November 4, 2019
The chaos and chatter around recent “hacker” attacks in the US and abroad are louder and more confusing than ever. And unfortunately, the reporters who communicate the events back to us typically do a horrible job describing the real problem. They skip the hard facts in favor of big headlines and bold statements that are designed to sell papers and ads.
We thought it was worth a few minutes for you to hear about IT information security (or “cybersecurity,” if you prefer the newer term your auditors and regulators use) from the trenches, where the actual war is taking place.
UNDERSTAND YOUR SETUP
Make sure you understand your bank’s network diagram: what is inside the trusted part of the network, and what is in the “untrusted” part? The untrusted part of your network is usually the most dangerous, with the most exposure. It includes customer devices, phones, apps, etc. that are “out there” on the internet.
STI has a DMZ where we permit limited encrypted traffic to come inside from the internet. The first firewall (an expensive one) tries to block all of the hazardous items. Only DMZ traffic (never internet traffic directly) is allowed through a second firewall (also expensive) to the internal servers. Finally, bank PCs can access the internal servers, but there is a third firewall that they must pass through for extra security.
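To make the three-firewall layout above concrete, here is a small policy model, added as an example and not STI’s real firewall configuration. The zone names come from the description above; the port numbers, the rule tables and the choice that bank PCs have no path into the DMZ are assumptions made for the example. The point it shows is that a flow is allowed only where an explicit rule exists on the firewall between two adjacent zones, so a direct internet-to-internal-server flow is refused because no firewall path exists at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Zone names follow the diagram described above. The port numbers, the
# rule tables and the "bank PCs cannot reach the DMZ" choice are
# constructed assumptions for this example, not STI's real ruleset.
INTERNET, DMZ, INTERNAL, PCS = "internet", "dmz", "internal", "pcs"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    encrypted: bool


# One allow-list per firewall; anything not listed is dropped (default deny).
Rule = Tuple[str, str, Set[int]]
OUTER_FW: List[Rule] = [(INTERNET, DMZ, {443})]         # TLS only, and only as far as the DMZ
MIDDLE_FW: List[Rule] = [(DMZ, INTERNAL, {443, 1433})]  # DMZ apps talk to internal servers
INNER_FW: List[Rule] = [(PCS, INTERNAL, {443, 445})]    # bank PCs reach internal servers

# Which firewall sits between which pair of zones. A pair with no entry
# has no path at all, which is how internet -> internal is refused.
FIREWALLS: Dict[Tuple[str, str], List[Rule]] = {
    (INTERNET, DMZ): OUTER_FW,
    (DMZ, INTERNAL): MIDDLE_FW,
    (PCS, INTERNAL): INNER_FW,
}


def check_flow(flow: Flow) -> Tuple[bool, str]:
    """Decide one zone-to-zone flow and say why."""
    rules = FIREWALLS.get((flow.src_zone, flow.dst_zone))
    if rules is None:
        return False, f"no firewall path from {flow.src_zone} to {flow.dst_zone}"
    if flow.src_zone == INTERNET and not flow.encrypted:
        return False, "cleartext from the internet is refused at the outer firewall"
    for src, dst, ports in rules:
        if (src, dst) == (flow.src_zone, flow.dst_zone) and flow.dst_port in ports:
            return True, "matched an explicit allow rule"
    return False, "no allow rule for this port (default deny)"


def audit(flows: List[Flow]) -> List[str]:
    """One verdict line per flow, handy when reviewing a firewall change request."""
    lines = []
    for f in flows:
        ok, why = check_flow(f)
        verdict = "ALLOW" if ok else "DENY"
        lines.append(f"{f.src_zone}->{f.dst_zone}:{f.dst_port} {verdict} ({why})")
    return lines


if __name__ == "__main__":
    sample = [  # constructed flows that exercise each firewall and the missing paths
        Flow(INTERNET, DMZ, 443, True),
        Flow(INTERNET, INTERNAL, 443, True),
        Flow(INTERNET, DMZ, 80, False),
        Flow(DMZ, INTERNAL, 1433, True),
        Flow(PCS, INTERNAL, 445, True),
        Flow(PCS, DMZ, 443, True),
    ]
    print("\n".join(audit(sample)))
```

Running it prints one verdict per flow; the two to watch are the internet-to-internal flow (denied because there is no path) and the cleartext flow from the internet (denied at the outer firewall even on an otherwise open port).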
REAL RISKS
What are the real risks and what should keep you awake at night? In current articles you’ll hear about “ransomware”, major “hacks” (we hate the generic term), SWIFT hacks, Trojans, “attacks,” and just about any other colorful term that will sell an article. But, what if we told you they’ve got you worried about all the wrong things? We submit that the water has been so muddied with phrases and fear that you, the banker, don’t really even know where to start to work on the problem. You aren’t really even being told what the problem is. Now don’t shoot the messenger here, but if you really want to know where to focus resources in an effort to lower your risk of losing data or money to thieves online, go to work on the #1 threat in your bank … the employees that work there.
Did you know that if you look back across nearly every news story of a “hack” on a bank, retailer or online shop in the past 10 years, you will find that nearly every single one was initiated by a human who worked for the victim company or one of its contractors? If you care to review a few:
February 2016 SWIFT “hack” on Bangladesh Central Bank – users at the victim company received emails with attachments laden with malware (bad software). The malware names were Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee. Users installed those pieces of software in trusted parts of the network, and that allowed external thieves to send email-like messages that were then used to transfer money. Yes, at the end of the day, the victims installed the criminals’ software for them and even then lost about $100MM because of an instant message between Bangladesh and the NY Fed. SWIFT has promised to work on their messaging system. Maybe they ought to consider a call-back on any $81MM transfers! Summary: Bangladesh Central Bank employee(s) accidentally installed malware on their PCs that allowed the bad guys to send an “instant message” over the SWIFT network to make a large fraudulent transfer of funds. No one checked to see if the message was legitimate.
In 2013, Target allowed thieves to download a few million credit/debit card numbers. How? An air-conditioning company that worked for Target in Pennsylvania exposed an administrator username and password. That HVAC company apparently had the credentials because it needed to get into Target’s network to monitor equipment and temperatures online in various stores. Once the bad guys had the administrative credentials, they installed software that would send them what they needed. Surely the contractor’s employees didn’t just hand over the credentials? Nope, they received an email that contained a program which they then accidentally installed. That software (malware called Citadel) is designed to look for other text documents and emails with passwords in them. Mistake number 2… the username/password stolen was contained in an earlier legitimate email and found in the user’s mailbox. The malware simply found it and emailed it out to the bad guys. Summary: Target and/or its vendor shared admin username and password in an email with each other, then the vendor accidentally downloaded and installed an email attachment that shipped the secure information to the bad guys.
Home Depot in 2014 and Wendy’s in 2015 – in both cases, the theft began with as-yet unnamed third-party contractor credentials being used to then install software on POS terminals.
An IBM study not too long ago showed that 95% of all of these breaches of confidential information were directly attributable to a human intentionally or accidentally manipulating software from within the victim organization. What should keep you awake at night is not whether a wizard-like “hacker” is going to come through all the layers of security from the internet to your trusted servers (although we do study that a lot for you), but rather the employees sitting around you right now… and maybe even yourself, by accident.
EMPLOYEE TRAINING
Practice over and over until people get it. Send test emails, use failures as examples and punish the repeat offenders. Everyone needs to understand that they don’t need to immediately download attachments from emails or click on links in emails they don’t expect. Simply pick up the phone and ask the sender if they intended to share said information with you. Pay attention, too. Hover over the links to see where they are really taking you, and think carefully about whether you really intend to go to that web site.
If I send you an email saying you should take a look at our new web site: https://www.sibanking.com, do you see anything wrong with that? If you’re reading this on paper, you won’t. But if you are reading it on a screen, you should hover over it and see that I’ve simply put a label over the real web site target… that link will take you to Google, not to SIBanking.
And remind everyone that emails from executives are worth double-checking. Ask yourself: would the CEO normally tell me to pay an invoice? Does it make sense that the Chairman is asking me to wire money? And the leadership is going to have to be patient… false positives are going to happen, and you can’t get frustrated if a CSR interrupts you to ask if the instructions you sent him/her are legitimate!
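The two questions above (is this really the executive, and would they normally ask me to move money?) can be turned into a first-pass triage for a CSR’s inbox. This is an added example, not STI’s code; the bank domain, the executive directory and the three sample messages are all constructed for it. It flags a display name that matches an executive while the address does not, a Reply-To pointing somewhere other than the sender’s domain, and any money-movement request that appears to come from an executive, which is exactly the case the text says to confirm by phone.

```python
import email
import re
from email.utils import parseaddr

BANK_DOMAIN = "example-bank.com"          # constructed for the example
EXECUTIVES = {                             # constructed directory: display name -> real address
    "jane doe": "jane.doe@example-bank.com",
    "sam chair": "sam.chair@example-bank.com",
}
MONEY_WORDS = re.compile(r"\b(wire|invoice|transfer|payment|gift cards?)\b", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise(name):
    return re.sub(r"\s+", " ", name).strip().lower()


def triage(raw_message):
    """Return a list of reasons a CSR should double-check this email before acting."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reasons = []

    # 1. The name on the envelope belongs to an executive but the address does not.
    known = EXECUTIVES.get(normalise(from_name))
    if known and from_addr.lower() != known:
        reasons.append(f"display name '{from_name}' matches an executive but the address is {from_addr}")

    # 2. Replies would go somewhere other than the sender's own domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append(f"Reply-To {reply_addr} is not in the sender's domain")

    # 3. An executive (real or claimed) is asking to move money: confirm by phone.
    body = msg.get_payload() if not msg.is_multipart() else ""  # single-part text assumed here
    text = f"{msg.get('Subject', '')}\n{body}"
    from_exec = known is not None or from_addr.lower() in EXECUTIVES.values()
    if from_exec and MONEY_WORDS.search(text):
        reasons.append("executive asking to move money: confirm by phone on a known number")
    return reasons


# Constructed sample messages (no real people, domains or amounts).
SPOOFED_EMAIL = (
    'From: "Jane Doe" <jane.doe@mail-example.net>\n'
    "Reply-To: ceo-office@another-example.org\n"
    "To: csr@example-bank.com\n"
    "Subject: Urgent wire needed today\n"
    "\n"
    "Please send the wire to the vendor account below before noon. I am in\n"
    "a meeting, do not call.\n"
)
LEGIT_EMAIL = (
    'From: "Jane Doe" <jane.doe@example-bank.com>\n'
    "To: csr@example-bank.com\n"
    "Subject: Lunch on Friday\n"
    "\n"
    "Can the team meet at noon?\n"
)
EXEC_INVOICE_EMAIL = (
    'From: "Jane Doe" <jane.doe@example-bank.com>\n'
    "To: csr@example-bank.com\n"
    "Subject: Vendor invoice\n"
    "\n"
    "Please process the attached invoice today.\n"
)

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_EMAIL), ("legit", LEGIT_EMAIL), ("invoice", EXEC_INVOICE_EMAIL)]:
        print(label, "->", triage(raw) or ["nothing unusual"])
```

The third rule fires even on the genuine executive’s invoice request, and that is deliberate: the text’s advice is that a money request from leadership gets a phone call regardless, so the false positives the leadership is asked to tolerate are part of the design.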