Information security for banks: The insider threat
The biggest threats for the banking sector come from within. How can banks mitigate the risk from malicious, careless or exploited users?
Published December 23, 2015
U.S. law enforcement officials arrested five individuals who reportedly were involved in the high-profile 2014 security breach of JPMorgan. The breach was one of the largest attacks on a US corporation in history.
The perpetrators of that attack stole the login credentials of a JPMorgan employee and used them to access 90 of the company’s servers. Sensitive customer data, including names, email addresses and phone numbers, was severely compromised, forcing customers to change their details or abandon the bank altogether.
While a group of Russian hackers was originally blamed for the attack, subsequent investigations ruled out this possibility. Several theories have since emerged about a possible insider breach, because the attack originated with stolen employee login credentials being used to access the network.
Whether the breach involved a malicious, careless or exploited employee (or employees), the case underlines how stronger access management security can help prevent such credential-based attacks, even when valid credentials are compromised.
The following is an interview (originally published in Security Buyer) with IS Decisions’ CEO François Amigorena on the 2014 JP Morgan attack, the risks of insider threats and banking security in general.
At IS Decisions, we specialize in insider threats and solutions, so our main focus is on that. When people talk about cyber threats, especially in the banking and finance sector, they tend to focus on external threats, but in reality insiders are often more likely to be the source of any breach. The recent high-profile attacks have given us proof of that.
If you look at the JP Morgan breach last year, millions of pounds were compromised by an attack from, allegedly, Russia. However, I think you have to take any news about breaches like that with a hint of caution. In all likelihood, the breach started with an employee’s credentials being compromised. That’s something that we’re seeing a lot now. It’s something that all organisations should be aware of, but especially in the financial services industry.
Would you say the financial industry is a bit blasé about insider threats compared to other industries?
Banks are obviously a high-profile target. The data they gather about their customers — both individuals and businesses — is extremely valuable to hackers looking to carry out an easy phishing attack, for example. Because their data is so valuable, they have to be aware of the risks and ready to protect it.
The first line of defense is the user login. The first action that should be taken is to monitor, control and secure network access for all employees and sub-contractors — anyone who could be considered an insider.
Do you think it’ll take more breaches like the JP Morgan one for the industry to wake up to the threats?
Definitely. What I hope is that that type of incident will raise awareness of the risks. Breaches like JP Morgan will help companies and security professionals to understand where the real dangers come from.
There are, of course, always going to be external threats, such as malware and viruses, but the most dangerous threat is from insiders. Those people know better than anyone what is most valuable to steal, or where sabotage should take place to be as destructive as possible.
Of course. It could just be a PC left on overnight. Insider threats can come from malicious users, or just ignorant or forgetful ones.
I think there is definitely a need for legislation, yes. Compliance regulations, such as the BCI for the banking industry, definitely need to help to raise awareness of the risks and motivate people to protect themselves. It’s a shame that it has to come to that — in my opinion you shouldn’t have to regulate people to protect their data, but human beings being what they are, it is probably necessary!
However, if an organisation has to become compliant with regulations such as BCI, that gives the incentive to the IT department to get investment from higher up. If you have a business case that is easy to defend to senior management — we have to do this to meet this law — it’s easier to get the investment you need, compared to just asking for more security because it’s a good thing to do. If you have to do it to become compliant, it is easier to get approval.
Of course. As I said earlier, human beings are fallible. We forget to do things, or do the wrong thing at the wrong time. However, we have to learn to deal with that and minimize the risks. The solutions are, of course, technological, but they are also due to proper training and awareness.
An efficient solution should involve both technology and human input. You have to train people to spot the risks and then encourage them to adopt good practices and safe behavior. However, you have to be aware that sometimes they will neglect something, and that’s what the technology is for.
Sometimes it takes a major incident, like the JP Morgan breach, to open people’s eyes and make them realize the risks they face. In a way, a breach like that is good for the industry in the long run. It’s a shame it happened, but that’s the way it works.
Obviously, education and training are an important part of any insider threat prevention program. Technology, as I said before, is also very important.
In the future, what I see, and what we are working on at IS Decisions, is ways of pushing the boundaries in terms of detecting and alerting on suspicious behavior. You have to find the right balance between being efficient and respecting a certain level of privacy.
This may, of course, differ from country to country or from sector to sector. We are working on ways of identifying patterns. If you are an insider with malicious intent to steal data or perform some sort of sabotage, your behavior is going to be unusual. The future of IT and insider threat security is going to be around identifying and combating those threats as early as possible, and giving the ability to respond as quickly as possible.
To keep user accounts from being compromised and prevent insider threats, the IT team at the Bank of Cyprus identified the need to disable concurrent user logins, prevent credentials from being shared, and make its response to security incidents both timely and effective.
Read how the Bank of Cyprus achieved this security goal with UserLock.
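The interview makes three practical points: that the user login is the first line of defense and should be monitored and controlled, that unusual logon patterns are the earliest signal of a misused or shared account, and that the Bank of Cyprus chose to disable concurrent logins outright. The following Python script is an added example written for this page; it is not UserLock code and not taken from IS Decisions or the bank. It replays a small set of constructed logon/logoff events (the `SAMPLE_EVENTS` list, the user and host names, and the 08:00 to 18:00 business-hours window are all assumptions for illustration) and shows both modes of handling a second simultaneous logon for the same account: detection mode, which records an alert, and prevention mode, which denies the logon. A separate check lists logons that fall outside business hours, the kind of simple behavioral pattern the interview refers to.

```python
"""Added example: concurrent-logon detection/enforcement and an off-hours
logon check over constructed logon events (not real log data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    user: str
    host: str
    action: str  # "logon" or "logoff"


# Constructed sample events (assumed names and times, one workday).
SAMPLE_EVENTS: List[LogonEvent] = [
    LogonEvent(datetime(2015, 12, 1, 9, 0), "alice", "WS01", "logon"),
    LogonEvent(datetime(2015, 12, 1, 9, 5), "bob", "WS02", "logon"),
    # alice still has WS01 open when a second logon arrives from WS07
    LogonEvent(datetime(2015, 12, 1, 9, 10), "alice", "WS07", "logon"),
    LogonEvent(datetime(2015, 12, 1, 9, 15), "bob", "WS02", "logoff"),
    # bob moves to another workstation only after logging off: sequential, fine
    LogonEvent(datetime(2015, 12, 1, 9, 20), "bob", "WS03", "logon"),
    # a re-logon (e.g. after a lock) on a host alice already holds is not new
    LogonEvent(datetime(2015, 12, 1, 9, 25), "alice", "WS01", "logon"),
    # a third workstation for alice while WS01 and WS07 remain open
    LogonEvent(datetime(2015, 12, 1, 9, 30), "alice", "WS09", "logon"),
    # carol logs on late at night from a branch host
    LogonEvent(datetime(2015, 12, 1, 23, 30), "carol", "BR-04", "logon"),
]

Record = Tuple[datetime, str, str, frozenset]  # (time, user, new host, open hosts)


def replay_sessions(events, max_concurrent=1, enforce=False):
    """Replay events in time order, tracking open sessions per user.

    A logon from a host where the user already has an open session is ignored
    (same workstation, e.g. after a screen lock). A logon that would push the
    user's number of distinct hosts above max_concurrent is either recorded as
    an alert (enforce=False, detection mode) or recorded as denied and kept
    out of the open set (enforce=True, prevention mode).
    Returns (open_sessions, alerts, denied).
    """
    open_sessions: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Record] = []
    denied: List[Record] = []
    for ev in sorted(events, key=lambda e: e.when):
        hosts = open_sessions[ev.user]
        if ev.action == "logoff":
            hosts.discard(ev.host)
            continue
        if ev.host in hosts:
            continue
        if len(hosts) >= max_concurrent:
            record = (ev.when, ev.user, ev.host, frozenset(hosts))
            if enforce:
                denied.append(record)
                continue
            alerts.append(record)
        hosts.add(ev.host)
    return dict(open_sessions), alerts, denied


def off_hours_logons(events, start=time(8, 0), end=time(18, 0)):
    """Return logon events whose time of day falls outside [start, end)."""
    return [ev for ev in events
            if ev.action == "logon" and not (start <= ev.when.time() < end)]


if __name__ == "__main__":
    _, alerts, _ = replay_sessions(SAMPLE_EVENTS)
    for when, user, host, open_hosts in alerts:
        print(f"ALERT {when:%H:%M} {user} logged on at {host} "
              f"while already open on {sorted(open_hosts)}")
    _, _, denied = replay_sessions(SAMPLE_EVENTS, enforce=True)
    for when, user, host, _ in denied:
        print(f"DENIED {when:%H:%M} {user} at {host}")
    for ev in off_hours_logons(SAMPLE_EVENTS):
        print(f"OFF-HOURS {ev.when:%H:%M} {ev.user} at {ev.host}")
```

Run in detection mode the replay flags alice twice (a second and then a third workstation while the first session is still open) and nothing for bob, whose moves are sequential; in prevention mode the same two logons are denied and alice is left with only her original session, which is the effect of disabling concurrent logins. The off-hours check is deliberately crude; in practice the business-hours window would be per user or per role, and this is the kind of pattern the interview says future insider-threat tooling will build on.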