Can Your Employees Be Manipulated?
Banks at Risk from Coercion, Ancient InfrastructureAs financial institutions update their defenses in light of new types of online threats - from scams to network-penetrating cyber-attacks - they must factor in all of the ways that their systems and employees might be directly targeted or manipulated.
See Also: How Active Directory Security Drives Operational Resilience
So says Dublin-based information security consultant and Europol cybersecurity adviser Brian Honan in the wake of the Federal Financial Institutions Examination Council issuing new security alerts. Those warnings focus on destructive malware attacks as well as online attacks that are designed to harvest large amounts of valuable data at once.
The FFIEC alert warns that attackers are favoring phishing and malware-based campaigns, which are relatively inexpensive and offer high probabilities for success. "Criminals will use various ploys to get staff to click on links or download attachments, which, in turn, infect their computers," Honan says.
Other attacks, however, may be made directly against vulnerable systems. "Common Web flaws are one way that large amounts of data are stolen," Honan tells me. For example, injection attacks - such as those targeting SQL injection flaws - can give remote attackers a potential way to steal large amounts of data at once if they can successfully pass "data dump" commands to Internet-connected databases.
OWASP Top 10: Few Changes
When it comes to exploiting common Web flaws, unfortunately, online attackers continue to enjoy many options. Indeed, the top 10 list of the worst Web flaws - maintained by the Open Web Application Security Project, or OWASP) - includes injection flaws, broken authentication, cross-site scripting and security misconfigurations. What's notable is that these risks don't appear to be dying out. According to an OWASP review of the top-ranked threats from 2003 until 2013, for example, while the ranking of various types of flaws may have changed, the list continues to be comprised largely of the exact same flaws.
Some of those risks are more dangerous today than in the past. For example, while attackers previously used cross-site scripting, or XSS, attacks to steal users' session cookies and impersonate them on websites, attackers today may employ XSS to infect visitors to a website with malware that gives the attacker backdoor access to the victim's system, says Ilia Kolochenko, who heads Geneva, Switzerland-based security firm High-Tech Bridge.
Why Common Flaws Linger
One reason such flaws linger, Kolochenko tells me, is because as developers get a handle on how to eradicate them, new types of technology or protocols - such as HTML5 - come along. Developers must then learn anew - or less experienced ones for the first time - how to spot and eradicate common, easily exploitable Web flaws.
Another reason such vulnerabilities don't die, he says, is because a lot of old infrastructure remains in use. In one recent security test for a customer - Kolochenko declined to name the firm - penetration testers from his company discovered that the business had launched an online platform in 2006 that it was no longer supporting. But the infrastructure was still active and presented the penetration testers with a variety of easy-to-exploit, Internet-connected systems with well-known vulnerabilities, which would have given a real attacker a pathway to corporate systems storing sensitive customer data.
Banks in particular remain at risk from outdated infrastructure. "We are still seeing banks that have some internal software that is running on Pascal, on Ada, on some ancient programing languages that contain hundreds of problems, vulnerabilities and so on, and yet are still running on ... Windows 2000 or some historical operating systems, simply because [essential] software is too old [and] not compatible with any modern platform," Kolochenko says. "But replacing this software is extremely difficult and extremely expensive."
Wielding Coercion, Bribery
When it comes to locking down financial services systems and data, however, organizations must be sure to address internal threats. "Institutions should not overlook the internal threat, whereby staff are coerced, bribed or indeed have criminal intent to download data and pass it on to third parties, such as criminals," Honan says.
Insider attacks remain tough to mitigate. Just ask the U.S. National Security Agency or the Department of Defense, which, respectively, failed to prevent the leak of an unknown quantity of top secret information by insider Edward Snowden and the unauthorized disclosure of a half-million diplomatic cables by Chelsea Manning.
But as Honan notes, well-intentioned insiders may also be coerced. Take an employee at Canadian Internet service provider Rogers, who was the target of an extortion attack by hacking group "TeamHans," which demanded 70 bitcoins (about $17,000) in exchange for not leaking customer data they'd stolen from the employee's PC. Wisely, the employee reported the threat to his managers, who reported it to police. No ransom appears to have been paid. But what if the attackers had been wielding information of a more sensitive or personal nature than just an account manager's customer data?
Are Banks Prepared?
Granted, Rogers is an ISP, but the attack begs the question of how many financial institutions have security policies and response plans that cover Internet-promulgated extortion attempts, or response plans in place if they discover insiders who - for one reason or another - decide to do bad things.
However uncomfortable this may sound, Honan says financial institutions must ask their employees to keep an eye on each other. "Effective security awareness training, which empowers staff to identify and report such attacks, or indeed to identify and report suspicious behavior of other staff, is one of the critical tools in an organization's security arsenal."