The Overlap of Technology, Defenses, and Detection
Treasury owns cash, but does it need to know anything about penetration testing? Should scanning, testing, and monitoring be the responsibility of treasury or IT? Intellectual understanding and awareness within your group may be the difference between security and a loss of funds. On this podcast, Jason Campbell and Craig Jeffery discuss protecting your digital assets through testing and monitoring.
Jason Campbell, Strategic Treasurer
Craig Jeffery, Strategic Treasurer
Episode Transcription - Episode #210 - The Overlap of Technology, Defenses, and Detection
Strategic Treasurer currently has two live surveys open through July of 2022. They’re on different aspects of payments. The virtual card solution survey with MasterCard is a quick 10-minute survey on challenges, expectations, and value drivers of virtual card programs. The global payments survey with Corpay is one of our long-standing premier surveys, researching FX, cross-border transfers, and new payment technologies. Please visit strategictreasurer.com/surveys to learn more.
Nicki Gillispie 0:42
Welcome to The Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car at the gym or wherever you decide to tune in.
Jason Campbell 0:56
Treasury is responsible for protecting the most liquid assets of the firm. They own cash. They are the superintendent of payments and payments security. IT, or the CISO or CFO, is responsible for data security, security around the perimeter, and more. Protecting assets, whether it is cash, payments, confidential and banking information, often requires multiple parties to be involved in the defensive activities. This may include direct actions and necessarily includes awareness and intellectual understanding of the areas where the battle rages. Today, I’m talking with Craig Jeffery, Managing Partner here at Strategic Treasurer, on the overlap of technical defenses and types of testing and monitoring, what it is, and why treasury professionals should care. Welcome, Craig, glad to have you on today.
Craig Jeffery 1:42
Jason, it is good to be here.
Jason Campbell 1:44
You know, this is a great topic. You know, I think when we think about security, necessarily, you can never have too much. You know, whether it’s in life, whether it’s in business, especially when you’re protecting cash. Do treasurers need to know anything about penetration testing, or is that just an IT concern?
Craig Jeffery 2:00
I think that’s a good question. Those two questions are not one or the other. Do treasurers need to know anything about penetration testing? About monitoring what goes on in the digital realm? Yes, they do. Isn’t that an IT concern? Yes, it is an IT concern; there’s some overlap here. And that’s really the focus of today’s topic and, of course, of the corporate need to protect digital assets, cash, payments. There are elements about this that matter. And it’s foundational. Why is it important? Why are we talking about this on The Treasury Update Podcast? When we think about the level of attacks, whether it’s business email compromise, man in the middle, ransomware, exfiltration of information that might be related to banking, or attempts at the payment processes. You know, as a firm, we do business with insurance companies, banks, payment companies across the board, and they have certain standards with their overall network of suppliers, providers, customers and may have certain levels of expectations. This is not just how you have to do business. But it’s also important to understand why this matters, because any vulnerability can be exploited, and that exploitation will result in loss of confidential information that can result in a compromise of a payment system, compromised credentials, resulting in loss of actual funds or trust. So, these are all important, and the level of attacks and sophistication is great. And it comes to us not just digitally. It’s a combination of digital, in person, remote, phone, email; the surface area of attack vectors has come from a lot of different locations, and we have to be aware of them. Treasury may be more attuned to ensuring the security of payments, that information is exposed. IT may be more attuned to firewalls or elements about protecting email. But knowing about all these things matters.
So, knowing about penetration testing and how it fits in, to some extent, is really helpful for treasury experts, not at the level that the CISO may know about it and what they’re doing. These are all really important.
Jason Campbell 4:17
Couldn’t go back to looking at just in today’s world and how critical and how much information is shared in so many different avenues in so many different ways. The world today is nothing but a big informational highway per se. And especially over the past year, whether it’s past decade, decade and a half as technology continues to advance for a lot of businesses when you think about the types of layer security that has to be there to protect it. I think in any organization I think probably one of the biggest threats I’m sure you probably agree is a data breach right and we’ve seen it, we’ve seen it happen, you know, multiple times and none you know, and, and there’s not necessarily any organization that can say, hey, I think we’ve done enough work because you’ve got to constantly evolve. And there’s tons of examples we could probably go through if we had more time, but I think it’s just more so of having that understanding of what’s available out there to continuously look at how to protect your organization. So, tell me about the terms and what they mean. You know, you mentioned some scanning, testing, and monitoring. But let’s go a little bit deeper into that and define those a little bit more if you don’t mind.
