Why Kaspersky's Bank Robbery Report Should Scare Us All - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Comments
Why Kaspersky’s Bank Robbery Report Should Scare Us All
Oldest First  |  Newest First  |  Threaded View
Page 1 / 3   >   >>
Stratustician
100%
0%
Stratustician,
User Rank: Ninja
2/18/2015 | 1:23:14 PM
Fun with security
Definitely not alone when it comes to the reality of current IT and the risks that come from it.  We've seen social engineering mixed with malware for awhile now, and the fact that these things just seem to find larger holes to exploit makes it so much worse.  Security training can definitely help, but the reality is that these types of attacks work phenomenally well when it comes to exploiting human behavior, and sadly, even with the right tools in place, these holes are destined to exist.
macker490
100%
0%
macker490,
User Rank: Strategist
2/18/2015 | 2:44:41 PM
Re: Fun with security
"the hackers got around our most advanced security systems"

hardly

the problem is they didn't have any security systems: ( short list )

1. use an O/S that cannot be modified by the activity of an application program

2. use public key encryption to authenticate transmittals: transactions, e/mails, software updates, forms, ...

3. use named spaces to isolate the activity of application programs

 

if we continue doing business as we have in recent years hacking will continue to get worse.   have you had enough yet or is this still just "part of the cost of doing business " ?     the whole mess stinks.
zerox203
100%
0%
zerox203,
User Rank: Ninja
2/19/2015 | 6:45:26 AM
Re: Why Kaspersky's Bank Robbery Report Should Scare Us All
The most striking thing to me is actually how mundane this attack is. Yes, it required great tact (for lack of a better word) and specificty on the part of the attackers, but it ran through a patch vulnerability in Microsoft Office and used a social engineering e-mail attachment to get itself running. I didn't even know banks used Microsoft office. They didn't use a sophisticated packet-sniffing tool (or maybe they did at some point), they used monitor capture to physically look at someone's screen, watch what they were doing, and copy it. Like macker490 is saying, these are not new techniques - they're old techniques with new life in them. As you pointed out, Susan, these techniques could work on anyone - all it takes is a hacker that knows what to look for the way these guys knew what to look for in bank software. Maybe that's what makes them most dangerous.

One thing I have to disagree with Mr. Krebbs on is the issue of mitigation vs prevention. Yes, IT security focuses on mitigation and DR rather than prevention. It may sound cool to say that that's because we're not up to the challenge of preventing breaches, but that's just not true. It's when a breach will occur, not if. It's the simple law of diminishing returns. Every amount you secure yourself above, say, the 90th percentile, costs exponentially more. Businesses (especially banks) are about making money. If a breach is unlikely and will cost you less than securing against it, then yes, you're in the right spot. Preparing thoroughly for disaster recovery is not a sign of weakness but a sign of pragmatism, and many actually under-invest here. I will agree that tons of businesses don't get this balance right, though, and not patching your office software defnitely falls on the wrong side.
bwjustice
IW Pick
100%
0%
bwjustice,
User Rank: Apprentice
2/19/2015 | 9:51:20 AM
Brian Krebs
The part that reads "security blogger David Krebbs" should refer to Brian Krebs instead. He's written a very good book lately, SPAM Nation. You should read it. That will probably scare the pants off you too.
impactnow
100%
0%
impactnow,
User Rank: Author
2/19/2015 | 11:35:14 AM
Keeping up with the Hackers

Susan yes very scary and it makes the point for multiple levels of authorization required when money is moves in large quantities and tracking of actions as related to money movement. The vulnerabilities still exist in so many places its type for cyber security to start catching up with the hackers.

Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:23:02 PM
Re: Fun with security
@Stratustician: What perplexes me most is how corporations of such size and scope can have such a hard time keeping one step ahead of bad actors. I suspect, more than anything, that the problem is one of deciding where to invest $$--in security & trainng, or in stockholder pockets. Until the equation shifts and breaches become so crippling that they affect stockholder dividends, I suspect we'll just see attacks like this becoming so commonplace they won't even scare us anymore.
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:25:56 PM
Re: Fun with security
@macker490: So what's the deal then? Is it just more cost effective for corporations to allow themselves to get hacked like this than to invest in the resources required to protect themselves? Are they so well covered by insurance policies, and making so much $$, that even this level of money walking out the door is small change to them?
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:32:22 PM
Re: Why Kaspersky's Bank Robbery Report Should Scare Us All
@Zerox203: As the Anthem breach also showed, it all comes down to how these organizations make money. Anthem didn't encrypt its data because it wasn't required to do so by law. The cost, or inconvenicence, of encryption was enough of a deterrent for them, because they faced no hefty fines if they didn't do it. Like banks, health insurance providers are for-profit organizations whose main goal is to keep their shareholders happy.

That said, you make a good point about playing the odds and finding the right balance between investing in prevention and leaving yourself open to a breach. In the case of what the Kaspersky report revealed, though, it's hard to believe that patch updating would have impacted the bototm line of the banks involved. It seems a bigger issue -- not enough employees in IT? sloppy governance -- than just an accouting problem.
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:41:39 PM
Re: Brian Krebs
@bwjustice: Thank you for noticing that error, it's been corrected. I am clearly living proof of how sloppy humans can be, especially when working in haste and multi-tasking. If Mr. Krebs happens to have read this, I hope he accepts my apology!

I'll be picking up SPAM Nation for my weekend reading list. And if you never hear from me again, you'll know why.

:)
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:44:31 PM
Re: Keeping up with the Hackers
@impactnow: What will finally have to happen for corporations to invest where they need to? How big do the breaches have to get? How much damage has to be done to individuals? Or will this keep on escalating endlessly?
Page 1 / 3   >   >>


State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Commentary
Augmented Analytics Drives Next Wave of AI, Machine Learning, BI
Jessica Davis, Senior Editor, Enterprise Apps,  3/19/2020
Slideshows
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
Commentary
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
Register for InformationWeek Newsletters
Video
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll