It’s very much a work in progress as the financial industry finds its way along the information highway – too often, the “misinformation highway” – to keep pace with the “bad guys.”
Hackers and cyber criminals have already passed the highway markers, leaving the milestones and warning signs in their rearview mirrors, like the TV commercial featuring a sullen young man alone in a hallway bouncing a ball, telling us we do not yet appear to have spotted him hacking our IT systems.
He has already invaded, he says, taken what he wants and is long gone – and what are you going to do about it?
Sometimes life imitates art, and in February, cyber thieves invaded the New York Federal Reserve account of Dhaka’s central Bank of Bangladesh, stealing $81 million.
The invaders had tried to grab $951 million, but several of the transfers were blocked, including $20 million to a “Sri Lankan entity,” according to a Reuters news report. Four others, however, passed through the system, landing in the Philippines, where $81 million was laundered through casinos and casino agents.
Most of the money remains missing, and one U.S. Federal Bureau of Investigation agent said the FBI and authorities in Bangladesh, the Philippines and other countries have never officially identified the culprits in one of the biggest computer heists ever.
“They may never make [an arrest],” the agent told Reuters.
BAE Systems (formerly British Aerospace), a world-leading London-based defense and security company helping lead the Bangladesh Bank probe, said malware used to erase the tracks of the hackers was similar to computer code used in a 2014 attack on Sony Corp. that compromised studio executives’ information and a handful of feature-film releases.
At the time, the FBI blamed North Korea for the Sony attack. The agent addressing the February bank heist said the thieves were likely either a sophisticated criminal group or a rogue nation, pointing out that both had an interest in making it appear as if the other were responsible.
The unsolved theft and futile pursuit of the hackers have triggered a global alert, including in the Cayman Islands, reputed as the world’s fifth-largest financial center. The alert took on additional urgency after an early June report from the Federal Reserve bank that its cybersecurity had been breached more than 50 times between 2011 and 2015.
A U.S. congressional committee expressed “serious concern” to Federal Reserve Chair Janet Yellen, invoking its authority under a 2014 law creating the National Institute of Standards and Technology, which develops federal cybersecurity standards and guidelines.
Yellen promised a response, while, at the same time, the Cayman Islands Monetary Authority is relying on NIST standards for its own cybersecurity survey of the local financial-services industry.
Cybersecurity ‘a fact of life’
“Cybersecurity is a fact of life in all large businesses, and CIMA recognizes that our licensees are a prime target,” a Cayman Islands Monetary Authority spokesman said.
“Licensees should consider adopting a security standard such as the National Institute of Standards and Technology Cyber Security Framework. This will assist them in identifying their weak spots as they go through the five areas required by the NIST which are: Identify, Protect, Detect, Respond, Recover.
“Licensees prepared with the proper policies, procedures, and practices encapsulated in these five areas will find themselves well protected against threats, but even more important prepared to recover from them,” the spokesman said.
A 2014 10-page PwC report titled “Why you should adopt the NIST Cybersecurity Framework” says the scheme “represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards.”
Lead author and PwC Managing Director Jim Guinn acknowledged that “implementation may involve certain challenges,” observing that proactivity “demands a holistic view of the entire risk ecosystem, as well as the ability to be truly objective.”
It is a tall task, he writes, to “segregate management of back office IT systems and networks from their operational technology (OT) assets and process-control networks.”
Translation: “These organizational silos can make it difficult for a single person to assess the entire connected enterprise, since doing so will demand an in-depth understanding of all IT and OT assets,” Guinn says. “It may be more effective to seek assistance from a third party with deep experience across the risk ecosystem specific to your industry.”
Third-party assistance – reaching outside the company for help – creates its own problems, however. CIMA, for example, acknowledges the benefits of third-party vendors, but cautions they are subject to the same regulatory scrutiny as primary financial institutions.
“Many of our licensees do use third-party vendors to perform many of their IT functions,” the authority says. “In many cases, this makes good business sense. However, these vendors must be chosen and reviewed with security forefront in mind. CIMA will expect the same level of preparedness from our licensees whether they are on-premise hosted or third-party provided.” Third-party pitfalls were amply illustrated in 2013 when intruders compromised Target Corp. by stealing one of its third-party vendor’s credentials, gaining access to the company’s entire network of department stores.
In 2016’s second edition of “Cybersecurity for Dummies,” author Lawrence Miller describes what happened: “The retailer’s point-of-sale systems were not properly segmented from other systems (such as industrial systems) on the network, so the attacker was able to move freely from system to system on the network, installing malware on nearly all of Target’s point-of-sales devices in stores across [the United States], and gaining access to more than 70 million customer records and credit card numbers.”
And speaking of malware, Miller goes on to describe a “drive-by download,” which, he says, “delivers advanced malware or an exploit in the background, without the user’s knowledge, usually by taking advantage of a vulnerability in an operating system, web browser, or other third-party application.”
Once third-party software is tricked into running an attacker’s code, advanced malware can be installed and “software exploits” readily practiced.
PwC addresses the five NIST categories recommended by CIMA. “Identify” means to understand management of cybersecurity risks to systems, assets, data, and capabilities; “protect” means to weigh the controls and safeguards necessary to protect or deter cybersecurity threats; “detect” entails “continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events”; “respond” is response planning, communications, analysis, mitigation and improvements; and “recover” requires business-continuity plans “to maintain resilience and recover capabilities after a cyber breach.”
Just last week, on July 29, the Basel-based Committee on Payments and Market Infrastructures, a global central bank panel, and the International Organization of Securities Commissions, a 100-nation, Madrid-based group of securities and futures regulators, issued their first global financial-sector “resilience and recover” anti-hacking guidelines.
By June 2017, the unit said, exchanges, banks, brokers and other institutions must be able to restore clearing houses, payment systems, trade repositories, and clearing and settlement houses within two hours of a cyberattack.
The guidelines also say institutions should plan for scenarios in which the two-hour resumption is not achieved, while identifying the status of all transactions and positions of members at the time of a disruption.
The Cayman Islands Monetary Authority is nonetheless determined: “We, as have other regulators, have become concerned over the rapid increase in cyber breaches being reported worldwide, both within our industry and others … As regulators, it is our responsibility to ensure that the customers of our industry are as well protected as they can be.”
The authority is “drafting an inspection questionnaire” to be distributed during CIMA’s annual review of “certain sectors of our industry,” although the document, according to officials, “is not yet complete or ready for circulation.” CIMA conducts reviews throughout the year depending on the category of licensee.
“CIMA considers our licensees to be at risk from both ‘hacktivists’ and criminals,” a spokesman said. “The first are interested in making a statement by exposing confidential information or impacting the operation of the licensee. The second are interested in rerouting funds, or performing some activity for which they can charge a ransom. We consider that all levels of licensee should take both types of threat equally as seriously.”
The spokesman named a handful of immediate threats, pointing to Russia and the Middle East as particular regions of worry, but said “with the ability to control attacks from previously compromised systems, we see an equal number of threats coming out of the USA. It is not simply a matter of blocking a region.”
He raised particular worries about the growing threat from ransomware, in which data is essentially “kidnapped,” then returned to its owner after a payment: “Due to the success of this threat with hospitals and large companies publicly admitting that they have recently paid to recover their data, we expect to see this particular attack increase in both complexity and frequency.
“We encourage our licensees to take this threat particularly seriously and to ensure immediately they have backup and recovery procedures that are both workable and complete.”
He continued, “Too many times we have seen backup procedures put in place, but never tested. In most cases, the above ransom payouts were necessitated by the lack of recoverable data.”
Another growing concern, the spokesman said, is mobile devices, which he described simply as “definitely here to stay – and must always be considered in any threat mitigation plan.”
“Dummies” author Miller indicates the topic is of top concern because the devices exist outside the perimeter of a computer network, boosting the security challenge.
“Users simply expect to be able to connect and work from any location, whether at an airport, at a coffee shop, in a hotel room, or at home,” he writes. “Increasingly, organizations are accepting this new reality with permissive bring-your-own-device and bring-your-own-app policies.
“This change means that more and more workers and data may be beyond the physical perimeter of the organization, and thus also beyond the protections of traditional perimeter security solutions,” he says.
“The key is to build a security architecture that doesn’t treat these mobile or remote users as exceptions; they need the same application, user and content protections when they’re outside the perimeter that they would receive when they’re inside.”
The key, he says, is consistency in network architecture, and that requires “careful planning – and is a must for any security policy to address the realities of modern computing.” CIMA declined to say when its cybersecurity recommendations might be ready or, beyond that, if they would form part of licensing requirements for member institutions.
The authority did indicate, however, that strong emphasis would be placed on staffing, training and individual awareness.
“All institutions should pay particular attention to each of [the cybersecurity recommendations],” the spokeswoman said, “and not only have controls in place, but also procedures to test those controls on a regular basis to ensure that they are performing.
“Staff awareness and training should be an ongoing exercise. Ninety-one percent of all reported cyber breaches in 2015 originated with an email. Staff awareness is key.”
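The spokesman’s point that ransom payouts were “necessitated by the lack of recoverable data,” and the later call for “procedures to test those controls on a regular basis,” both come down to the same practice: a backup is only a control once a restore of it has been proven. The following restore drill is an added example written for this article, not CIMA’s procedure or any vendor’s product. It assumes a tar.gz archive and a separately stored manifest of SHA-256 hashes; the file names and contents are constructed for the demo.

```python
"""Restore drill: prove that a backup can actually be recovered, not just that it exists."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree as tar.gz and return the manifest captured at backup time.
    Store the manifest apart from the archive (ideally offline): an intruder who encrypts
    or deletes the backup must not also be able to rewrite the expected hashes."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_drill(archive: Path, expected: dict) -> dict:
    """Restore the archive into a fresh scratch directory and compare it to the manifest.

    Returns a report dict; report["ok"] is True only if extraction succeeded and every
    expected file came back byte-for-byte identical. Restoring to scratch, never in place,
    keeps the drill from damaging the live data it is meant to protect."""
    # Python 3.12+ (and patched 3.8-3.11) ship the "data" extraction filter, which refuses
    # absolute paths, path traversal and device nodes inside the archive.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        error = None
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(dest, **extract_opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            error = f"{type(exc).__name__}: {exc}"
        restored = build_manifest(dest)
        missing = sorted(name for name in expected if name not in restored)
        corrupt = sorted(
            name for name in expected
            if name in restored and restored[name] != expected[name]
        )
        return {
            "ok": error is None and not missing and not corrupt,
            "missing": missing,
            "corrupt": corrupt,
            "error": error,
        }


def demo() -> tuple:
    """Run the drill on constructed data: once against a sound backup and once against an
    archive a misconfigured job wrote with nothing in it (the 'backup exists, data does not'
    failure mode). Returns (good_report, bad_report)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        live = work / "live"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("id,balance\n1,100\n2,250\n")
        (live / "config.ini").write_text("[db]\nhost=localhost\n")

        nightly = work / "nightly.tar.gz"
        manifest = make_backup(live, nightly)
        good = restore_drill(nightly, manifest)

        empty = work / "nightly-empty.tar.gz"
        with tarfile.open(empty, "w:gz"):
            pass  # the job ran and produced a file, but backed up nothing
        bad = restore_drill(empty, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("sound backup:", good)
    print("empty backup:", bad)
```

The drill deliberately checks the restored copy against hashes recorded at backup time rather than against the live system, so it still detects a backup that was silently empty, truncated or altered even after the live data has changed or been encrypted. Scheduling it after every backup run, and treating a non-empty `missing` or `corrupt` list as an incident, is the “tested, workable and complete” procedure the regulator asks for.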
The consequences of failure may prove far greater than a compromise to any single institution, CIMA warned, rippling outward like the rings from a stone dropped in still water.
“It is hard to quantify what level of impact a cyber breach can have,” the spokesman said. “However, it is easy to imagine the loss of capital through cyber theft that could leave an institution in a precarious financial position, or the loss of data that could result in a lack of confidence in the institution itself.”
Much graver would be a “widespread breach within our industry,” making it “very easy to consider reputational damage to the Cayman Islands as a whole.”
Speaking precisely to CIMA’s efforts, writes “Dummies” Miller: “Today’s cyber criminals are highly motivated professionals – often well-funded by criminal organizations or nation-states – who are far more patient and persistent in their efforts to break through an organization’s defenses.
“More and more attacks are increasingly coming to fruition, producing a steady stream of high-profile, sophisticated breaches and intrusions.”
While “a kid in a basement,” fueled by his own notoriety and “oversized cans of energy drinks” may represent one level of trouble, Miller says, he “doesn’t necessarily know what to do with, say, RSA source code.
“On the other hand, a rogue nation-state or criminal organization knows exactly what to do or [to whom] to sell stolen intellectual property on the gray or black market.
“[C]riminal organizations and nation-states have far greater financial resources than independent individuals. Many criminal hacking operations have been discovered, complete with all the standard appearance of a legitimate business with offices, receptionists and cubicles full of dutiful cyber criminals.
“These are criminal enterprises in the truest sense, and their reach extends far beyond that of an individual. Not only do we face more sophisticated adversaries today, but the types of information of value to them are continually expanding as well. These groups can do interesting things with the most seemingly innocuous bits of information.”