From hacks and attacks to guarding your back: Eight actions security-savvy banks need to take
An employee in the human resources department received an email that looked like it was from the boss and opened the attached word file.
Only it wasn’t from the boss.
And the attachment was what cybersecurity experts call malware, a virus that in this case gave the sender of the email access to the bank’s automated teller machines.
The incident, which took place two years ago at a small community bank, is just one example of the challenges banks and other financial institutions face from cybercriminals. And it’s one that is avoidable, said Doug Johnson, senior vice president, payments and cybersecurity policy for the American Bankers Association.
There were two mistakes made by the bank, which Johnson would not name.
One was the common human error of not noticing that the email address of the sender was what’s called a doppelganger—a fake, but close enough to the real one to fool busy recipients. The other is more systemic.
“There’s no reason at all that the HR system needs to be connected to the ATM system,” he says.
The bank in question is far from unique. In an age where even toasters and closed-circuit cameras are connected to the Internet, nearly everything we rely on to get information, manage funds and even measure the air in our car tires is connected to the Internet, too—and thus vulnerable.
Unlike the attack several weeks ago that shut down social media sites such as Airbnb and Twitter for hours, many banks hacks are more easily preventable, cybersecurity experts say.
The attack on the server Dyn, a company that hosts websites, took place via difficult-to-secure devices. Banks, on the other hand, are mostly dealing with attacks they can help protect themselves against, say the experts.
One example involves what the FBI calls “Business E-Mail Compromise” attacks, which have cost businesses more than $3 billion worldwide. They are a version of what’s known as “spearphishing”: emails from those doppelgangers that lead to widespread compromises.
Banks around the world have fallen victim to many other often-preventable cybercrimes, says Phil DuMas, who owns Bellcurve Technology and serves as director of research and curriculum development for the National Cyber Partnership.
Bangladesh Bank, the nation’s central bank. lost more than $80 million to cybercriminals earlier this year because it was using an inexpensive router, says DuMas.
“The bank is responsible for securing hundreds of billions of dollars and they used a $50 firewall,” says DuMas. “I’d like to say it is atypical, but unfortunately it is incredibly typical.”
While some institutions see information security as an expensive cost center, many banks have realized that they need to invest to protect themselves and their customers.
JPMorgan Chase chairman Jamie Dimon, for instance, has overseen the investment of more than $600 million in cybersecurity measures, says Sri Sridharan, CEO of the Florida Center for Cybersecurity at the University of South Florida in Tampa.
“They are hiring 10,000 people, just to make sure that infrastructure and applications are well-protected,” says Sridharan.
But not every company has the wherewithal of a major bank like JPMorgan Chase.
And like any other business in a very connected web in the age of the Internet of Things, when even toasters and refrigerators are online, banks have to realize that the weakest link in the chain of security can take them down, Sridharan points out.
“Banks do a lot of business with vendors,” says Sridharan. “The bad guys can go and access a vendor’s system and infect it with malware. And then that can infect the banks.”
Cybercrime has become so prevalent that there are places in the so-called dark web where those with bad intent can purchase everything from stolen credit card numbers, social security numbers and even all manner of viruses like ransomwares that encrypt a target’s data, making the owner cough up a large fee to get their information back.
And more sophisticated hackers, like the Russian mafia, will routinely spend half a million dollars to research and develop new ways to break into systems, says the National Cyber Partnership’s DuMas.
So what can be done?
One big takeaway from experts is this: Share information about the threats and ways to stop them.
Back in 1999 the Financial Services Information Sharing and Analysis Center was launched as the “global financial industry’s go to resource for cyber and physical threat intelligence analysis and sharing,” according to its website.
FS-ISAC, as it is called, was created so that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.
Spokesman Andrew Hoerner likens it to people in a neighborhood reacting to a crime wave.
“It’s kind of like a corporate version of a neighborhood watch program,” he says.
But more than just sharing information about an attack, the organization also shares best practices and strategizes cybersecurity defense, says Hoerner. And interest in the organization has been growing rapidly, he says. Especially because a few years back, the board of directors opted to open membership up beyond the U .S.
“The board realized that cyberattacks don’t stop at the border,” he says. So, with added scope and the growing realization that when you are under attack there is strength in numbers, membership has more than doubled in the past three years, up to nearly 7,000, says Hoerner.
Asked by BAI what advice his organization can offer banks to establish and maintain what the cybersecurity industry calls “cyber hygiene,” Hoerner provided eight steps banks should follow.
1) Keep your company’s information security policy up to date. Review it regularly to make sure it aligns with a ‘risk based approach’ to the business.
2) Align employee training with the security policy. Create security awareness training. Update training so employees are prepared to deal with emerging threats.
3) Prioritize patching of critical systems and report vulnerabilities to vendors.
4) Share information using an ISAC or ISAO in order to participate in a community defense model
5) Conduct or participate in cyberattack simulations or table-top exercises to test your responses, identify gaps and fix those gaps
6) Review/update corporate data backup/ retention/ recovery policies (and make sure business critical data is identified and included).
7) Test data recovery procedures PRIOR to an incident.
8) Have a cyber incident playbook and also a communications plan in place in case of incident and review processes regularly.
The experts contacted by BAI.org offered one more suggestion.
The National Cyber Partnership’s DuMas suggests that banks follow the military by drastically reducing the number of web-facing entry points.
“Take things off the web,” he says, suggesting that like the military, banks establish the equivalent of the Secret Internet Protocol Router Network, or SIPRNET for short. The SIPRNET does not touch the Internet, and thus isn’t nearly as vulnerable to the kinds of attacks faced by banks.
But even the SIPRNET isn’t impenetrable. In 2013, Chelsea Manning (formerly Bradley Manning) was sentenced to 35 years in prison after being convicted at military court martial of illegally accessing the SIPRNET and giving Wikileaks nearly 750,000 classified or sensitive military and diplomatic documents.
Thus it isn’t just the loss of financial information, but sensitive banking information that informs the opinion of USF’s Sridharan: “I think cybersecurity should be a huge concern.”
And while you may not hear about it in an email from the boss, you might experience it in a bogus “email from the boss”—first hand.
Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards.