[BreachExchange] How Many Times Do We Have to Tell You Not to Open the Cat Video

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 12 19:31:00 EDT 2016


http://www.jdsupra.com/legalnews/how-many-times-do-we-have-to-tell-you-87418/

Everyone has sat in a movie theater when one of the actors approaches that
door to the basement from behind which strange noises are coming. They reach
out to turn the knob, and in unison the audience is thinking, “Fool, haven’t
you ever been to the movies? Don’t you know that the zombies or ghouls or
some other equally disgusting creature are waiting for you behind that door?
Don’t do it!” They of course open the door, blissfully unaware of the grisly
fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at
banks. Think about the following:

- “Someone dropped a thumb drive, I think I’ll just plug it into my
computer at work and see what is on it. Surely nothing bad will happen. If
nothing else, I’ll give it to one of my kids; they can use it on the home
computer.”
- “My good friend, the one who sends me those emails asking me to pass them
along to three of my closest friends, just sent me an email with an adorable
cat video. I just love cat videos, I’ll open it on my computer at work and
see what is on it. Surely nothing bad will happen. Doesn’t the FBI monitor
the internet, keeping us safe from bad people?”
- “Someone from a small European country that I have never heard of has
sent me an email telling me that I might be the recipient of an
inheritance. I always knew I was destined for better things in life, I’ll
just click on the attachment and follow the instructions. Surely nothing
bad will happen.”
- “My good customer Bob just sent me an email telling me that he is stuck
in jail in South America. He needs me to wire money to post his bail. I
didn’t know that Bob was traveling; I am pretty sure I just saw him in the
bank a couple of days ago. I probably won’t try to call his house or his wife
or his cell phone to double-check, I’m sure his email is legitimate.”

If you were in the movie theater you’d be yelling out “Don’t do it!” If
this were a movie you would see the green glowing blob patiently waiting to
silently flow into the office computer. The blob just sits there, though,
waiting for the bank officer to hit the keystroke that opens the file. Now
we see it watching as the person sits down at the computer, logs in, types
in a password and initiates a wire transfer. The blob silently memorizes
both the login ID and the password. Weeks can go by as the suspense builds.
The ominous music begins to swell in the background; we know that something
is going to happen when, as fast as lightning, the blob springs to life and
initiates wire transfers for tens of millions of dollars.

This is essentially what occurred in February 2016 in Bangladesh. Criminals
were able to place the blob, in the form of malware, on computers at the
central bank of Bangladesh. Reports indicate that the malware included a
keylogger, which was used to capture passwords and other login credentials
for the messaging system operated by the Society for Worldwide Interbank
Financial Telecommunication (“SWIFT”) that banks use to initiate funds
transfers. In the end, $81 million was wired out of the bank’s account at
the Federal Reserve Bank of New York, apparently to a casino in the
Philippines, where it was converted into gambling chips that were
effectively untraceable.

It is not yet clear exactly how the criminals got the malware onto the
central bank’s computers, but the situation underscores what we have been
telling clients about cybersecurity. You are only as strong as your weakest
link, and the weakest link is usually someone who clicks on an attachment or
picks up the thumb drive found on the floor. It is human nature to be
curious, and it takes constant training and reminders to keep personnel
aware of the appropriate responses. Financial institutions are constantly
hiring new employees, and each of them brings their own personal history of
computer hygiene with them. Each of them must be taught immediately about
the importance of not opening suspicious emails or attachments. Spam and
malware filters will hopefully block most of the incoming criminally
engineered emails, but the criminals are resourceful and continue to
innovate.

As we have noted previously, federal banking regulators have raised their
expectations concerning preparedness for cyberattacks. The Cybersecurity
Assessment Tool released in 2015 by the FFIEC provides specific criteria by
which an institution can be judged when undergoing regulatory examinations.

No matter how good a company’s security is, data security events are
unavoidable. When a security breach does occur, preventing liability often
means analyzing facts, identifying legal obligations, and taking steps to
prevent or mitigate harm within the first minutes and hours of becoming
aware of a breach.