Mapping and anticipating emerging threats can help inform crisis response but don’t be lulled into a false sense of security by compliance, or divert resources into fighting fraud fads, says Jamal Elmellas.
Eisenhower once said “We will bankrupt ourselves in the vain search for absolute security”, a statement as applicable to the enterprise as it is to the state. No network can ever be totally secure and any enterprise pouring time, money and resource into trying to achieve that goal risks chasing a phantom menace. How then to focus security spend? Contextual security is a phrase that is commonly used and suggests organisations should look at sector-specific threats. Monitoring and mapping threats as they emerge can provide some predictive capabilities but this crystal ball gazing should always be underpinned with sound security policies and processes backed by the business.
DDoS attacks have been reported widely by the media over recent months and there have been cautionary tales warning of a banking Armageddon this year. A recent report by the Ponemon Institute suggests financial institutions are unprepared for an expected onslaught of DDoS attacks this year, mainly because of an over reliance upon point solutions such as firewalls, and calls for more investment in DDoS tools. This warning seemed to be substantiated by a DDoS attack which caused 249 hours of downtime for US banks during a six week run in February and March. Initiated up to a year ago, the fraud involved regular attacks which extracted credit card details to clone cards. Each onslaught sought to overload bank websites in order to draw IT resource away from the target data before accessing bank systems.
A simple Google search will throw up other examples such as Heartland Payment Systems across the pond and closer to home the beleaguered HSBC, which most recently suffered a DDoS attack in October that took down the bank’s servers, affecting customer internet banking worldwide (the year before, the bank’s network was also hit, affecting ATM services, and it was fined £3million back in 2009 for a major data breach of customer data).
Reliance on compliance
But while network attacks are an issue, there is a more endemic problem here, namely an over reliance culturally on compliance. While compliance is a good starting point, the ever-changing threat spectrum calls for a more proactive approach. How we protect against these threats needs to evolve. Financial organisations need to move beyond the compliance remit to look at how best to embed security throughout their operational processes. This can be achieved through the application of effective risk management, protective monitoring and the use of appropriate and proportionate security controls.
Essentially attacks will happen and in an information age the direction of the attacks will normally follow the money. One need look no further than the recent $45 million debit card hack which took place over a reported seven months where credit limits were raised to allow ATM withdrawals. Despite the existence of PCI DSS security compliance, the hackers were able to circumvent the security controls in place. This suggests that the sector tends to rely too heavily on prescriptive compliance controls for protection. Perhaps we should be asking does business actually have the ability to identify a compromise and/or track trending hacker activity to anticipate such an attack?
Attacks are inevitable and will happen: seeking to prevent them is futile. What is important is that these organisations have the ability to identify an attack as quickly as possible and prevent a compromise. Real business security is essentially about the business process being monitored and anomalies being highlighted; this is not a new paradigm, it has been in existence throughout the history of business. Effective security has never been about products but about process and security has to be built into key business processes. By overlaying security onto the business process it is possible to embed security process into the operational functions of the business and this in turn heightens awareness of suspect activity on the network.
Looking forward, we can expect attacks to become more sophisticated, more focused and globally ambitious. Targets are being pinpointed as cyber criminals seek to find the weakest link in the information process chain within which financial institutions have their operations and systems. These are spread across different continents, providing the criminal with the ability to sabotage systems globally. APTs (Advanced Persistent Threats) are also becoming more of an issue, as evidenced by Operation Shady Rat. A sophisticated cyber attack that penetrates network defenses, APTs can remain undetected for a considerable amount of time, siphoning data from the network, deploying trojans to gain control of end-user devices or conducting SSL man-in-the-middle/man-in-the-browser attacks. Such as Spy Eye, for example, which not only steals passwords to access bank accounts but even creates bogus statements to cover its tracks.
Don’t believe the hype
Yet forewarned does not necessarily mean forearmed. The financial sector needs to ensure it doesn’t overreact to the current scaremongering as a knee-jerk reaction can cost time and resources. Anonymous recently threatened a DDoS attack against US banks on 7 May but this did not materialise. A DDoS attack may render a bank temporarily impotent but if it has the measures in place to mitigate reputational damage and ensure the crown jewels – the data – remain protected it can withstand the assault.
Understanding the risks is crucial and it is also the only way to justify security investment. We need to fight the perception of security as an inconvenience and an additional cost and open executive eyes to security as an enabler that can dampen and channel these attacks.
Jamal Elmellas is Technical Director for independent security consultancy, Auriga Consulting Ltd ( www.aurigaconsulting.com ) which has carried out security projects on behalf of major financial organisations in the UK