Security Think Tank: Cyber security needs to start with the simple things

Does the theft of $1bn from global financial firms by the Carbanak gang show it is time to seek new technologies or improve business processes?

The recent exposé that the Carbanak cyber crime gang took some $1bn from financial institutions points again to an apparent lack of awareness of information security – not just in the financial institutions, but generally across all industries and indeed the home. 

Is it a case of looking for new technologies? Well maybe, but there are some pretty sophisticated systems already available, which begs the question of whether these systems are being effectively used.

For example, there is no point in having a hundred video cameras covering every aspect of a building if you only employ one guard to monitor them. But sophisticated monitoring technology properly set up and tended is not the be all and end all.

Simple things like ensuring that file properties are correct and minimal for effective use and ensuring that the least privilege principle is applied for all authentication and authorisation purposes will help. Organisations should also ensure there are no default or shared passwords, and enforce password complexity. 

Additionally, applications and operating systems should be maintained and patched up to date, ensuring that server firewalls are activated and that all firewall rules are regularly reviewed to check they are fit for purpose. All of these steps will go a long way in defeating the cyber criminal.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

Read more about Carbanak cyber attacks


Read more on Hackers and cybercrime prevention

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

it is time to change the fundamentals of ICT Security.
New Technologies, better software  to detect any intrusion are required - always. But we already have lot of good product s in market. May be its not about the products but implementing security in totality. For example - if we have a anti-virus or other security software, just implementing it doesnt secure us. Security should be tested for , if possible - daily.
In the SW and especially in ICT security are many half-truths, PR phrases, etc.

Security must be the basis of the system, not an add-on.

Many viruses and hacker attacks were discovered after a few weeks or months, antivirus or IPS / IDS systems failed to detect it.
The problem is not the chosen technology, the problem is in the basic rules of ICT Security.
Unfortunately, over the past 10-15 years there came up a whole generation of users and experts who believe that - "We can not do it better."
Is time for a change.