Re: Why Kaspersky's Bank Robbery Report Should Scare Us All
The most striking thing to me is actually how mundane this attack is. Yes, it required great tact (for lack of a better word) and specificity on the part of the attackers, but it ran through a patched vulnerability in Microsoft Office and used a social engineering e-mail attachment to get itself running. I didn't even know banks used Microsoft Office. They didn't use a sophisticated packet-sniffing tool (or maybe they did at some point); they used monitor capture to physically look at someone's screen, watch what they were doing, and copy it. Like macker490 is saying, these are not new techniques; they're old techniques with new life in them. As you pointed out, Susan, these techniques could work on anyone. All it takes is a hacker who knows what to look for the way these guys knew what to look for in bank software. Maybe that's what makes them most dangerous.
One thing I have to disagree with Mr. Krebs on is the issue of mitigation vs. prevention. Yes, IT security focuses on mitigation and DR rather than prevention. It may sound cool to say that's because we're not up to the challenge of preventing breaches, but that's just not true. It's when a breach will occur, not if. It's the simple law of diminishing returns. Every amount you secure yourself above, say, the 90th percentile costs exponentially more. Businesses (especially banks) are about making money. If a breach is unlikely and will cost you less than securing against it, then yes, you're in the right spot. Preparing thoroughly for disaster recovery is not a sign of weakness but a sign of pragmatism, and many actually under-invest here. I will agree that tons of businesses don't get this balance right, though, and not patching your Office software definitely falls on the wrong side.