Craig Jeffery 5:20
Sure. So, scanning or vulnerability scanning, we usually refer to this and think about it as you’re checking your system for vulnerabilities. It’s usually an internal process; your IT group or an external group may come in and insert tools or network sniffers, network devices to check for any vulnerabilities. So, this may be data that’s available and accessible. So, it might be bank account information or social security numbers or any type of tax ID. So, maybe looking for that, or it could be card information that’s exposed unencrypted. So, part of it is looking for data. The other aspect of it is it looks and checks to make sure patches are installed, ports are closed or blocked, or certain types of activity. And so, running a vulnerability scan helps you be more comfortable from the inside out. That’s vulnerability scanning. The second item is pen testing, penetration testing. You’re using a third party who tries to find out and perhaps exploit any weaknesses that you have. So, they usually want to know your digital assets, your IP addresses, your web domains, etc. And is there the ability to compromise any of those? And the perspective there is, if they’ve compromised some part of the system, they get in. They can then move laterally, compromise more systems, gain more insight, and then exploit that, either exfiltrating information or data, as you’ve talked about, or compromising the payment process and getting funds out of the organization. So, those are the top ways that this can be managed: encrypt data and ransom it, exfiltrate data and charge people for it or embarrass your organization, or get money out. So, pen testing is a third party who’s checking those items out there, looking at your web assets. Are your IDs and passwords secure? Do you block people automatically if they try to brute-force their way into your password? So they have different styles and methods.
A current one that’s pushed by US government standards is red team testing, and so this is where you give them access to credentials, Office 365 credentials to your servers, so that they can see stuff and run tests and look at things. So, they can run scans, see what the security settings are, see if there’s a vulnerability. They can also come in and find out what your assets are, seeking to discover them when they come. Or you can give them an inventory of your assets, your websites, your reports. So, they know, and they can target their automated tools and/or programs they have to see where you might have vulnerabilities or where you can be compromised. And then the output of that is, here’s a result of where your exposures are. They’re usually classified by level of severity, to give you examples, so oftentimes they’ll give you how to fix it. Is that a patch to the putting some code …. some type of security? That’s penetration testing from the outside and perhaps from the inside as well. Monitoring. There are different tools out there that allow you to have this year-round or continual penetration testing. And so, these are services that will look at your assets, everything from your domains to header records to your email configuration to DNS, domain name servers, to see if all their settings are properly set to block compromised systems by securing email in certain ways. This type of monitoring is different from a pen test, but kind of year-round, continual, as opposed to just having a test every six months or every year or every year and a half. This is continuous, and so you’ll get feedback on where those exposures are, and this monitoring can be of your assets. But it could also be your suppliers. It could be your customers; it could be competitors as well. So, you can add that type of functionality just to be monitored. Here’s a key supplier: have they been exposed?
Are they putting patches in? You see scores and see particular vulnerabilities, and the key thing here is not that everyone has everything 100% perfect, 100% up to the second, but that there are regular patch cadences, that issues are being addressed in a timely manner, so that they’re practicing good systems security, systems hygiene, from websites to their servers to wherever they are in the cloud. So those are the three types: vulnerability scanning, pen testing, and monitoring.
