Digital security requires a complex hybrid approach
In early June, Reuters disclosed that the US Federal Reserve had detected more than 50 cyber security breaches from 2011 through 2015. It should be noted that this may represent only a small fraction of the Fed’s total exposure during this period.
It turns out that, unlike the Washington-based Board of Governors, the 12 privately owned regional branches of the Fed are not subject to Freedom of Information Act (FOIA) requests, so their breaches went unreported.
Today the Fed, like many other financial institutions, is built on an evolving hybrid of many different security technologies. Unfortunately, most consumers view their bank’s security through the narrow lens of their user ID and password, or simply their fingerprint, to begin the banking process. It is only when they read about the aforementioned story on the Fed or the Bangladesh Bank that they begin to wonder if there’s more.
Prior to 2011, the conventional wisdom was that a strong digital perimeter, a hard shell composed of properly managed firewalls, intrusion prevention systems, routers, and switches, was all you needed to secure your institution. Today’s cyber thieves employ strategies like phishing and the psychology of social engineering to gain access to the inside of an institution.
Phishing attacks are carefully constructed emails or web pages that, when opened, convince the reader to provide sensitive information or inadvertently install malware.
Social engineering is the science of using a person’s humanity, their natural desire to trust and to be helpful or curious, to obtain similar sensitive information in person or over the phone.
As the Fed learned from its collective set of attacks, the hard digital shell no longer protects it from the soft human center of the institution. Well-intentioned employees can easily be tricked, often unknowingly, into giving up the information cyber thieves seek. Some report shiny new USB thumb drives found in the employee parking lot, only to discover (or not) that they contain malware that spreads the moment the thumb drive is inserted.
That is why new education and technology need to be deployed throughout the organisation. Employees need to be trained to spot phishing attempts and thwart social engineering efforts.
New software needs to be installed on desktops, servers and switches throughout an institution to detect and mitigate breaches before critical data can be exfiltrated.
Today, security solutions exist that should be deployed at the very edge of where your publicly facing services and applications reside, along with your desktops, laptops and mobile devices. These solutions are often subscription-based so they can rapidly evolve as new attacks are reported and countermeasures are deployed.
Cyber criminals are constantly crafting new methods to gain remote access into financial institutions. The Carbanak malware, exposed last year, specifically targeted over 100 banks in 30 different countries with a phishing exploit that cost these institutions a combined $300 million to $1 billion in losses, possibly more, as no one really knows.
Before most phished data can leave the enterprise, though, it has to go through a series of internal servers, switches and networks. This is another opportunity to stop it. Today technology exists for each of these computing layers to actively participate in defending the enterprise from within.
Servers can have whitelists applied to all network traffic via server-based hardware and software firewalls, permitting them to talk with only approved systems on approved ports. Classes of servers like email, DNS, database, and web can also deploy platform-specific countermeasures.
Additionally, network traffic flow data can be interactively collected from these servers in real time and analysed for patterns indicative of a pending breach. If something is detected, then the appropriate security policies can quickly be crafted and deployed to the proper systems, thereby thwarting any breach. Unfortunately, the Bangladesh Bank loss of over $80 million demonstrated failures in nearly every aspect mentioned above.
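As an illustration added to this article (not code from the author or from Solarflare), the sketch below checks outbound flow records against a per-server-class whitelist of approved peers and ports, then totals the out-of-policy bytes per server to decide which hosts need remediation. The server names, addresses, ports and the byte threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed policy: for each server class, the approved (peer network, port) pairs.
ALLOWLIST = {
    "web": [("10.0.2.0/24", 5432), ("10.0.9.10/32", 53)],
    "database": [("10.0.3.0/24", 873)],
}

# Constructed outbound flow records: (server, class, destination IP, destination port, bytes).
FLOWS = [
    ("web01", "web", "10.0.2.15", 5432, 18_000),
    ("web01", "web", "10.0.9.10", 53, 400),
    ("web01", "web", "203.0.113.7", 443, 52_000_000),
    ("db01", "database", "10.0.3.20", 873, 9_000_000),
    ("db01", "database", "10.0.2.15", 22, 1_200),
    ("db01", "database", "198.51.100.9", 8080, 75_000_000),
]

def is_allowed(server_class, dst_ip, dst_port):
    """Default deny: a flow passes only if peer AND port match one approved pair."""
    addr = ipaddress.ip_address(dst_ip)
    for net, port in ALLOWLIST.get(server_class, []):
        if port == dst_port and addr in ipaddress.ip_network(net):
            return True
    return False

def violations(flows):
    """Flows that the on-server whitelist would have blocked."""
    return [f for f in flows if not is_allowed(f[1], f[2], f[3])]

def bytes_out_of_policy(flows):
    """Total bytes each server sent to unapproved destinations."""
    totals = Counter()
    for server, _cls, _ip, _port, nbytes in violations(flows):
        totals[server] += nbytes
    return dict(totals)

def servers_to_isolate(flows, threshold=10_000_000):
    """Servers whose out-of-policy volume suggests data leaving the enterprise."""
    return sorted(s for s, b in bytes_out_of_policy(flows).items() if b >= threshold)

if __name__ == "__main__":
    for flow in violations(FLOWS):
        print("out of policy:", flow)
    print("isolate:", servers_to_isolate(FLOWS))
```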
Today, the best defense against cyber criminals is a complex hybrid of technologies deployed at every level within the enterprise.
It starts with training every employee who touches a computer, from the cleaning staff to the CEO, on the basics of cyber security and social engineering.
It involves deploying the proper malware prevention tools on your institution’s mobile and desktop systems.
It includes protecting all the servers within your infrastructure through very specific on-server whitelisting, and watching over the network data flows from both servers and switches, accompanied by a rapid remediation capability.
Of course, all of this assumes a robust digital perimeter.
By Russell Stern, CEO of Solarflare