Maksim Kabakou - Fotolia
In the world of cyber security, we can argue that threat actors will largely stay the same: the insider, the criminal, the hacktivist and the hostile state. What is changing, however, is the methodology of that attack vector; specifically, the shift of focus from a customer to an organisation’s data.
We know from Lloyd’s of London that the cost of the financial world mitigating against cyber breaches is as much as $400bn a year, a figure that includes both preventative and remediation activities. This reflects the fact that a financial institution is 300 times more likely to be the subject of an attack than any other organisation, hardly surprising when we consider the risk/reward ratio of successfully breaching a bank’s perimeter. Financial institutions will remain the primary focus of any threat actor that seeks financial gain.
Last year was notable, however, because it marked a turning point in how attackers sought to make financial gain. The Financial Conduct Authority (FCA) deemed the Tesco Bank attack “unprecedented” – in scale, yes, in focus, no. Targeting customer accounts or information is not new. The Tesco attack resulted from a sophisticated form of guesswork that successfully calculated the variations of customer card details, which were then used against various websites.
In hindsight, only months later, the Tesco Bank attack appears quaint in its level of sophistication – somewhere between the Great Train Robbery and the Hatton Garden diamond heist. The real focus of the cyber security professional must be on the methodology of the Swift and Carbanak attacks.
Let us be clear: the attack on the Swift payments network was not limited to the Bank of Bangladesh or other financial institutions in the developing world. We know there have been subsequent waves of attacks against institutions in the US, Australia and Hong Kong.
The Swift attacks are notable for two things: the attacks were against the banking system itself, not customers; and the attackers were modifying, not stealing, information. Perpetrated through phishing, the malware allowed the attackers to delete outgoing financial transfer requests and amend those received. The attackers also had the ability to amend customer accounts and even intercept and change PDF statements to successfully cover their tracks.
It is the ability of attackers to cover their tracks that is concerning. The fact that the Swift attackers knew PDFs were issued to validate accounts demonstrates an inside knowledge of the wider financial infrastructure. Once legitimate credentials are stolen, can we really say with any assurance that all transactions are bona fide? It was only by chance that the attackers did not steal $951m rather than $81m.
The Carbanak attack further illustrates this trend of manipulating the integrity of financial data. Again, perpetrated by phishing, the malware allows remote access, so attackers can record the legitimate actions of bank employees. Authorising the transfer of money, the attackers would then cover their tracks by using banking officer accounts to amend information before and after the attacks. The fact that more than 100 banks have been targeted since 2013, with more than $1bn stolen, shows that the criminal world is fast catching on to the value of amending data.
Read more from Computer Weekly’s Security Think Tank about dealing with data integrity attacks
So what can be done to meet this threat? The first step is for an organisation to do the basics well. As seen in the Swift, Carbanak and Carberp attacks, phishing is still a major attack vector for criminals. Employee awareness of legitimate email traffic therefore remains a key control. Secondly, physical security and access through the perimeter to networks and even working environments, where an attacker can glean intelligence from employee conversations and unattended documents, is a straightforward but highly effective mitigation measure.
Most obviously, internal data integrity controls are now a priority – both manual dual controls and automated file integrity checkers. Think Tripwire, but on an industrial scale. It is also crucial, now more than ever, for organisations to stay up to date with the latest industry governance frameworks, such as COBIT 5.
The most important element in meeting the threat to the integrity of data is the formation and embedding of a “banking alliance”. The Swift attack was perpetrated against the banking system – not a particular bank. The Swift network serves 11,000 institutions in more than 212 countries. It is a system built on trust. The moment the integrity of that system is called into question, the entire foundation will start to shake.
The view of the banking system as part of the critical national infrastructure (CNI) is not new. The Bank of England has taken significant steps to ensure the ongoing stability of the UK financial system, with a key aspect being the creation of the National Cyber Security Centre (NCSC), whose remit is to protect and respond to attacks on CNI.
Similarly, CBEST is a cross-industry, intelligence-led security testing framework designed to standardise the ability of financial institutions, telcos, energy providers and other CNI organisations to withstand an attack. Further, the creation of the Cross Market Operational Resilience Group (CMORG), comprising all the major banks, is an acknowledgement that one attack may affect the integrity of all.
The attackers have now graduated from isolated incursions to the potential of launching a devastating strike on the banking industry. To withstand this threat, the financial industry’s greatest strength is in presenting a united front.
Kevin Murphy is president of ISACA’s Scotland chapter. ................................................................................................................... ................................................................................................................