By Matthew Stockham, GTreasury
Network security in cyberspace is never far from the headlines. When it does reach the headlines, it’s never good news.
Here are just a few famous – or infamous – security breaches of the not-too-distant past, even though they might seem like ancient history by now: Target, Adobe, TJX, Home Depot, Sony Playstation, Heartland, Epsilon.
More recently, we heard of breaches and fraudulent funds transfers involving large banks. The Bangladesh Bank lost $81 million; had there not been a typo in one of the transfer messages, the loss could have exceeded $1 billion.
Soon followed news of similar breaches in the Philippines, Vietnam, Ecuador, and about a dozen others. Those transfers either took place or were attempted over the SWIFT network. That was a new wrinkle. It wasn’t just credit card data or personal information. It was an assault on the world’s financial messaging system.
Corporate treasurers – our customers – took notice. We work with SWIFT. We fielded many questions. What happens with SWIFT payments, and what happened here? Are my payments safe? What can you, GTreasury, do to help?
The customers were right to ask. I don’t blame them for being uneasy. Hackers and cyber-thieves are, unfortunately, good at what they do and getting more sophisticated all the time. They take advantage of gaps and weak spots in information technology systems. But those gaps and weak spots are there, almost exclusively, because some human being wasn’t doing his or her job properly.
We can always improve our hardware and software, and I’ll discuss a few ways we’re doing that. But it doesn’t matter how powerful or expensive your system is if you don’t know how to use it.
What Happened: Outdated Technology, but Human Error Too
SWIFT is a messaging system used by banks and financial companies. SWIFT messages include, but are not limited to, payment orders. The SWIFT network itself was not hacked. But the hackers, operating from Egypt, penetrated the banks’ systems and installed malware. The malware modified the bank’s Alliance Access software, which reads and writes the SWIFT messages and records transactions. The malware altered payment orders, increasing transaction amounts and changing payment destinations. It also changed the SWIFT payment confirmation messages back to the original amounts or deleted them entirely.
A police investigation showed that the Bangladesh bank had no firewalls and was using second-hand, ten-dollar switches on its network. The Philippine bank was using a $25 router and default passwords. It’s little wonder that the crooks were able to get into the network. Anyone who takes security seriously knows that security demands investment. You can’t expect good results by picking cheap components off the shelf, plugging them in, and hoping they’ll work. The components need to be part of a coherent plan.
But I could buy a million-dollar security device for my network and it still wouldn’t make a difference if I’m not managing it correctly. The SWIFT breach gave my company an impetus to review everything we were doing in the way of security, both in components and in management of them, and we did find ways to tighten things up even further. I have no doubt that many companies within the financial services ecosystem did likewise. Below, we’ll discuss some specific steps that should be considered.
How the Enemy Works
Spam. Spear phishing. Social engineering. Confederates inside the target institutions. Black-hat tool kits that are more advanced than the tools that developers work with when building applications. They’re all part of the arsenal that hackers use.
Nowadays we don’t hear much from the deposed African prince who wants to split a hundred million bucks with us. Cyber crime has gone way beyond such stickups of unwary individuals.
The cyber criminals are working full time and studying your business. They scan for the open port, look for SSL vulnerabilities, do automated testing. They seek out the one vulnerable machine on the network or the one gullible or inattentive person who clicks on a link and lets malware in.
They also learn who does your payroll, whether you use FedEx, and who your ISP is. They’ll send you an invoice that says your account is overdue and will be terminated if you don’t reply. People click on the invoice link without thinking, and what looks like a PDF file can mask an executable. Even highly credentialed employees like executives, CFOs, and treasurers get duped. They’re in a hurry, and they click on links without thinking.
The attackers need only one percent of their attempts to succeed for the campaign to pay off, but the percentage of the population that falls for it is much higher than that.
In my experience, something more than 80% of malware that reaches its target is distributed by phishing, or by somebody clicking a link on a compromised web site. Such campaigns highlight the fact that organizations are only as strong as their weakest link, and in this case that link is their employees. IBM’s 2015 Cyber Security Intelligence Index indicated that 95 percent of all attacks involve some type of human error.
Attackers rely on that factor, counting on someone to open a fraudulent attachment or link. WordPress sites are a particular problem. Many people who run WordPress sites do it as a hobby, not as part of their full-time jobs. They don’t keep security patches up to date. So if a hacker compromises a WordPress site and adds their own code, and then you click on one of the site’s links, behind the scenes there’s a software download to your machine.
Defending Your Castle
Think of your business as a castle. Build the walls and dig the moat. Most attackers are looking for the soft spots and easy pickings – they prefer to probe for open doors to your system, and to simply walk in. You can turn these intrusion attempts aside by having those walls and moat – appropriate policies and components – in place.
The drawbridge and the great wooden door are the entryway to the castle. Sometimes that door must be opened, or the castle can’t function in the world outside. The door should open only when needed. No other entryways, such as windows or emergency doors, should be left unlocked.
When the door is opened, be sure you have vigilant, armed, well-trained sentries on duty. They’ll protect you from almost every other external threat – the attackers who go beyond casual probing to methodical intrusion attempts.
With the above measures in place, you’ll be guarding against about 99% of all forays against your system.
Finally, station hundreds of vigilant guards atop the castle walls and around the base of the walls. They’ll spot and dispatch the final one percent of attackers, those lone daredevils who try to scale the walls or tunnel beneath them.
To summarize – the walls and the moat are administrator rights to your system. More precisely, they’re the curtailments, the strict limitations, of administrator rights. Smart, aggressive control of administrator rights can neutralize around 85% of malware attacks.
The drawbridge and sentries are password controls. Eliminate stolen passwords and you’ll turn back almost all of the remaining intrusion attempts. About 14 percent of them.
But if, somehow, an attacker climbs the wall or digs underneath it, the vigilant guards that will nab him are the two-factor authentication brigade. That’s the final one percent of protection.
We’ll discuss them all in more detail. But before we do, let’s carry the castle analogy just a bit further. It will be much harder to defend the castle if you don’t keep the walls mortared and if you don’t keep the food and ammunition supplies fresh and plentiful. That’s your hardware and software. Keep it current, and keep it patched.
Finally, if your soldiers and sentries are untrained or lazy, it doesn’t matter how strong your walls are. The human factor has always posed the biggest risk in cybersecurity. All of your employees have a part to play. So keep them trained and informed. Whether they realize it or not, they’re on duty all day, every day in the fight against cyber-thieves.
What They’re Capable Of: An Attack-in-Depth
The “Dyre Wolf” campaign against banks shows just how sophisticated the hackers have become. Discovered and named by IBM researchers, it’s an invasion-in-depth, a mirror image of a defense-in-depth. Dyre Wolf has pulled off several million-dollar heists from banks and corporations.
Run by criminals in Eastern Europe, Dyre Wolf uses spear phishing or spam emails to get a foothold in the system. Then its minions post phony dialogue boxes about system errors, prompting a phone call to a fake service center. They lure employees of the target company into revealing their passwords and authentication codes over the phone. They also post spoofed web sites, where gullible employees think they’re logging in.
Within seconds, millions of dollars get whisked away through a maze of foreign banks. The attackers frequently launch a Distributed Denial of Service (DDoS) attack on the target bank to prevent it from seeing what just happened.
This is all very scary. But the first, essential break in the target bank’s defenses came when an employee or some other insider such as a vendor allowed a download of malware. The enemy made it through the castle walls and plucked the keys to the castle keep from another employee.
IBM’s 2015 Cyber Security Intelligence Index, which describes Dyre Wolf in detail, stated that 55 percent of all attacks recorded in 2014 were carried out by those who had inside access to the target company’s systems. Some of those insiders were malicious; others were unwitting dupes.
Elsewhere in that report, IBM states that 95% of actual breaches were caused by human error.
So, by now it must be obvious. You’re only as strong as your weakest link, and that link is almost always an employee. So what to do?
Building a Defense-in-Depth
Let’s return to the castle and its walls, moat, and sentries. Let’s also narrow our discussion to the breaches that keep bankers and corporate treasurers tossing and turning: those that result in unauthorized transfers of money.
In broad strokes, if you start from a secure base, a system in which nobody has rights to anything, and then you open it up to people or processes as necessary, then your solution will be secure and will enable people to do things that must be done.
On the other hand, if you start with a system that is wide open and proceed to lock things down, you will inevitably miss locking or closing certain doors. Moreover, as things change, as people come and go or acquire new privileges and responsibilities, you’ve got to be especially vigilant in monitoring everyone and in shutting down additional doors. It’s far easier to grant access as necessary than to try to deny access once some change occurs.
Let’s assume that an attacker has fooled someone into downloading malware onto his or her computer. How much damage can that do? Some, of course, but you can limit it substantially if the infected computer does not have access to administrator rights.
If the user of said computer is a “standard” or “least privilege” user, then the worst-case damage will be limited to what that user can do. It can’t change files, install software, change processes, and so on. In other words, it would not allow the types of changes to the SWIFT messages that hit the Bangladesh Bank.
The “2014 Microsoft Vulnerabilities Report” by Avecto, a UK software firm, states that “97% of critical Microsoft vulnerabilities could be mitigated by removing admin rights across an enterprise.”
One of the report’s key findings almost reiterated the point: “97% of Critical Remote Code Execution vulnerabilities could be mitigated by removing admin rights.”
The report explains “mitigation” in stating “a standard user account either nullifies the vulnerability itself or nullifies the impact of the vulnerability by preventing the exploit from gaining elevated privilege throughout the user.”
The Avecto report dealt with Microsoft vulnerabilities. But applications like Flash and Java can be exploited as well. Granting admin rights to them, or to any other application with known vulnerabilities, is courting disaster.
Privilege management is not a panacea. If you’ve got sturdy castle walls but the drawbridge is open, the barbarians will storm through the gate. At that point you’re relying on your guards. But who is verifying the guards’ activities – the familiar question “Who’s guarding the guards?”
Some guards need access to sensitive areas of the castle. Who is verifying that they’re doing everything they must be doing, but only what they must be doing? This is where auditing comes in. Remember the percentage of attacks that stem from human error. Some errors are inadvertent; others are deliberate. Does an independent party review your logs, daily, of who accesses production servers? Do you have somebody who is independent of the guards’ function reviewing these accesses? It is similar to the “dual control” of cash practiced by banks, or the requirement for “four eyes” needed to complete an action.
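One way to make that daily, independent review concrete, as an added example (not GTreasury’s code): a script that applies the grant-only-as-necessary model from the paragraphs above to a day of production login records, flags anything outside the explicit approvals, and refuses to run for a reviewer who holds production access. The log lines, server names, accounts and change tickets are all constructed.

```python
"""Independent review of production-server logins (added example; all data constructed)."""
import re
from datetime import datetime, timezone

# Constructed sshd-style log lines; not from any real system.
SAMPLE_LOG = """\
2016-06-01T09:14:07Z prod-db-01 sshd: Accepted publickey for jdoe from 10.1.4.22
2016-06-01T02:40:51Z prod-db-01 sshd: Accepted password for jdoe from 10.1.4.22
2016-06-01T10:02:13Z prod-swift-gw sshd: Accepted publickey for asmith from 10.1.4.31
2016-06-01T11:30:00Z prod-swift-gw sshd: Accepted publickey for contractor7 from 10.1.9.5
2016-06-01T12:00:00Z prod-db-01 sshd: Failed password for root from 203.0.113.7
"""

# Default deny: an account is approved only for the servers listed here (constructed).
APPROVED_ACCESS = {"prod-db-01": {"jdoe"}, "prod-swift-gw": {"asmith"}}
BUSINESS_HOURS = range(8, 18)  # UTC; logins outside these hours need a change ticket
UTC = timezone.utc
# Constructed change tickets: (account, server, window start, window end).
CHANGE_TICKETS = [
    ("jdoe", "prod-db-01", datetime(2016, 6, 2, 0, tzinfo=UTC), datetime(2016, 6, 2, 4, tzinfo=UTC)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted (?P<method>\w+) "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")

def parse_logins(text):
    """Yield successful logins only; failed attempts belong to a different review."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
            yield rec

def in_ticket_window(user, host, when):
    return any(u == user and h == host and start <= when < end
               for u, h, start, end in CHANGE_TICKETS)

def review_logins(text, reviewer):
    """Return findings as (code, account, server, timestamp). Four eyes: the reviewer
    must not hold production access, or the review is not independent."""
    if reviewer in set().union(*APPROVED_ACCESS.values()):
        return [("REVIEWER_NOT_INDEPENDENT", reviewer, "*", "*")]
    findings = []
    for rec in parse_logins(text):
        user, host, when, ts = rec["user"], rec["host"], rec["when"], rec["ts"]
        if user not in APPROVED_ACCESS.get(host, set()):
            findings.append(("UNAPPROVED_ACCOUNT", user, host, ts))
        elif when.hour not in BUSINESS_HOURS and not in_ticket_window(user, host, when):
            findings.append(("OUT_OF_HOURS_NO_TICKET", user, host, ts))
        if rec["method"] == "password":  # keys or a second factor expected on production
            findings.append(("PASSWORD_LOGIN", user, host, ts))
    return findings

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG, "auditor1"):
        print(*finding)
```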
Limitations on Applications
Think about what kinds of applications your employees need in order to do their jobs. Do they need Flash installed? Or Java? Perhaps you should consider having an application whitelist, specifying what can be installed on company machines and what will be blocked by default.
Most applications installed by users have little to do with their jobs. They may go onto Facebook. They may have a Google dropbox. They will install things to do at lunchtime. If a company does not know what applications its employees have installed, or how they are using them, then the company will have no control over the information that is flowing through users’ machines on the network.
Policies and Passwords
In the case of the Philippine Bank breach mentioned above, the bank was using a $25, second-hand router. It also had no firewalls and used default passwords. Human error, anyone?
By now, it should be obvious to any user of IT that their passwords should be in a format that is hard to guess or to discover through algorithms. Passwords should also be changed frequently. Company policies should mandate such approaches. It is a very easy thing to enforce password complexity. Companies should also routinely test passwords to see if they can be broken easily.
The whole issue is so familiar that we needn’t go through it here. Still, there’s a distressing proportion of computer users whose password is “password” or “123456.”
Single Sign-On (SSO) is another effective countermeasure. With SSO, a session and user authentication service permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. It is easy to set up and manage. There are many third-party products, including Microsoft Active Directory Federation Services (ADFS), that work well. They balance the tradeoff between ease of access for the end user and tight, documented security for the auditors and internal security team.
With SSO, mandated password changes are easy. You only have to change the password in one place to update it for every application that supports SSO. You don’t have to go into every system and individual application. Managing multiple passwords, and having to remember them for every system, causes a great deal of user frustration and password-related errors.
Because SSO is authentication by a trusted server within the company network, third-party applications like GTreasury do not have to make their own determination that a given user’s credentials are valid. Instead, third parties can use the same trusted source that the company is using for its users’ identification and validation.
Multi-Factor Authentication (MFA)
Multi-factor Authentication (MFA) combines “something you know” – a password – with “something you have.” The “something you have” portion might be a physical token with a distinct, encrypted security code. It might also be a message sent to a mobile phone or a laptop computer. Even if some hacker penetrates your network and steals your password, he can’t make off with the goods unless he also gets hold of the other authenticating factor.
MFA does not just need to be on login. It could also come into play at any functional point of using an application – such as approving a payment.
The Dyre Wolf guys scored despite MFA because they succeeded in getting both pieces of the puzzle. With faked phone calls and spoofed web sites, they tricked the victims into revealing or entering essential information like security codes or passwords. Again, this shows that no technology is foolproof if humans mishandle it. It also shows the need to layer security, rather than to rely on any one method or solution component.
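As an added example of the “MFA at a functional point” idea above (not GTreasury’s code), a payment-approval step that lets a password session approve small payments but demands a second factor at or above an amount threshold. A time-based one-time password per RFC 6238 stands in for the page’s token or phone message; the threshold, user name and shared secret are constructed (the secret is the RFC test-vector key).

```python
"""Step-up MFA at payment approval (added example; TOTP per RFC 6238, constructed policy)."""
import hashlib
import hmac
import struct

STEP_UP_THRESHOLD = 10_000  # constructed policy: payments at or above this need a second factor
TOTP_STEP = 30              # seconds per TOTP window

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // TOTP_STEP, digits)

class PaymentApprover:
    """Requires a fresh TOTP code for large payments; each code may be consumed once."""

    def __init__(self, user_secrets):
        self.user_secrets = user_secrets  # user -> shared secret bytes from enrolment
        self.used_codes = set()           # (user, counter) pairs already consumed

    def approve(self, user, amount, now, code=None):
        if amount < STEP_UP_THRESHOLD:
            return "approved"             # the authenticated session alone suffices
        if code is None:
            return "second factor required"
        secret = self.user_secrets[user]
        counter = now // TOTP_STEP
        # Accept the current window and one either side to tolerate clock drift.
        for c in (counter - 1, counter, counter + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                if (user, c) in self.used_codes:
                    return "rejected: code already used"
                self.used_codes.add((user, c))
                return "approved"
        return "rejected: bad second factor"

if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test-vector secret, constructed enrolment
    approver = PaymentApprover({"treasurer": key})
    print(approver.approve("treasurer", 50_000, 59, totp(key, 59)))
```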
Mobility and the Cloud: More Cautionary Tales
If you do a good job of restricting administrator rights, of managing identities and passwords, and of implementing two-factor authentication, you’re showing that you’re serious about cyber-security. Your auditors will approve; so too should your lawyers and law-enforcement authorities.
Data breaches are a real threat nowadays, even for companies that are diligent about security. If your company’s systems are breached, your legal liability may be much less if you have followed a strategy of defense-in-depth than if you were oblivious to best security practices. In the event of the latter, there could be additional or punitive damages assessed.
But you didn’t think that was the end of it, did you? The war is never over. Before we conclude, I’d like to offer some further items for your consideration.
If you’re a corporate treasurer, be very careful about using your home computer or your mobile device. If you’re in an airport, for instance, you might inadvertently log on to a Wi-Fi network that looks legitimate – named something like “Lagardia” or “Heatrow” – and send critical data to a hacker for a man-in-the-middle attack.
Again, going back to the human element, remember that terminated employees aren’t fully terminated until they no longer have access to any of your systems. When you dismiss someone, you shut off access to the internal network. But do you use one or more cloud-based services? If so, someone has to go out and delete the departed individual from every one. It takes some extra work and doesn’t happen automatically unless your cloud provider’s web services offer to disable terminated users’ accounts.
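One way to make that extra work routine, as an added example (not GTreasury’s process): reconcile the HR termination feed against account exports from every service, cloud services included, so that nothing lingers after the internal network account is gone. The roster, service names and account identifiers are constructed.

```python
"""Offboarding reconciliation across internal and cloud services (added example, constructed data)."""
from datetime import date

AS_OF = date(2016, 6, 1)  # constructed review date

# Constructed HR feed: login name -> termination date, or None while still employed.
HR_ROSTER = {
    "jdoe": None,
    "asmith": date(2016, 5, 20),
    "bwong": date(2016, 5, 31),
}

# Constructed account exports. The internal directory was cleaned up at dismissal;
# the cloud services were not. Identifiers differ per service (upper-case login, e-mail).
SERVICE_ACCOUNTS = {
    "internal-ad": {"JDOE"},
    "treasury-saas": {"jdoe@example.com", "asmith@example.com", "bwong@example.com"},
    "file-sharing": {"asmith@example.com", "jdoe@example.com", "svc-legacy@example.com"},
}

def normalise(identifier: str) -> str:
    """Reduce 'ASMITH', 'asmith@example.com' and 'asmith' to one comparable login name."""
    return identifier.split("@", 1)[0].lower()

def reconcile(roster, services, today):
    """Return lingering accounts of terminated staff, and accounts with no HR owner at all."""
    terminated, no_owner = [], []
    for service, accounts in services.items():
        for acct in accounts:
            login = normalise(acct)
            if login not in roster:
                no_owner.append((login, service))
            elif roster[login] is not None and roster[login] <= today:
                terminated.append((login, service, (today - roster[login]).days))
    return {"terminated": sorted(terminated), "no_owner": sorted(no_owner)}

if __name__ == "__main__":
    for category, items in reconcile(HR_ROSTER, SERVICE_ACCOUNTS, AS_OF).items():
        for item in items:
            print(category, *item)
```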
My company, GTreasury, has recognized this need. We’ve built up an arsenal of weapons to help treasurers secure their environments: MFA, SSO, IP whitelisting, audit trails, internal change control, file integrity monitoring, web application firewalls (devices that monitor all traffic flowing through the web server, looking for potentially malicious code and traffic), intrusion detection systems, log files, auditing, access monitoring, code scanning, server vulnerability scans, and penetration testing.
Once more to our castle analogy, we find that cloud computing might just allow potential invaders to glide right over the castle walls and drop in from the sky. You still need vigilant sentries to spot them. You’ll need to give the sentries some accurate, long-range crossbows to nail them even before they land.
So Get into the Game!
Maybe we’ve had enough comparisons with the Middle Ages. Let’s move into modern times and sum it up by thinking of cyber-security as we think of that great American game, football.
They say that offense wins games but defense wins championships. And what do you need to build a champion defense?
- A well-thought-out game plan – your security policies and procedures.
- A defense-in-depth consisting of big strong linemen, heady and agile linebackers, and fleet defensive backs all playing with the latest gear – your tightly controlled admin rights, robust passwords and identity management, and two-factor authentication, all put into action in a robust and up-to-date hardware and software platform.
- And most importantly, your players – talented, well prepared, and thoroughly drilled. The entire squad, from the highest-paid starters to the least-used substitutes. Your employees. They’re the ones who do the work; they’re the ones on whom you rely.