In the firing line
Written by David Adams
The financial sector is at the head of the pack when it comes to combating security threats, but, with global cyber attacks on the rise, companies remain vulnerable. David Adams reports
Physicists estimate that every second about 65 billion neutrinos, most of them created by nuclear reactions within the sun, pass through each square centimetre of our planet at very nearly the speed of light. This, I confess, is the sort of scientific fact that I do not really understand. What I do know is that the neutrinos don’t seem to do us any harm. Yet that absolute permeability is an apt metaphor for the state of IT security in the internet age. With staff, customers and business partners all interlinked across hundreds of IT networks and devices, the modern business looks as full of holes to a malicious attacker as Earth would appear to an approaching neutrino.
The really bad news is those attackers can do serious harm, leaving companies open to all the financial, regulatory and reputational penalties that can follow a security breach. Barely a week goes by without another embarrassing incident. For example, at the time of writing Sony is still reeling from an attack on its PlayStation Network in April that resulted in the theft of personal information relating to 77 million customers.
There have also been a number of seemingly ‘ironic’ cyber attacks on security technology specialists. In March, EMC’s security division RSA revealed that an attacker had stolen information relating to its widely used SecurID authentication technology. March also saw the CEO at security vendor HBGary resign following a huge leak of company emails. In April, application security vendor Barracuda Networks announced it had been hit by a SQL injection attack that allowed intruders to access confidential information.
The trouble is, attackers can find a way of cracking open pretty much any technology, given time. The financial sector has long been at the forefront of best practice in combating such security threats. At an operational level and, increasingly, at senior level too, there is a growing understanding that security strategies must go much deeper than the network perimeter: protecting information throughout the company, embedding security considerations in the planning and design of IT applications and networks, and training staff. But that message has not yet reached every corner of the sector, and where it has, it has not always been converted from theory into practice.
That leaves companies vulnerable to targeted attacks that circumvent existing signature-based security measures. They do so by exploiting ‘zero day’ software vulnerabilities, flaws the vendor does not yet know about and for which no patch or detection signature exists, alongside spear phishing and/or social engineering. It is all too easy - and social networking, use of the cloud and app-heavy mobile computing have made it even easier - to lure members of a company’s staff onto malicious websites, or to persuade them to open email attachments that appear to have been sent by colleagues, among other ways of tricking them into compromising security.
Such attacks, now often referred to as Advanced Persistent Threats (APT), have been underway for years, but usually conducted by nation states engaged in industrial or state espionage. The same techniques are now being used by organised crime to target financial companies. “The point about APT is the fact that they don’t even bother hitting the network any more,” says Uri Rivner, head of new technologies for identity verification at RSA. “What they do now is spear phishing, targeting employees. It’s almost impossible to protect against, which means that it’s almost inevitable that you will have attackers inside your network, behind the firewall.”
RSA’s own troubles are indicative of a new determination to break through security infrastructures in multiple ways, says Alessandro Moretti, a volunteer member of the International Information Systems Security Certification Consortium (ISC)2 Board of Directors and a senior risk and security executive at a well-known bank. “Once the infrastructure’s compromised it’s much easier to compromise the perimeter,” he says. “RSA provides security infrastructure to internet consumers, including banks.”
APT is certainly not the only threat facing financial companies at the moment, but it is acquiring ever greater importance, suggests Alex Church, CTO at security consultancy Context Information Security. “Hitherto, the majority (of APT attacks) have probably been state-sponsored,” he says. “Over the next couple of years organised crime will be targeting these institutions with those tactics. Organised criminals have targeted the individual to start with, typically through the home PC. They’re now moving up the money chain, to business accounts. The next step up is to target corporates, stealing intellectual property and becoming data brokers.”
One of the most insidious aspects of APT is that the malware deployed is so sophisticated that it may lie unnoticed in networks for months. If it is found it can still be difficult to uncover what it might have done while present. Senior management may never have any idea that a breach has occurred, because even if malware is spotted any notification of the event may only ever reach board level as a statistic. “But just one of those could have been a targeted Trojan that releases your data,” says Church. “A lot of this stuff happens far beneath the radar. Board level people are very good at making risk decisions, but only if they have the data on which to base those decisions. They don’t have that data for targeted attacks.”
He also argues that this lack of information on which to base risk decisions is the biggest problem relating to using cloud computing securely. Use of the cloud adds further potential network security concerns to an already growing list, but while it is rational to have some concerns about its use, the growth in cloud computing may at least help some companies to understand the nature of the networks they now need to secure, says Jon Geater, director of technical strategy at Thales e-Security. “People suddenly realise, once there’s a third party involved, how much they need to think about laptop or USB device usage policies,” he says. “It makes people think harder about information security in a way they should have been doing already.”
The key to effective network security in the information age is to increase knowledge of what is actually happening inside the network. Security Information and Event Management (SIEM) tools, such as those provided by LogRhythm or NitroSecurity, collect and correlate logs and security events from across the estate, flag anomalies in network, application or user behaviour, and can detect data loss. They can play a useful role, with the caveat that a SIEM is only as good as the log sources fed into it and the rules and baselines that define what counts as anomalous, so tuning it to the organisation’s own traffic is a large part of the work.
A growing number of solutions have been designed to detect attacks that exploit zero day vulnerabilities, by looking at behaviour rather than signatures. Lancope’s StealthWatch technology monitors network traffic looking for unauthorised activities or devices. The system can be used in conjunction with automated mitigation mechanisms that can modify firewall configurations or access controls, or take a computer offline; since a false positive can then take a legitimate business system off the network, such automated responses need to be tuned carefully and the more disruptive ones are usually gated behind analyst confirmation.
“An insurance company in Boston detected an analyst’s laptop that was attempting to create zero-payload HTTP connections to three different internet destinations in Russia,” recalls Lancope CTO, Adam Powers. “The connection attempts were occurring approximately every three minutes and had been underway since the analyst got to work at 8.30am. StealthWatch raised a ‘Beaconing Host’ alarm, emailing notification of the suspicious flows to the security team. The event was escalated quickly because the analyst’s laptop was located within the online Payment Centre Management VLAN.”
“The laptop was quarantined and found to be running the ZeuS botnet toolkit. The analyst did not know how the machine had been [compromised], but the incident resulted in additional safeguards around mobile device presence within the company’s [networks].”
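The ‘Beaconing Host’ heuristic in the StealthWatch case above, and the behavioural anomaly detection that SIEM tools are said to perform, come down to a fairly simple test over flow records: the same source talking to the same destination at regular intervals, with little or no payload. The following is an added example written for this article, not Lancope’s or any other vendor’s code. The flow records, the IP addresses (drawn from the TEST-NET documentation ranges), the VLAN name, the 180-second period and the thresholds are all constructed for illustration.

```python
"""Periodic-beacon detection over flow records (added example, not vendor code).

A flow record here is (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out, vlan).
In a real deployment these fields would come from NetFlow/IPFIX or proxy logs.
"""
from collections import defaultdict
from statistics import pstdev


def make_flows():
    """Constructed sample data: one beaconing host and one normal user.

    10.20.30.40 (payment-centre VLAN) opens a zero-byte HTTP connection to
    three destinations every ~180 s with a few seconds of jitter, as in the
    case above.  10.20.50.5 browses irregularly with real payload sizes.
    """
    flows = []
    base = 1_300_000_000  # arbitrary start time, constructed
    beacon_dsts = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]  # TEST-NET-3
    for i in range(12):
        jitter = (i % 3) * 2  # +0 / +2 / +4 seconds
        for dst in beacon_dsts:
            flows.append((base + i * 180 + jitter, "10.20.30.40", dst, 80, 0, "payment-centre"))
    browse_offsets = [0, 7, 95, 130, 131, 400, 455, 900, 901, 902, 1500, 2200]
    for k, off in enumerate(browse_offsets):
        flows.append((base + off, "10.20.50.5", "198.51.100.7", 443, 1500 + 200 * k, "user-lan"))
    return flows


def _group(flows):
    """Bucket flows by (src, dst, port) and remember which VLAN each source sits in."""
    groups = defaultdict(list)
    vlan_of = {}
    for ts, src, dst, port, nbytes, vlan in flows:
        groups[(src, dst, port)].append((ts, nbytes))
        vlan_of[src] = vlan
    return groups, vlan_of


def detect_beacons(flows, min_flows=8, max_cv=0.2, max_bytes=64,
                   sensitive_vlans=("payment-centre",)):
    """Return one alert per (src, dst, port) whose timing looks like a beacon.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between successive connections; attackers add jitter, so a small
    tolerance (max_cv) is allowed rather than demanding an exact period.
    Alerts from hosts in a sensitive VLAN are marked 'high', as in the case
    above where the laptop sat in the payment VLAN.
    """
    groups, vlan_of = _group(flows)
    alerts = []
    for (src, dst, port), recs in groups.items():
        if len(recs) < min_flows:
            continue  # too few connections to judge periodicity
        recs.sort()
        ts = [t for t, _ in recs]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = sum(gaps) / len(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        avg_bytes = sum(b for _, b in recs) / len(recs)
        if cv <= max_cv and avg_bytes <= max_bytes:
            alerts.append({
                "src": src, "dst": dst, "port": port, "count": len(recs),
                "period_s": round(period, 1), "cv": round(cv, 3),
                "avg_bytes": avg_bytes,
                "severity": "high" if vlan_of[src] in sensitive_vlans else "medium",
            })
    alerts.sort(key=lambda a: (a["severity"] != "high", a["src"], a["dst"]))
    return alerts


def summarise_by_host(alerts):
    """Collapse per-destination alerts into one record per source host.

    A single host beaconing to several destinations (fan_out > 1) is a stronger
    signal than one periodic connection, which may just be a software updater.
    """
    hosts = {}
    for a in alerts:
        h = hosts.setdefault(a["src"], {"destinations": [], "severity": a["severity"]})
        h["destinations"].append(f'{a["dst"]}:{a["port"]}')
        h["fan_out"] = len(h["destinations"])
    return hosts


if __name__ == "__main__":
    found = detect_beacons(make_flows())
    for a in found:
        print(f'{a["severity"]:6} {a["src"]} -> {a["dst"]}:{a["port"]} '
              f'every {a["period_s"]}s (cv={a["cv"]}, n={a["count"]})')
    print(summarise_by_host(found))
```

Run as a script it reports the three periodic connections from 10.20.30.40 and nothing for the browsing host, whose gaps vary too much and whose payloads are too large. In practice the thresholds are the hard part: a legitimate update agent or monitoring probe also beacons, so the destination reputation and the fan-out across destinations are what turn a regular connection into an incident worth escalating.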
Other useful tools include Context’s Targeted Attack Detection Service (TADS), available as a managed service, on a periodic basis or as part of an incident response service, specifically designed to identify the signs of an APT. FireEye’s Malware Protection System uses network traffic analysis, integrated inbound and outbound filtering across protocols and real-time protection against data removal to try to protect organisations against previously unknown threats including zero day vulnerabilities.
Online security and fraud risk management specialist, TrustDefender, uses device and page fingerprinting technology to detect the source of attempts to compromise an organisation’s online defences - thus providing some defence against staff unwittingly using infected computers or mobile devices. The technology can be deployed both to secure customer interactions and within the company itself.
Dr Paul Judge, chief research officer at Barracuda Networks, believes the important messages about network security are now getting through to senior managers within the financial sector, partly because of the steady stream of cautionary tales finding their way into the public domain. “CIOs are asking their team members ‘can this happen to us?’” he says. “And I believe it will become a competitive differentiator for customers.”
Finally, an increased awareness of security issues can only help to improve an understanding of best practice among staff. “User education is a big part and I think users are getting smarter,” says Lancope’s Powers. “People have more exposure to fake emails and phishing attempts. The problem is that every time we teach a user what not to do, the attacker seems to come up with a new thing to do.”
We always knew an internet-enabled world could create as many business opportunities for criminals as it did for anyone else. Only by constantly reviewing and refining security strategies and policies do financial companies have any hope of making sure every visitor to their networks passes through as harmlessly and unnoticed as a neutrino. A failure to do so could leave a company in the firing line for a more tangible bombardment from customers, business partners and regulatory authorities.