of counterparts and peers at different organizations, and sometimes they participate with the ISAC, but you try to get them to come together and do things in a collaborative event like that, and it's dicey. We've been the only bank that's been doing this event for going on five years. But we have insurance companies, there's transportation, so we hit 14 of the 16 critical infrastructure areas. So a week of training and then a week of range. We do different simulations every day in the second week.

But it's a fun thing, and it's actually an international event. We invite other states’ National Guard units for every state [that has] international partnerships. For example, in Nebraska, we have the Czech Republic, Rwanda, and Tanzania. So every year that we've done this, we've had a fairly hefty contingent of the Czech Army that comes in, and we integrate them with the other teams or enclaves that we have.

And the thing to remember with this – I mentioned the capture the flag event before, but this is all non-competitive. The whole idea is that we're trying to bring organizations in. Again, we'd love to have more banks come in, bring their incident response plans, and exercise their plans. That’s the whole thing. We’re about ‘bring what you have, we'll put you into a range.’

We don't charge anybody for this. It's all partner-supported. There's a little bit of funding that we get from the military just because there's a component that, in order for them to train with us, we have to have that authorization and that funding come in. But like last year, we had a Distinguished Visitors Day event on the range week, with all kinds of pomp and circumstance. You have one-star generals, Lieutenant Colonels, commanders from Cyber Command.

Heathfield: I had no idea when we sat down that this was the extent of what you were going to talk about.

Turner: Yeah, most people don’t. We’re trying to tie in cross-sector collaboration with incident response because that's the problem. People don't exercise their plans. For smaller institutions, it's really hard for them, outside of tabletops. We talked a little bit about CAPS. Unfortunately, a lot of our member institutions, they just use that to check off a box to make the regulators happy. That's the unfortunate thing. They need to do a better job. They need to exercise their plans. They need to pull them off the shelves. It doesn't matter whether they have a small team, like one or two people, or if they outsource; they still need to have a plan and know what to do when they have an event. Because the events aren't stopping anytime soon. Warfare's changed. The nation states are no longer going after other countries – they're going after critical infrastructure, which financial services are a part of. And they're not going after just the big banks. They're going after the little banks.

Heathfield: I want to press into that. I would imagine that people [might assume], ‘I'm small, I'm not the target.’

Turner: Unfortunately, [when] you have money and you are part of critical infrastructure, they're going to go after you. Now, their motivations – you never know what they are. I mean, they're still threat actor groups. One of the presentations that I do [has a matrix showing] the different types of threat actors: ‘these are their motivations, this is what they're after.’ It goes from nation-states all the way down to hacktivists. There are still those groups that are out there doing things, and obviously, the nation states – depending on where a financial institution is – they will target specific geographic areas, in relation to bases or other things that are there. At least that's the telemetry that we're getting from some of the threat intelligence that we see. It's not just the big boys anymore that are getting attacked. We're all in this together.

And that's another reason we try to do what we do – because we're safer. We're safer together than we are apart. And for our more mature organizations that participate in our event, there are definite benefits in bringing the less mature, one- or two-person organizations into exercise with them. Because we can teach them, we bring their skill level up, and everybody's better for it in the end.

Heathfield: Wow, that is amazing.

Turner: I told you it was going to go –

Heathfield: No, that was amazing. So, okay, you said you've been with your bank for a little while –

Turner: A short period of time, a few decades –

Heathfield: A few decades. Can you tell me about the evolution of how you have come to realize that this level of preparation is required?

Turner: Yeah. So that's a little odd, too. My background is in data. I got started right out of high school, actually doing statistical process control for a small manufacturing company. That manufacturing company had a couple of contracts, but the president of the company had a specific line of medical devices that he was manufacturing. And let's just say that it was some sensitive data.

Heathfield: Like IP.

Turner: Well, so it was actually dealing with the assessment of sex offenders. So you can imagine. And this was back in 1988.

Heathfield: So, like, IP.

Turner: Yeah, patient data, sensitive photos, those types of things, no security controls at all. And this is back when security really wasn't a thing. Barely had networks. I always tell the story [that] a lot of my friends went into data brokering and other things with data. I went to the other side. So I went through and helped him write some security controls and some access controls into his system, which went into doing database work for banks and insurance companies. I did CD-ROM production for a while, back when CD-ROM drives were the size of VCRs. And if I have to tell you what a VCR is, there's going to be a generational issue.

Heathfield: I'm shocked that you even think that you have to, but okay, sure.

Turner: And we did legal research information, so primarily with the state of Nebraska – statutes, Supreme Court reports, not really anything to do with security, but it was database work. There was a lot of parsing and data. We were doing conversion of nine-track tapes – which, if you’ve ever seen nine-track tapes, they’re about this big. So I've been doing this for a while, doing those data conversions. We modified and wrote a couple of retrieval engines to be able to access the data. So again, data background. Then I got back into doing some consulting. And that's how I ended up with Union Bank. I was their first IT employee, back when we were about $300 million. My first day there, I had floor-to-ceiling computers that I needed to install and a network to install.

Heathfield: So you built it from the ground up?

