News recently broke that nearly $1 million USD, or 58 million Rubles, was stolen in a cyber-attack on PIR Bank, a Russian financial institution.
Group-IB, the Incident Response firm engaged by PIR Bank, confirmed that the attack on PIR Bank started in late May 2018. Group-IB released a statement explaining how the attack on PIR Bank took place:
“The entry point was a compromised router used by one of the bank’s regional branches. The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. On the evening of July 4, when bank employees found unauthorized transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys but failed to stop the financial transfers in time. Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs. The attack technique is a characteristic of the MoneyTaker financial cyber-attack group.
Simultaneously, the attackers used a technique characteristic of MoneyTaker to cover their tracks in the system–they cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation.
Moreover, the criminals left some so-called ‘reverse shells,’ programs that connected to the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain access to the network. During incident response, this was detected by Group-IB employees and removed by the bank’s sysadmins.”
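The log clearing described in the statement above is itself a detectable event, provided the logs were forwarded off the host before they were wiped. The following is an added example, not code from the original article or from Group-IB, showing the detection logic over a few constructed log lines: it flags the Windows events that record a log being cleared (Event ID 1102 in the Security channel, Event ID 104 in the System channel) and raises an alert when one account clears logs on several hosts, which is the "many computers" pattern the statement describes. The pipe-separated export format and the hostnames are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines (not from the PIR Bank investigation): a simplified
# "host|event_id|channel|account|message" export from a central log collector.
SAMPLE_EVENTS = """\
branch-pc-01|4624|Security|svc_backup|An account was successfully logged on.
branch-pc-01|1102|Security|svc_backup|The audit log was cleared.
branch-pc-02|104|System|svc_backup|The System log file was cleared.
branch-pc-02|1102|Security|svc_backup|The audit log was cleared.
branch-pc-03|1102|Security|svc_backup|The audit log was cleared.
hq-fs-01|4663|Security|jdoe|An attempt was made to access an object.
hq-dc-01|1102|Security|it_admin|The audit log was cleared.
"""

# Windows event IDs that record a log being wiped:
# 1102 in the Security channel, 104 in the System channel.
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


@dataclass(frozen=True)
class Event:
    host: str
    event_id: int
    channel: str
    account: str
    message: str


def parse_events(text):
    """Parse the constructed pipe-separated export into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, event_id, channel, account, message = line.split("|", 4)
        events.append(Event(host, int(event_id), channel, account, message))
    return events


def find_log_clears(events):
    """Every event that records a log being cleared."""
    return [e for e in events if (e.channel, e.event_id) in LOG_CLEAR_EVENTS]


def clears_by_account(events):
    """Map account -> sorted list of hosts on which that account cleared a log."""
    hosts = defaultdict(set)
    for e in find_log_clears(events):
        hosts[e.account].add(e.host)
    return {acct: sorted(h) for acct, h in hosts.items()}


def detect_mass_log_clearing(events, min_hosts=2):
    """Accounts that cleared logs on at least min_hosts distinct hosts.

    A single clear by an administrator on one box may be legitimate
    maintenance; the same account wiping logs across several hosts is the
    anti-forensic pattern worth an immediate alert.
    """
    return {acct: hosts
            for acct, hosts in clears_by_account(events).items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in find_log_clears(evs):
        print(f"log cleared on {e.host} ({e.channel} {e.event_id}) by {e.account}")
    for acct, hosts in detect_mass_log_clearing(evs).items():
        print(f"ALERT: {acct} cleared logs on {len(hosts)} hosts: {', '.join(hosts)}")
```

The check only works if event forwarding to a collector the attacker cannot reach is already in place; once the local log is gone, the 1102 event itself is the last thing the host can tell you, and it has to have left the machine before the clear completed.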
Whether it is the infamous Bangladesh Bank heist in 2016 or the Wannacry ransomware attack that caused havoc around the world in 2017 or several other high-profile incidents that have shaken the Corporate Board Rooms, these incidents in the recent years have time and again proven that many organizations are yet to streamline the fundamentals of information security.
As is evident, the root cause of the PIR Bank attack was an out-of-support router used in a remote branch. It was a Cisco 800 Series Router running IOS 12.4, for which support had ceased in 2016. A simple search shows multiple vulnerabilities in this version. This clearly indicates weaknesses in several security processes, such as Asset Management, Threat and Vulnerability Management, Hardening and Patch Management, etc. The fact that the attack started in May 2018 and was not discovered by the security team, but by the business, on 4th July 2018 shows weaknesses in the Security Monitoring and Incident Management process, which is another key component of a mature cybersecurity program.
Time and again, such incidents have proven that while security professionals the world over have been focusing on cutting-edge security technologies, the fundamentals of security are often overlooked.
As Gordon B. Hinckley once said, “You can't build a great building on a weak foundation. You must have a solid foundation if you're going to have a strong superstructure.” Similarly, to have a mature cybersecurity program that protects your organization from sophisticated attacks, it is crucial to have a robust implementation of the basic cyber-security hygiene principles, which can be considered the foundation of cybersecurity.
When it comes to defining the fundamental security requirements, every security professional draws up their own list and often misses important controls. Fortunately, there is a tried and true set of practices that, since its first release in 2008, has given thousands of organizations a solid cybersecurity foundation: the Center for Internet Security’s Critical Security Controls. The CIS pays particular attention to the first five controls, listed below, whose adoption, according to the CIS, can reduce the risk of cyber attack by a staggering 85%:
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
Other critical controls from the list, such as Boundary Defense, Malware Defenses, and Maintenance, Monitoring and Analysis of Audit Logs, are equally important. A prioritized strategy should be established to implement the critical controls if they are not already in place, or to strengthen them if they already exist in the environment.
Furthermore, the PDCA (Plan-Do-Check-Act) model should be applied to these controls to continuously assess their adequacy, efficiency, and effectiveness. Any improvements required should be implemented in a timely manner.
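The root-cause analysis above (an out-of-support router in a remote branch that nobody was tracking) and the first controls in the CIS list (device inventory, continuous vulnerability assessment) both come down to the same recurring check: reconcile what you believe you own against what is actually on the network, and flag anything that is unknown or past its support date. The following is an added example, not code from the original article or from the CIS, showing that reconciliation in working form. The inventory, the discovery-scan results, the product names and the end-of-support dates are all constructed for the example; the dates are assumptions, not vendor lifecycle data. The "Check" step of the PDCA cycle is simply rerunning this against a fresh discovery scan.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    product: str
    version: str
    owner: str  # team accountable for the device; empty when unknown


# Constructed authorized inventory (CIS Control 1: what we *think* we own).
AUTHORIZED = [
    Asset("hq-core-rtr", "10.0.0.1", "router-os", "15.9", "network"),
    Asset("branch-17-rtr", "10.17.0.1", "router-os", "12.4", "network"),
    Asset("hq-fs-01", "10.0.1.10", "file-server", "2019", "infra"),
]

# Constructed discovery-scan results: what is actually answering on the network.
# A rogue device has no hostname or owner in the scan output.
DISCOVERED = [
    Asset("hq-core-rtr", "10.0.0.1", "router-os", "15.9", ""),
    Asset("branch-17-rtr", "10.17.0.1", "router-os", "12.4", ""),
    Asset("", "10.17.0.250", "router-os", "12.3", ""),  # not in inventory
]

# Constructed end-of-support table keyed by (product, version). The dates are
# assumptions for the example, not real vendor lifecycle data.
END_OF_SUPPORT = {
    ("router-os", "12.3"): date(2014, 12, 31),
    ("router-os", "12.4"): date(2016, 12, 31),
    ("router-os", "15.9"): date(2030, 12, 31),
    ("file-server", "2019"): date(2029, 1, 9),
}


def reconcile(authorized, discovered):
    """Return (unauthorized, missing).

    unauthorized: devices seen on the network but absent from the inventory.
    missing: inventory entries that the scan did not find (stale records,
             or a device that is offline and should be investigated).
    """
    auth_by_ip = {a.ip: a for a in authorized}
    seen_by_ip = {d.ip: d for d in discovered}
    unauthorized = [d for ip, d in seen_by_ip.items() if ip not in auth_by_ip]
    missing = [a for ip, a in auth_by_ip.items() if ip not in seen_by_ip]
    return unauthorized, missing


def out_of_support(assets, today):
    """Assets whose product/version passed end of support before `today`.

    Unknown product/version pairs are treated as supported here; a stricter
    policy would flag them for manual review instead.
    """
    return [a for a in assets
            if END_OF_SUPPORT.get((a.product, a.version), date.max) < today]


def prioritized_findings(authorized, discovered, today):
    """Findings as (priority, ip, accountable owner), most urgent first."""
    unauthorized, missing = reconcile(authorized, discovered)
    rogue_ips = {d.ip for d in unauthorized}
    owner = {a.ip: a.owner for a in authorized}
    findings = [("P1-unauthorized-device", d.ip, "unassigned") for d in unauthorized]
    # Out-of-support check runs over *live* devices, skipping the rogues that
    # are already reported under P1.
    findings += [("P2-out-of-support", a.ip, owner[a.ip])
                 for a in out_of_support(discovered, today) if a.ip not in rogue_ips]
    findings += [("P3-inventory-stale", a.ip, a.owner) for a in missing]
    return findings


if __name__ == "__main__":
    # The date the page gives for discovery of the PIR Bank transfers.
    for priority, ip, owner in prioritized_findings(AUTHORIZED, DISCOVERED, date(2018, 7, 4)):
        print(f"{priority:24} {ip:14} owner={owner}")
```

Every finding carries an accountable owner because, as the paragraph on governance below argues, the scan is worthless without a process that assigns someone to act on each line; an inventory that nobody owns is how a branch router quietly ages out of support.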
One important mistake that most organizations commit is to look at these controls as the implementation of technical products, forgetting that a technical product is no good unless the governance processes around it are established. For instance, when we talk about Access Management, the focus is often on implementing an Identity and Access Management solution without giving adequate attention to the associated key governance processes, such as user onboarding and offboarding, access reconciliation and certification, profile review, privileged identity management, orphan account management, and generic and service account management.
Another important aspect to consider is that organizations should move from compliance-driven security to risk-driven security. In the compliance-driven model, the focus is always on attaining compliance (often referred to as tick-mark security), and once the compliance audit is over, the controls tend to weaken again until the next security audit. For instance, all critical systems may be rigorously hardened and patched prior to a regulatory audit, but the moment the audit is over, controls are relaxed, resulting in the so-called ping-pong trend in security.
It is high time that security professionals the world over give adequate priority to basic security hygiene by implementing and continuously improving the fundamental building blocks of cybersecurity and developing robust governance processes around these controls. Needless to say, all stakeholders should be made aware of the importance of these basic cyber-security controls so as to obtain the necessary commitment and support for implementing them. It certainly takes a lot of time, effort and patience to convince the stakeholders and implement the controls, but as they say, ‘Rome was not built in a day,’ and cybersecurity maturity, likewise, is attained over a period of time.