BreachExchange mailing list archives
How Many Times Do We Have to Tell You Not to Open the Cat Video
From: audrey () riskbasedsecurity com (Audrey McNeil)
Date: Tue, 12 Apr 2016 17:31:00 -0600
http://www.jdsupra.com/legalnews/how-many-times-do-we-have-to-tell-you-87418/

Everyone has been in a movie theater when one of the actors approaches that door to the basement behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking "Fool, haven't you ever been to the movies? Don't you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door. Don't do it!" They of course open the door, blissfully unaware of the grisly fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:

- "Someone dropped a thumb drive, I think I'll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I'll give it to one of my kids, they can use it on the home computer."

- "My good friend, the one who sends me those emails asking me to pass them along to three of my closest friends, just sent me an email with an adorable cat video. I just love cat videos, I'll open it on my computer at work and see what is on it. Surely nothing bad will happen. Doesn't the FBI monitor the internet keeping us safe from bad people?"

- "Someone from a small European country that I have never heard of has sent me an email telling me that I might be the recipient of an inheritance. I always knew I was destined for better things in life, I'll just click on the attachment and follow the instructions. Surely nothing bad will happen."

- "My good customer Bob just sent me an email telling me that he is stuck in jail in South America. He needs me to wire money to post his bail. I didn't know that Bob was traveling, I am pretty sure I just saw him in the bank a couple of days ago. I probably won't try and call his house or wife or his cell phone to double-check, I'm sure his email is legitimate."

If you were in the movie theater you'd be yelling out "Don't do it!" If this were a movie you would see the green glowing blob patiently waiting to silently flow into the office computer. The blob just sits there though, waiting for the bank officer to hit that keystroke that opens the file. Now we see it watching as the person sits down at the computer and logs in, types in a password and initiates a wire transfer. The blob silently memorizes both the login ID and the password. Weeks can go by as the suspense builds. The ominous music begins to swell in the background, we know that something is going to happen when, as fast as lightning, the blob springs to life initiating wire transfers for tens of millions of dollars.

This is exactly what occurred in February of 2016 in Bangladesh. Criminals were able to place the blob, in the form of malware, onto the computers of the central bank of Bangladesh. Reports indicate that part of the malware included a keylogger which was used to obtain passwords and other login credentials to the system created by the Society for Worldwide Interbank Financial Telecommunication ("Swift") used by banks to initiate funds transfers. In the end $81 million was wired through the bank's accounts at the NY Federal Reserve, apparently to a casino in the Philippines where it was converted into untraceable gambling chips.

It is not clear yet exactly how the criminals inserted the malware into the central bank's computers, but the situation underscores what we have been telling clients about cybersecurity. You are only as strong as your weakest link, and the weakest link is usually someone who clicks on an attachment or picks up the thumb drive found on the floor. It is human nature to be curious, and it takes constant training and reminders to personnel to remind them about appropriate responses.

Financial institutions are constantly hiring new employees, and each of them brings their own personal history of computer hygiene with them. Each of them must be taught immediately about the importance of not opening suspicious emails or attachments. Spam and malware filters hopefully block most of the incoming criminally engineered emails, but the criminals are resourceful and continue to innovate.

As we have noted previously, federal banking regulators have higher expectations concerning preparedness for cyberattacks. The Cybersecurity Assessment Tool released in 2015 by the FFIEC provides specific standards by which an institution can be judged when undergoing regulatory examinations.

No matter how good a company's security is, data security events are unavoidable. When a security breach does occur, preventing liability often means analyzing facts, identifying legal obligations, and taking steps to prevent or mitigate harm within the first minutes and hours of becoming aware of a breach.