DEFENCE AGAINST THE DARK ARTS – HOW BANKS SHOULD COUNTER THE CYBER THREAT

Geoff Webb, director, solution strategy, NetIQ

DEFENCE AGAINST THE DARK ARTS
DEFENCE AGAINST THE DARK ARTS

Since the earliest incarnations of the banking industry, security has always been of the highest priority. While security mechanisms have evolved from those times, the mechanisms defending high-street banks are still extensive with pin numbers, safes, security doors and alarms all part of their arsenal.

Fortunately, these solutions have made it nigh on impossible for criminals to gain access to cash held on site and bank breaches have almost been forgotten as the primary target for criminals. Unfortunately while the physical threat has receded the virtual threat has grown, with it now posing a very real danger to both retail and investment banks. Criminals are no longer limited to stealing what they can carry from a bank as they can steal far more data by going online. The internet has created a situation where criminals now assume far less risk to themselves, for far greater rewards. Funds stolen by cyber criminals dwarf the amount their physical forbears could ever hope to have escaped with, and data thefts can be far more damaging than stolen funds.

The techniques used by modern cyber criminal are sophisticated and varied in their approach. One technique that has come to the fore in recent years is the Distributed Denial of Service (or DDoS) attack, where criminals flood a bank’s server with requests in an attempt to bring down its network. Research by analysts has uncovered a number of DDoS attacks that have taken place as a way of diverting the attention of IT security teams while millions is being stolen through fraudulent wire transfers. The DDoS attacks do not even need to succeed in bringing down a whole network, a slower network can cause a trading floor to seize up entirely causing considerable financial losses. Internet Service Providers (ISPs) are usually effective at responding to a DDoS attack, providing much needed support when they take place. However, when a DDoS attack does take place it is imperative that banking institutions don’t focus all their attention on this intrusion, as the main attack may in fact be occurring elsewhere undetected.

Geoff Webb
Geoff Webb

One major difficulty for banks is that modern cyber-criminals can be almost indistinguishable from genuine employees. Once inside an organisation’s perimeter a cyber criminal will immediately aim to elevate his own authorisation levels to one of a privileged employee, using the clearance to steal data and other assets. As a result, talking about insider and outside threats to banking security is an increasingly outdated way of thinking. Banks have to assume that they have already been breached and as a result need to act accordingly.

At the same time, however, some hackers have shifted the focus of their attention away from fraud, to stealing raw company data which can be even more damaging. A customer’s personal financial information has real value to cyber-hackers as it can be sold on to other criminals running sophisticated fraud operations. If a customer’s account is compromised in this way, real damage can be incurred to that institution’s finances and reputation.

With this growing online threat, how should banks respond? No firewall can guarantee to keep out every attacker, so it’s inevitable that their perimeter will be compromised, so how can banks limit this threat and ensure corporate information is secure and protected? There is no doubt that this is a considerable challenge as banks are global institutions with thousands of employees. Identifying one intruder posing as an employee is no mean feat.

Some organisations try to identify the tools a hacker is using. This method is flawed as it’s easy to build unidentifiable tools but what can be uncovered is the unusual activity and behaviour a hacker displays. Is there an abnormal level of traffic going to a particular area of the bank or is data flowing in new ways around the business? Being able to spot and identify these signs gives banks a far greater chance of spotting an attack.

While identifying the irregular signs indicating an intrusion is important, ultimately actions need to be taken to prevent an attacker getting a foothold within the bank to begin with. This comes down to carefully controlling what employees can access and ensuring they can only access the data they need. An individual may move departments and not need the access they previously had, this should be acted upon but in reality many organisations struggle to implement this approach. Limiting access across an organisation makes it easier to spot hackers masking themselves as employees and better protects resources. Once this is in place it makes it far easier for the IT team to identify the eratic behaviour of a hacker and mitigate their effect.

The final action banks need to take is to put in place a plan of action for when a bad actor is found. What is the response? Who should be informed? Without this in-depth planning which seems obvious to many, organisations can end up struggling to respond effectively, leaving themselves exposed to greater damage.

Banks need to make available the time and resource to manage the access rights of their employees and get back on the front foot in the struggle with cyber criminals. If this is overlooked it will become increasingly difficult for banks to spot irregular behaviour early and mitigate the effects. Cyber attacks aren’t about to go away and banks need to ensure that they have the tools and processes in place to reduce the chances for fraud or a damaging data breach.