Security people also have to be “light on their feet” and “think outside of the box,” because the hacks keep coming, and the hackers are always finding new ways to affect your systems. One can never say that a hacker’s effect on users was an unintended consequence, because they always intend to cause problems, steal what they can, and so on. The motivations vary, but as technology has evolved, the motivations of hackers have changed. In the early days, it was just plain fun to run a .wav file in a chat room and see all of the other members of the room fall out. Those who could keep from being punted were proud to be able to “ride the wave.” Today, the threat landscape has changed. There are different kinds of players on the field: governments, hacktivists, and organized criminals, just to name a few. The organized hackers actually have paid vacations! They always did say that crime pays, but they also say “if you can do the crime, you can do the time/pay the fine.”
The Bank of Bangladesh was attacked on multiple levels. It took time to come up with the plan and to put it into place. Was it successful? Well, $81M isn’t too shabby a pay day for the criminals, but they really were aiming for $951M. The bank was lucky, because a typo is what saved it from losing more than $81M. The hackers mistyped the name(s) of one or more recipients. This is also part of how they got caught. They used the SMART system in order to direct money belonging to the Bank of Bangladesh out of the Federal Reserve Bank of New York, which was holding it. The request had to come directly from the Bank of Bangladesh in order for the money to be transferred. The funds secured by the hackers were then directed to casinos in the Philippines, which laundered the money. The attack has been attributed to two Chinese hackers, but details seem to be constantly coming in with updates.
Details are still emerging, but let’s look at how the Bank of Bangladesh failed in protecting its assets. It is an important case study, because it shows multiple layers of failure and can be used as a checklist of sorts. While budgets are important, keeping your data, customers, employees, and other stakeholders safe is of primary concern. At times, a budget is not going to do justice to what is mandatory to conduct business safely and within compliance. Let’s look at the items on the checklist.
Do we have a firewall? No.
Firewalls are important for keeping people you do not want on your network out. There are different kinds of firewalls, depending on what they are meant to do. For example, a Next Generation Firewall not only keeps out those you don’t want in your network, but it also provides packet inspection, application inspection, intrusion prevention, and monitoring. A database firewall keeps your stored data safe from access by parties who are not supposed to reach it. Application gateway firewalls serve as proxies for mail, file transfers, and telnet; they determine what permissions applications are allowed to use. Web application firewalls determine what HTTP traffic is allowed, and protect against XSS and SQL Injection. The firewall types listed here are just the tip of the iceberg, and one should not rely on just one type of firewall. Firewalls can be software based or hardware based. It is recommended to have multiple layers and types.
The Bank of Bangladesh is reported not to have had basic firewall systems in place. It could have been a budgetary decision, but it was a factor in the catastrophic failure that the bank experienced.
Do we have up to date switches? I am willing to spend $10 each on them…
A $10 switch is a bargain, but it is going to be far from up to date with the technological needs of an organization. Switches connect devices together on a network and forward data to the appropriate destination. There are different levels of switches, and part of what separates the levels is whether or not data collisions can occur. One can think of the data flowing across a network the same way that you think of driving in a car. If you have multiple channels, it is the same as having multiple lanes on a road. Some switches are single-lane highways, and accidents can happen. The best switches are the ones with the ability to handle more two-way traffic. A $10 switch is not likely to have this type of functionality. What were they thinking? Perhaps, because the switches are not externally facing, the bank did not consider them worthy of the money that it would cost to be up to date on the best switching technology. On a personal level, we each evaluate our automobiles to see if we have the latest safety features to determine whether or not it is time to trade in. The same kind of thinking should apply to all hardware on a network.
Is there appropriate end-point protection in place? Is it up to date?
The “inside man” of the cyber-heist was a Remote Access Trojan. This is malware that sits on a system and allows the robbers to take what they want. Many people access work systems remotely in today’s world, but they go through approved channels. In the case of the Bank of Bangladesh, there was no alerting system (IDS/IPS) to tell the bank that there was something there which shouldn’t be. An IDS will notify you that something isn’t right; an IPS will prevent the infiltrator from going further. Either one works by looking at behavior patterns. The end-point protection, also known as anti-malware, anti-spam, or anti-virus, was not up to date or was not in place. There are many options, some of which are free, for endpoint protection. It is a best practice to have multiple types and/or vendors for endpoint protection, because different vendors will find different types of malware at different times. The vendors are constantly researching them.
Security Policies and Procedures
There were a number of issues that the Bank of Bangladesh showed us here. First of all, there was a terminal connected to the SMART system left on in a room that was secured with biometric scanning. To enter the room, an employee would have to scan his or her fingerprint into a device which unlocks the door. Next, the employee would sign on to the system using a username and password combination. Both of these actions authenticate the user as being allowed to access the room and the equipment. Authentication means that the person is who he or she claims to be, and can prove it. The SMART system is a communications system between banks to transfer funds.
The first issue here is that the terminal was not shut down properly. There has been speculation that the terminal could have been left on intentionally by an “inside man.” Leaving the terminal on allowed transactions to take place. Anyone could access the terminal and the system that it was connected to – as long as they had access to the room. It is always a best practice to lock a terminal when walking away from it, even for a minute or two. A person who has bad intentions can be very fast.
The second issue is that there was not a policy that would automatically lock the terminal after a specific amount of idle time. This policy can be put in place through Group Policy on Microsoft machines, and through the equivalent settings on Linux machines. Because this basic policy was not being enforced, one wonders what other policies were lacking. For instance, were there basic password policies in place? What about Least Privilege and access rights? One would hope that employee roles were considered in the creation of the policies.
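As an added example (not part of the original post), here is a small checker for the Windows side of that idle-lock policy. It reads the output of `reg query` for the user screen-saver values and the machine-wide inactivity limit that Group Policy writes, and reports whether the console will lock within an assumed limit of ten minutes; the registry output below is constructed, not captured from any real host.

```python
import re

# Constructed sample of `reg query` output for the two relevant keys
# (not captured from any real machine). The user-level screen saver is
# active but does not require a password, and the machine-wide Group
# Policy inactivity limit is 0, which means "disabled".
SAMPLE_REG_OUTPUT = """
HKEY_CURRENT_USER\\Control Panel\\Desktop
    ScreenSaveActive       REG_SZ       1
    ScreenSaveTimeOut      REG_SZ       1800
    ScreenSaverIsSecure    REG_SZ       0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    InactivityTimeoutSecs  REG_DWORD    0x0
"""

MAX_IDLE_SECONDS = 600  # assumed organizational limit: lock within 10 minutes

# Value lines are indented: "<name>  <REG_type>  <data>"; key paths are not.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return {value_name: int} from reg query output (REG_DWORD data is hex)."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, kind, raw = m.groups()
        values[name] = int(raw.strip(), 16 if kind == "REG_DWORD" else 10)
    return values

def effective_lock_seconds(values):
    """Idle seconds before the console locks, or None if nothing will lock it."""
    candidates = []
    machine_limit = values.get("InactivityTimeoutSecs", 0)
    if machine_limit > 0:                      # 0 means the policy is not set
        candidates.append(machine_limit)
    # A screen saver only counts if it is active AND requires a password.
    if (values.get("ScreenSaveActive") == 1 and values.get("ScreenSaverIsSecure") == 1
            and "ScreenSaveTimeOut" in values):
        candidates.append(values["ScreenSaveTimeOut"])
    return min(candidates) if candidates else None

def evaluate_lock_policy(values, max_idle=MAX_IDLE_SECONDS):
    """Return a PASS/FAIL verdict string for the idle-lock policy."""
    secs = effective_lock_seconds(values)
    if secs is None:
        return "FAIL: no setting locks the console on inactivity"
    if secs > max_idle:
        return "FAIL: console locks after %ds, limit is %ds" % (secs, max_idle)
    return "PASS: console locks after %ds" % secs

if __name__ == "__main__":
    print(evaluate_lock_policy(parse_reg_query(SAMPLE_REG_OUTPUT)))
```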
It has come to light that there may have been issues in the code of the software interfacing with the SMART system. Safe coding is taught in schools, and should always be a standard in business. Safe coding secures software from being manipulated by those who wish to use it differently from the way intended. It is also a factor in building websites, in order to protect access to databases. For instance, when you submit answers on a form, there should be input verification to determine that the user has not typed something into the form that will query a database. This is called a SQL Injection attack. Instead, the visitor to the website should be limited in the types of responses they can make on forms. Many times, businesses that write software are under harsh deadlines, and at times they work extremely long hours in order to wrap up a project. At times, safe coding is not considered due to the amount of time that it takes, or is simply forgotten. It is important to have code reviewed.
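To make the form-handling point concrete, here is an added example (not code from the original post or from the bank’s software) that puts an injectable lookup next to its hardened form. It uses an in-memory SQLite table with constructed sample users, and the username format it allows is an assumption chosen for the example.

```python
import re
import sqlite3

# Constructed sample data; not from any real system.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def lookup_vulnerable(conn, name):
    # The form value is pasted straight into the SQL text, so a visitor can
    # change the meaning of the query instead of just supplying a value.
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Parameterized query: the driver sends the value separately from the
    # SQL text, so quotes or keywords in the input are never parsed as SQL.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Assumed allowlist for this example: a username is 1-32 characters of
# letters, digits, underscore, dot or hyphen. Anything else is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def validate_username(value):
    # Input verification at the form boundary, before the database is touched.
    return bool(USERNAME_RE.match(value))

def handle_form(conn, name):
    # What a hardened form handler does: validate first, then query safely.
    if not validate_username(name):
        return None
    return lookup_safe(conn, name)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # classic injection string from the text's own topic
    print("vulnerable:", lookup_vulnerable(db, probe))  # leaks every e-mail
    print("safe:      ", lookup_safe(db, probe))        # matches nothing
    print("form:      ", handle_form(db, probe))        # rejected: None
```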
Not having been onsite at the Bank of Bangladesh, I do not know if the appropriate security patches were in place. I am of the opinion that, given the other issues, there may have been an issue here as well. Software must be patched when there is an update. Hackers are always looking for vulnerabilities in software in order to exploit them against their targets. When patching, go to the vendor’s site by typing in the URL yourself. Do not click on a flashing icon that says “it is time to update…” There are known tricks that present a false update alert, so take the long way and patch constantly.
It almost hurts to think of the large number of issues that have come to light from the Bank of Bangladesh hack. The investigations are continuing, and multiple governments are involved. As the investigations continue, we may learn of additional issues. The Bank had a poor posture when viewed through the lens of layered security, the practice of protecting a company’s assets with multiple overlapping defenses. As you can see, there are many things to think about.
I am not a large bank like the Bank of Bangladesh. They aren’t interested in ME!
Here is the bad news. Hackers are targeting anyone they find to be weak. It is important to have multiple layers of defense. It would be nice if we could take a hammer each time someone attempts to break into our systems and say “That isn’t nice. Stop that.” Unfortunately, we are only allowed to defend. It is truly tempting, especially for those who are witnessing or experiencing attacks, to want to fight back. It is against the law in many countries to attack back.
So, how do I protect myself? Are there experts?
Oh, I am so happy that you asked this question! Yes, there are experts who can help you. EthicalHat Security offers health checks, consulting services, penetration testing, hardware and software solutions, installation and implementation of protective systems, and any customized requests. Our Managed Security Services include 24/7 monitoring in our Security and Network Operations Centers. We also offer Security as a Service, and CISO as a Service. Our rates are reasonable, and we employ highly trained, certified engineers.
Enjoy Beer. Leave Your Security On Us!