As cybercrime mutates and hackers change gear in their quest to get hold of sensitive data, the challenge facing financial organisations is greater than ever, says Christopher Andrews

Sony may be the most recent high profile hacking case, but it’s hardly the first company, and certainly won’t be the last, to have its network broken into and valuable information pilfered from it. Indeed, if figures published in February through a joint report by BAE Systems Detica and the Cabinet office are to be believed, cybercrime costs the UK economy some £27 billion a year, with the lion’s share of that figure, £9.2 billion, resulting from intellectual property crime (IPC). The findings of this report, particularly around IPC, prompted the government’s special representative to business on cyber security, Baroness Neville-Jones, to rally for a public/private partnership to try and plug the holes. “It is both a national security and commercial priority,” she said. “And both sides need to work together to strengthen our existing resilience.”

For financial institutions, IP probably isn’t as much of an issue as it would be for, say, pharmaceutical companies or engineering firms, though this depends on one’s definition of IP. As Detica’s technical director Henry Harrison says: “Banks are not typically inventing organisations. The key issue is that they hold incredibly sensitive information on behalf of their customers, and there are people out there who find that information extremely valuable.”

Cyber security experts say that the landscape has changed dramatically for cybercrime, with the hacker’s new raison d’être being data siphoning, rather than the more obvious destructive attacks of past. The modern cyber criminal is much more likely to leave as small a footprint as possible to avoid detection, siphoning off the maximum amount of information before their presence is discovered. “(Sensitive data) is the target of choice by cyber criminals, this is absolutely the key thing that organisations should be looking to protect without any shadow of a doubt,” says Raj Samani, CTO at McAfee. “The challenge is that organisations may not even know that they’ve been hacked or that they may have been impacted. So all organisations, including financial organisations, need to take this very seriously, because this is death by a thousand cuts.”
Who those criminals actually are is difficult to say. Samani describes one element of this as a new concept of ‘crimeware as a service’, and much of the activity appears to be very organised, but in many cases we remain in the dark as to who the perpetrators actually are. “You can start to hypothesise, but ultimately we’re speculating,” says Harrison. “We desperately need better intelligence sources about who it really is doing this to us and why. The reality, though, is that we do see organised efforts to steal what is clearly valuable information, and that is really the new frontier for the security industry, trying to deal with those targeted attacks; it’s a constant war.”

For financial institutions, losing that valuable information, which again may not necessarily be considered ‘intellectual property’, could have severe implications. And it’s not just obvious targets like credit card details, but anything which could provide an advantage to the competition. Emails between a chief exec and the board discussing new branch openings or M&A activity, details of strategic plans or investment decisions; this is all game. “You’ve got to try to value the data that you have in terms of its value to a third party,” Samani says. “So even though you may feel it’s not very valuable, if somebody is putting together a map of what a company is doing it could be very valuable.”

Changing times
To get to that information, cyber thieves are using a combination of techniques, including sophisticated technological attacks, as well as less sophisticated social engineering, targeting employees to gain system access. This blended approach makes attacks very difficult to defend against, and as Harrison points out, unlike a virus that can be detected and eliminated, “these attackers will try one thing and if that doesn’t work they’ll try something else.”

“I think what’s changed now is if people want to do it they can do it,” says Frank Coggrave, general manager EMEA at Guidance Software. “If bank A wants to find out what bank B’s plans are in the mortgage space, they can do it. The technology is available and no matter how you try to defend, people will get through. You’ve only got to ask RSA who are in the security space; they were breached and they had an entire range of defences in place.”

This is arguably made easier if an organisation does not have a culture of ‘data awareness’ among its employees, making that social engineering side of things easier for criminals. As a case in point, recent research from data inspection firm LogRythm found that in a survey of 3,000 UK workers, 37 per cent had shared privileged company information outside the company, while 21 per cent had transferred company data to their personal computers.

“And if we’re talking about ‘theft’ of IP, you can find masses of information just by searching through the social network sites,” says Neil Fisher, vice president of global security solutions at Unisys. “Because people talk, and their behaviour outside the corporate envelope is unfortunately much different than it is inside. They will happily Twitter away about what they’ve been doing at work, and if you monitor enough people in a given organisation you can get a very full picture.”
The key to protecting data, then, first comes down to awareness of what employees are getting up to, of activity taking place across the network, and of what data is actually valuable. As Ross Brewer, vice president and managing director, international markets at LogRhythm says: “One of the major weaknesses of organisations today is that they simply do not know enough about what’s happening across their own IT systems to recognise aberrant activity, such as IP theft, when it occurs.”

Samani says that organisations should implement procedures to deal with data theft as part of their standard risk management exercises, and as with those criminals attempting to access their systems, to do this as a blended approach. That means a combination of people, process, “and of course technology, such as data loss prevention,” says Samani. “So five to 10 years ago people were concerned about what was coming into an organisation, and that’s kind of changed now. Data infiltration isn’t the primary concern, it’s now data getting out. The perimeters are well and truly lifted up now.”

“If someone wants to get at it, they probably will,” agrees Coggrave. “The best thing is to accept that something is going to happen, and then ask how you will mitigate those losses, find out where it’s gone, who’s been doing it and remove the people, rather than just protecting the information.”

“Just because someone has got into a company’s network they haven’t lost yet,” adds Harrison. “They’ve lost when the attacker has managed to locate what they came for and stolen it. And that can take quite a long time. You’ve suddenly got access to someone’s network but you don’t just type DIR and a list comes up of the most valuable information that the company holds. It takes a bit of hunting around, and it can take weeks or months to locate what you came for. And what organisations really need to start doing is looking for evidence of behaviour during that period.”

Sharing the pain
What could help with this is increased co-operation between companies, sharing information about attacks, the techniques used to carry them out and how best to defend against them. “The individual attackers can afford to focus on one company, but it’s important for that company to share what’s happening with other companies so you can get a mass defence as well as a mass attack,” says Coggrave.

Julian Heathcote-Hobbins, general counsel at the Federation Against Software Theft (FAST), says that in terms of IP theft, “Perhaps we ought to look closely at having some sort of hub where we can have closer collaboration.” And this could form part of that public/private partnership which Baroness Neville-Jones is keen to establish, though the industry needs to tread carefully if it is going to be effective. As Coggrave says: “The objective is good, so long as it’s focussed on practitioners and not politicians. And there’s got to be a mechanism whereby you can share information without prejudice,” he notes. “And if that goes into the public domain in a public/private partnership, you’ve got to make sure that that information is itself protected.”

How to make this work is the £27 billion pound question, but there is little argument that something needs to be done, as the volume, and the complexity, of attacks is only increasing. “This is not science fiction,” says Harrison. “This is absolutely the state of the world today.”

Share Story: