Security is a matter of economics. It is an attempt to push the costs of executing a successful attack higher than the rewards. As the rewards grow for the attackers they are willing to invest more and more in the attack. And that is where cyber security starts to fall down.
Once attackers are thwarted from simply hacking in from the Internet, they turn to the physical and human layers of the organization, an approach that may catch it completely off guard. For instance, you may spend millions to defend bank account information only to lose critical account records to someone who bribed a bank teller for little more than a week's salary.
Other articles by Richard Stiennon: Network Admission Control is a Blind Alley; The Best Defense Against Social Engineering.
It has taken recent events to once again highlight the fact that when there is value in information there are criminals that will stop at nothing to steal that information. Like most things it is a matter of economics.
I don’t know how long I will be writing about Sumitomo but this is the classic case of infiltration and its lessons should be learned by everyone in the banking industry or any industry for that matter.
A gang masquerades as cleaning staff to get into the Sumitomo bank branch in central London. They install hardware keystroke loggers on the PCs of support staff, harvest the credentials typed on them, and get as far as attempting to transfer over $400 million to accounts at other banks around the world before the heist is detected and shut down.
Have you examined your procedures for hiring contracted cleaning staff? Or the people who water the plants? Or temporary clerical help? Or your security guards, for that matter? Do you ask them for IDs when they show up for work? Do you have security cameras to check up on them? Can the security guards themselves access the camera system?
Also in London, within the “square mile” which is the financial district, there have been warnings from the British Bankers’ Association that nefarious types are accosting bank employees on their way to and from work with the purpose of recruiting them to steal bank account information and sell it for probably paltry sums.
You have security guards, you have cameras, you have firewalls, intrusion prevention systems, and leak prevention systems, but your employees can still walk out the door with gigabytes of data stored on a thumb drive, CD, iPod, or that storage medium made out of wood pulp (paper). Background checks will not identify an employee who may be turned by the right proposal. Improving employee relations and better communication with them would be a good start.
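Neither the keystroke loggers in the Sumitomo case nor a thumb drive carried out the door will be stopped by a firewall, but both leave a trace on the workstation itself, and that trace is cheap to watch. The following is an added example, not code from the article or from any of the products it mentions: it runs over constructed Linux kernel log lines (syslog format from the usb, usb-storage and hid subsystems; the hostname, device paths and vendor/product IDs are made up) and raises two kinds of triage alert. The first is any USB mass-storage enumeration on a workstation where removable media has no business. The second rests on an assumption stated in the code: some inline USB keyloggers present themselves to the host as a small USB hub with the real keyboard attached behind it, so a keyboard appearing behind a freshly enumerated one-port hub, or more keyboards than the desk is supposed to have, is worth a visit from physical security. An inline PS/2 logger produces no log at all, which is exactly the kind of gap the article is warning about.

```python
"""Flag USB mass-storage and unexpected keyboard/hub enumeration in Linux kernel logs.

Added example. The log lines are constructed for illustration in the format the
Linux kernel's usb, usb-storage and hid drivers emit via syslog; hostname,
ports and IDs are hypothetical.
"""
import re
from dataclasses import dataclass

# Constructed sample. Earlier in the morning a one-port USB hub appears with a
# keyboard behind it (assumption: the way some inline USB keyloggers enumerate);
# later a 32 GB flash drive is plugged into the same support-staff workstation.
SAMPLE_LOG = """\
Mar  3 07:55:10 ws-support-07 kernel: usb 1-1.2: new full-speed USB device number 4 using xhci_hcd
Mar  3 07:55:10 ws-support-07 kernel: usb 1-1.2: New USB device found, idVendor=05e3, idProduct=0608, bcdDevice=85.36
Mar  3 07:55:10 ws-support-07 kernel: hub 1-1.2:1.0: USB hub found
Mar  3 07:55:10 ws-support-07 kernel: hub 1-1.2:1.0: 1 port detected
Mar  3 07:55:11 ws-support-07 kernel: usb 1-1.2.1: new low-speed USB device number 5 using xhci_hcd
Mar  3 07:55:11 ws-support-07 kernel: usb 1-1.2.1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar  3 07:55:11 ws-support-07 kernel: hid-generic 0003:046D:C31C.0002: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.2.1/input0
Mar  3 08:12:41 ws-support-07 kernel: usb 1-1.3: new high-speed USB device number 6 using xhci_hcd
Mar  3 08:12:41 ws-support-07 kernel: usb 1-1.3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar  3 08:12:41 ws-support-07 kernel: usb 1-1.3: Product: Cruzer Blade
Mar  3 08:12:42 ws-support-07 kernel: usb-storage 1-1.3:1.0: USB Mass Storage device detected
Mar  3 08:12:43 ws-support-07 kernel: sd 6:0:0:0: [sdb] 61079552 512-byte logical blocks: (31.3 GB/29.1 GiB)
"""

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
# Kernel message patterns we care about, tried in order.
KINDS = [
    ("new_device", re.compile(r"^usb (?P<path>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")),
    ("product", re.compile(r"^usb (?P<path>[\d.-]+): Product: (?P<name>.+)$")),
    ("hub_ports", re.compile(r"^hub (?P<path>[\d.-]+):[\d.]+: (?P<n>\d+) ports? detected")),
    ("storage", re.compile(r"^usb-storage (?P<path>[\d.-]+):[\d.]+: USB Mass Storage device detected")),
    ("keyboard", re.compile(r"^hid-generic \S+: .*USB HID v[\d.]+ Keyboard \[(?P<name>[^\]]+)\] on usb-\S+?-(?P<port>[\d.]+)/input\d+$")),
]


@dataclass
class Alert:
    host: str
    kind: str
    detail: str


def parse_kernel_usb_events(text):
    """Return (host, kind, fields) for every USB-related kernel line in the text."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        for kind, rx in KINDS:
            k = rx.match(m.group("msg"))
            if k:
                events.append((m.group("host"), kind, k.groupdict()))
                break
    return events


def port_chain(path):
    """'1-1.2.1' -> '1.2.1': drop the bus number so hub paths and HID paths compare."""
    return path.split("-", 1)[1] if "-" in path else path


def detect_suspicious_usb(text, expected_keyboards=1):
    """Alert on removable storage and on keyboards that enumerate where they should not."""
    alerts = []
    devices, products, hub_ports, keyboards = {}, {}, {}, {}
    for host, kind, f in parse_kernel_usb_events(text):
        if kind == "new_device":
            devices[port_chain(f["path"])] = f"{f['vid']}:{f['pid']}"
        elif kind == "product":
            products[port_chain(f["path"])] = f["name"]
        elif kind == "hub_ports":
            hub_ports[port_chain(f["path"])] = int(f["n"])
        elif kind == "storage":
            p = port_chain(f["path"])
            alerts.append(Alert(host, "removable-storage",
                                f"{products.get(p, 'unknown')} ({devices.get(p, '?')}) at port {p}"))
        elif kind == "keyboard":
            keyboards.setdefault(host, []).append((f["name"], f["port"]))
            # Assumption: an inline USB keylogger may show up as a one-port hub with the
            # real keyboard behind it. Docking stations and keyboards with built-in hubs
            # look similar, so this is a triage signal for a physical check, not proof.
            for hub, n in hub_ports.items():
                if n == 1 and f["port"].startswith(hub + "."):
                    alerts.append(Alert(host, "keyboard-behind-single-port-hub",
                                        f"{f['name']} at port {f['port']} behind hub {hub} ({devices.get(hub, '?')})"))
    for host, kbds in keyboards.items():
        if len(kbds) > expected_keyboards:
            alerts.append(Alert(host, "extra-keyboard",
                                f"{len(kbds)} keyboards seen, {expected_keyboards} expected: {kbds}"))
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_usb(SAMPLE_LOG):
        print(f"{a.host}: {a.kind}: {a.detail}")
```

On a real fleet the same three rules would run against the kernel log shipped from every support-staff workstation, with the expected keyboard count per host taken from the asset inventory; the signal is a device that should not be there, which is cheap to confirm with a walk to the desk and impossible to confirm from a firewall console.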