The risk of cost savings on IT security



The risk of cost savings on IT security 7th December 2016

Recent data breaches and hacking incidents show companies must adapt to an evolving threat landscape and stop using cheap security. IT risk management requires a combination of security awareness and security products.

Earlier this year hackers were able to break into Bangladesh’s central bank because of a lack of basic security measures [1]. The criminals attempted to syphon off nearly $1 billion using the bank’s credentials for SWIFT, the global payment network which banks use to transfer money worldwide.

They only managed to get away with $81 million, all because of a typo!

IT risk management is not just a question about technology, it’s a mindset. You don’t buy security, you think security.

According to reports, it was something as basic as firewalls that were missing. Other cost reduction efforts meant that second-hand $10 switches were used in the internal network to connect to the SWIFT system. Investigators were surprised that the SWIFT network was not separated from the bank´s internal network in a secure manner.

Now, most companies and enterprises will (hopefully) have much better security measures in place in order to protect mission-critical systems, but there are still plenty of lessons to be learned from this and other hacks; such as the recent hack against Tesco Bank where £2.5 million were stolen from 9000 customers [2].

Monitor user activity and privileges

The inconvenient truth these days is that companies can’t expect to have a 100 percent secure perimeter around their systems and data. There’s simply too many vulnerabilities and the very notion of a perimeter around your systems and data is long gone as employees expect to have access to systems and data from anywhere.

At the same time, systems and data are increasingly being put in the cloud. This means we have to rethink the approach to security.

As I have written previously, Identity and Access Management(IAM) systems such as Microsoft Identity Manager is a good tool to ensure that users only have access to the systems and data necessary to carry out their job. Keep an eye on suddenly escalating user privileges.

But IT risk management is not just a question about technology, it’s a mindset. You don’t buy security, you think security.

A security-aware organisation

We all too often see that attacks begin with the targeting of one or more employees. The attackers collect enough information about the employee from company websites and social networks to know the target´s role and responsibilities.

The attackers can then craft a seemingly genuine personal email, a spear-phishing email, with an innocent-looking attachment that delivers the malware. Once the malware has been activated, it is inside the company´s network and can begin to target the mission critical systems; such as a bank’s ATM machines.

Allegedly phishing emails purporting to be from the ATM manufacturer Diebold Nixdorf were sent to some bank employees who activated the malware. Once inside the network, the attackers gained access to domain controllers, which manage authentication credentials and network access.

From there, they could reach – and control – the ATMs where accomplices were collecting money from the “jackpot”-ATMs [3]. Around 90 percent of ATMs run a stripped down version of the very old Microsoft XP. Why haven’t they been upgraded? Because it´s costly.

Most companies do not have ATMs that can be turned into jackpot-machines, but other threats such as ransomware – where the company’s data is encrypted by criminals and only decrypted if the company pays a ransom – are on the rise [4].

The same approach, starting with spear-fishing, can be used to gain access to any company’s mission critical systems. So it is important that all employees are aware of security – and not only the very day they get the security briefing or training. They have to be vigilant all year round; which of course is easy to write, but much harder to actually do.

Holistic view on security – Humans and technology

We have to accept at some point there will be malevolent software or users on our network. Microsoft’s Advanced Threat Analytics [5] can play a role in identifying malicious behaviour. But technology is not enough; security-aware employees are also a key ingredient in safeguarding systems and data.

To ensure you don’t miss future interviews, reports and blog articles, please sign-up to the Curo Bulletin below.

LINKS:

[1] Bangladesh Bank exposed to hackers by cheap switches, no firewall
https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know
[2] Tesco cyber-raid raises serious questions over UK banks’ security
https://www.theguardian.com/business/2016/nov/12/tesco-cyber-theft-serious-questions-bank-security
[3] Report: European Banks Struck by ATM Jackpotting Attacks
http://www.databreachtoday.com/report-european-banks-struck-by-atm-jackpotting-attacks-a-9556
[4] Pay up or your data gets it. Ransomware highwaymen’s attacks on small biz Octuple
http://www.theregister.co.uk/2016/11/14/ransomware_sme
[5] Microsoft Advanced Threat Analysis
https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics
https://blogs.technet.microsoft.com/enterprisemobility/2016/11/07/uncover-insider-threats-blind-spots-in-your-network-with-advanced-threat-analytics

Dan Mygind

Author: Dan Mygind

Dan Mygind is a Journalist and Computer Scientist with a strong interest in technology, technology-related businesses, and the transforming effect source code can have on society.
He has worked for startups, SMEs and global IT-organisations such as IBM as a developer, consultant, and IT-architect. With a solid technology background, he has written extensively for a wide variety of publications such as Computerworld as well as writing technical white papers for Microsoft and other companies.

Contact Dan Mygind: mygind{at}writeit{dot}dk

The views expressed are those of the author and do not necessarily reflect the view and opinion of Curo Talent.

Your opinion is valuable. Please comment below.

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>