- Two legs of the security stool’s people, process and technology equation are routinely underserved.
- Progress toward more relevant and actionable threat intelligence sharing is inching forward.
Cyber thieves continue to improve their game, bringing great creativity, technical skills, good organization, communication and financial backing to their illicit endeavors. In a fine example of life imitating art, an Ocean’s 12-style gang robbed the UK’s Barclays bank last April, blending a creative mix of system compromise with social engineering in the flesh and technical skills to make off with about $2 million. As reported in CSO Magazine, the gang sent one of its members into a Barclays branch, posing as an IT guy to fix a computer problem. While there, he installed a KVM switch linked to a router, which in turn was attached to a computer at the branch. The installation allowed the gang to transfer money from the bank to other accounts under their control. When they tried a similar heist at another London bank not six months later, they were caught.
The incidents highlight the underserved process and people parts of the security equation. All too often, IT security relies on technology as a silver bullet to protect assets and does not pay enough attention to people and process. In this case, developing a well-thought-out process for verifying that people are who they say they are would have allowed the bank to avoid the theft. Raising the security awareness of employees through ongoing and periodic training may help to avert breaches that all too often employ social engineering. I’ve heard CISOs dismiss end-user training and education as not cost-effective, but I’m not sure the CISO at Barclays bank would agree with that sentiment now.
The incidents also demonstrate that some progress is being made toward better threat intelligence sharing. The second bank was aware that the gang was targeting it and was prepared when the gang sent in its fake IT guy. Even without the explicit sharing of threat information between criminal investigators and targets, broader threat intelligence sharing is moving forward. Recently, Kathleen Moriarty, Global Lead Security Architect in EMC’s Office of the CTO, called on the industry to disseminate “threat intelligence (that) is relevant and actionable.” With the launch of its new Threat Central, HP has designed a threat intelligence sharing platform with the goal of enabling faster sharing of threat intelligence that is more relevant and actionable. It reduces the number of manual steps a security analyst must perform to investigate a potential threat.
While better and more actionable threat intelligence sharing among a community that shares a common objective is a small step in the right direction, the cat and mouse game will continue. It is not unusual for cyber criminals to recycle old and somewhat forgotten exploits when they think people have stopped looking for them. I’d place a bet that some other well-organized and talented gang in another part of the world will take the Ocean’s 12 idea, put a creative spin on it, and try it again.