As I am attending the Cyber Security Event (http://www.cybersecuritysummit.com.br/) running in Sao Paulo Brazil in July 2018 with a presentation entitled ‘Dark Matter’, given the number of recent insecurity debacles which have occurred in the Financial Sector, from Experian to Equifax, from RBS to TSB, and of course not forgetting the high-impact outages which implicated the Bank of England’s (BoE) Chaps Infrastructure in 2017, halting the transactional processing of part of the £277bn which passes through the wired tentacles of the system each day, when it went down for around 10 hours during peak trading hours:
Thus I saw a natural link. Conjoin this to the age of an always-on, always-connected society which, like it or not, the public are being forced down the route of on-line banking, and this linked to the devolution of Banks, morphing into Technology Companies, without necessarily possessing the prerequisite skill, one may ponder ‘do I (we) have reason to worry? – the answer to which is a resounding YES!
One other observation is, if you look back over some of the organisations CIO Executives have passed through, where, without any depth, or even modicum of Cyber Security knowledge they claimed have been presiding over deploying Cyber Security resilience, it is worrying. However, with a little research, in such cases, one may look back and find that there is a sad trail of insecurity present at each one of those organisations such people have passed through – ranging from:
- Open Zone Transfers leaving internal servers and data exposed to exploitation
- Hard Coded User ID and Password inside poorly engineered applications
- Compromised routers connected into a Chinese Domain (.cn) located servers (unknown to the owner organisation)
- Insecure use of Insecure protocols (e.g. SAMBA)
- Servers storing critical information with no enabled authentication or logging
- The loss of complete and unencrypted 35,000 Banking Records – a matter which was never reported in accord the regulations or even to the owner bank
- And not forgetting the Vehicle Finance Database of High Profile Individuals the likes of Sir Elton John which was based on a fixed user id and password – meaning even when the employee left the business, they still had extant access to ther system and its data!
And many, many more other examples….
When I look back at my time and experiences in the world of Computer Security, I seem to remember the days when security, was very robust – served up by those big unfriendly giant mainframes which did a good job of securing data, by employing centralized isolation, linked with complex routing (unrouteable) communications which, on occasions required to support of an LU6.2 from IBM to enable a little more friendliness. And these machines certainly did not allow any facilitation of Input/output other than in a printed or visual sense – and even then, only under the watchful eye of the Audit Log. But then with the onset of Client Server opportunities, and the Internet we saw ther scramble to save money and create cheap-and-cheerful, quick-to-market apps based on COTS (Commercial off the Shelf) – which were sold to clients, on occasions, even before they had actually been developed!
Given we now live in the age of OSINT (Open Sourece Intelligence) we can see the wired criminal fraternity go mining on a regular basis for isolated snippets of meaningless information (Intel) which, when extrapolated can paint a picture of opportunistic adverse opportunities, and related vectors which may represent a surface of attack – from mapping, through to following through an extracting a depth of metadata – or what I call OoII (Objects of Intelligence Interest) – below an example of what can be a simple pre-attack mapping stage (sanitized).
Simple Pre-Attack Mapping Stage
There is no doubt now that with those bigger banking organisations who have moved by circumstance into Technology Companies, with an associated and proven track record of insecurity, and an inability to manage their assets and data as expected, the genie is well and truly out of the bottle, and I don’t see him moving back into that residence any time soon. That said, and one call out here I would make is regarding those new start up Micro Banks – who in my experience seem to have learned from the mistakes of their banking forefathers and are not replicating those very same chaotic profiles – in fact in many of these Micro Bank cases they are first Technology oriented, and secondly a Bank – they would seem to know what they are doing in all domains, and progress with care.
The state of the nation as we stand today is, as I said in an interview on BBC Radio 4 – expect to see more of the same. And as for the big silver bullet of GDPR, will that make a difference? – unlike all those previous compliance fixes like Data Protection, and PCI-DSS to name but two – don’t hold your breath!
In conclusion, maybe it is time to rethink what we understand Cyber Security to really mean, and possibly, by implication of all those insecurities and failures that have gone before us both the banks, and those incumbent regulators such as the Bank of England should take a much closer look at regulations and above all governance over, what seems to have become far to regular slip-shod industry – most of which seem to be related to generating higher returns at a much reduced running cost. And above all, and by no means least, maybe it is time we look to all those expensive executives and CIO’s who seem to talk-a-good-talk, but in real implementation terms can’t do ther walk – with a subject matter so very critical as Cyber now is, we don’t need words from empty vessels, but direction from real expertise to secure the organisation, the nation, and professionals who may contribute to the global race to secure the wired planet against the very real threat of potential electronic darkness.
If you happen to be attending the event in Brazil, I promise to carry on from here and give you the depth of reality of the threats we face today – so see you there.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.