$45 Million ATM heist turns focus again on insider threats, controlling privileged access!
A new wave of cyber-attacks on banks lends credence to the belief that the insider threat is growing more complex, and that cyber-criminals are increasingly targeting the login credentials of employees and the administrative passwords of IT resources.
May 27, 2013 4:59 by anila
It has been termed the ‘massive 21st century bank heist’. A worldwide gang of cyber-criminals operating in multiple cities drained ATMs of $45 million in a matter of hours. While the federal investigation is ongoing, cyber-security experts generally feel that a crime of this magnitude could not have been committed without deep insider knowledge and months of meticulous planning. Some analysts even suspect that the hacks were inside jobs.
The modus operandi adopted by the hackers in this fraud is yet to be firmly established, but preliminary assumptions point to two things:
- Hackers infiltrated the network, downloaded prepaid debit card data and erased the withdrawal limits on those cards.
- The stolen card data was passed on to numerous “cashers” in multiple cities across the globe, who withdrew millions of dollars from ATMs.
The erasing of the withdrawal limits on the cards raises one of two suspicions:
Either an insider acted hand-in-glove with the hackers, or the hackers stole the credentials of an insider to gain access to the network.
Financial Institutions – The Evergreen Targets of Hackers
This incident apart, banking institutions across the globe are facing what is perhaps their biggest crisis yet. A series of cyber-attacks affected 15 of the largest U.S. banks so severely that they were offline for a total of 249 hours over a period of six weeks. Reports suggest that cyber-attacks on bank networks have exploded since September 2012.
In truth, banking and other financial institutions have always been the top target of hackers. During the past few years, renowned banking organizations across the globe have fallen prey to criminal hacks. Beyond huge financial losses, the victims suffer irreparable damage to their trust and credibility, the hallmarks of financial institutions. Tech-savvy criminals are becoming more creative with every passing day, and 2013 is turning out to be the ‘year of cyber-attacks’.
The hackers’ predominant activities include spreading malware, siphoning off login credentials and denial-of-service attacks that disrupt service to legitimate users. The traditional attack channels include viruses, keylogger trojans and cross-site scripting. Keylogger trojans record keystrokes, log them to a file and send them to remote attackers. Cross-site scripting, on the other hand, lets an attacker inject client-side script into web pages viewed by other users; the script runs in those users’ browsers with their privileges and can be used to steal session tokens or otherwise bypass access controls.
Evolving Threat Landscape
Perimeter security software and traffic-analysis solutions help combat the traditional attack vectors. However, hackers are changing their modus operandi. Cyber-criminals are now siphoning off the login credentials of employees and the administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers and Remote Access Trojans (RATs).
Once the login credentials of an employee or the administrative password of a sensitive IT resource is compromised, the institution becomes a paradise for the hacker. The criminal is then able to initiate unauthorised wire transfers, view customer transactions, download customer information or carry out sabotage.
The situation becomes much graver if the stolen password has also been used for other applications and websites. Nowadays it is common for employees to reuse the same login credentials across multiple sites: social media, banking, brokerage and other business accounts. If the password is exposed at any one of those sites, hackers will in all probability be able to gain access to all of the employee’s other accounts too.
That is why online businesses that have fallen prey to hacks immediately advise their customers to reset the same password wherever else it has been used, even on unconnected applications.
Another emerging threat is an undeniable reality: sabotage by insiders of commercial enterprises and financial institutions. Disgruntled staff, greedy techies and ex-employees were behind many of the cyber-security incidents reported last year, which reveals a fundamental home truth about enterprise security: a breach of trust can occur anywhere, with dire consequences.
In both cases, internal and external attacks, unauthorised access to and misuse of privileged passwords, aptly referred to as the ‘keys to the kingdom’, are often the primary objective. Administrative passwords, system default accounts and credentials hard-coded in scripts and applications have all found themselves in the cyber-criminal’s sights.
Overlooking Privileged Passwords
While it is becoming increasingly clear that hackers are seeking to exploit administrative passwords, many organizations and financial institutions continue to neglect the crucial discipline of privileged password management.
The passwords of enterprise IT resources are often stored insecurely in spreadsheets, text files and internally developed tools. It is also not unheard of to find passwords written on paper or even kept in physical vaults. If any of these were to reach a malicious user, data security and business reputation would be thrown to the wind.
In addition, and especially in the financial services industry, IT departments have to deal with thousands of privileged passwords, the majority of which are used in a ‘shared’ environment: a group of administrators uses a common privileged account to access the resource.
Apart from the officially shared passwords, users also tend to reveal administrative passwords to their colleagues. For example, it is fairly standard practice for an IT manager to hand passwords to other senior staff members when absent from the office.
Generally speaking, developers, help-desk technicians and even third-party vendors who require privileged access on a temporary basis are given the passwords either verbally or over email. In most cases there is no formal procedure for revoking the temporary access and resetting the passwords afterwards, leaving a gaping hole in the company’s security defences.
Negligence often proves costly. This haphazard style of password management makes the enterprise a paradise for both internal and external attackers. Many security breaches already stem from the lack of adequate password management policies, access restrictions and internal controls, and their number is likely to rise throughout 2013.
Tightening internal controls
Combating sophisticated cyber-attacks demands a multi-pronged strategy incorporating a complex set of activities: deploying security devices, enforcing security policies, controlling access to resources, monitoring events, analysing logs, detecting vulnerabilities, managing patches, tracking changes, meeting compliance regulations, monitoring traffic and more.
Of all these measures, bolstering internal controls should be prioritized in light of the recent high-profile attacks. Access to IT resources and digital company assets should align with an employee’s role and needs; a one-size-fits-all approach to access control just doesn’t cut it in this day and age. There should also be a clear trail identifying ‘who’ accessed ‘what’, and ‘when’. Password sharing needs to be regulated, and a well-established company policy should govern the release of passwords that grant access to sensitive resources. Standard password management policies, including strong passwords and frequent rotation, should be enforced.
An effective way to bolster internal controls is to automate the entire life cycle of Privileged Access Management (PAM), which enforces best practice company-wide. Privileged password managers replace manual administration tasks: they store privileged identities securely in a centralized vault, share passwords selectively, enforce policies and, above all, restrict access to those identities. Enterprise-class password managers go further by establishing access controls to the IT infrastructure and by recording and monitoring every user action during a privileged session, providing complete visibility of privileged access.
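The checkout-and-rotate cycle that such a vault automates, shown here as an added illustration rather than any product’s code: users are mapped to roles, an account is released only to a user holding a role on its allow-list and only against a ticket or reason, a release expires after a TTL, and the password is rotated on check-in or expiry so the value that was handed out stops working. Every decision is appended to an audit list, which is the ‘who accessed what, and when’ trail. The users, roles, account name, ticket numbers and the one-hour TTL are constructed for the example.

```python
"""Minimal model of a privileged-credential vault: role-based release,
time-bound checkout, automatic rotation on check-in or expiry, and an
audit trail. Added illustration; users, roles, TTL and names are assumed."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CHECKOUT_TTL_S = 3600.0  # assumed policy: a released password is valid for one hour


class VaultError(Exception):
    """Raised when a request violates the release policy."""


@dataclass
class Account:
    name: str                      # e.g. "root@core-db-01" (constructed)
    allowed_roles: frozenset       # roles permitted to request this account
    password: str
    checked_out_by: Optional[str] = None
    checkout_expires: float = 0.0  # epoch seconds; 0.0 when not checked out


class Vault:
    def __init__(self, user_roles: Dict[str, Set[str]]):
        self._roles = user_roles                 # user -> set of roles
        self._accounts: Dict[str, Account] = {}
        self.audit: List[dict] = []              # who did what to which account, and when

    @staticmethod
    def _new_password() -> str:
        return secrets.token_urlsafe(24)         # 192 bits from the OS CSPRNG

    def add_account(self, name: str, allowed_roles: Set[str]) -> None:
        self._accounts[name] = Account(name, frozenset(allowed_roles), self._new_password())

    def _log(self, user, action, account, now, outcome, reason=""):
        self.audit.append({"user": user, "action": action, "account": account,
                           "time": now, "outcome": outcome, "reason": reason})

    def _rotate(self, acct: Account, user: str, now: float) -> None:
        acct.password = self._new_password()     # the value handed out is now useless
        acct.checked_out_by, acct.checkout_expires = None, 0.0
        self._log(user, "rotate", acct.name, now, "ok")

    def checkout(self, user: str, account: str, reason: str, now: float) -> str:
        """Release the password to `user` if policy allows; raise otherwise."""
        acct = self._accounts[account]
        if not (self._roles.get(user, set()) & acct.allowed_roles):
            self._log(user, "checkout", account, now, "denied", reason)
            raise VaultError(f"{user} is not authorised for {account}")
        if not reason.strip():
            self._log(user, "checkout", account, now, "denied", "no reason given")
            raise VaultError("a ticket or reason is required")
        if acct.checked_out_by and acct.checkout_expires <= now:
            self._rotate(acct, acct.checked_out_by, now)   # stale release: rotate first
        if acct.checked_out_by and acct.checked_out_by != user:
            self._log(user, "checkout", account, now, "denied", "held by " + acct.checked_out_by)
            raise VaultError(f"{account} is checked out by {acct.checked_out_by}")
        acct.checked_out_by, acct.checkout_expires = user, now + CHECKOUT_TTL_S
        self._log(user, "checkout", account, now, "released", reason)
        return acct.password

    def checkin(self, user: str, account: str, now: float) -> None:
        """Return the account; the password is rotated immediately."""
        acct = self._accounts[account]
        if acct.checked_out_by != user:
            self._log(user, "checkin", account, now, "denied")
            raise VaultError(f"{user} does not hold {account}")
        self._log(user, "checkin", account, now, "ok")
        self._rotate(acct, user, now)

    def expire_overdue(self, now: float) -> List[str]:
        """Scheduled job: rotate every release whose TTL has passed."""
        overdue = [a for a in self._accounts.values()
                   if a.checked_out_by and a.checkout_expires <= now]
        for acct in overdue:
            self._rotate(acct, acct.checked_out_by, now)
        return [a.name for a in overdue]


def demo() -> dict:
    """Walk through one release cycle with constructed users; return outcomes."""
    vault = Vault({"alice": {"dba"}, "bob": {"helpdesk"}})
    vault.add_account("root@core-db-01", {"dba"})
    try:
        vault.checkout("bob", "root@core-db-01", "INC-1234", now=0.0)
        bob_denied = False
    except VaultError:
        bob_denied = True                                   # helpdesk is not on the allow-list
    first = vault.checkout("alice", "root@core-db-01", "INC-1234", now=10.0)
    vault.checkin("alice", "root@core-db-01", now=600.0)    # rotation happens here
    second = vault.checkout("alice", "root@core-db-01", "INC-1235", now=700.0)
    expired = vault.expire_overdue(now=700.0 + CHECKOUT_TTL_S + 1)  # never checked in
    return {"bob_denied": bob_denied, "rotated_on_checkin": first != second,
            "expired": expired, "audit_entries": len(vault.audit)}
```

In a real deployment the rotation step would set the new password on the target system (over SSH, an API or a directory) before discarding the old one, and the audit list would be shipped to a log management or SIEM system rather than held in memory.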
Password managers also address the problem of password reuse: users can protect their online identities with a unique password for every application or website without having to remember each one.
Bolstering internal controls as described above makes it far harder for a hacker who has penetrated the perimeter to go on to compromise privileged identities, and significantly reduces the threat from malicious insiders.
Keep an eye on activities, stay vigilant
Once internal controls have been tightened, financial institutions must remain vigilant and keep an eye on the activity going on inside and around them. The logs of critical systems carry vital information that can prove effective in detecting and preventing security incidents.
For instance, monitoring user logons, failed logins, password access, password changes, attempts to delete records and other suspicious activity can help identify hacking attempts, malicious attacks, DoS attacks, policy violations and other incidents. Monitoring network activity to establish real-time situational awareness is essential to enterprise security, and SIEM solutions are of immense help in achieving it.
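As an added example of the log monitoring described above (a constructed sample, not from the page or any real system), the Python below runs three detections over syslog-style sshd, sudo and passwd lines: a burst of failed logins from one source, a successful login from a source that had just been failing (a classic sign of a guessed or stolen credential), and a privileged password change outside an assumed change window. The hostnames, usernames, addresses, thresholds and the year 2013 used to complete the year-less syslog timestamps are all assumptions.

```python
"""Three detections over syslog-style auth lines. Added example; the sample
log, hosts, users, thresholds and change window are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2013                           # syslog lines carry no year; assumed for the sample
BURST_COUNT, BURST_WINDOW_S = 5, 60   # >= 5 failures from one source within 60 s
PRIOR_FAILS, PRIOR_WINDOW_S = 3, 300  # success after >= 3 failures in the last 5 min
CHANGE_HOURS = range(8, 18)           # assumed window for privileged password changes
PRIV_USERS = {"root"}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
PASSWD_RE = re.compile(r"password changed for (?P<user>\S+)")

# Constructed sample: a password-guessing run that succeeds, followed by the
# attacker resetting root's password at 02:15, then a normal admin session.
SAMPLE_LOG = """
May 27 02:14:01 bank-vpn-gw sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 5522 ssh2
May 27 02:14:03 bank-vpn-gw sshd[2210]: Failed password for invalid user oracle from 203.0.113.7 port 5523 ssh2
May 27 02:14:05 bank-vpn-gw sshd[2211]: Failed password for dbadmin from 203.0.113.7 port 5524 ssh2
May 27 02:14:07 bank-vpn-gw sshd[2211]: Failed password for dbadmin from 203.0.113.7 port 5525 ssh2
May 27 02:14:08 bank-vpn-gw sshd[2211]: Failed password for dbadmin from 203.0.113.7 port 5526 ssh2
May 27 02:14:10 bank-vpn-gw sshd[2212]: Accepted password for dbadmin from 203.0.113.7 port 5527 ssh2
May 27 02:15:30 card-db-01 sudo:  dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/usr/bin/passwd root
May 27 02:15:41 card-db-01 passwd[3042]: pam_unix(passwd:chauthtok): password changed for root
May 27 09:30:12 bank-vpn-gw sshd[2400]: Accepted publickey for jsmith from 198.51.100.4 port 61000 ssh2
May 27 09:31:00 card-db-01 sudo:  jsmith : TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
""".strip().splitlines()


def parse(line):
    """Split one syslog line into (timestamp, host, process, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["proc"], m["msg"]


def _alert(rule, ts, host, subject, detail):
    return {"rule": rule, "time": ts.isoformat(), "host": host,
            "subject": subject, "detail": detail}


def detect(lines):
    """Run the three rules over lines in order; return the alerts raised."""
    alerts = []
    fails = defaultdict(deque)   # source address -> timestamps of recent failures
    burst_fired = set()          # sources already reported, to avoid one alert per line
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, _proc, msg = parsed
        if (m := FAILED_RE.search(msg)):
            q = fails[m["src"]]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > PRIOR_WINDOW_S:
                q.popleft()      # keep only the longer window; count the shorter below
            burst = sum(1 for t in q if (ts - t).total_seconds() <= BURST_WINDOW_S)
            if burst >= BURST_COUNT and m["src"] not in burst_fired:
                burst_fired.add(m["src"])
                alerts.append(_alert("failed_login_burst", ts, host, m["src"],
                                     f"{burst} failures within {BURST_WINDOW_S}s"))
        elif (m := ACCEPT_RE.search(msg)):
            prior = sum(1 for t in fails[m["src"]]
                        if (ts - t).total_seconds() <= PRIOR_WINDOW_S)
            if prior >= PRIOR_FAILS:
                alerts.append(_alert("success_after_failures", ts, host,
                                     f"{m['user']}@{m['src']}",
                                     f"login succeeded after {prior} recent failures"))
        elif (m := PASSWD_RE.search(msg)):
            if m["user"] in PRIV_USERS and ts.hour not in CHANGE_HOURS:
                alerts.append(_alert("privileged_password_change_out_of_hours", ts, host,
                                     m["user"], f"changed at {ts.strftime('%H:%M')}"))
    return alerts


def run_sample():
    """Apply the rules to the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(a["time"], a["host"], a["rule"], a["subject"], "-", a["detail"])
```

The same three rules are easy to express in a SIEM as correlation searches; what the code adds is the ordering detail that matters in practice: the success is only suspicious because of the failures that preceded it from the same source, and the password change is only suspicious because of who it targets and when it happened.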
Of course, not all security incidents can be prevented or avoided, and privileged password management cannot thwart every cyber-security incident. However, too many security incidents occur as a result of lax internal controls, poor password management in particular, and those can certainly be prevented. It’s time for IT organizations to take the bull’s eye off the financial community’s networks and data and enforce enterprise-class password protection.