Jason Campbell 10:09
I remember a conversation you and I had. We were talking about, you know, just how sophisticated criminals are getting, and even, you know, not just necessarily your business functions or your business technologies but also how, you were talking about IP addresses and how a third party may come to your house, for example, and have something in the mail and test it, whether it’s you scan a QR code off of your cell phone, and that could have potential impact if your phone is linked to your business and thought property or their systems, and just doing those types of testing. And to be honest, I remember when we had that conversation, and it made me think. Now every time I look at my mailbox and I pull my mail out, and I see, hey, this great offer, now I’m just a little bit more questioning the legitimacy of that mail piece, or is it potentially where somebody is trying to check my vulnerability, and, you know, what is my next action with that? So it’s kind of made me much more aware, because it’s not just from a standpoint of, you know, I know that our business systems are well protected, but I’d never thought about outside of this house. You know, criminals are trying to access information because, I mean, they know that, hey, potentially somebody has a job that’s connected to something or the other. They’ve done their homework, and, you know, they scan social media, and addresses are public knowledge through county tax sites and things of that nature, your customers, and so it just made me more aware of that. And, you know, we were talking about that; something that just came to mind was that particular conversation that we brought to light.
Craig Jeffery 11:37
Yeah, I mean, those things can make you almost paranoid, but the level of automation and sophistication is such that your company is being probed and targeted continually. And it’s not because an individual is saying I want to get after the company; it may be for certain companies, but it’s just as automated, on average, to go after many, many more companies, find weaknesses, exploit them when they can. So, it’s a big issue, and if you ever, as those who are listening, ever have a chance to talk to your CSO or spend time in their data center or spend time in their security monitoring area, you’ll find it very, very enlightening. And that’s horrifying. How many attempts are made. People usually monitor where they’re coming from. You see how your systems are tracking them and blocking them out, and the level of mental sophistication, but how that has escalated over the years, it’s quite dramatic. And so, it requires a strong defense, because instead of waiting for the criminals, the hackers, to find us, we need to be testing ourselves all the time, and our assets, and that’s part of the stewardship role as we protect the most liquid assets of the organization. We have to protect payments, and that provides any number of steps that are necessary to protect those items. And we may not be responsible for every single item; the CISO’s responsible for something, AP does something, treasury does something else. But as superintendent of payments, treasury has to make sure that all these things are functioning reasonably, not that you have to do all of those different superintendents. But if you’re careful to understand roughly what goes on or what is essential for understanding what’s needed on the side …
Jason Campbell 13:35
It is absolutely fascinating. It really is like they said, go behind the scenes and look at, you know, the war room. What did that really kind of look like, right? And I don’t think it’s like WarGames, you know, that old 1980s movie, or you’re watching like the military strikes, and, you know, what the threat was, not a threat. It’s kind of what I pictured; I’m sure it’s on a laptop or something, but, you know, you’re absolutely right to see, you know, how many threats really come through an organization that they gotta fight off on a daily basis, and, you know, what becomes the norm and what becomes “Hey, this isn’t a slight issue.” I think we haven’t seen how it has evolved… But I guess the question on this piece would be, though, why should treasury care about what can be argued is an IT security activity?
Craig Jeffery 14:18
Yes. So, I mean, that’s a good question. In terms of, you know, we started off with, is it an IT concern, or what does a treasurer need to know? And this brings us back to what is the overlap, and what do we care about? So how do you calibrate that? So, you don’t have to be nine layers deep in the DMARC programs set in your email activity. I looked at that term off. The idea was you can’t protect things if you look at things in a unitary fashion. You have to understand all of these different areas, as they’re trying to compromise your system by the weakest link. There’s people, there’s structure, there’s technology, there’s systems, then there’s controls that layer across all those. So, if treasury says I’m gonna protect payments only by understanding wire transfers or only by understanding how I encrypt a payment file that gets sent to a financial institution, you’re leaving all kinds of gaps inside the organization. You’re not understanding how people try to capture credentials so that they can act as you. I’m not worried about me doing anything; whatever may be going on, your motives may be as pure as the driven snow, and will never be compromised, which is awesome. But if someone gets your credentials, they don’t have to have the same standards that you have. So, protecting your credentials makes absolute sense, and that’s really just the layers of security: credentials, surface area of attack, the structure you have for your banking services, the bank-provided tools for protection, whether it’s account-level or transaction-level controls, and so forth. Those are what treasury has to care about as superintendent for payments and steward, protector of that, because the compromise can come from every area. And so that means coordination with other areas, they see, payroll, IT, your data, your protection area or group, as they’re different. Certainly, talking with your CISO if you have a chief information security officer.
