Experts have suggested that the cyber attack on Tesco Bank could be an inside job. Cyber criminals managed to steal money from more than 20,000 accounts at nearly the same time in automated fashion. IT security experts from Lieberman Software and Institution of Engineering and Technology’s (IET) commented below.
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“The shape and scale of the attack on Tesco’s customers does seem to suggest that there was an element of someone – or something – on the inside. The bad guys’ favorite weapon, malware, can look and act like an insider because it lands on the insider’s laptop and essentially pretends to be them to get bad stuff done. If this particular incident was done from the outside, it represents a huge amount of patience and planning. The baddie would have collected data on many customers through some vulnerability for a long time and waited until they extracted everything they could to then launch this massive attack all at once overnight. However, an inside job or malware with an inside perch could have gotten all the information to deal this blow all at once.
It’s odd to me that some are focusing on the lack of the word “hack” in the bank’s communications. I myself avoid using the words “hack” and “hacker” as I think they are words that are used to simply mean a cool trick and someone cool enough to pull it off which have been co-opted to mean something more sinister. That’s why I talk about bad guys and not hackers.”
Professor Roy Isbell at Institution of Engineering and Technology’s (IET):
“While it’s inevitable that everyone will now point the finger at Tesco’s leadership for this security breach, it’s worth bearing in mind that most organisations in the UK could find themselves in a similar position.
“Any organisation is at risk of being hacked today, however good their security measures. This is mainly because, while most have plans for how to cope with a hacking incident, few actually practice those plans or give sufficient thought to how to continually educate and train their staff – starting with the induction process.
“It’s not uncommon for organisations to invest millions in cyber security technology countermeasures and protection, to only have this technology bypassed by an unwitting insider who succumbs to a Social Engineering attack. All staff have to be trained in how to recognise these attacks. There is a tendency to forget that even the most sophisticated cyber security plans can easily unravel if people at all levels of the organisation, including its leadership, are not fully aware of the latest trends and threats.
“Another common mistake is that access to information within companies tends to be based on two or three levels, reflecting the internal company hierarchy, rather than individuals’ ‘need to know’. The result is that far more people can have access to information than is necessary or ‘safe’.
“Ultimately, organisations and their management need to prioritise understanding their own cyber security risks and requirements, and then develop an effective strategy. Cyber security risks today come in many guises. The most common are criminal in nature by hacking customers’ information and finances. But all organisations that use technology are at risk from hacking. For example, for manufacturers with automated processes hacking could result in a significant loss of production or intellectual property for the organisation – and ultimately its customers.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.