Turner: Built it from the ground up. And it was me for about six months. Then I got another person. So I've been through this. I know what it's like to try to operate an IT organization with one or two people. Over the years, we've grown. I’ve pretty much done everything in IT. We started our security practice shortly after Y2K. I had the opportunity to go work for Motorola down in Scottsdale and was convinced that I was probably better off to stay at the bank and continue on my path there. That was from one of my mentors – my boss at the time. He sat me down and gave me that advice, and I'm glad that I listened to him because shortly thereafter, the role that I was going to take in Scottsdale dried up. Motorola, as a cell phone company, took a different route.

Heathfield: Although I did have one of those Motorola walkie-talkies, those bricks, at one point when I was a local news reporter. I did love that phone.

Turner: Yeah, the StarTAC flip phone. That was probably the best one. I know.

Heathfield: Yeah, I know what a VCR is.

Turner: Yeah, okay. We’re good. We’re good. So shortly after that, we had Y2K come up. Everybody was losing their minds; that was going to be the next thing that was going to be the end of society. Yeah. So we did a lot of work, a lot of good work, to make sure that everything that we had was ready for the event. Standing on the roof on New Year's Eve of one of our buildings, waiting for all the lights to go off and then … nothing.

So after that, we started talking about what's going to be the next big thing? And again, because of the data protection, some of the things that I had done with the manufacturing company – I was a very early adopter of the Internet, you know, back when it was dial-up and BBS (bulletin board) systems. And I knew that was going to be something that we needed to focus on. But in order to do that, we needed to secure it properly.

So ultimately, we ended up starting our cybersecurity group. We were called network security at that time because cyber really wasn't in the lexicon. It was there, but not a lot of people used it – I think there's some literature back as early as ’88, ‘89. So that was our group that we started.

At that time, I actually managed the team. There were four of us altogether, and it was a little weird because we didn't do just security work. We were handed projects that nobody else wanted to do. One of the defining things in my career was a leadership development program that we went through. We had the facilitator come in, and she had a table set out with all these different things, like a hammer and forks and spoons and pieces of paper … She wanted everybody to go grab something that represented what they were. So I'm looking over the table, see a plunger, go over and grab it, then go back and sit down. And she goes, “I'm saving you for last.” So she finally gets to me, and she goes, “Now why? Why the plunger?” And I said, “Well, because my team is the tool that people go to for jobs that they can't or won't do.”

And that was our thing for our security group. We created an ACH (Automated Clearing House) system to transfer funds for one of our business lines. We started taking in large amounts of ACH. Some that, had there been a problem – had there been any fraud, had there been some type of security issue – probably would have bankrupted the bank. So we built a system to transfer all the way, end to end, except for a little bit that's a race condition between transferring the file from us to the Fed. It was totally secure.

I was a firefighter, volunteer for about 10 years, also an EMT, did a short stint as our training officer, and that's where I came into the incident response. There are a lot of similarities between incident response and fire service, EMS, and law enforcement. And that directly correlates to cybersecurity or network security. The processes are the same. You end up with different tools; you're obviously doing different things in different areas. But the steps are the same. So it was a very easy concept for me to get, because I'd done the stuff in the fire service, and it resonated with me. It's like ‘this makes a lot of sense.’ And I took to it like a fish to water.

And I've done speaking on that and trying to build. Again, that's what got into the whole range concept. I've been trying to do more and more of that just to help people exercise their plans. That's the thing that most of the community institutions, smaller institutions, and even other smaller organizations in different sectors just don't do.

Heathfield: You have all this wealth of experience that, as you said, lends itself to being, ‘well, what could go wrong? We better practice it before it does.’ What do you see across community institutions more broadly … is it that there's just not the time because they're such small teams? There's not the knowledge of ‘how would I actually do it?’

Turner: It's all the above. Or, my other answer would be it depends. It really depends on the organization, the people that they have, their team size, and whether or not they've had an incident. If they've got managed services, they may not worry so much about it. But ultimately, it does come down to time. If you look at CAPS – we just had the CAPS breakfast this morning – it takes us about six months to plan and get that thing going. In order to do an exercise that really tests your plan, it takes a lot of time. And people don't have a lot of time. They don't have the resources. So it really depends on the size of the organization and what their risk appetite is.

Heathfield: Yeah. What would you recommend that your peers, especially in other community institutions – you said test the plan. Okay, but what are the steps that they actually need to go through? What are the resources that they can access to be able to actually do, given the fact that they might be a one/two/five-man shop?

Turner: Ultimately, it gets down to [knowing] what your risk exposure is. If you don't know that, it's kind of hard to pick a scenario that's actually going to affect you. You know, the big one that's been a problem – still is a problem – is phishing emails, business e-mail compromises. That's a pretty easy one. The unfortunate thing is that people think, ‘well, that's been around for 15 years. We don't need to worry about it.’ Well, it's still a problem. So identify the things that will cause you the most harm, cause your organization the most harm.

Heathfield: And it’s even more of a problem because of AI.

