Cyber-Defenses Never Enough

By Richard Stiennon


Security is a matter of economics. It is an attempt to push the costs of executing a successful attack higher than the rewards. As the rewards grow for the attackers they are willing to invest more and more in the attack. And that is where cyber security starts to fall down.

The attackers are thwarted from simply hacking in from the Internet so they turn to a frontal assault that may catch an organization completely off guard. For instance, you may end up spending millions to defend bank account information only to suffer a loss of critical account records to someone who bribed a bank teller for little more than a weekly salary.


Recent events have once again highlighted the fact that when information has value, there are criminals who will stop at nothing to steal it. Like most things, it is a matter of economics.

I don’t know how long I will be writing about Sumitomo, but this is the classic case of infiltration, and its lessons should be learned by everyone in the banking industry, or any industry for that matter.

A gang masquerades as cleaning staff to get into the Sumitomo bank branch in central London. They install hardware keystroke loggers on the PCs of support staff and get as far as transferring over $400 million to accounts at other banks around the world before their heist is shut down.

Have you examined your procedures for hiring contracted cleaning staff? Or the people who water the plants? Or temporary clerical help? Or your security guards, for that matter? Do you ask them for IDs when they show up for work? Do you have security cameras to check up on them? Can the security guards access the camera system?

Also in London, within the “square mile” that is the financial district, the British Bankers' Association has warned that nefarious types are accosting bank employees on their way to and from work in order to recruit them to steal bank account information and sell it, probably for paltry sums.

You have security guards, you have cameras, you have firewalls, IPS, and leak prevention systems, but your employees can still walk out the door with gigabytes of data stored on a thumb drive, CD, iPod, or that storage medium made out of wood pulp (paper). Background checks will not identify an employee who may be turned by the right proposal. Improving employee relations and better communication with them would be a good start.

I don’t mean to single out London here. Last year Wachovia, Bank of America, PNC Financial Services Group, and Commerce Bancorp were all the victims of a crime ring in New Jersey where bank employees and, in one case, a state employee were bribed into giving up account records. They would print out specific accounts that were later sold to collection agencies and law firms that were targeting people for past due payments. The price paid by the ring leader was ten dollars per account. According to reports at the time he reaped millions on the re-sale of over 500,000 accounts.

What to do?

Look at the other forms of insider defense organizations have already deployed in situations where trust alone fails. In particular, look at cash handling.

At a Starbucks each associate swipes an ID card in the point-of-sale terminal every time they handle cash. At a bank, where the sums are greater, there are surveillance cameras looking over the shoulder of every teller. No, those are not there to catch armed robbers on camera; they are meant to ensure the good behavior of the tellers.

How do these defenses translate to information handling such as account records? First of all, require better authentication to access information. That way, everyone knows there is a log, tied to their identity, of all the information they access. If it is later stolen, they could be suspects.

This encourages better behavior. Activity monitoring is another way to alert on suspicious behavior. If someone is accessing more than their usual number of records, alarms go off and their actions can be investigated.
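As an added illustration of the two paragraphs above (authenticated access logging plus activity monitoring), the following Python sketch is not code from this column or from any product it mentions. It assumes a constructed audit-log line format, `<date> <user> ACCESS <record_id>`, where `user` is the authenticated identity, and it flags any day on which a user pulls far more distinct records than that user's own history suggests. The baseline uses the median and median absolute deviation of prior days rather than a mean, so one earlier spike cannot quietly raise the bar for later ones.

```python
"""Per-user record-access volume alerting over a constructed audit log.

Assumed (not from the article): each record access is written to an audit
log as "<ISO date> <user> ACCESS <record_id>", with <user> taken from the
authenticated session rather than a shared account.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Tuple


class Access(NamedTuple):
    date: str    # ISO date of the access
    user: str    # authenticated user ID
    record: str  # account record identifier


def parse_log(text: str) -> List[Access]:
    """Parse audit-log lines; skip malformed ones so a noisy log
    does not stop the monitoring job."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "ACCESS":
            continue
        events.append(Access(parts[0], parts[1], parts[3]))
    return events


def daily_counts(events: List[Access]) -> Dict[str, Dict[str, int]]:
    """Number of distinct records each user touched on each day."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.user, e.date)].add(e.record)
    counts: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (user, date), records in seen.items():
        counts[user][date] = len(records)
    return counts


def detect_anomalies(counts: Dict[str, Dict[str, int]],
                     min_history: int = 3, k: float = 5.0,
                     floor: int = 20) -> List[Tuple[str, str, int, float]]:
    """Return (user, date, count, threshold) for days whose volume exceeds
    median + k * MAD of that user's earlier days. `min_history` days are
    needed before judging; `floor` suppresses alerts on tiny volumes."""
    alerts = []
    for user, by_day in counts.items():
        history: List[int] = []
        for date in sorted(by_day):          # ISO dates sort chronologically
            count = by_day[date]
            if len(history) >= min_history:
                med = median(history)
                mad = median([abs(h - med) for h in history]) or 1.0
                threshold = med + k * mad
                if count > threshold and count >= floor:
                    alerts.append((user, date, count, threshold))
            history.append(count)
    return alerts


def build_sample_log() -> str:
    """Constructed sample: two clerks with steady daily volumes, one of whom
    pulls 140 records on the last day. Includes one malformed line."""
    plan = {
        "asmith": [12, 15, 11, 14, 13, 140],
        "bjones": [10, 10, 10, 10, 10, 11],
    }
    lines, record_no = [], 1000
    for user, per_day in plan.items():
        for day, n in enumerate(per_day, start=1):
            for _ in range(n):
                record_no += 1
                lines.append(f"2005-03-{day:02d} {user} ACCESS ACCT{record_no}")
    lines.append("garbage line that should be skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, date, count, threshold in detect_anomalies(
            daily_counts(parse_log(build_sample_log()))):
        print(f"ALERT {date} {user}: {count} records (threshold {threshold:.1f})")
```

The thresholds are deliberately simple; in practice the same logic would be fed from the access log of the records system itself, and the alert would open an investigation rather than block the user, since a legitimate bulk task looks identical in volume terms.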

Background checks on temporary personnel should focus on establishing their true identities. You should have a process in place for checking those identities for all contract personnel, including cleaning staff, security guards, and clerical staff. They should sign in and sign out every day. Security guards should not have access to the equipment that controls security cameras or to the backup video data.

Finally, there are several technologies that could be employed to reduce the risk of data loss. Leak prevention solutions classify data and monitor the networks to make sure it does not leave the premises. Device management solutions can monitor and control the use of USB devices such as thumb drives or MP3 players.

Thanks to the rise in value and the creation of a market for identities and other information it has become necessary to look beyond typical cyber-defenses. Infiltration, the invasion of your organization by individuals targeting your information, needs to be countered. But, most importantly, the cost to the attackers must be raised in order to reduce the likelihood of attack.

Richard Stiennon is the former vice president of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine.