Why Kaspersky's Bank Robbery Report Should Scare Us All - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
IT Leadership // IT Strategy
Commentary
2/18/2015
09:15 AM
Susan Nunziata
Susan Nunziata
Commentary
100%
0%

Why Kaspersky’s Bank Robbery Report Should Scare Us All

So, you don't work for a financial institution? Don't think you're off the hook for the kind of theft discussed by Kaspersky. Banks are certainly not the only organizations moving around massive amounts of money every day.

be fired for embezzlement before anyone ever caught on that we weren't the guilty parties? That scares me. And I think it should scare you, too.

There's nothing new about the fact that the exploit involved an old Microsoft Office vulnerability for which a patch had long since been issued. We already know many organizations are sloppy when it comes to patch updates.

But the level of targeting – heck, let's call it stalking – that was involved in this attack seems pretty sophisticated to my untrained eye. The Kaspersky report noted that, as part of an automated reconnaissance phase, "the Carbanak malware checked victim systems for the presence of specialized and specific banking software. Only after the presence of these banking systems was confirmed were victims further exploited."

[ What did the Anthem breach teach us? Read Anthem Hack: Lessons For IT Leaders. ]

So, where does that leave enterprise IT, and others in your organization? Well, for starters, whatever education we're giving employees about how to identify potential malware can't possibly account for this kind of advanced persistent threat (APT). As Kaspersky stated in its report:

We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through customers. APTs are not only for stealing information anymore.

Here's some advice from Kaspersky on the early warning signs that Carbanak has hacked you:

(Image: Courtesy of Kaspersky Lab)

(Image: Courtesy of Kaspersky Lab)

Sure, at the moment, the targets were financial institutions. It's really a high-tech version of cooking the books. Once the hackers were inside, according to Kasperksy, they were able to set up fake accounts, or add dollar amounts to real accounts, and then authorize the transfer of those sums out of the bank, either to ATM machines or to external accounts, without anybody catching on.

So, you don't work for a financial institution? Don't think you're off the hook. Banks are certainly not the only organizations moving around massive amounts of money every day. All major multinational corporations and government agencies could, potentially, have their finance and accounting systems fall prey to a similar attack.

According to Krebs:

Most organizations — even many financial institutions — aren't set up to defeat skilled attackers; their network security is built around ease-of-use, compliance, and/or defeating auditors and regulators. Organizations architected around security (particularly banks) are expecting these sorts of attacks, assuming that attackers are going to get in, and focusing their non-compliance efforts on breach response.

Have I scared you yet? If not, tell me why. And, if you are as terrified as I am, tell me how you plan to address this in your organization. Let's discuss in the comments section below.

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.

Susan Nunziata leads the site's content team and contributors to guide topics, direct strategies, and pursue new ideas, all in the interest of sharing practicable insights with our community.Nunziata was most recently Director of Editorial for EnterpriseEfficiency.com, a UBM ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
impactnow
50%
50%
impactnow,
User Rank: Author
2/25/2015 | 11:41:44 AM
Re: Keeping up with the Hackers

Susan I completely agree. It's getting to a point that people expect breaches it's very sad. I hate to over regulate but I think if fines were levied against companies for security breaches that were a result of their negligence it might speed up security efforts at some organizations.

Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
2/20/2015 | 6:27:28 PM
Stalking the intruder
Yes, this example of sly and persistent intrusion is alarming. I think we need behavior analytics that learn from routine system ops and recognize an activity that is out of line. Once it spots such a thing, it raises an alarm or shuts it down. I also agree with TerryB. Security was such a concern on the IBM mainframe when it first came out that the MVS operating system, when asked by an application process to do something, would query, Who is  your owner? If no clear answer came back, it killed the process. With Windows, it's more like welcome the next visitor, check his credentials later.
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:44:31 PM
Re: Keeping up with the Hackers
@impactnow: What will finally have to happen for corporations to invest where they need to? How big do the breaches have to get? How much damage has to be done to individuals? Or will this keep on escalating endlessly?
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:41:39 PM
Re: Brian Krebs
@bwjustice: Thank you for noticing that error, it's been corrected. I am clearly living proof of how sloppy humans can be, especially when working in haste and multi-tasking. If Mr. Krebs happens to have read this, I hope he accepts my apology!

I'll be picking up SPAM Nation for my weekend reading list. And if you never hear from me again, you'll know why.

:)
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:32:22 PM
Re: Why Kaspersky's Bank Robbery Report Should Scare Us All
@Zerox203: As the Anthem breach also showed, it all comes down to how these organizations make money. Anthem didn't encrypt its data because it wasn't required to do so by law. The cost, or inconvenicence, of encryption was enough of a deterrent for them, because they faced no hefty fines if they didn't do it. Like banks, health insurance providers are for-profit organizations whose main goal is to keep their shareholders happy.

That said, you make a good point about playing the odds and finding the right balance between investing in prevention and leaving yourself open to a breach. In the case of what the Kaspersky report revealed, though, it's hard to believe that patch updating would have impacted the bototm line of the banks involved. It seems a bigger issue -- not enough employees in IT? sloppy governance -- than just an accouting problem.
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:25:56 PM
Re: Fun with security
@macker490: So what's the deal then? Is it just more cost effective for corporations to allow themselves to get hacked like this than to invest in the resources required to protect themselves? Are they so well covered by insurance policies, and making so much $$, that even this level of money walking out the door is small change to them?
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Strategist
2/19/2015 | 10:23:02 PM
Re: Fun with security
@Stratustician: What perplexes me most is how corporations of such size and scope can have such a hard time keeping one step ahead of bad actors. I suspect, more than anything, that the problem is one of deciding where to invest $$--in security & trainng, or in stockholder pockets. Until the equation shifts and breaches become so crippling that they affect stockholder dividends, I suspect we'll just see attacks like this becoming so commonplace they won't even scare us anymore.
impactnow
100%
0%
impactnow,
User Rank: Author
2/19/2015 | 11:35:14 AM
Keeping up with the Hackers

Susan yes very scary and it makes the point for multiple levels of authorization required when money is moves in large quantities and tracking of actions as related to money movement. The vulnerabilities still exist in so many places its type for cyber security to start catching up with the hackers.

InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

News
How CIO Roles Will Change: The Future of Work
Jessica Davis, Senior Editor, Enterprise Apps,  7/1/2021
Commentary
A Strategy to Aid Underserved Communities and Fill Tech Jobs
Joao-Pierre S. Ruth, Senior Writer,  7/9/2021
Slideshows
10 Ways AI and ML Are Evolving
Lisa Morgan, Freelance Writer,  6/28/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Slideshows
Flash Poll