The Open Bank Project - a bridge too far for Australasian banks?
Posted by Matt Weston - 25 October 2016
Everybody has weaknesses. Knowing this, you’re one step ahead of the masses - most people deny they have any. They put in a few firewall policies and password complexity requirements and call it job done. I call it Security Theatre. But you are different. You know that keeping yourself secure requires more attention than lip service. Maybe you saw the latest episode of Mr Robot and now you’re not sure what’s fact, and what’s fiction.
Very close to what you’ve seen. Hacking is in part a technical endeavour - the right hardware, the right software, the right team, the right opportunity. But where hackers really excel is in exploiting your people. I will convince your team to give me the keys to the castle. I’ll do this through trickery, through deceit - sometimes I’ll simply ask. They’ll never see me coming, and they won’t know that I’ve been.
We’ve gone too far ahead. I’ve started telling you how - but we’ve missed the important question. Why?
Why you specifically? What do I have to gain? Why not someone else?
Maybe you’ve wronged me in some way. Every day you do business with hundreds, maybe even thousands of people. Is every single one of them happy?
Or maybe I disagree with your business model, or your customers’ business model. Are you knowingly aiding other organisations who have done something notable? What about unknowingly?
Maybe I stand to gain something. Do I hold shares in a competitor? Could I set myself up to short-sell your shares? Am I your competitor?
Maybe I intend to hold you to ransom, hoping for a big payday.
Maybe I’m just interested, and hold no malice. Maybe I’m just bored, and you’re just there.
Sometimes the why is obvious. Often it is unknowable. The examples I’ve chosen are all real - these things have happened in the past.
Ransomware is on the rise - software that will take control of your data, and coerce you to pay up to get it back. Earlier this year, Europol warned that ransomware is taking over from traditional Trojans and other means of cybercrime. Read the Executive Summary at Europol.
Recently St. Jude Medical’s pacemakers were hacked - but in a new and different way. The hackers teamed up with a hedge fund to short their stock - the hedge fund and the hackers stood to make millions. This is the first attack of its kind - at least, the first we know about. Read more on Bloomberg.
There are millions of targets. The whole world is connected. Humans aren’t wired to comprehend the connectedness we have today. We’re wired to see the threats in front of our faces.
Any two-bit hacker can set up a machine to automatically identify targets. You’re probably already on their list. Automatic scans can be done to identify potential vulnerabilities. They could hack you from right next door, or from a world away. This is the internet - every shady character on the planet is right on your doorstep.
Now you’re concerned. What can you do? What can you do right now to deal with it? Surely there is something you can do immediately?
Be vigilant. Remember that I am coming. I will use your own trust against you. Learn what a phishing attack looks like - and remember that you are my target. I’ll pretend to be someone you know. Maybe a friend, maybe a coworker - more likely, your hardware vendor. I will find out who makes your servers, and who your sales contact is. I’ll send you a document from a “seems plausible” domain, with some incredible deal on the next generation hardware. I’ll make it look like I’ve sent it to the wrong person - that I’ve given you a leg up in our next negotiation. Treat chance encounters with caution.
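The “seems plausible” domain is the part of that phishing scenario a mail gateway or a helpdesk script can actually check. The following is an added example, not code from the original post: it takes an allowlist of vendor domains you genuinely deal with (the two domains below are constructed), normalises the sender domain to undo common character swaps (digit-for-letter, “rn” for “m”, “vv” for “w”, fullwidth or accented characters) and then scores it against each trusted domain. The 0.8 similarity threshold and the homoglyph table are assumptions to tune against your own mail flow; the sample senders are constructed.

```python
"""Flag inbound sender domains that resemble trusted vendor domains.

Added example, not from the original post. Vendor domains and sample
senders below are constructed for illustration.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist: the domains of vendors the company actually deals with.
TRUSTED_DOMAINS = ("example-servers.com", "acme-hardware.net")

# Substitutions commonly used to make a domain look like a trusted one.
# Applied in order; multi-character swaps come last.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
              ("rn", "m"), ("vv", "w"))

# Similarity at or above this is treated as a lookalike (threshold is an
# assumption; tune it against your own mail flow).
LOOKALIKE_THRESHOLD = 0.8


def normalize(domain):
    """Fold case, strip accents/fullwidth forms, undo common homoglyph swaps."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for look, real in HOMOGLYPHS:
        folded = folded.replace(look, real)
    return folded


def registrable_label(domain):
    """Return the label a reader focuses on, e.g. 'acme-hardware' from 'mail.acme-hardware.net'."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def classify(sender_domain):
    """Return (verdict, closest_trusted); verdict is 'trusted', 'lookalike' or 'unknown'."""
    lower = sender_domain.lower()
    for trusted in TRUSTED_DOMAINS:
        # Exact match, or a legitimate subdomain of a trusted domain.
        if lower == trusted or lower.endswith("." + trusted):
            return "trusted", trusted

    candidate = registrable_label(normalize(sender_domain))
    best, best_ratio = None, 0.0
    for trusted in TRUSTED_DOMAINS:
        ratio = SequenceMatcher(None, candidate, registrable_label(normalize(trusted))).ratio()
        if ratio > best_ratio:
            best, best_ratio = trusted, ratio
    if best_ratio >= LOOKALIKE_THRESHOLD:
        return "lookalike", best
    return "unknown", None


def flag_messages(senders):
    """Return [(sender, verdict, closest)] for every sender not on a trusted domain."""
    flagged = []
    for sender in senders:
        domain = sender.rsplit("@", 1)[-1]
        verdict, closest = classify(domain)
        if verdict != "trusted":
            flagged.append((sender, verdict, closest))
    return flagged


# Constructed sample senders (not real addresses).
SAMPLE_SENDERS = [
    "sales@acme-hardware.net",
    "quotes@mail.acme-hardware.net",
    "sales@acme-hardvvare.net",
    "deals@examp1e-servers.com",
    "newsletter@totally-unrelated.org",
]

if __name__ == "__main__":
    for sender, verdict, closest in flag_messages(SAMPLE_SENDERS):
        print(f"{verdict:9} {sender:35} closest trusted domain: {closest}")
```

A “lookalike” verdict is the one worth routing to a person: the sender is not on the allowlist but reads almost exactly like a vendor you trust, which is precisely the “wrong person” hardware deal the paragraph above describes. An “unknown” sender is ordinary new mail and needs no special handling.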
If you do this, and do it well, I’ll have to change my strategy. People are easier to exploit, but if you’re expecting me there, I can always change my method. I can go for the technical attack. I’d start by looking at you from the outside. Your website. Your apps. I’d establish a perimeter: everything I can see. I’d start gathering intel. Chances are you have this pretty well locked down - web application firewalls have been common for years, everyone knows about this vector. But maybe there’s a mistake. Maybe I can exploit one of your applications.
But your team is smart. They’ve built everything well. They were thinking of me when they wrote your app - they made sure my common tricks are mitigated. Unfortunately for them, and for you, security is a moving target. Yesterday’s military grade security is today’s wet paper bag. New vulnerabilities are constantly discovered. Apps and machines are forgotten, and left behind. Maybe I’ll find something old, something uncared for, and exploit it. Maybe someone made a mistake.
But what if I fail? Game over? No. The game is just beginning.
Need some help with your cyber security? We’re not your typical pointy-headed auditors. Give us a call, and we’ll help you to look holistically at your organisation - your exposure to risk, a real risk profile.