Opportunistic hackers are routinely stealing so much data from SMBs that cyber criminals can’t even exploit it all, as their soft perimeters and lack of appropriate network security make them easier targets than “well run, well resourced” banks, security consultant Keith Price has warned.
Among the presenters at the FST Media Future of Banking & Financial Services conference, Price – a former information-security manager with Westpac, Telstra and the Sydney Olympics who is now director and principal consultant of security consultancy Black Swan Group – said that while banks still occasionally copped DDoS attacks from outside hacktivists, profit-focused Eastern European cyber-criminals were “going after the money” and had shifted their attention to “mom and pop” operations with minimal, outdated or non-existent security controls.
“It’s not the banks being attacked,” he told CSO Australia. “It’s the banks’ customers being attacked. How many of those mom-and-pop shops spend the $99 a year to get updates from their endpoint protection security vendors? They’re easy to compromise, put keyloggers on their computers and steal login IDs and credit card details.”
“It takes the cyber criminals a long time to get through [the data] because they have so many compromised computers.”
A recent report from Trend Micro found that 91% of targeted attacks start with a spear-phishing email, to which SMBs are particularly vulnerable as they generally have no anti-phishing protections in place.
While banks may also be susceptible to such attacks when employees click on emails they shouldn’t, their ability to invest in more-sophisticated tools – heuristic scanners, traffic monitors, back-to-base bot signal detection, and the like – makes them better equipped to detect and respond to potential breaches. Indeed, Price said, banks have generally invested enough in information security that they are seen by opportunistic hackers as being too difficult to bother with.
Yet the rules of the game change when it comes to state-sponsored attacks, whose perpetrators are less interested in personal financial gain than in accessing privileged information about national infrastructure or even future projections of the value of the Australian dollar; such information is invaluable during large-scale commercial negotiations or in compromising intellectual property protections.
“Hacktivists don’t steal money, which is against their code,” Price explained. “They want to punish decadent capitalists in an Occupy Wall Street sort of way, and they might steal your customer database to punish you. And the Chinese government isn’t going to attack your company to steal your money – but they might attack to steal your intellectual property. Your patent information, pharmaceutical designs and such are what they want to take home.”
Since even generally well-protected companies can miss subtle and well-executed advanced persistent threats (APTs) these days, Price said businesses could take inspiration from the strategy of King Leonidas I during the battle of Thermopylae, when several hundred vastly outnumbered Greek soldiers fiercely fought off an army of over 100,000 Persian soldiers for several days by blocking the only pass through which they could advance.
The Greek soldiers ultimately lost that battle, but the strategic basis of their defence can be applied to a ‘cyber kill chain’ security approach – burying the most important corporate information assets at the end of a long string of well-delineated and carefully protected network segments, linked by connections that can be instantly cut to block or strand cyber-criminals’ attacks.
“The steady flow of breaches shows that you cannot protect everything – so give up on the idea that you can protect everything,” said Price, who has recently conducted an audit of dozens of third-party breach reports and concluded that the spectre of APT-driven cyber-attacks is only getting worse. “If that’s the case, you have to identify and put your crown jewels in a special subzone that, like an onion, has many layers and takes a lot of effort to be able to compromise.”
“If you apply this concept to a security architecture, you have choke points and controls to interject yourself into the cyber-attacker’s methodology,” he continued, “and you either stop them, or force them to start all over again. Done properly, it’s a lot of effort to hack – but it’s the fundamental thing we can’t get people to do properly. And that’s why they keep getting hacked.”
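As an added illustration of the choke-point architecture Price describes (this is example code, not from the article or from Black Swan Group), the following Python models two constructed zone layouts: it lists the zones an intruder must transit to reach the crown jewels, finds the choke points where a defender can interject, and shows that severing one link strands the attacker in an intermediate segment.

```python
from collections import deque
from copy import deepcopy

# Constructed topologies (assumed, not from the article): each key is a network
# zone, each value the set of zones it may open connections to.
FLAT_NETWORK = {
    "internet": {"office_lan", "guest_wifi"},
    "office_lan": {"crown_jewels"},
    "guest_wifi": {"crown_jewels"},
    "crown_jewels": set(),
}

LAYERED_NETWORK = {
    "internet": {"dmz"},
    "dmz": {"app_zone"},
    "app_zone": {"db_zone"},
    "db_zone": {"crown_jewels"},
    "crown_jewels": set(),
}

def shortest_path(zones, src, dst):
    """Hop-by-hop route an intruder would take from src to dst, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in zones.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def choke_points(zones, src, dst):
    """Zones whose removal cuts every route from src to dst: the places where
    a defender can monitor, block, or force the attacker to start over."""
    points = []
    for zone in zones:
        if zone in (src, dst):
            continue
        pruned = {z: nbrs - {zone} for z, nbrs in zones.items() if z != zone}
        if shortest_path(pruned, src, dst) is None:
            points.append(zone)
    return points

def sever(zones, a, b):
    """Return a copy of the topology with the a->b connection cut."""
    cut = deepcopy(zones)
    cut[a].discard(b)
    return cut
```

In the flat layout there is no single zone a defender can hold, whereas the layered one offers three, and cutting the app-to-database link leaves the intruder stranded in the application zone.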