Caught in the crossfire
In the early hours of 10 February 2014, hackers struck the Las Vegas Sands Corporation. Within hours, malware had obliterated much of the company’s IT estate, wiping hundreds of computers clean, deleting key company files, destroying the backups and shutting down servers. In less than 24 hours, the attack inflicted an estimated $40 million worth of damage.
The incident illustrates the devastation that cyber attackers can inflict in a short space of time, and few believe the problem is getting any better. Cyber attacks on financial institutions have made headlines repeatedly in recent months, notably in February 2015, when a joint international operation led by Europol’s European Cybercrime Centre seized servers said to have controlled the Ramnit botnet, which had infected 3.2 million computers worldwide.
Other recent attacks include the Carbanak campaign, which is estimated to have stolen up to $1 billion from banks in some 30 countries over the two years leading up to February 2015. Cyber security firm Kaspersky Lab, Interpol, Europol and authorities from a number of countries combined their efforts to uncover the plot. Kaspersky Lab data showed that Carbanak’s targets included financial organisations in Russia, the US, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria and Australia.
“The issue here is that there’s asymmetry between the cost to the attacker and the cost to those being targeted,” says Mark Clancy, chief executive of Soltra. “The attacker does something once and 100 people have to respond. Each institution ends up responding in a different way. Banks are forced to spend millions to defend against something that may have cost the attacker a few thousand dollars.”
While no bank wants to be a victim of cyber crime, institutions differ in how they approach the problem. At one extreme, some vendors report encountering senior bank executives who take a Machiavellian view. Phil Barnett, vice-president EMEA at vendor Good Technology, recalls a meeting with one senior executive who was more interested in how little he could get away with than in parting with a single dollar. “He asked me ‘how many breaches are you seeing?’ and I just thought to myself, ‘well, how many do you want?’” says Barnett.
At the other end of the spectrum, some banks are hiring on a large scale. Barnett reports that another bank told him it was hiring 2500 new staff to cover risk and compliance within the next 12 months, on top of around 60,000 existing employees. “Where do you find that number of people with the right skills?” Barnett asks.
The first step in countering cyber attacks may be the simplest: sharing information about incoming attacks. Soltra is a joint venture created by US post-trade utility the Depository Trust and Clearing Corp (DTCC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) with just this purpose in mind. Launched in December 2014, Soltra lets financial institutions share information about cyber threats with each other, raising awareness and visibility of incoming attacks and giving banks a chance to prepare their defences accordingly.
“We need to redress that balance by increasing the cost to the attacker,” says Clancy. “You can increase the attack cost to the attacker by outing them. Most attacks that happen are not new, they were known by somebody, it’s just that it wasn’t known by the target. They exploit Web browsers, for example. If you know that, you can patch against it. If you share techniques, you force the attackers to change their tactics, and that’s expensive for them.”
A cynic might say that a bank does not need the best cyber security defences, only better ones than the next bank: in a herd of wild animals being hunted, only the slowest is picked off and eaten by the lions. Clancy doesn’t buy into that scenario, however.
“That works well if there is one bear,” he says. “But if there are apex predators out there, they will do whatever it takes to get you. If you have a house with a thousand doors, it takes every door to be locked to feel secure. But if you can also see which doors the predators are coming to, monitoring what’s going on and what is being targeted allows defenders to protect the right doors.”
Soltra Edge is a free-to-download tool that operates on a ‘freemium’ model: users can start with it at no charge, and pay for a premium version. At present, the DTCC estimates that there are 1800 installations in use. Part of the inspiration for the project was the need for a common language in which to describe and compare reports of attacks; without one, much of the effort goes into translating between institutions’ different formats rather than acting on the intelligence. Soltra uses two open standards for this: STIX (Structured Threat Information eXpression), a structured language for describing threat information, and TAXII (Trusted Automated eXchange of Indicator Information), the protocol for exchanging it. Both were developed by MITRE under the sponsorship of the US Department of Homeland Security.
For the time being, Soltra is a peer-to-peer sharing service: information is shared bilaterally. The next stage is a ‘hub and spoke’ model, with a central hub that stores information so that it can be analysed. Later this year, Soltra plans to launch a new platform based on that model, allowing members to share information bilaterally if they prefer, or more widely; it will be up to them.
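To make the ‘common language’ point concrete, here is an added illustration in Python. It is not Soltra’s or FS-ISAC’s code; the two report formats, the field names and the proxy log lines are all constructed for the example. Two peers describe the same campaign in different house formats, the indicators are normalised into STIX 2-style comparison patterns and merged, and the merged set is checked against local proxy logs, which is what lets a defender see which of its thousand doors the attackers are actually coming to:

```python
"""Normalise indicators from two peers' ad-hoc report formats into a common,
STIX 2-style pattern representation, merge them, and check local proxy logs.

Added illustration, not Soltra's or FS-ISAC's code. The report formats,
field names and log lines below are constructed for the example."""
import csv
import io
import re

# Peer A reports in CSV, peer B in JSON; both describe the same campaign (constructed).
REPORT_CSV = """type,value,confidence
ip,203.0.113.45,high
domain,Update-CDN.example,high
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,medium
"""
REPORT_JSON = [
    {"kind": "ipv4", "indicator": "203.0.113.45"},
    {"kind": "ipv4", "indicator": "198.51.100.7"},
]

# Constructed proxy log: 'timestamp key=value ...', '-' meaning the field is absent.
PROXY_LOG = """\
2015-03-02T08:14:51Z src=10.20.4.17 dst=203.0.113.45 host=- url=/login
2015-03-02T08:15:02Z src=10.20.4.17 dst=198.51.100.200 host=intranet.bank.example url=/
2015-03-02T08:15:40Z src=10.20.7.3 dst=192.0.2.88 host=update-cdn.example url=/a.exe sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
"""

# Map each peer's home-grown type names onto STIX 2 object:property pairs.
STIX_FIELDS = {
    "ip": ("ipv4-addr", "value"),
    "ipv4": ("ipv4-addr", "value"),
    "domain": ("domain-name", "value"),
    "sha256": ("file", "hashes.'SHA-256'"),
}

# Which fields of the local log format carry each observable type.
LOG_FIELDS = {
    "dst": ("ipv4-addr", "value"),
    "host": ("domain-name", "value"),
    "sha256": ("file", "hashes.'SHA-256'"),
}

# Matches the single-comparison subset of STIX 2 patterns used here.
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):(\S+) = '([^']*)'\]$")


def to_pattern(kind, value):
    """Render one indicator as a STIX 2 comparison pattern such as
    [ipv4-addr:value = '203.0.113.45']. Values are lower-cased so case
    differences between peers do not defeat the match. An unknown kind
    raises KeyError instead of emitting a pattern nobody else can parse."""
    obj, prop = STIX_FIELDS[kind.strip().lower()]
    return f"[{obj}:{prop} = '{value.strip().lower()}']"


def normalise_csv(text):
    return [to_pattern(r["type"], r["value"]) for r in csv.DictReader(io.StringIO(text))]


def normalise_json(records):
    return [to_pattern(r["kind"], r["indicator"]) for r in records]


def merge(*pattern_lists):
    """Union of every peer's indicators; identical patterns collapse to one."""
    return list(dict.fromkeys(p for pl in pattern_lists for p in pl))


def parse_pattern(pattern):
    """'[obj:prop = 'value']' -> ('obj:prop', 'value')."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    obj, prop, value = m.groups()
    return f"{obj}:{prop}", value


def parse_event(line):
    """One log line -> (timestamp, {'obj:prop': observed value})."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    observed = {}
    for key, (obj, prop) in LOG_FIELDS.items():
        value = fields.get(key, "-")
        if value != "-":
            observed[f"{obj}:{prop}"] = value.lower()
    return ts, observed


def match(patterns, log_text):
    """Return (timestamp, pattern) for every log line that matches a shared indicator."""
    wanted = [(p, *parse_pattern(p)) for p in patterns]
    hits = []
    for line in log_text.splitlines():
        ts, observed = parse_event(line)
        for pattern, key, value in wanted:
            if observed.get(key) == value:
                hits.append((ts, pattern))
    return hits


if __name__ == "__main__":
    shared = merge(normalise_csv(REPORT_CSV), normalise_json(REPORT_JSON))
    for ts, pattern in match(shared, PROXY_LOG):
        print(ts, pattern)
```

The peers’ overlapping indicator (the same IP reported by both) collapses to one pattern, so the defender sees four indicators rather than five; the third log line hits twice, once on the hostname and once on the file hash, which is the kind of corroboration a single institution’s own telemetry rarely provides.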
“If you are a member, you will be able to set up a sharing group, for example creating a community group for companies based in the UK, or companies that focus on certain sectors such as healthcare, financial services and so on,” says Clancy. “The publisher of the information can decide how it is shared and what the privacy settings are.”
The ancient Chinese master strategist Sun Tzu said: “If you know yourself and you know your enemy, though you may fight a thousand battles, your victory will never be in doubt. But if you neither know yourself, nor your enemy, then your life will always be in danger.”
To apply this maxim to cyber security, if Soltra represents knowledge of the enemy, there is still a need to know the self. In 2002, the White House commissioned a series of cyber war games in the US called ‘Digital Pearl Harbor’. The exercise involved 100 CIOs of systemically important companies, including top-tier banks, telecoms providers and water and power utilities, and its object was to simulate a concerted cyber attack on the US. Former US Navy officer French Caldwell was involved in the games.
“Banks are caught in the crossfire of cyber warfare daily,” he says. “It’s not just about good old-fashioned hacking. Threats to critical infrastructure are real. The government to government attack may be the most dangerous threat.” According to Caldwell, simulating these types of attacks helps to identify weaknesses and helps banks to up their game in preparation for genuine attacks.
Several such schemes exist in other countries too. In the UK, CBEST was launched in June 2014 by the Bank of England, together with the Financial Conduct Authority, the non-profit security certification body CREST and cyber intelligence company Digital Shadows. It sets out a blueprint for controlled, intelligence-led security testing, the aim of which is to ensure that important financial assets are protected against cyber crime. The tests mimic the tactics of the sophisticated attackers that target financial services assets.
Sometimes a bank’s own staff are the biggest danger, whether through deliberate misconduct such as insider trading or through carelessness: an employee who forwards work email to an unprotected personal account inadvertently exposes whatever it contains. The practice of employees bringing their own devices in for work tasks complicates matters further.
“One bank we spoke to had 87 per cent of their employees bringing their own device, and they want to get that up to 100 per cent because it saves costs and makes their staff happier,” says Barnett. “A few years ago, a chief security officer would say, ‘As long as I’ve protected what’s inside the perimeter, I’ve done my bit’. It doesn’t work like that anymore.” The solution, he suggests, is to give employees a download for their own devices that will protect them and bring them inside the fold. “We provide a container we put around mobile applications to make them safe,” he says. “It’s a download that ring-fences and encrypts everything, including all the information. It’s very useful to encrypt the application and the data. It’s better than locking the device.”
Even then, some observers warn that bring your own device (BYOD) should be treated with caution. “A lot of companies manage BYOD by putting a system on the employee’s device, but it really needs to be part of the same governance process and the device needs to be wiped clean automatically when they leave,” says Paul Trulove, vice-president of product management at SailPoint, a developer of cloud-based identity management software. “BYOD maybe should be flagged as a higher risk area because you can’t control it and you have no idea what people are doing outside working hours.”
IT security specialist Kaspersky Lab points out that, in addition to technical security controls, firms should also pay attention to their staff. A large share of data security breaches result from employee actions, whether intentional or unintentional. To prevent them, firms should raise awareness of data security among their employees, including a clearer understanding of how to work with and handle corporate information on mobile devices, and should put in place security policies that set out each employee’s responsibilities and accountability for confidential information. “The human element is important and should be the starting point. Educating staff as to what is important regarding cyber security and how they might be exploited in order to gain access to a system will help,” says David Emm, principal security researcher at the firm.
Meanwhile, both Barnett and Trulove point out that the third-party supply chain can also be a weak point. For example, hundreds of thousands of lawyers work closely with financial services firms, and some of them will have access to a bank’s systems or even its customer information. These individuals are employed by external firms, but their role gives them access to sensitive information, and that access can be exploited.
“Banks used to keep access internal but now that’s just not the reality,” says Trulove. “Third parties increasingly have access and it’s not always covered by security.” This leads on to another problem: the internal silos that exist in many large organisations. A BYOD scheme, for example, may cover only the employees of one division, while contractors and third-party staff who move between divisions fall outside it, creating loopholes that could be exploited.
“If you spot an anomaly, you need to disconnect a compromised account across the board,” adds Trulove. “Not just in one small part of a company. But to do that, you need collaboration inside and between a company’s silos. Using digital identity to achieve that is a good idea.”
Identity management can be crucial, he adds, because it can give the company a ‘360-degree view’ of each user, showing what that user can access and what he or she has been doing. Identity tools can, for example, show where a user was when he or she logged in. “That helps to identify if the culprit really is the person who holds the account, or whether the password and username details have been stolen and another person somewhere else is using those details,” says Trulove.
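As an added example of the two points Trulove makes (not SailPoint’s product or code; the login records, systems and the 900 km/h threshold are constructed assumptions), the Python below applies the location check to a set of logins: consecutive logins by one account whose geographic separation could not have been travelled in the elapsed time are flagged as stolen credentials in use elsewhere, and for a flagged account every system it has touched is listed, so the disable is applied across the board rather than only in the silo where the anomaly was noticed:

```python
"""Flag logins whose geographic separation could not have been travelled in
the elapsed time ("impossible travel"), then list every system the account
touched so that a compromised account is disabled across all silos at once.

Added illustration, not SailPoint's code. Events and threshold are constructed."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed login records: (UTC timestamp, account, system, latitude, longitude).
LOGINS = [
    ("2015-03-02T08:01:00Z", "j.doe",  "vpn",      51.51,   -0.13),  # London
    ("2015-03-02T08:40:00Z", "j.doe",  "treasury", 51.50,   -0.12),  # London
    ("2015-03-02T09:05:00Z", "j.doe",  "payments", 55.75,   37.62),  # Moscow
    ("2015-03-02T08:10:00Z", "a.khan", "vpn",      40.71,  -74.01),  # New York
    ("2015-03-02T17:30:00Z", "a.khan", "payments", 34.05, -118.24),  # Los Angeles
]

# Assumed ceiling: anything faster than a commercial flight means the same
# credentials are being used from two places by two different people.
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on the Earth."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Group logins by account, compare each consecutive pair in time order,
    and return (account, earlier_system, later_system, km, hours) for every
    pair that would have required moving faster than max_speed_kmh."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e[0]):  # ISO-8601 UTC sorts lexically
        by_account.setdefault(ev[1], []).append(ev)
    alerts = []
    for account, evs in by_account.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            hours = (parse_ts(cur[0]) - parse_ts(prev[0])).total_seconds() / 3600
            # Two distant places at the same instant is the limiting case of "too fast".
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((account, prev[2], cur[2], round(km), round(hours, 2)))
    return alerts


def revocation_plan(events, account):
    """Every system the account has logged into, so the disable reaches all of
    them rather than only the one where the anomaly was spotted."""
    return sorted({ev[2] for ev in events if ev[1] == account})


if __name__ == "__main__":
    for account, earlier, later, km, hours in impossible_travel(LOGINS):
        print(f"{account}: {earlier} -> {later}, {km} km in {hours} h; "
              f"disable on {revocation_plan(LOGINS, account)}")
```

Only j.doe is flagged: roughly 2500 km between the London and Moscow logins in 25 minutes. The New York to Los Angeles pair for a.khan is about 3900 km in nine and a half hours, well within flying speed, which is why the threshold matters: set it too low and every travelling executive becomes an incident.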
The final incentive for countering cyber crime may come down to good old-fashioned competitive advantage. The Edelman Trust Barometer, which monitors public confidence in institutions, found that banks and government are the two least trusted groups. This might be turned into an opportunity, he says, by an enterprising bank on a mission to steal a march on its competitors.
“If you can avoid losing data and get your trust up even a little bit, then you are ahead of your peers and that can be a competitive advantage,” he says. “It’s also worth remembering that if you can increase customer trust, you also increase trust in the banking industry itself. Lack of trust triggers regulation. So banks really need to get a grip on this and sort it out. Financial institutions are likely to suffer more and more enforcement actions and more onerous inspection until they solve this.”
Many cyber attacks are opportunistic, perpetrated by criminals who simply want to get into an organisation’s systems and steal information. “Any organisation is vulnerable to attack,” says Kaspersky’s Emm. “In the financial sector there is an added dimension because attackers can move money around.”
Attackers tend to go after consumers, via methods such as phishing, rather than directly after the banks, he adds. Carbanak, however, targeted the banks themselves.
Organisations are vulnerable if they do not keep up to date with software patches, he says. Users often do not realise that a download is a security update and may dismiss it. For banks, which run many systems that are quite old, patching redundant, unsupported operating systems can be expensive. “Banks that have to organise emergency patches for systems running on, say, Windows XP, have to pay out a lot of money.”