The Cipher Brief sat down with Steven Grossman, VP of Strategy and Enablement at Bay Dynamics, to discuss the current cyber threat landscape facing the financial sector. According to Grossman, insider threats pose the greatest risk to the global banking industry, and “being able to track, manage, and understand unusual behavior, both on the financial side as well as on the cyber side, is going to be key” moving forward.
The Cipher Brief: What is your assessment of the global banking industry’s current cyber security posture? On average, how well are banks doing at protecting themselves from cyber threats?
Steven Grossman: I think it’s a real challenge, especially for the smaller organizations. The larger organizations are buried under a deluge of alerts and incidents and have very complex infrastructures that were brought together from a lot of mergers and acquisitions. It’s very hard to manage those kinds of infrastructures and prioritize vulnerabilities and threats. Threats change every day. You need to stay on top of them, but you need to do it in a way that’s going to minimize the impact to your business. Smaller regional banks face even greater challenges, because they don’t have the same amount of resources as larger banks. They’re sharing the same networks as those global banks and provide a weak entry point that’s easily exploitable for criminals to access those networks.
TCB: With that in mind, what would you say is the greatest threat to the global banking industry right now in terms of cyber?
SG: It’s really the insider threat or the credential-based threat. Once these hackers get inside the firewall, they’re free to roam around. At that point, they have free rein inside the institution, as well as potentially being able to get onto the larger networks, like the SWIFT network. In the case of the Bangladesh heist, Bangladesh Bank’s security was woefully lacking, especially its connection between internal networks and the overall institutional networks that go across institutions globally. Being able to track, manage, and understand unusual behavior, both on the financial side as well as on the cyber side, is going to be key.
TCB: Do you think nation states might pose a threat to global banking? If a state is particularly cash poor, they might be tempted to try and pull off a heist if they can. So are nation states a threat in this area?
SG: I think nation states are a threat across the board, both from the perspective of being able to increase their own financial stability by stealing money in these ways, as well as being able to introduce instability into other countries by affecting their financial systems. If you think about the instability introduced just by the DNC hack, which could potentially affect a U.S. presidential race, these nation state attacks really have far reaching implications.
TCB: Jumping to the criminal element, are there any trends as to how they go about these attacks? You mentioned that once they’re in, they’re in, but how do they make that initial jump? Is it spear phishing? Is it someone plugging a USB in where they shouldn’t? How do they do it?
SG: We’ve seen quite a variety of entry points. It could be stolen credentials from an unsecured Wi-Fi. It could be phishing and spear phishing attacks. We’re seeing a rise in spear phishing in general in the industry. But I think whichever way criminals get into the network, once they get in, companies need to do better at locking them down.
There are too many ways to get in. I don’t think any large bank would tell you its perimeter is 100 percent solid, that there’s no way anybody could break in through the perimeter with a stolen credential or by installing malware on machines. Again, going back to the Bangladesh heist, you see that was an element. I mean criminals are becoming increasingly sophisticated in their methods of attack. In the Bangladesh heist, they actually modified the printouts of the transaction confirmations in order to line up with the fraudulent transactions. That’s a pretty specific, detailed hack to facilitate what they were trying to do. They got away with 81 million dollars, so it was worthwhile for them. But it was a pretty specific hack, and I think we’re going to see more and more of those kinds of things.
TCB: Are there other things that cyber criminals try to do within these financial institutions, I’m thinking money laundering or messing around with identities such that they can move around assets? Are you seeing any one set of criminal activities being more or less prevalent and is it changing at all?
SG: I think the fraudulent activity overall ends up with different results, but the methods are all similar: being able to manipulate transactions, falsify identities and transactions, and then launder money. Again, if you look at what SWIFT says, one of the ways the criminals laundered the stolen money was to transfer it to a Manila-based casino and then cash it out in chips. Their methods are getting more diverse and devious. Once criminals are able to get into a system and falsify transactions, the sky’s the limit, whether it’s laundering money, stealing money, or creating instability in the system.
Imagine somebody hacking in and just creating general instability in that bank’s banking system where transactions change. It would create incredible instability for that bank and probably create ripple effects across the industry. It’s important for both the individual bank and the industry’s well-being for each bank to protect itself.
TCB: So what can banks do to protect themselves better?
SG: Banks need to improve security awareness so that the phishing attacks are less prevalent, and people aren’t taking USB sticks from trade shows and putting them into their laptops. They need technical controls to be able to lock down the endpoints and get rid of administrator controls on machines so that software can’t be installed on those machines. And they need to be doing a better job of tracking credentials and transactions across both the financial transactional network, as well as on the cyber side, data going in and out, that would allow criminals to falsify things.
What we’ve been told by some of our clients is that very often the cyber insider threats they have detected have only been the tip of the iceberg: yes, they found bad cyber activities, but often, once they start investigating them, those activities turn out to be much larger in scope, and much greater in scope in terms of financial wrongdoing related to the same person. There’s a lot of connection between the two in the financial world, and they need to be watched in each area as well as correlated between the two areas.
TCB: In a similar vein, what is the role of the government in all of this? Should it be providing support? Is there legislation that might be useful? What can the U.S. government do to try and support better cyber defenses in the financial industry?
SG: It’s a tricky challenge. If you look at any regulation, whether it’s the FFIEC Cybersecurity Assessment Tool or the PCI DSS, whatever they’re regulating is not exactly futuristic controls. These are basic blocking and tackling controls that the company should be using to protect itself. In some cases, regulations could actually have a negative effect, because the institutions become so worried about checking the box for the regulators that they lose sight of the actual protective nature of what they’re doing and look to just make sure they’re satisfying the audits.
The government is doing a great job in supporting banks in terms of things like intelligence sharing; you have regional intelligence sharing hubs that allow financial institutions to share that information. FS-ISAC has a lot of cooperation that goes on between the institutions, and I think that cooperation as an industry is going to be key to making sure that these bad guys are detected and blocked. They’re not usually going to one bank and stopping. Usually there are transactions between multiple banks, and if everyone works together to share attack information in a transparent way—albeit nobody wants to admit when they’re being attacked—if they cooperate in a transparent yet confidential way, it’ll help the industry overall stop these guys.
TCB: Are you optimistic for the future? Ambivalent? Do you think things are going to get worse for a bit? What’s your prediction?
SG: It’s hard to predict the future, but I think that things are going to become more challenging, because threats are getting more and more sophisticated. The banks are having difficulty resourcing the defense of those threats. Automation in many cases is going to help the matter—but using automation to optimize the human resources that they already have applied. Humans are the only ones who can really pick up the business context of what’s going on in the environment. Very often they are the only ones who can really spot the things that are truly out of the ordinary for their business. Use automation, use humans, bring them together and optimize it all. And hopefully banks will be able to stay ahead of the criminals.
TCB: What about proactively getting everyone in the organization involved in cyber risk management, and not just the security team?
SG: Something that we talk about often in the context of our clients and everything we do is making security everybody’s business. You know, it’s all about security awareness and risk awareness, understanding what’s really important to the business, whether that’s the guy sitting at the keyboard sending out social security numbers or whether it’s the board of directors understanding how to invest their money in security tools. Understanding that context and making it everybody’s business across the board.
Just like we say in the physical world, if you see something, say something. It’s kind of the same in the cyber world. Make sure that everybody is on top of their game, watching out for security and understanding the risk associated with that, what’s important, what’s not important. Make sure not to click on that link or open that email; even though it may be the easy way to do your job, it’s not the right way to do your job. So make sure you build that culture both in the bank and in the industry at large.
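Grossman’s point that cyber-side and financial-side anomalies for the same person need to be watched separately and then correlated is something a detection engineer can prototype in a few dozen lines. The script below is an added example written for this page; it is not code from the interview, from The Cipher Brief, or from Bay Dynamics, and it does not represent that company’s product. The log formats, the thresholds (work hours 07:00 to 19:00, a bulk export above 100,000 rows, a transfer above five times the user’s median, a beneficiary not seen before, a six-hour correlation window) and every record in the sample logs are constructed for illustration. It flags only users who show unusual behaviour on both sides, which is the signal Grossman describes as the tip of the iceberg.

```python
"""Correlate cyber-side and financial-side anomalies per user.

Added example, not part of the interview and not Bay Dynamics' product code.
Log formats, thresholds and sample records are constructed for illustration;
a real deployment would learn baselines from history instead of hard-coding.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# --- constructed sample inputs (not real logs) ---------------------------
# cyber side: timestamp user action key=value...
CYBER_LOG = """\
2016-08-01T02:13:00 alice login src=10.0.4.7
2016-08-01T02:20:00 alice export rows=250000
2016-08-01T09:05:00 bob login src=10.0.4.9
2016-08-01T11:40:00 carol login src=10.0.4.12
2016-08-01T11:45:00 carol install pkg=putty
"""

# financial side: timestamp user amount acct=<beneficiary>
FIN_LOG = """\
2016-08-01T03:02:00 alice 480000.00 acct=NEW-9921
2016-08-01T10:15:00 alice 12000.00 acct=KNOWN-1001
2016-08-01T10:30:00 bob 9500.00 acct=KNOWN-2002
2016-08-01T12:10:00 carol 15000.00 acct=KNOWN-3003
"""

# Constructed per-user baselines: past transfer sizes and known beneficiaries.
HISTORY = {
    "alice": [9000.0, 11000.0, 12500.0, 10000.0],
    "bob": [9000.0, 10000.0, 8000.0],
    "carol": [14000.0, 16000.0, 15000.0],
}
KNOWN_BENEFICIARIES = {
    "alice": {"KNOWN-1001"},
    "bob": {"KNOWN-2002"},
    "carol": {"KNOWN-3003"},
}


@dataclass(frozen=True)
class Anomaly:
    user: str
    ts: datetime
    tag: str


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def cyber_anomalies(log_text, work_start=7, work_end=19, bulk_rows=100_000):
    """Off-hours logins, bulk exports and software installs on the cyber side."""
    found = []
    for line in log_text.splitlines():
        ts, user, action, *rest = line.split()
        kv = dict(p.split("=", 1) for p in rest)
        t = _ts(ts)
        if action == "login" and not (work_start <= t.hour < work_end):
            found.append(Anomaly(user, t, "off_hours_login"))
        elif action == "export" and int(kv.get("rows", 0)) > bulk_rows:
            found.append(Anomaly(user, t, "bulk_export"))
        elif action == "install":
            # Any install is unusual where admin rights have been removed.
            found.append(Anomaly(user, t, "software_install"))
    return found


def financial_anomalies(log_text, history, known_beneficiaries, factor=5.0):
    """Outsized transfers and payments to never-seen beneficiaries."""
    found = []
    for line in log_text.splitlines():
        ts, user, amount, acct = line.split()
        t, amt = _ts(ts), float(amount)
        acct_id = acct.split("=", 1)[1]
        if amt > factor * median(history.get(user, [amt])):
            found.append(Anomaly(user, t, "outsized_transfer"))
        if acct_id not in known_beneficiaries.get(user, set()):
            found.append(Anomaly(user, t, "new_beneficiary"))
    return found


def correlate(cyber, fin, window=timedelta(hours=6)):
    """Pair each cyber anomaly with same-user financial anomalies inside the window.

    Returns {user: [(cyber_tag, financial_tag, minutes_apart), ...]} and only
    includes users that have anomalies on BOTH sides.
    """
    hits = defaultdict(list)
    for c in cyber:
        for f in fin:
            gap = abs(f.ts - c.ts)
            if c.user == f.user and gap <= window:
                hits[c.user].append((c.tag, f.tag, int(gap.total_seconds() // 60)))
    return dict(hits)


def flag_users():
    """Run both detectors over the sample logs and correlate them."""
    return correlate(
        cyber_anomalies(CYBER_LOG),
        financial_anomalies(FIN_LOG, HISTORY, KNOWN_BENEFICIARIES),
    )


if __name__ == "__main__":
    for user, pairs in flag_users().items():
        print(f"{user}: cyber and financial anomalies within window")
        for cyber_tag, fin_tag, minutes in pairs:
            print(f"  {cyber_tag} -> {fin_tag} ({minutes} min apart)")
```

On the sample data only alice is flagged: an off-hours login and a bulk export are followed within the hour by a very large transfer to a beneficiary she has never paid. carol triggers a cyber-side anomaly (a software install) but nothing on the financial side, and bob triggers nothing, so neither appears in the output. The design choice worth noting is that the correlation step never suppresses the single-sided alerts; it ranks the cases where both sides agree so that an investigator starts with the ones most likely to be the larger fraud Grossman describes.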