Kaspersky Lab's revelation that cyber thieves were able to pull off one of the biggest bank heists in history armed with nothing more than booby-trapped email attachments shows that the banking industry has failed to learn from past mistakes. We have known how to prevent this kind of attack for many years.
Back in 2003, at NatWest bank, I led the first team to successfully respond to a phishing attack on a UK bank. Just three weeks earlier, one of our main rivals had been hit by a phishing attack, and they shared their experience with us over lunch so that we were better prepared. We used to hold a London Security Managers' Forum every six weeks, where a small group of trusted managers responsible for information security in different industries would meet on an informal but confidential basis to exchange information over lunch. These informal lunches could be described as an early model of the information-sharing hubs President Obama recently mandated in the US.
This collaborative model has now been embraced across the UK financial sector; British banks circulate vital cyber security updates amongst their rivals in a spirit of collaboration, creating a mutually-beneficial information pool that helps the sector grow collectively stronger from each new setback.
Together, we learned how to mitigate the harm from phishing attacks, key-logging intrusions and other new threats as they appeared. The key was to transform not just the technology but the people and the processes, so that security was embedded at every level of the hierarchy and across every business function. Central to the whole effort was learning from the experience of others.
We know that there is no security in secrecy: no matter how well hidden a bank's proprietary security technology is, someone will eventually leak the details, and every system becomes known over time. The strength of a bank's security lies not in the secrecy of the system design but in the processes built around it. Cryptography is the obvious illustration: the algorithms are public and anyone can study how they work, yet as long as the key is long enough and kept properly secured, attackers will not be able to break it.
The details of the 'Carbanak' attacks indicate that these vital lessons are still going unheeded at the international level. The lack of transparency that enabled criminals to plunder around 100 banks over the course of two years without anyone raising the alarm shows that the bad guys are still sharing information far better than information security professionals are. The fact that a spear-phishing attack successfully duped employees at multiple leading banks shows that banks are still not recognising that security awareness must be taught to the rank and file: bank employees must know not only what to look for in a suspect email but also what to do when they receive one.
This needs to be reinforced time and time again, not only verbally but through exercises that expose employees to simulated attacks so that they know what to expect. If this is not done, every untrained employee becomes a potential gateway for attackers into the rest of the organisation.
Crucially, the fact that the Carbanak hackers were able to find weaknesses by spying on the banks' internal systems and then exploiting them indicates that banks are still attempting to secure themselves through secrecy rather than through sound processes. It should not matter that an attacker knows what software a bank is running, as long as that software has been properly configured and patched.
Professionals in other industries, such as engineering, share information so that they collectively learn from previous errors and avoid repeating them; it is rare for a new bridge to suffer the same design flaws today that bridges did 20 years ago. If the cyber security industry is to adopt a similar model, it needs to lift the veil of secrecy and get better at sharing information among rivals and across sectors.
John Colley, (ISC)2 professional head