A Look into Cyber Security | 1 © G Treasury SS, LLC 2008-2017
A LOOK INTO CYBER SECURITY
Network security in cyberspace is never far from the headlines.
When it does reach the headlines, it’s never good news.
Here are just a few famous – or infamous – security breaches
of the not-too-distant past, even though they might seem like
ancient history by now: Target, Adobe, TJX, Home Depot, Sony
PlayStation, Heartland, Epsilon.
Hackers and cyber-thieves are, unfortunately, good at what
they do and getting more sophisticated all the time. They take
advantage of gaps and weak spots in information technology
systems. But those gaps and weak spots are there, almost
exclusively, because some human being wasn’t doing his or her
job properly.
We can always improve our hardware and software, and we’ll
discuss a few ways we’re doing that. But it doesn’t matter how
powerful or expensive your system is if you don’t know how
to use it.
OUTDATED TECHNOLOGY & HUMAN ERROR
SWIFT is a messaging system used by banks and financial companies.
SWIFT messages include, but are not limited to, payment orders.
The SWIFT network itself was not hacked. But the hackers, operating
from Egypt, penetrated the banks’ systems and installed malware.
The malware modified the bank’s Alliance Access software, which
reads and writes the SWIFT messages and records transactions.
The malware altered payment orders, increasing transaction
amounts and changing payment destinations. It also changed the
SWIFT payment confirmation messages back to the original
amounts or deleted them entirely.
A police investigation showed that the Bangladesh Bank had no
firewalls and was using second-hand, ten-dollar switches on its
network. The Philippine bank was using a $25 router and default
passwords. It’s little wonder that the crooks were able to get
into the networks. Anyone who takes security seriously knows
that security demands investment. You can’t expect good results
by picking cheap components off the shelf, plugging them in,
and hoping they’ll work. The components need to be part of a
coherent plan.
HOW THE ENEMY WORKS
Spam. Spear phishing. Social engineering. Confederates inside the
target institutions. Black-hat tool kits that are more advanced than
the tools that developers work with when building applications.
They’re all part of the arsenal that hackers use.
Nowadays we don’t hear much from the deposed African prince
who wants to split a hundred million bucks with us. Cyber crime has
gone way beyond such stickups of unwary individuals.
The cyber criminals are working full time and studying your
business. They scan for the open port, look for SSL vulnerabilities,
do automated testing. They seek out the one vulnerable machine
on the network or the one gullible or inattentive person who clicks
on a link and lets malware in.
They also learn who does your payroll, whether you use FedEx,
and who your ISP is. They’ll send you an invoice that says your account
is overdue and you’ll be terminated if you don’t reply. People
click on the invoice link, which can look like a PDF file but which
masks an executable, without thinking. Even high-credentialed
employees like executives, CFOs, and treasurers get duped. They’re
in a hurry, and they click on links without thinking.
HOW THE ENEMY WORKS (CONT.)
For the hackers, a response rate of just one percent of their
attempts is enough to succeed, and the percentage of the population that
falls for it is much higher than that.
More than 80% of malware that reaches its target gets distributed
by phishing, or by somebody’s clicking a link on a compromised web
site. Such campaigns highlight the fact that organizations are only as
strong as their weakest link, and in this case, it’s their employees.
IBM’s 2015 Cyber Security Intelligence Index indicated 95 percent of
all attacks involve some type of human error.
Attackers rely on that factor, counting on someone to open a
fraudulent attachment or link. WordPress sites are a particular
problem. Many people who use WordPress do it as a hobby, not in
their full-time jobs. They don’t keep security patches up to date.
So if some hacker compromises a WordPress site and adds their
own code, and then you click on one of the site’s links – behind the
scenes there’s a software download to your machine.
DEFENDING YOUR CASTLE
Think of your business as a castle. Build the walls and dig the
moat. Most attackers are looking for the soft spots and easy
pickings – they prefer to probe for open doors to your system,
and to simply walk in. You can turn these intrusion attempts
aside by having those walls and moat – appropriate policies and
components – in place.
The drawbridge and the great wooden door are the entryway
to the castle. Sometimes that door must be opened, or the
castle can’t function in the world outside. The door should
open only when needed. No other entryways, such as windows or
emergency doors, should be left unlocked.
When the door is opened, be sure you have vigilant, armed,
well-trained sentries on duty. They’ll protect you from almost
every other external threat – the attackers who go beyond casual
probing to methodical intrusion attempts.
With the above measures in place, you’ll be guarding against
about 99% of all forays against your system.
Finally, station hundreds of vigilant guards atop the castle walls
and around the base of the walls. They’ll spot and dispatch the
final one percent of attackers, those lone daredevils who try to
scale the walls or tunnel beneath them.
DEFENDING YOUR CASTLE (CONT.)
To summarize, the walls and the moat are administrator rights to
your system. More precisely, they’re the curtailments, the strict
limitations, of administrator rights. Smart, aggressive control of
administrator rights can neutralize around 85% of malware attacks.
The drawbridge and sentries are password controls. Eliminate stolen
passwords and you’ll turn back almost all of the remaining intrusion
attempts. About 14 percent of them.
But if, somehow, an attacker climbs the wall or digs underneath
it, the vigilant guards that will nab him are the two-factor
authentication brigade. That’s the final one percent of protection.
Let’s carry the castle analogy just a bit further. It will be much
harder to defend the castle if you don’t keep the walls mortared
and if you don’t keep the food and ammunition supplies fresh and
plentiful. That’s your hardware and software. Keep it current, and
keep it patched.
Finally, if your soldiers and sentries are untrained or lazy, it doesn’t
matter how strong your walls are. The human factor has always
posed the biggest risk in cybersecurity. All of your employees have
a part to play. So keep them trained and informed. Whether they
realize it or not, they’re on duty all day, every day in the fight against
cyber-thieves.
AN ATTACK-IN-DEPTH
The “Dyre Wolf” campaign against banks shows just how sophisticated
the hackers have become. Discovered and named by IBM researchers,
it’s an invasion-in-depth, a mirror image of a defense-in-depth. Dyre Wolf
has pulled off several million-dollar heists from banks and corporations.
Run by criminals in Eastern Europe, Dyre Wolf uses spear phishing or
spam emails to get a foothold in the system. Then its minions post phony
dialog boxes about system errors, prompting a phone call to a fake
service center. They lure employees of the target company into revealing
their passwords and authentication codes over the phone. They also post
spoofed web sites, where gullible employees think they’re logging in.
Within seconds, millions of dollars get whisked away through a maze of
foreign banks. The attackers frequently launch a Distributed Denial of
Service (DDoS) attack on the target bank to prevent it from seeing what
just happened.
This is all very scary. But the first, essential break in the target bank’s
defenses came when an employee or some other insider such as a
vendor allowed a download of malware. The enemy made it through
the castle walls and plucked the keys to the castle keep from another
employee. IBM’s 2015 Cyber Security Intelligence Index, which describes
Dyre Wolf in detail, stated that 55 percent of all attacks recorded in 2014
were carried out by those who had inside access to the target company’s
systems. Some of those insiders were malicious; others were unwitting
dupes.
Elsewhere in that report, IBM states that 95% of actual breaches were
caused by human error. So, by now it must be obvious. You’re only as
strong as your weakest link, and that link is almost always an employee.
So what to do?
BUILDING A DEFENSE
Let’s return to the castle and its walls, moat, and sentries. Let’s also
narrow our discussion to the breaches that keep bankers and corporate
treasurers tossing and turning: those that result in unauthorized
transfers of money.
In broad strokes, if you start from a secure base, a system in which
nobody has rights to anything, and then you open it up to people or
processes as necessary, then your solution will be secure and will enable
people to do things that must be done.
On the other hand, if you start with a system that is wide open and
proceed to lock things down, you inevitably will miss locking or closing
certain doors. Moreover, as things change, as people come and go or
acquire new privileges and responsibilities, you’ve got to be especially
vigilant in monitoring everyone and in shutting down additional doors.
It’s far easier to grant as necessary rather than trying to deny access
once some change occurs.
Let’s assume that an attacker has fooled someone into downloading
malware onto his or her computer. How much damage can that do?
Some, of course, but you can limit it substantially if the infected
computer does not have access to administrator rights.
If the user of said computer is a “standard” or “least privilege” user,
then the worst-case damage will be limited to what that user can do.
Malware running as that user can’t change files, install software, change
processes, and so on. In other words, it would not allow the types of
changes to the SWIFT messages that hit the Bangladesh Bank.
BUILDING A DEFENSE (CONT.)
The “2014 Microsoft Vulnerabilities Report” by Avecto, a UK
software firm, states that “97% of critical Microsoft vulnerabilities could
be mitigated by removing admin rights across an enterprise.” One of
the report’s key findings almost reiterated the point: “97% of Critical
Remote Code Execution vulnerabilities could be mitigated by removing
admin rights.” The report explains “mitigation” in stating “a standard
user account either nullifies the vulnerability itself or nullifies the impact
of the vulnerability by preventing the exploit from gaining elevated
privilege throughout the user.”
The Avecto report dealt with Microsoft vulnerabilities. But applications
like Flash and Java can be exploited as well. Granting admin rights to
them, or to any other application with known vulnerabilities, is
courting disaster.
Privilege management is not a panacea. If you’ve got sturdy castle walls
but the drawbridge is open, the barbarians will storm through the gate.
At that point you’re relying on your guards. But who is verifying the
guards’ activities – the familiar question “Who’s guarding the guards?”
Some guards need access to sensitive areas of the castle. Who is
verifying that they’re doing everything they must be doing, but only
what they must be doing? This is where auditing comes in. Remember
the percentage of attacks that stem from human error. Some errors are
inadvertent; others are deliberate. Does an independent party review
your logs, daily, of who accesses production servers? Do you have
somebody who is independent of the guards’ function reviewing these
accesses? It is similar to the “dual control” of cash practiced by banks,
or the requirement for “four eyes” needed to complete an action.
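An added example, not GTreasury’s code, of the daily review the paragraph above asks for: it parses constructed sshd login lines, keeps only the production hosts, and lists for an independent reviewer every login that deserves a question (user not on the approved roster, login outside the change window, password rather than key authentication). The log lines, the roster, the “prod-” hostname convention and the change window are all assumptions made for the example.

```python
"""Daily review of who logged in to production servers.

Added example; not GTreasury code. The log lines, roster, hostname
convention and change window are constructed assumptions.
"""
import re
from typing import Dict, List

# Constructed sshd lines in syslog layout; not taken from any real system.
SAMPLE_LOG = """\
Mar 14 02:11:07 prod-db-01 sshd[2211]: Accepted publickey for dave from 10.0.5.12 port 51022 ssh2
Mar 14 09:30:41 prod-app-02 sshd[3190]: Accepted password for erin from 10.0.7.3 port 40110 ssh2
Mar 14 10:02:19 prod-app-02 sshd[3222]: Accepted publickey for dave from 10.0.5.12 port 51100 ssh2
Mar 14 11:15:55 dev-build-07 sshd[871]: Accepted publickey for mallory from 10.0.9.9 port 33001 ssh2
Mar 14 23:48:02 prod-db-01 sshd[4010]: Accepted publickey for mallory from 10.0.9.9 port 33005 ssh2
"""

# Who is approved for production access (assumption for this example).
APPROVED_PROD_ADMINS = {"dave", "erin"}
# Hostname prefix that marks production systems (assumption for this example).
PROD_PREFIX = "prod-"
# Hours of the day (24h) during which routine production logins are expected.
CHANGE_WINDOW = range(8, 18)

# Matches the standard sshd "Accepted <method> for <user> from <src>" line.
ACCEPTED_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse_accepted_logins(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per successful sshd login found in the text."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review_production_access(log_text: str,
                             roster=APPROVED_PROD_ADMINS,
                             window=CHANGE_WINDOW) -> List[Dict[str, object]]:
    """One finding per production login, with the reasons a reviewer
    who is independent of the admin team should query it."""
    findings: List[Dict[str, object]] = []
    for ev in parse_accepted_logins(log_text):
        if not ev["host"].startswith(PROD_PREFIX):
            continue  # not a production server; out of scope for this review
        reasons = []
        if ev["user"] not in roster:
            reasons.append("user not on approved production roster")
        if int(ev["time"][:2]) not in window:
            reasons.append("login outside change window")
        if ev["method"] == "password":
            reasons.append("password login instead of key-based authentication")
        findings.append({"time": ev["time"], "host": ev["host"],
                         "user": ev["user"], "src": ev["src"], "reasons": reasons})
    return findings


def needs_attention(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the findings that carry at least one reason."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in needs_attention(review_production_access(SAMPLE_LOG)):
        print(f"{f['time']} {f['host']} {f['user']} from {f['src']}: "
              + "; ".join(f["reasons"]))
```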
LIMITATIONS
Think about what kinds of applications your employees need in order
to do their jobs. Do they need Flash installed? Or Java? Perhaps you
should consider having an application whitelist, to specify what can be
installed on company machines, and what will be blocked by default.
Most applications installed by users have little to do with their jobs.
They may go onto Facebook. They may have a Google Dropbox. They
will install things to do at lunchtime.
If a company does not know what applications its employees have
installed, or how they are using them, then the company will have no
control over the information that is flowing through users’ machines
on the network.
POLICIES & PASSWORDS
In the case of the Philippine Bank breach mentioned above,
the bank was using a $25, second-hand router. It also had no
firewalls and used default passwords. Human error, anyone?
By now, it should be obvious to any user of IT that their
passwords should be in a format that is hard to guess or to
discover through algorithms. Passwords should also be changed
frequently. Company policies should mandate such approaches.
It is a very easy thing to enforce password complexity.
Companies should also routinely test passwords to see if they
can be broken easily.
The whole issue is so familiar that we needn’t go through it
here. Still, there’s a distressing proportion of computer users
whose password is “password” or “123456.”
SINGLE SIGN-ON
Single Sign-On (SSO) is another effective countermeasure. With SSO,
a session and user authentication service permits a user to use one
set of login credentials (e.g., name and password) to access multiple
applications. It is easy to set up and manage. There are many third-party
products, including Microsoft Active Directory Federation Services (ADFS),
that work well. They balance out the tradeoff between ease of access
for the end user and tight, documented security for the auditors and
internal security team.
With SSO, mandated password changes are easy. You only have to
change the password in one place to update it for every application that
supports SSO. You don’t have to go into every system and individual
application. Managing multiple passwords, and having to remember
them for every system, causes a great deal of user frustration and
password-related errors.
Because SSO is authentication by a trusted server within the company
network, third-party applications like GTreasury do not have to make
their own determination that a given user’s credentials are valid. Then,
third parties can use the same trusted source that the company is using
for its users’ identification and validation.
MULTI-FACTOR AUTHENTICATION
Multi-factor Authentication (MFA) combines “something you know” –
a password – with “something you have.” The “something you
have” portion might be a physical token with a distinct, encrypted
security code. It might also be a message sent to a mobile phone or a
laptop computer. Even if some hacker penetrates your network
and steals your password, he can’t make off with the goods unless he
also gets hold of the other authenticating factor.
MFA does not just need to be on login. It could also come into
play at any functional point of using an application – such as
approving a payment.
The Dyre Wolf guys scored despite MFA because they succeeded in
getting both pieces of the puzzle. With faked phone calls and spoofed
web sites, they tricked the victims into revealing or entering essential
information like security codes or passwords. Again, this shows that
no technology is foolproof if humans mishandle it. It also shows the
need to layer security, rather than to rely on any one method or
solution component.
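An added example in Python, not GTreasury’s code, that ties together three points made in this deck: the default-deny model from BUILDING A DEFENSE (nobody has rights until they are granted, and a leaver loses them all), the “four eyes” rule from the auditing discussion, and a second factor demanded at the functional point of approving a payment rather than only at login. The roles, operations, users and payment record are constructed for the example.

```python
"""Default-deny payment authorization with a four-eyes rule and MFA step-up.

Added example; not GTreasury code. Roles, operations, users and the payment
record are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Default deny: a (role, operation) pair is allowed only if it is listed here.
# A role that is not in this table (a new joiner's "intern", say) grants nothing.
GRANTS: Dict[str, Set[str]] = {
    "clerk": {"payment.create", "payment.view"},
    "approver": {"payment.approve", "payment.view"},
    "auditor": {"payment.view", "log.view"},
}

# Operations that demand a fresh second factor at the point of use,
# not merely a second factor that was checked at login.
STEP_UP_REQUIRED: Set[str] = {"payment.approve"}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    mfa_verified: bool = False  # True only after a fresh MFA check this session


@dataclass
class Payment:
    payment_id: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None


def is_allowed(user: User, operation: str) -> bool:
    """Default deny: allowed only if some role of the user explicitly grants it."""
    return any(operation in GRANTS.get(role, set()) for role in user.roles)


def approve_payment(user: User, payment: Payment) -> str:
    """Approve a payment, or return the reason the request was refused."""
    if not is_allowed(user, "payment.approve"):
        return "denied: no grant for payment.approve"
    if user.name == payment.created_by:
        # Four eyes: the person who created the order may not approve it.
        return "denied: four-eyes rule, initiator cannot approve own payment"
    if "payment.approve" in STEP_UP_REQUIRED and not user.mfa_verified:
        return "denied: fresh second factor required at approval"
    if payment.approved_by is not None:
        return "denied: already approved by " + payment.approved_by
    payment.approved_by = user.name
    return "approved"


def offboard(user: User) -> None:
    """Leaver: strip every role. Under default deny nothing remains allowed."""
    user.roles.clear()
    user.mfa_verified = False


def demo() -> Dict[str, object]:
    """Walk through the cases; returns a dict so the outcomes can be checked."""
    carol = User("carol", {"intern"})  # role unknown to GRANTS: gets nothing
    alice_dual = User("alice", {"clerk", "approver"}, mfa_verified=True)
    bob = User("bob", {"approver"})  # approver who has not done MFA yet
    order = Payment("P-1001", 250000.00, created_by="alice")

    results: Dict[str, object] = {}
    results["carol_can_view"] = is_allowed(carol, "payment.view")
    results["alice_self_approve"] = approve_payment(alice_dual, order)
    results["bob_without_mfa"] = approve_payment(bob, order)
    bob.mfa_verified = True  # bob completes the step-up challenge
    results["bob_with_mfa"] = approve_payment(bob, order)
    results["second_approval"] = approve_payment(bob, order)
    offboard(bob)
    results["bob_after_offboard"] = is_allowed(bob, "payment.view")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```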
MOBILITY & THE CLOUD
If you do a good job of restricting administrator rights, of
managing identities and passwords, and of implementing
two-factor authentication, you’re showing that you’re serious
about cyber-security. Your auditors will approve; so too should
your lawyers and law-enforcement authorities.
Data breaches are a real threat nowadays, even for companies
that are diligent about security. If your company’s systems
are breached, your legal liability may be much less if you have
followed a strategy of defense-in-depth than if you were oblivious
to best security practices. In the event of the latter, there could be
additional or punitive damages assessed.
CAUTIONARY TALES
If you’re a corporate treasurer, be very careful about using
your home computer or your mobile device. If you’re in an airport,
for instance, you might inadvertently log on to a
Wi-Fi network that looks legitimate – named something like “Lagardia”
or “Heatrow” – and send critical data to a hacker through a
man-in-the-middle attack.
Again, going back to the human element, remember that
terminated employees aren’t fully terminated until they no longer
have access to any of your systems. When you dismiss someone,
you shut off access to the internal network. But do you use one or
more cloud-based services?
If so, someone has to go out and delete the departed individual
from every one. It takes some extra work and doesn’t happen
automatically unless your cloud provider’s web services offer to
disable terminated users’ accounts.
CONCLUSION
Once more to our castle analogy, we find that cloud computing might
just allow potential invaders to glide right over the castle walls and drop
in from the sky. You still need vigilant sentries to spot them. You’ll need
to give the sentries some accurate, long-range crossbows to nail them
even before they land.
Or maybe we’ve had enough comparisons with the Middle Ages. Let’s
move into modern times and sum it up by thinking of cyber-security as
we think of that great American game, football.
They say that offense wins games but defense wins championships. And
what do you need to build a champion defense?
• A well-thought-out game plan – your security policies and procedures.
• A defense-in-depth consisting of big strong linemen, heady and agile
linebackers, and fleet defensive backs – your tightly controlled admin
rights, robust passwords and identity management, and two-factor
authentication.
• And most importantly, your players – talented, well prepared, and
thoroughly drilled. The entire squad, from the highest-paid starters to
the least-used substitutes. Your employees. They’re the ones who do
the work; they’re the ones on whom you rely.

More Related Content

A Look Into Cyber Security

  • 1. A Look into Cyber Security | 1© G Treasury SS, LLC 2008 -2017 A LOOK INTO CYBER SECURITY
  • 2. A Look into Cyber Security | 2© G Treasury SS, LLC 2008 -2017 Network security in cyberspace is never far from the headlines. When it does reach the headlines, it’s never good news. Here are just a few famous – or infamous – security breaches of the not-too-distant past, even though they might seem like ancient history by now: Target, Adobe, TJX, Home Depot, Sony Playstation, Heartland, Epsilon. Hackers and cyber-thieves are, unfortunately, good at what they do and getting more sophisticated all the time. They take advantage of gaps and weak spots in information technology systems. But those gaps and weak spots are there, almost exclusively, because some human being wasn’t doing his or her job properly. We can always improve our hardware and software, and we’ll discuss a few ways we’re doing that. But it doesn’t matter how powerful or expensive your system is if you don’t know how to use it. A LOOK INTO CYBER SECURITY
  • 3. A Look into Cyber Security | 3© G Treasury SS, LLC 2008 -2017 SWIFT is a messaging system used by banks and financial companies. SWIFT messages include, but are not limited to, payment orders. The SWIFT network itself was not hacked. But the hackers, operating from Egypt, penetrated the banks’ systems and installed malware. The malware modified the bank’s Alliance Access software, which reads and writes the SWIFT messages and records transactions. The malware altered payment orders, increasing transaction amounts and changing payment destinations. It also changed the SWIFT payment confirmation messages back to the original amounts or deleted them entirely. A police investigation showed that the Bangladesh Bank had no firewalls and was using second-hand, ten-dollar switches on its network. The Philippine bank was using a $25 router and default passwords. It’s little wonder that the crooks were able to get into the networks. Anyone who takes security seriously knows that security demands investment. You can’t expect good results by picking cheap components off the shelf, plugging them in, and hoping they’ll work. The components need to be part of a coherent plan. OUTDATED TECHNOLOGY & HUMAN ERROR
  • 4. A Look into Cyber Security | 4© G Treasury SS, LLC 2008 -2017 HOW THE ENEMY WORKS Spam. Spear phishing. Social engineering. Confederates inside the target institutions. Black-hat tool kits that are more advanced than the tools that developers work with when building applications. They’re all part of the arsenal that hackers use. Nowadays we don’t hear much from the deposed African prince who wants to split a hundred million bucks with us. Cyber crime has gone way beyond such stickups of unwary individuals. The cyber criminals are working full time and studying your business. They scan for the open port, look for SSL vulnerabilities, do automated testing. They seek out the one vulnerable machine on the network or the one gullible or inattentive person who clicks on a link and lets malware in. They also learn who does your payroll, whether you use FedEx, who’s your ISP. They’ll send you an invoice that says your account is overdue and you’ll be terminated if you don’t reply. People click on the invoice link, which can look like a pdf file but which masks an executable one, without thinking. Even high-credentialed employees like executives, CFOs, and treasurers get duped. They’re in a hurry, and they click on links without thinking.
  • 5. A Look into Cyber Security | 5© G Treasury SS, LLC 2008 -2017 HOW THE ENEMY WORKS (CONT.) All the hackers need for a response rate is for one percent of their attempts to succeed, but the percentage of the population that falls for it is much higher than that. More than 80% of malware that reaches its target gets distributed by phishing, or by somebody’s clicking a link on a compromised web site. This campaign highlights the fact that organizations are only as strong as their weakest link, and in this case, it’s their employees. IBM’s 2015 Cyber Security Intelligence Index indicated 95 percent of all attacks involve some type of human error. Attackers rely on that factor, counting on someone to open a fraudulent attachment or link. Wordpress sites are a particular problem. Many people who use Wordpress do it as a hobby, not in their full time jobs. They don’t keep security patches up-to-date. So if some hacker compromises a Wordpress site and adds their own code, and then you click on one of the site’s links – behind the scenes there’s a software download to your machine.
  • 6. A Look into Cyber Security | 6 Think of your business as a castle. Build the walls and dig the moat. Most attackers are looking for the soft spots and easy pickings – they prefer to probe for open doors to your system, and to simply walk in. You can turn these intrusion attempts aside by having those walls and moat - appropriate policies and components – in place. The drawbridge and the great wooden door are the entryway to the castle. Sometimes that door must be opened, or the castle can’t function in the world outside. The door should open only when needed. No other entryways, such as windows or emergency doors, should be left unlocked. When the door is opened, be sure you have vigilant, armed, well-trained sentries on duty. They’ll protect you from almost every other external threat – the attackers who go beyond casual probing to methodical intrusion attempts. With the above measures in place, you’ll be guarding against about 99% of all forays against your system. Finally, station hundreds of vigilant guards atop the castle walls and around the base of the walls. They’ll spot and dispatch the final one percent of attackers, those lone daredevils who try to scale the walls or tunnel beneath them. DEFENDING YOUR CASTLE © G Treasury SS, LLC 2008 -2017
  • 7. A Look into Cyber Security | 7© G Treasury SS, LLC 2008 -2017 DEFENDING YOUR CASTLE (CONT.) To summarize - the walls and the moat are administrator rights to your system. More precisely, they’re the curtailments, the strict limitations, of administrator rights. Smart, aggressive control of administrator rights can neutralize around 85% of malware attacks. The drawbridge and sentries are password controls. Eliminate stolen passwords and you’ll turn back almost all of the remaining intrusion attempts. About 14 percent of them. But if, somehow, an attacker climbs the wall or digs underneath it, the vigilant guards that will nab him are the two-factor authentication brigade. That’s the final one percent of protection. Let’s carry the castle analogy just a bit further. It will be much harder to defend the castle if you don’t keep the walls mortared and if you don’t keep the food and ammunition supplies fresh and plentiful. That’s your hardware and software. Keep it current, and keep it patched. Finally, if your soldiers and sentries are untrained or lazy, it doesn’t matter how strong your walls are. The human factor has always posed the biggest risk in cybersecurity. All of your employees have a part to play. So keep them trained and informed. Whether they realize it or not, they’re on duty all day, every day in the fight against cyber-thieves.
  • 8. A Look into Cyber Security | 8© G Treasury SS, LLC 2008 -2017 AN ATTACK-IN-DEPTH The “Dyre Wolf” campaign against banks shows just how sophisticated the hackers have become. Discovered and named by IBM researchers, it’s an invasion-in-depth, a mirror image of a defense-in depth. Dyre Wolf has pulled off several million-dollar heists from banks and corporations. Run by criminals in Eastern Europe, Dyre Wolf uses spear phishing or spam emails to get a foothold in the system. Then its minions post phony dialogue boxes about system errors, prompting a phone call to a fake service center. They lure employees of the target company into revealing their passwords and authentication codes over the phone. They also post spoofed web sites, where gullible employees think they’re logging in. Within seconds, millions of dollars get whisked away through a maze of foreign banks. The attackers frequently launch a Distributed Denial of Service (DDoS) attack on the target bank to prevent it from seeing what just happened. This is all very scary. But the first, essential break in the target bank’s defenses came when an employee or some other insider such as a vendor allowed a download of malware. The enemy made it through the castle walls and plucked the keys to the castle keep from another employee. IBM’s 2015 Cyber Security Intelligence Index, which describes Dyre Wolf in detail, stated that 55 percent of all attacks recorded in 2014 were carried out by those who had inside access to the target company’s systems. Some of those insiders were malicious; others were unwitting dupes. Elsewhere in that report, IBM states that 95% of actual breaches were caused by human error. So, by now it must be obvious. You’re only as strong as your weakest link, and that link is almost always an employee. So what to do?
  • 9. A Look into Cyber Security | 9© G Treasury SS, LLC 2008 -2017 BUILDING A DEFENSE Let’s return to the castle and its walls, moat, and sentries. Let’s also narrow our discussion to the breaches that keep bankers and corporate treasurers tossing and turning: those that result in unauthorized transfers of money. In broad strokes, if you start from a secure base, a system in which nobody has rights to anything, and then you open it up to people or processes as necessary, then your solution will be secure and will enable people to do things that must be done. On the other hand, if you start with a system that is wide open and proceed to lock things down, you inevitably will miss locking or closing certain doors. Moreover, as things change, as people come and go or acquire new privileges and responsibilities, you’ve got to be especially vigilant in monitoring everyone and in shutting down additional doors. It’s far easier to grant as necessary rather than trying to deny access once some change occurs. Let’s assume that an attacker has fooled someone into downloading malware onto his or her computer. How much damage can that do? Some, of course, but you can limit it substantially if the infected computer does not have access to administrator rights. If the user of said computer is a “standard” or “least privilege” user, then the worst-case damage will be limited to what that user can do. It can’t change files, install software, change processes, and so on. In other words, it would not allow the types of changes to the SWIFT messages that hit the Bangladesh Bank.
  • 10. A Look into Cyber Security | 10© G Treasury SS, LLC 2008 -2017 BUILDING A DEFENSE (CONT.) The “2014 Microsoft Vulnerabilities Report” by Avecto, a UK software firm, states that “97% of critical Microsoft vulnerabilities could be mitigated by removing admin rights across an enterprise.” One of the report’s key findings almost reiterated the point: “97% of Critical Remote Code Execution vulnerabilities could be mitigated by removing admin rights.” The report explains “mitigation” in stating “a standard user account either nullifies the vulnerability itself or nullifies the impact of the vulnerability by preventing the exploit from gaining elevated privilege throughout the user.” The Avecto report dealt with Microsoft vulnerabilities. But applications like Flash and Java can be exploited as well. Granting admins right to them, or to any other application with known vulnerabilities, is to be courting disaster. Privilege management is not a panacea. If you’ve got sturdy castle walls but the drawbridge is open, the barbarians will storm through the gate. At that point you’re relying on your guards. But who is verifying the guard’s activities – the familiar question “Who’s guarding the guards?” Some guards need access to sensitive areas of the castle. Who is verifying that they’re doing everything they must be doing, but only what they must be doing. This is where auditing comes in. Remember the percentage of attacks that stem from human error. Some errors are inadvertent; others are deliberate. Does an independent party review your logs, daily, of who accesses production servers? Do you have somebody who is independent of the guards’ function reviewing these accesses? It is similar to the “dual control” of cash practiced by banks, or the requirement for “four eyes” needed to complete an action.
  • 11. A Look into Cyber Security | 11© G Treasury SS, LLC 2008 -2017 Think about what kinds of applications your employees need in order to do their jobs. Do they need Flash installed? Or Java? Perhaps you should consider having application whitelist, to specify what can be installed on company machines, and what will be blocked by default. Most applications installed by users have little to do with their jobs. They may go onto Facebook. They may have a Google Dropbox. They will install things to do at lunchtime. If a company does not know what applications its employees have installed, or how they are using them, then the company will have no control over the information that is flowing through users’ machines on the network. LIMITATIONS
POLICIES & PASSWORDS

In the case of the Philippine bank breach mentioned above, the bank was using a $25, second-hand router. It also had no firewalls and used default passwords. Human error, anyone?

By now, it should be obvious to any user of IT that their passwords should be in a format that is hard to guess or to discover through algorithms. Passwords should also be changed frequently. Company policies should mandate such approaches. It is a very easy thing to enforce password complexity. Companies should also routinely test passwords to see if they can be broken easily. The whole issue is so familiar that we needn’t go through it here. Still, there’s a distressing proportion of computer users whose password is “password” or “123456.”
SINGLE SIGN-ON

Single Sign-On (SSO) is another effective countermeasure. With SSO, a session and user authentication service permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. It is easy to set up and manage. There are many third-party products, including Microsoft Active Directory Federation Services (AD FS), that work well. They balance the tradeoff between ease of access for the end user and tight, documented security for the auditors and internal security team.

With SSO, mandated password changes are easy. You only have to change the password in one place to update it for every application that supports SSO. You don’t have to go into every system and individual application. Managing multiple passwords, and having to remember them for every system, causes a great deal of user frustration and password-related errors.

Because SSO is authentication by a trusted server within the company network, third-party applications like GTreasury do not have to make their own determination that a given user’s credentials are valid. Third parties can then use the same trusted source that the company is using for its users’ identification and validation.
MULTI-FACTOR AUTHENTICATION

Multi-factor Authentication (MFA) combines “something you know” – a password – with “something you have.” The “something you have” portion might be a physical token with a distinct, encrypted security code. It might also be a message sent to a mobile phone or a laptop computer. Even if some hacker penetrates your network and steals your password, he can’t make off with the goods unless he also gets hold of the other authenticating factor.

MFA does not just need to be on login. It could also come into play at any functional point of using an application – such as approving a payment.

The Dyre Wolf guys scored despite MFA because they succeeded in getting both pieces of the puzzle. With faked phone calls and spoofed web sites, they tricked the victims into revealing or entering essential information like security codes or passwords. Again, this shows that no technology is foolproof if humans mishandle it. It also shows the need to layer security, rather than to rely on any one method or solution component.
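The “MFA at a functional point” idea above, shown as an added example that is not GTreasury’s code: a time-based one-time code (RFC 6238 TOTP over RFC 4226 HOTP, standard library only) is demanded again at the payment-approval step, and a code that has already been accepted is refused a second time, so a captured code cannot be replayed against a later payment. The `PaymentApprover` class, the shared secret and the payment fields are assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


class PaymentApprover:
    """Hypothetical approval gate: a fresh second factor is required per approval, not only at login."""

    def __init__(self, secrets):
        self.secrets = secrets        # user -> shared TOTP secret from enrolment (assumed)
        self.last_counter = {}        # user -> last accepted time step, for replay rejection

    def approve(self, user, payment, code, now=None, window=1):
        now = int(time.time()) if now is None else int(now)
        counter = now // 30
        secret = self.secrets.get(user)
        if secret is None:
            return False, "no MFA enrolment for user"
        # Accept the current step and +/- window steps to tolerate clock drift.
        for c in range(counter - window, counter + window + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                if c <= self.last_counter.get(user, -1):
                    return False, "code already used"   # replay of a captured code
                self.last_counter[user] = c
                return True, f"approved {payment['amount']} to {payment['beneficiary']}"
        return False, "invalid second factor"


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 reference secret, so the codes can be checked against the RFC.
    approver = PaymentApprover({"treasurer": b"12345678901234567890"})
    payment = {"amount": 125000, "beneficiary": "ACME Supplies Ltd"}
    print(approver.approve("treasurer", payment, totp(b"12345678901234567890", time.time())))
```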
MOBILITY & THE CLOUD

If you do a good job of restricting administrator rights, of managing identities and passwords, and of implementing two-factor authentication, you’re showing that you’re serious about cyber-security. Your auditors will approve; so too should your lawyers and law-enforcement authorities.

Data breaches are a real threat nowadays, even for companies that are diligent about security. If your company’s systems are breached, your legal liability may be much less if you have followed a strategy of defense-in-depth than if you were oblivious to best security practices. In the latter case, additional or punitive damages could be assessed.
CAUTIONARY TALES

If you’re a corporate treasurer, be very careful about using your home computer or your mobile device. If you’re in an airport, for instance, you might inadvertently log onto a Wi-Fi network that looks legitimate – named something like “Lagardia” or “Heatrow” – and send critical data to a hacker for a man-in-the-middle attack.

Again, going back to the human element, remember that terminated employees aren’t fully terminated until they no longer have access to any of your systems. When you dismiss someone, you shut off access to the internal network. But do you use one or more cloud-based services? If so, someone has to go out and delete the departed individual from every one. It takes some extra work and doesn’t happen automatically unless your cloud provider’s web services offer to disable terminated users’ accounts.
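One way to catch the “terminated but still has a cloud account” gap just described, as an added example rather than anything from the page or from a particular cloud provider: reconcile HR’s list of departures against each cloud service’s exported user roster and produce a worklist ordered by how long each orphaned account has been overdue. The services, addresses, dates and the `example.com` domain are all constructed sample data.

```python
from datetime import date


def normalize(identifier, domain="example.com"):
    """Rosters come in mixed forms; fold case and map a bare username to its mail address.
    The single-domain assumption is part of the constructed example."""
    ident = identifier.strip().lower()
    return ident if "@" in ident else f"{ident}@{domain}"


# Constructed sample data (not from the page): HR departures with effective dates,
# and each cloud service's current user roster as an identity team would export it.
HR_TERMINATIONS = {
    "carol@example.com": date(2017, 3, 1),
    "dave@example.com": date(2017, 2, 15),
}
CLOUD_ROSTERS = {
    "treasury-saas": {"Alice@Example.com", "carol@example.com"},
    "file-share": {"alice", "dave", "carol@example.com"},
    "crm": {"bob@example.com"},
}


def orphaned_accounts(terminations, rosters, today):
    """Return {service: {user: days_since_termination}} for accounts that should be gone."""
    findings = {}
    for service, users in rosters.items():
        stale = {}
        for raw in users:
            user = normalize(raw)
            if user in terminations:
                stale[user] = (today - terminations[user]).days
        if stale:
            findings[service] = stale
    return findings


def worklist(findings):
    """Flatten to (days_overdue, service, user), most overdue first, for the deprovisioning ticket."""
    return sorted(((d, s, u) for s, stale in findings.items() for u, d in stale.items()), reverse=True)


if __name__ == "__main__":
    for days, service, user in worklist(orphaned_accounts(HR_TERMINATIONS, CLOUD_ROSTERS, date.today())):
        print(f"{service}: {user} still active {days} days after termination")
```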
CONCLUSION

Once more to our castle analogy, we find that cloud computing might just allow potential invaders to glide right over the castle walls and drop in from the sky. You still need vigilant sentries to spot them. You’ll need to give the sentries some accurate, long-range crossbows to nail them even before they land.

Or maybe we’ve had enough comparisons with the Middle Ages. Let’s move into modern times and sum it up by thinking of cyber-security as we think of that great American game, football. They say that offense wins games but defense wins championships. And what do you need to build a champion defense?

• A well-thought-out game plan – your security policies and procedures.
• A defense-in-depth consisting of big strong linemen, heady and agile linebackers, and fleet defensive backs – your tightly controlled admin rights, robust passwords and identity management, and two-factor authentication.
• And most importantly, your players – talented, well prepared, and thoroughly drilled. The entire squad, from the highest-paid starters to the least-used substitutes. Your employees. They’re the ones who do the work; they’re the ones on whom you rely