Hackers need insiders, so it's time to protect staff from themselves

Register now

With the hyper-cybersecurity regulations, and the nearly nearly $10 billion spend on cybersecurity during this decade, it wouldn't be out of place to ask — how could a financial institution or payment card firm ever get hacked?

Yet they do, and it happens seemingly all the time.

Clearly, it's not “script kiddies” or aggressive password cracking techniques that are enabling hackers to invade banking IT systems, establish a presence (by installing malware or other compromised code), and either stealing data on customers, compromise its ATMs, or mess with mobile apps to cheat users out of their cash.
Cybersecurity systems today are very sophisticated, to the extent that they can even predict what new malware will look like before it is even created. Sandboxes, firewalls and advanced anti-virus protection ensure a hacker attack aimed at depositing a cyber “booby prize” is interdicted before it gets within a mile of a financial institution's IT system.

But those tools are only effective if they are facing the enemy dead-on. Hackers who tried to break into a network and install malware have their work cut out for them. But if they could recruit an insider to do it for them, such as an employee or other individual with access to the network, then they wouldn't have to worry about anti-malware systems, firewalls, sandboxes, or any of the other defenses designed to keep them out. Their agent will make sure they get in. And once they're in, all bets are off.

While in former days, hackers might have bribed someone to compromise their organization's cyber-safety, they have gotten sophisticated enough to be able to do that without having to lay out a nickel, by using socially engineered phishing email techniques that are the vehicles of choice for hackers to infiltrate networks.

As many as 95% of security breaches have origins in phishing attacks, which feature sophisticated messages designed to practically force the recipient to open up an attached document that could be carrying malware. A message purportedly from a worker's manager with a stern title (“open now, urgent, top priority!”), sent from a spoofed account, would be more than enough to get an employee to read the message and open any “urgent” attachment inside.

That attachment could contain an infected malware macro that would pass the muster of any security system. Some of these macros could contain fileless malware — code that by itself doesn't include anything that looks like an anomaly that would be caught by a security system. Fileless malware sits in a computer's RAM, and is injected into and run by various combinations of legitimate processes such as Windows PowerShell, JavaScript, WMI (and other administrative/generally nonmalicious software) and penetration tools such as Meterpreter, Mimikatz.

Thus, the finance industry's Achilles heel. For all the thousands of regulations and safety procedures, the millions of lines of cybersecurity code that institutions use to defend themselves, and the billions they spend on cybersecurity, hackers can still penetrate IT systems.

Is there any way for organizations to defend themselves? If the weak point in an organization's defense is its employees, and their tendency to fall for phishing schemes, then the answer may be to obviate the possibility of an employee being tempted by them, by keeping them away from employees in the first place. Systems that can detect anomalies as sophisticated as fileless malware are needed in order for institutions to defend themselves.

Such systems would remove the offending code and then pass the email and attachment on to the recipient, who could then feel free to respond to the phishing message's pitch — because there will be nothing in that message to compromise the recipient's computer or the institution's network. By installing systems like these, banks can defend themselves against what be their weakest cybersecurity link — the people who work for them.

For reprint and licensing requests for this article, click here.
Data breaches Phishing Financial services industry Payment processing Retailers ISO and agent