Overcoming threats posed by falsified credentials
Harshul Joshi, Senior Vice President of Cyber Governance, Risk and Compliance at DarkMatter sheds light on global hacks committed through falsified credentials and how banks in the Middle East are at risk.
At the beginning of December 2016, following a hack of its Central Bank, Russia is believed to have lost $31 million, less than the amount the hackers initially targeted, according to media reports.
In echoes of the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system hack earlier this year, in which criminals stole $81 million of a targeted $1 billion plus through the Bangladesh Central Bank, the latest incident in Russia saw cyberthreat actors attempt to steal the equivalent of approximately $78 million in total.
According to reports, the hack was carried out using falsified client credentials, though the bank has provided few further details about the hackers’ methods. As a result of the attack, Russia says it is now fortifying its cybersecurity defences, particularly in light of a potential increase in what may be described as state-sponsored incidents, and in the face of accusations that Russia may itself be using cyberattacks as a political tool abroad.
Since 2015, Ecuador, the Philippines, Bangladesh, and Vietnam have suffered similar breaches of their central banks, and the trend appears to be growing as hackers grow bolder while security measures remain relatively stagnant. The International Monetary Fund has warned that emerging market economies are at higher risk, partly due to complications with correspondent banking relationships.
Interconnectivity, whether with digital networks in general or banking systems specifically, needs to take into consideration the cascading effects of a breach and mitigate against them. Given that the latest incident in Russia was likely orchestrated using falsified client credentials, which has become a preferred method of bank system hacking, the use of multi-factor authentication for accounts is advised, so that even if a password is stolen and access to a system gained, the hackers are not able to access accounts or initiate transactions without the corresponding token or biometric for the account.
This way a stolen password alone is not enough to push an unauthorised transaction through: the attacker would also need the second factor itself, or the complicity of an insider such as the account administrator. We believe that the use of multi-factor authentication in combination with diligent asset management of authentication tokens is a compelling approach to minimising cyberbreaches in a financial services environment.
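The following is an added example, not code from the article or from DarkMatter, showing the point above in working form: a transaction release that requires both a password and a time-based one-time code (TOTP, RFC 6238), so that a stolen password alone is rejected and an already-used code cannot be replayed. The account record, the enrolled secret, the fixed timestamp and the `authorise_transfer` helper are all constructed for this illustration and are not a real banking API.

```python
"""Added example (not the article's or DarkMatter's code): a transfer
authorisation gated on two factors, a password and a TOTP code (RFC 6238,
built on HOTP from RFC 4226), using only the Python standard library.

Everything below (account, secret, salt, timestamps) is constructed for
the illustration; 'authorise_transfer' is a hypothetical helper."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed Base32 secret, as an authenticator app would enrol it (not a real key).
ENROLLED_SECRET_B32 = "JBSWY3DPEHPK3PXP"
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def current_code(secret_b32: str, at: int) -> str:
    """What the account holder's authenticator would display at Unix time 'at'."""
    return totp(base64.b32decode(secret_b32), at)


class Account:
    """Constructed account record holding a password hash and a TOTP secret."""

    def __init__(self, username: str, password: str, secret_b32: str):
        self.username = username
        self._salt = b"constructed-per-user-salt"
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        self._totp_secret = base64.b32decode(secret_b32)
        self._last_counter_used = -1   # highest time-step already accepted, to block replay

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._pw_hash)

    def check_totp(self, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
        """Accept the current step +/- 'skew' steps for clock drift, never a consumed step."""
        if not (isinstance(code, str) and code.isdigit()):
            return False
        counter = now // step
        for delta in range(-skew, skew + 1):
            candidate_counter = counter + delta
            if candidate_counter <= self._last_counter_used:
                continue   # this step (or an earlier one) has already been spent
            if hmac.compare_digest(hotp(self._totp_secret, candidate_counter), code):
                self._last_counter_used = candidate_counter
                return True
        return False


def authorise_transfer(account: Account, password: str, totp_code, amount: int, now=None):
    """Release the transfer only when both factors verify. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    if not account.check_password(password):
        return False, "password rejected"
    if totp_code is None or not account.check_totp(totp_code, now):
        return False, "second factor missing or invalid"
    return True, f"transfer of {amount} authorised for {account.username}"


if __name__ == "__main__":
    acct = Account("treasury-ops", "correct horse battery staple", ENROLLED_SECRET_B32)
    t = 1_700_000_000                                  # constructed fixed timestamp
    print(authorise_transfer(acct, "correct horse battery staple", None, 5_000_000, t))
    code = current_code(ENROLLED_SECRET_B32, t)
    print(authorise_transfer(acct, "correct horse battery staple", code, 5_000_000, t))
    print(authorise_transfer(acct, "correct horse battery staple", code, 5_000_000, t))  # replay
```

The first call models the Russian incident as described: a valid (stolen) password with no second factor, which is rejected. The third call shows why the consumed-counter bookkeeping matters: a code captured from a legitimate session is refused when replayed, even inside the clock-drift window.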
It is also recommended that institutions adopt a proactive approach to cybersecurity in which they assume a state of breach, so that the defences and mitigation mechanisms needed to minimise the disruption caused by a cybersecurity incident are in place before it happens rather than after, as was the case with the Russian Central Bank.
This is an area in which financial institutions across the Middle East could look to improve, as assuming a proactive cybersecurity position is often wiser and more cost-effective than looking to patch or recover once a cyberincident has occurred.
The banking and finance sector is of strategic significance to the Middle East, but is clearly an economic area heavily targeted by cybercriminals looking to steal, extort, or corrupt digital information with the view of benefiting financially. Recent examples of attempted and successful breaches bear testament to this trend.
Across the region, cybersecurity generally remains an area of concern, with the Norton Cyber Security Insights Report estimating that the financial cost of cybercrime in the UAE alone has reached $1.4 billion to date this year, an increase of 4.9 per cent year-on-year.
Globally, the financial cost decreased by 16 per cent to $125.9 billion during the same period, the report estimates, highlighting that in the UAE, and indeed other markets across the region, financial institutions need to take proactive steps to defend and secure their digital assets from internal and external cyberthreats.
This is best achieved through a cyberthreat management and mitigation programme, which can be established in a three-part process encompassing visibility, intelligence and integration.
Visibility means the financial institution truly understands the configuration of its network and, most importantly, who has access to it. Large institutions in particular often maintain networks patched together over decades, running different generations of software. It is a simple truth that one cannot protect what one does not understand; a thorough audit is vital at the start of any mitigation process. Sophisticated mapping software can certainly accelerate this process, but ultimately a comprehensive audit requires people on the ground to ask the right questions and to establish where servers sit and who holds access rights to them.
Intelligence relates an individual system’s characteristics to the known threats, and the network’s vulnerabilities to those threats; it takes the threat intelligence gathered in the risk assessment process and relates it to the specifics of the organisation’s own systems.
Integration aggregates the information found in the first two phases, and displays it in a format that can be readily understood by decision makers to enable them to act quickly. In particular, attacks should be logged and diagnosed in a systematic fashion. Armed with a complete picture, a financial institution should then be able to create a continuous monitoring and mitigation capability supported by intelligence and securely integrated technology, which working together can help reduce the number of successful breach attempts.