WILL WAKING SHARK HAVE TEETH? PREPARING FOR CLOSER SCRUTINY OF SECURITY
By Chris McIntosh, CEO, ViaSat UK
The financial sector’s IT security is under close scrutiny: whilst the Bank of England’s recent revelation that cyber-attacks have put banks at risk of “significant” losses since May 2013 came as a shock to many, the writing has been on the wall for some time. The publication of the Government’s Waking Shark exercise results in 2014 will give some indication of how prepared organisations truly are: more and more the phrase “bank robbery” is likely to conjure up images of electronic, rather than physical, theft. If organisations have any doubts at all about their security, now is the time to act.
Means and Motive:
Financial institutions in the UK are an increasingly attractive target; as financial services become a foundation of the economy, so organisations are seen as part of the critical national infrastructure. A successful attack will not only affect a single organisation, but conceivably an entire nation: giving an added incentive to potential attackers.
Attackers have a growing range of technologies and techniques in their arsenal. Recent attempts to steal financial data from Barclays and Santander branches using simple devices connected directly to the banks’ machines, while uncovered by the police, show how technology can be used to circumvent a firewall. Indeed, when attackers can attempt approaches such as intercepting communications channels that increasingly use the internet, or worming their way in by first compromising customers’ machines, the firewall is no longer the bulletproof shield it was once thought to be.
Partly this is due to one of the age-old rules of security: the easiest way into an organisation is through its people. Using social engineering techniques, whether sophisticated or crude, attackers can potentially siphon a huge amount of sensitive information: from account details to passwords, or even worse. Such techniques can work on anyone: a CEO is just as vulnerable to a scam as workers at a cash desk. Regardless of who falls for the ruse, attackers can still gain information that damages the organisation.
When looking to protect themselves, organisations should remember that the majority of attacks are generally opportunistic and aimed at the lowest-hanging fruit. Any obvious vulnerability will be the equivalent of a “Kick Me” sign for potential attackers. To avoid neglecting potential weak points, organisations should take a holistic view: a security strategy should encompass the entire IT network, rather than focusing on particular areas. While it may be impossible to raise every potential access point to the same level of security, making an attack hard enough will deter a large number of potential attackers, who will look for easier pickings.
Sadly, thanks to continually developing new approaches, a sufficiently determined attacker will breach any defences. As a result, another lesson for organisations is to always assume that the network has been penetrated, and to ensure that potential damage is minimised.
Organisations must first spot when attacks have happened. A large part of this is being able to trust the devices and services that comprise the IT network. If a single access point such as a router or program is compromised, then the longer it stays open, the longer attackers have to damage the organisation. Instead, all points of the network must be authenticated regularly in order to gauge if they are still trustworthy. Each device or program should exchange security “handshakes” with other parts of the network; if one of these is not returned correctly, alarm bells should ring. There should also be particular devices that the organisation can trust implicitly and that test other sensitive parts of the network. Any inconsistencies raised by these devices should be investigated immediately.
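The regular handshake described above can be sketched as a challenge-response check run by a trusted verifier. This is an added example, not part of the original article; the device names, the per-device keys provisioned at enrolment and the HMAC-SHA256 construction are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Device:
    """A network node holding a secret provisioned at enrolment (assumed)."""
    def __init__(self, name, key):
        self.name, self._key = name, key

    def respond(self, nonce):
        # Prove possession of the key without ever sending the key itself.
        return hmac.new(self._key, self.name.encode() + nonce, hashlib.sha256).digest()


class SilentDevice(Device):
    def respond(self, nonce):
        return None  # models a node that has stopped answering


class Verifier:
    """The implicitly trusted device that tests the rest of the network."""
    def __init__(self, enrolled):
        self._enrolled = dict(enrolled)  # device name -> enrolled key

    def check(self, device):
        key = self._enrolled.get(device.name)
        if key is None:
            return "ALERT: unknown device"
        nonce = secrets.token_bytes(16)  # fresh per handshake, so old replies cannot be replayed
        reply = device.respond(nonce)
        if reply is None:
            return "ALERT: no reply"
        expected = hmac.new(key, device.name.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(reply, expected):  # constant-time comparison
            return "ALERT: bad handshake"
        return "ok"


def demo():
    # Constructed inventory: three enrolled nodes plus one that was never enrolled.
    keys = {n: secrets.token_bytes(32) for n in ("router-1", "teller-app", "atm-7")}
    verifier = Verifier(keys)
    devices = [
        Device("router-1", keys["router-1"]),           # healthy
        Device("teller-app", secrets.token_bytes(32)),  # key no longer matches enrolment
        SilentDevice("atm-7", keys["atm-7"]),           # handshake not returned
        Device("rogue-box", secrets.token_bytes(32)),   # not in the inventory
    ]
    return {d.name: verifier.check(d) for d in devices}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run on a schedule, every status other than `ok` is one of the inconsistencies that should be investigated immediately.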
While this will help spot breaches, it is also essential to make sure that a breach produces the minimum of damage. For example, often an attacker will be seeking to steal sensitive data, from financial data to personnel records. By encrypting this information, it becomes worthless to any attacker even if they are able to remove it: the 256-bit encryption used today will often take decades or even centuries to break, if this can be done at all with any confidence.
While humans may still be the weakest link in any such system, there are still many ways to protect both the organisation from human error, and employees themselves from becoming scapegoats for any security breach. Actions such as data storage and transfer should be automated as much as possible, to remove opportunities for people to miss security best practice. For example, if sensitive data can only be saved on authorised, encrypted storage then it can be provided to workers with much more confidence.
Fatalist or Realist?
While this approach to IT security may seem fatalistic, it is also the only way to ensure an organisation is protected. Attacks on IT are simply a way of life in the 21st century. By taking a holistic approach to minimise weak links; regularly authenticating all points of the network; removing the chance of stealing anything of value; and protecting users from their own mistakes, organisations can at least ensure that they have the best possible chance of frustrating potential attackers.