Heightened banking cyber threats require clear focus
As the US Federal Reserve joins a growing list of financial institutions targeted by cyber criminals, reports of an organised campaign to recruit hackers for a large-scale malware attack, dubbed Project Blitzkrieg, have further highlighted the challenge facing the banking sector, writes Seth Berman, executive managing director and UK head of Stroz Friedberg.
Adversaries are becoming more sophisticated, as signs suggest state-sponsored attacks could also be on the increase. The chairman of the US House Intelligence Committee, Mike Rogers, last month went as far as suggesting he was “99.% confident Iran initiated recent cyber-attacks on PNC and other major banks and that it clearly has the capability and desire to trigger more destructive assaults”.
Such risks have caused financial services institutions and, in particular, banks to seek greater preparedness. However, as with any security system, there is no foolproof way to prevent a cyber-attack. There is, consequently, a growing need to focus on how such threats can be tackled more effectively.
Addressing these concerns requires equal measures of prevention and preparation for a response – to use a real world analogy, banks need to take steps to prevent a fire, as well as to deal with one.
A key step is one that sounds simple, but is all too rarely done: conduct an audit of the IT and physical security system. A security assessment, like a financial audit, should be carried out by an outside team without a stake in the existing IT infrastructure.
The team will be looking at the organisation’s threat profile and vulnerabilities. In addition to ensuring that IT security practices are up to industry standard, a thorough security assessment will also identify where sensitive data is stored and whether this can be segmented or further removed from the rest of the IT system.
For example, a recent breach occurred through a heating control system that was accessible from the internet. Because no one at the organisation was particularly concerned that hackers might adjust the office temperature remotely, the system was poorly defended. However, since the heating system and primary user data were hosted on the same server, a hacker was able to use the entry through the control system to install software that ultimately provided access to all data, including key corporate secrets, on the server.
A good security assessment will go beyond infrastructure security to review the weakest link in any security system: the users. Are passwords changed regularly, or can they be easily guessed or broken? Do users know not to open attachments to suspicious emails? Are they actually tested, for instance with simulated phishing emails, to confirm that they do not open such attachments? Do users know who to call if they accidentally do open one?
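The password questions above are the kind an assessor answers with a scripted audit rather than a questionnaire. The following is an added example, not code from the article or from Stroz Friedberg: it runs a small dictionary-and-mutation guess list against a constructed export of salted SHA-256 hashes and flags accounts whose password is guessable or has not been changed within a 90-day window. The account data, wordlist, hash scheme and age limit are all assumptions chosen to keep the example self-contained; a real audit would use a large wordlist plus breach corpora, and most systems store bcrypt, scrypt or Argon2 hashes rather than plain salted SHA-256.

```python
"""Offline password audit: flags guessable and stale passwords.

Added example, not part of the original article. The hash scheme
(salted SHA-256) and the sample accounts are assumptions so the
example runs stand-alone; they are not a recommendation for storage.
"""
import hashlib
from datetime import date


def _h(salt: str, password: str) -> str:
    """Salted SHA-256 of a password, hex encoded (assumed export format)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample export: (username, salt, hex digest, last password change).
# The plaintexts are only used here to build reproducible digests; an
# auditor would normally see nothing but the hash column.
ACCOUNTS = [
    ("alice", "s1", _h("s1", "Password1"), date(2012, 1, 15)),
    ("bob", "s2", _h("s2", "bob2012!"), date(2012, 10, 2)),
    ("carol", "s3", _h("s3", "Tq8#vL2m$pXw"), date(2012, 11, 30)),
]

# Constructed, deliberately tiny wordlist standing in for a real one.
WORDLIST = ["password", "welcome", "letmein", "summer", "bank"]

# Assumed policy: anything older than this is reported as stale.
MAX_AGE_DAYS = 90


def candidates(username: str, wordlist):
    """Yield cheap guesses: wordlist words and the username, with the
    case and suffix mutations that users most commonly apply."""
    base = sorted(set(wordlist) | {username.lower()})
    for word in base:
        for variant in (word, word.capitalize(), word.upper()):
            yield variant
            for suffix in ("1", "123", "!", "2012", "2012!"):
                yield variant + suffix


def audit(accounts, wordlist, today: date, max_age_days: int = MAX_AGE_DAYS):
    """Return {username: [issue, ...]}; an empty list means no finding."""
    findings = {}
    for user, salt, digest, changed in accounts:
        issues = []
        for guess in candidates(user, wordlist):
            if _h(salt, guess) == digest:
                issues.append(f"guessable: {guess}")
                break
        age = (today - changed).days
        if age > max_age_days:
            issues.append(f"stale: {age} days")
        findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS, WORDLIST, date(2012, 12, 10)).items():
        print(user, "->", "; ".join(issues) if issues else "no findings")
```

Because the guess list is built from the username and a handful of mutations, it catches exactly the passwords the article calls "easily guessed" (a dictionary word with a capital and a digit, or the login name plus a year) without attempting a full brute force; a stronger random password in the sample is correctly left unflagged. The age check answers the separate "up to date" question from the export's last-changed column.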
However, as with physical security, the best preparation cannot prevent all attacks and preparing a response strategy is essential. Banks should determine what the chain of command will be for the incident response team. A specific executive should be nominated to lead the internal response team and the organisation must designate in advance its external lawyers and IT consultants.
After a breach is discovered, one immediate goal will be to determine whether to notify law enforcement. This is not a simple decision.
A hacking or data breach may require a different response compared to other types of crime. In particular, incidents triggered by outsiders are likely to present a much steeper challenge to law enforcement, as the perpetrators could be thousands of miles away and using proxy servers to hide both their location and identity, greatly limiting law enforcement’s effectiveness. Moreover, law enforcement will have trouble determining the scope of the incident – what was actually taken – without detailed knowledge of the corporate IT infrastructure. Most banks prefer to avoid giving law enforcement the necessary level of unfettered access.
In my experience, most companies faced with this situation conduct a private investigation before notifying law enforcement, with three factors often driving this decision:
- Sophisticated hackers rarely advertise their presence. As initial evidence may be confusing or hard to interpret, it is not always immediately clear whether any laws have been broken or not.
- Hackers do not leave detailed lists of what they stole. Only painstaking reconstruction of a hacker’s activities through sophisticated computer forensics can determine the scope of the offence. This requires nearly unlimited access to secret corporate data and restricted networks, which most banks do not want to grant unless legally required.
- It is much easier to control the public relations and communications strategy if the extent of the problem is known before going public. By handing the investigation over to the authorities, a bank would lose control over the timing and content of any public notification. This could prove a public relations disaster.
Banks are likely to remain prime targets for cyber criminals for years to come. Tackling this challenge will require a clear understanding of the underlying risk, a strategy to mitigate such threats, alongside a rapid response at the first signs of a breach.