Turner: That's a whole other thing. The cat’s been out of the bag for a very long time with data. Now we have generative AI. The threat actors have been using that for a very long time. I remember a presentation that I did with the FBI back in 2014, and I had a slide on artificial intelligence and data mining out of inboxes. So it's been 12 years, and that was just getting started. Now their capabilities have far exceeded what ours are as defenders. That's the other thing that people don't quite understand. There are a lot of really nefarious things that are possible, and I'm surprised we haven't started seeing them yet. But we will. Just with the amount of data that's out there, the generative AI technologies, you know, deep fakes – that stuff is getting better. The criminals … can clone somebody's voice in a matter of seconds. I've heard some of those calls, and they're pretty convincing. It doesn't take much. But again, they've been perfecting those steps for a long time, for a very long time.

Heathfield: So, what would you advise your peers in the industry on how to go through and figure out how to build their own incident response plan for what you need?

Turner: So, first off, you have to have an inventory. We're trying to take it from the perspective of inventory as any person, place, or thing. You don't need to go to that extent. Primarily, it's going to be your software systems, your electronic systems, and anything you have on your network. That's the lynchpin. If you don't have a good idea of your inventory, what you have for devices – you don't know what to protect if you don't know what you have. So that's the first thing.

Then go in and do risk assessments based off of those systems, their exposure level. You can get really complicated. My cyber operations officer and I are working on a framework that's very close to CTEM, which is continuous threat exposure management, to try to operationalize the vulnerabilities and the risk that you have inside of the organization, but we're actually applying it to people, places, things. So you can start off pretty simply, but again, you've got to know what you have before you can protect it. And then you do risk assessments on the most important things, and then you can build your scenarios based off of potential attacks or potential threats to those systems and the vulnerabilities that they have.

Heathfield: When you do these exercises that you're talking about, do you rope in other parts of the organization, like the executives? Can you kind of walk through who you need to get involved at least to test what they would do in a scenario?

Turner: Yeah. So for us, we have a critical incident response team that's been defined for a lot of years. It's a makeup of people from IT, legal, HR, business units. Usually the managers or supervisors or directors of whatever business unit. For other institutions, if they don't have a team like that, that's put together, they need to create one. They need to figure out who needs to be involved. Obviously, you always want to have legal involved, and if you don't have inside counsel, whoever your outside counsel is. In a lot of cases, that's a hit-or-miss because there's a lot of firms out there that don't understand cyber. We happen to be fortunate enough that we have a couple that we've worked with for a lot of years. So it's pretty easy. And we also have inside counsel. So we get them involved.

But you really have to know the players inside of your organization. Know the ones that are going to have to make those decisions. Because as security practitioners, we can advise, but in most cases, we shouldn't be making the decisions. That's up to our exec teams and ownership to do those. So they've got to figure out who they need to involve from their organizational perspective.

Heathfield: And then how often do you think that community institutions should be doing these kinds of exercises? How much practice is required?

Turner: Enough where you can start getting some muscle memory. If you do it once a year, you're never going to get muscle memory. You might be a lucky organization that doesn’t ever have any incidents. But unless you're practicing once every quarter, you're not going to end up with muscle memory. And so that's the whole concept of what we're trying to do. In our institution, we do an all-bank disaster recovery/business continuity exercise every year. We do the CAPS exercise every year. CISA [the Cybersecurity and Infrastructure Security Agency] actually has several scenarios that they have available.

Heathfield: So they don't have to invest. My understanding is that most community institutions outsource all of their security. So for whoever's managing that, how should they be working with their security providers to still do this kind of test?

Turner: They need to have those managed service providers … integrated into the response plan. Because for an institution like that, you never want to just turn everything over to your provider. You still have to be in charge. Your leadership, your ownership, whatever your command structure is inside of your organization, they have to be actively involved in the decisions that are being made during that incident.

So while you may have somebody that's doing the technical things that are not part of your company, you still need to have your people engage with them. There needs to be a very good line of communication so that you understand what they're doing, and how what they are doing will affect you. If it's going to take down services, if it's going to impact your customers, because there are regulatory reporting requirements – if you have an outage that affects your customers for 36 hours, you've got to be reporting there. With managed services, you can't just be hands-off and let them run with the ball; you've got to be involved with it and calling the shots.

Heathfield: What else do cyber defenders – or whoever is actually responsible for security and incident response at community institutions – need to know? What other advice can you give them?

Turner: Know your business, know your organization, have open conversations. If you have the ability, get to know your Board. That's probably the biggest thing. Right before this, I had a call with our team, talking about key risk indicators. Then, know the things that matter the most to your organization. Because as IT security practitioners, there are a lot of numbers, there are a lot of metrics that are important to us. But ultimately, it's your exec teams, it's your leadership, it's your Board, [so understand] what interests them, what's important to them. Do the inventory, know the things that really matter the most to them. That's the stuff that you need to know. You need to be able to communicate to those individuals and still keep track of all the other stuff that is important to us. But ultimately, it's letting your leadership, your Board, have a comfort level with where you're at, with your security posture.

FinCyber Today

FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.

Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.


© 2026 FS-ISAC, Inc. All rights reserved.
