In March 2013, the Reserve Bank of Australia confirmed that hackers had penetrated its computers but failed to steal sensitive data or corrupt networks, amid growing alarm that sophisticated cyber attacks may leave banks and other organisations unaware they have been compromised.
There is an industry out there that targets banks in this way every single day. Criminals are no longer limited to stealing what cash they can carry from a bank: they can steal far more valuable data by going online. Today’s thieves are robbing banks through customers’ accounts.
According to the Trend Micro 2013 annual threat roundup report released in February, online banking malware more than doubled in Australia from Q1 to Q4 2013, while New Zealand volume increased by 276 per cent over the same period.
One major difficulty for banks is that modern cyber criminals can be almost indistinguishable from genuine employees. Once inside an organisation’s perimeter, a cyber criminal will immediately aim to elevate his own authorisation level to that of a privileged employee and use that clearance to steal data and other assets.
As a result, talking about insider versus outsider threats to banking security is an increasingly outdated way of thinking. Banks have to assume that they have already been breached and act accordingly.
At the same time, however, some hackers have shifted their attention away from direct fraud to stealing raw company data, which can be even more damaging. A customer’s personal financial information has real value to attackers because it can be sold on to other criminals running sophisticated fraud operations. If a customer’s account is compromised in this way, the institution’s finances and reputation can suffer real damage.
So how should banks respond? Some organisations try to identify the tools a hacker is using. This method is flawed because it is easy to build tools that evade identification; what can be uncovered, however, is the unusual activity and behaviour a hacker displays. For example, banks should look for an abnormal level of traffic going to a particular part of the bank, or data flowing around the business in new ways. Being able to spot and identify these signs gives banks a far greater chance of catching an attack.
While identifying the irregular signs of an intrusion is important, ultimately action needs to be taken to prevent an attacker from gaining a foothold within the bank in the first place. This comes down to carefully controlling what employees can access and ensuring they can reach only the data they need. An individual may move departments and no longer need the access they previously had; this should be acted upon, but in reality many organisations struggle to implement this approach.
Limiting access across an organisation makes it easier to spot hackers masquerading as employees and better protects resources. Once this is in place, it becomes far easier for the IT team to identify the unusual behaviour of a hacker and mitigate its effect.
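As an added illustration of the behavioural approach described above (example code written for this page, not NetIQ’s or the author’s), the script below builds a per-user baseline from a constructed access log and flags two of the signals mentioned: a user reaching a system they have never touched, and a volume far above their own norm. The usernames, system names, record counts and the spike threshold are all assumptions.

```python
"""Behavioural detection over access logs: flag users touching systems outside
their own history, or moving far more records than their usual baseline."""
from collections import defaultdict
from statistics import mean

# Constructed sample log: (day, user, system, records_read). Not real data.
ACCESS_LOG = [
    (1, "alice", "loans-db", 120), (2, "alice", "loans-db", 130),
    (3, "alice", "loans-db", 110), (4, "alice", "loans-db", 125),
    (5, "alice", "loans-db", 115), (6, "alice", "loans-db", 128),
    (7, "alice", "loans-db", 122),
    (1, "bob", "payments-api", 40), (2, "bob", "payments-api", 45),
    (3, "bob", "payments-api", 38), (4, "bob", "payments-api", 42),
    (5, "bob", "payments-api", 41), (6, "bob", "payments-api", 44),
    (7, "bob", "payments-api", 39),
    # Day 8: alice reaches a system she has never used (data flowing in a new
    # way); bob pulls roughly 20x his normal volume from his usual system.
    (8, "alice", "customer-pii", 300),
    (8, "bob", "payments-api", 900),
    (8, "alice", "loans-db", 118),   # normal activity, must not alert
]


def build_baseline(log, up_to_day):
    """Per user, per system, the record counts seen during the learning period."""
    base = defaultdict(lambda: defaultdict(list))
    for day, user, system, n in log:
        if day <= up_to_day:
            base[user][system].append(n)
    return base


def detect(log, baseline_days=7, spike_factor=5.0):
    """Return (day, user, system, reason) for activity after the baseline window
    that either hits a never-before-seen system for that user or exceeds
    spike_factor times that user's mean volume on a known system."""
    baseline = build_baseline(log, baseline_days)
    alerts = []
    for day, user, system, n in log:
        if day <= baseline_days:
            continue
        history = baseline[user].get(system)
        if not history:
            alerts.append((day, user, system, "new-destination"))
        elif n > spike_factor * mean(history):
            alerts.append((day, user, system, "volume-spike"))
    return alerts
```

The per-user baseline is what makes this work alongside tight access control: the fewer systems each employee legitimately touches, the more clearly a new destination or a volume spike stands out.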
The final action banks need to take is to put in place a plan of action for when a bad actor is found. What is the response? Who should be informed? Without this in-depth planning which seems obvious to many, organisations can end up struggling to respond effectively, leaving themselves exposed to greater damage.
Banks need to make available the time and resources to manage the access rights of their employees and get back on the front foot in the struggle with cyber criminals. If this is overlooked, it will become increasingly difficult for banks to spot irregular behaviour early and mitigate its effects.
Many organisations make the mistake of spending too much time on defence, believing that makes them protected, and not enough on detection and response. Cyber attacks aren’t about to go away, and banks need to ensure that they have the tools and processes in place to reduce the chances of fraud or a damaging data breach.
Geoff Webb is senior director, solution strategy at NetIQ.