Last updated: 17 June 2016
Bank Cyber-resilience through layered security
We’ve been writing for a while now about the criticality of layered security in banks, and, sadly, the recent breach at Bangladesh Bank has served to illustrate just how critical this effort is—and how costly a failure to act may be.
For those unfamiliar with the news, the large-scale breach first made headlines back in March. Through an attack at the Bangladesh Bank’s environment, criminals were able to gain access to the bank’s credentials.
Following are a few of the most salient aspects of this attack:
- The scale is massive. Some reports indicate this is one of the largest bank robberies in history. Through a single compromise, criminals were able to move and steal $81 million, and BankInfoSecurity reported that just $6.9 million might still be recoverable. Even scarier is this: The attackers attempted to steal $1 billion, and it appears they would have succeeded were it not for a spelling mistake in one of the orders, which flagged the follow up and investigation that thwarted the remaining transfers.
- The attack was sophisticated. Once inside the bank’s network, sophisticated malware was able to surreptitiously alter the Oracle database, so the attackers could start sending the messages needed to initiate money transfers. In addition, it established a way to eliminate the printing of associated confirmation messages that would have helped to alert staff members that the breach had occurred.
- Other banks have been—and will be—targeted. Given the size of the prize won through the Bangladesh Bank hack, it seems clear other criminals will be lured to wage similar attacks on other banks and financial institutions.
Reports show that many banks’ defenses aren’t what they need to be. One BBC report even indicated that Bangladesh Bank’s infrastructure was employing second-hand, $10 routers and lacked a firewall.
Attacks Underscore the Importance of Layered Security
Ultimately, the lesson from these revelations is that bank security teams need to take a rigorous approach and establish multi-layered defenses. By combining multiple, complementary security measures, banks can begin to establish protections that are comprehensive, strong, and reliable.
This multi-layered approach is vital to enabling banks to become cyber resilient—meaning even if one defense is circumvented, others will be in place to ensure the integrity of the overall ecosystem is preserved. A comprehensive multi-layer security approach needs to encompass the following four layers:
- End-point protection. It is essential for banks to establish safeguards across all user devices, including smartphones, tablets, and laptops. Controls need to be in place to establish the authenticity and integrity of devices before sensitive data is accessed or transactions are conducted.
- Authentication and transaction signing. In order to establish a secure and cyber-resilient infrastructure, it is vital for banks to implement strong authentication capabilities that validate the identities of users and computing devices that request access to the bank’s systems and networks. Security teams should take a flexible approach that supports different authentication methods, so techniques can be aligned with different risk levels. This will help ensure a robust, yet efficient and cost-effective implementation.
- Fraud management. In order to establish strong protections for bank customers and back-end systems, security teams should look to employ fraud management capabilities that offer end-to-end transaction monitoring and seamless integration with other security layers. Through sound fraud management, security professionals can track transactions, analyze trends, and identify and prevent fraudulent activities. In this effort, it is important to leverage data from various areas, including transaction details, device details, authentication information, and cyber intelligence sources.
- Encryption and key management. Encryption represents a means for establishing security in the core of the banking infrastructure, and can be applied directly to sensitive data, wherever it resides. Through encrypting data at rest and in transit, banks can ensure that, even if several other defenses are bypassed, sensitive assets will not be exposed.
What did we learn about muli-layered security?
In the wake of the revelations coming from the Bangladesh Bank events, a lot of solutions and remedies have been proposed. If banks are to stay ahead of increasingly innovative cyber criminals, however, any one security measure simply won’t cut it. Often well-funded, and lured by massive profit potential, these attackers will not be stopped by any single defense. However, through strong, multi-tiered defenses, banks can erect the barriers that stymie these attacks. If you’re interested in learning more about establishing strong, multi-layer security in your digital banking environments, be sure to visit our layered security in banking site.