This is important because you can’t just say I’m only focused on protecting one aspect; if it’s because we lose money, and it came from other areas, well, it’s not my fault, that’s IT’s fault, that’s the CISO’s fault, whoever updates people from human resources, who update their credentials on our system. There’s a shared responsibility, and then there’s a superintendent aspect of protecting payments. So as superintendent of payments, you need to understand whether some critical information is being shared; the battle is raging, and it’s going to continue to grow and scale, and it’s changing. And so staying current is vital, and we have to understand what the battleground is, what those attack vectors are, so that you don’t have to be a master at it. But you have to know there are things that are being done to compromise our company, our systems, our data, and here are leading practices for defending and making sure that we’re aware of them. And our actions are making those patches, whether it’s IT putting in patches on your servers, or you’re updating your team with security training. These are all essential. You can’t fulfill your role as owner of cash, steward and protector of the most liquid assets, and superintendent of payments without doing anything and knowing some level of detail around your data. There’s so much overlap you’d have to understand.
Jason Campbell 18:01
That is a lot of good information. And I’m sure the listeners, I definitely agree, in how important security really is. And especially, you know, what treasury’s function, their role and responsibility, is in protecting the data itself and everything that comes with it, especially with payments and cash. All the things that we spoke about today. What would you want to leave the listeners with today? What are your final thoughts around protecting digital assets?
Craig Jeffery 18:24
Cash is not usually stored in vaults or any currency around; it is all digital, or digital assets are confidential information, banking information, Personally Identifiable Information, and the method of communicating how we can move and transfer value. From a finance perspective, I think there’s a … talk about protecting digital assets with vulnerabilities and pen testing, monitoring. How does that correlate to something we may be more familiar with? As treasury professionals, treasury experts, I think about the scenario analysis that people do to run models to say what happens if interest rates do this or foreign currency pairs move in this way? A moment that future cash flows to a balance, the value of our assets. How do we respond to that? Right? That’s part of it. That’s a component of scenario analysis, seeing what could go wrong. Just like doing pen tests, vulnerability scanning is like saying, “What could go wrong? How will we know it?” You know, this idea of you want to verify our defenses are current, verify that they’re turned on, they’re working, or not using the fob, IDs and passwords, and so these ideas, the idea of using external parties to test to see if they can penetrate your organization, or they can monitor weaknesses or make sure things are being updated. People, patches to your system. Those are all crucial elements that we think of in the finance area. What if this happens from a risk standpoint, price movement, very different directions, these commodities, how does that disrupt our income? Does that create a particular type of situation to address? Those are things you’re used to thinking about on the finance side, but there’s an element too that we need to think about on the technology side, because exposure to these liquid assets comes through our banks. A bank, our systems, a profit practices established, and then also kind of compromise people.
So, looking at that from how do I identify what my inventory of risks is, identify my surface areas that could be attacked, the challenge, or controls that could be compromised? Layers of security, to try to strip off that idea of testing, verify that they’re working on a continual, regular basis as a process, not just as a single event or exercise? So, I think those things fit in with the security mindset and the risk management mindset that most treasurers have, which I think is just making sure that we have a more comprehensive view of the overall landscape. Not that we want to own everything with regards to payments. But knowing that you’re the superintendent of payments security, that you own it and are responsible, and that involves coordination.
Jason Campbell 21:21
Thank you, Craig, for joining us today. And we really do appreciate those final thoughts because your words of wisdom are always insightful. And to our audience, thank you for joining The Treasury Update Podcast Protecting Your Digital Assets. Please go out there and like us, on whichever medium you’re using right now currently to listen to this podcast. We appreciate it and let us know how we are doing. And, as well, if you haven’t already, please go out to strategictreasure.com where you can follow us through your media channel of choice. Have a great day. Until next time, take care.
You’ve reached the end of another episode of The Treasury Update podcast. Be sure to follow Strategic Treasurer on LinkedIn, just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast, are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark strategictreasurer.com