
What do Baby Face Nelson and today's cybercriminals have in common?


It was 84 years ago this week that our little town of Sioux Falls, South Dakota made national headlines.  As I look out of our office windows, I can see where it happened, just a couple blocks down the street.  John Dillinger, Baby Face Nelson and their gang robbed the Security National Bank.  They pulled up in their green 1934 Packard Super 8 and stormed the bank, firing off their Tommy guns to show that they meant business.  Once inside, they easily overpowered the staff and made their way to the $49,500 in cash they stole.

In the eight decades since John Dillinger and Baby Face Nelson, things have changed significantly.  Unless it is in the movies, rarely do we hear of well-dressed, heavily armed gangs who go from town to town robbing banks.  Today’s bank robbers dress in pajamas or sweatpants and never pick up a gun; keyboards and high-speed internet are their weapons of choice.  They often don’t bother to leave their basement, much less get within 1,000 miles of their target.  Today, our most prevalent threat has it much easier than the likes of Dillinger’s gang.  Cybercrime is far more successful than the old brute-force, Tommy gun style robberies.

It often feels as though we are fighting an uphill battle against the cybercriminals.  The news is full of stories of major data breaches and cyber heists.  We are scrambling to protect our valuable resources, but the cybercriminals continue to be several steps ahead of our best efforts.  Honestly, many financial institutions are no better protected against the pajama-wearing hackers than our small-town bank was against the Dillinger gang.  But why?  Year over year we are spending more on protecting our assets.  We are buying the latest firewalls and the best anti-virus software.  We are forcing our employees to watch social engineering training videos.  We perform vulnerability scans and penetration tests almost nonstop.  We feel like we are doing everything we can, yet we still are losing to the bad guys.  Why?

If we analyze the recent trends in cybercrime and look at the high-profile attacks that have taken place, almost all breaches could have been stopped if a few simple, basic concepts had been adhered to.  Instead of the constant race to mediocrity we are running against the hackers, focusing on five core tenets of cyber hygiene will protect us much better than all the bullet-proof glass, armed guards and steel safes in the world could have protected our banking ancestors.  The five principles I’m referring to are: patching, minimum privilege, encryption, segmentation and multifactor authentication.  If we do a good job in these five areas, our risk of a successful cyberattack drops to an almost negligible number.

Let’s start with patching.  Almost three-fourths of cyberattacks are perpetrated because the attacker is able to exploit a vulnerability in a piece of software or an operating system.  Interestingly, the percentage of times when these attacks are against vulnerabilities that are newly discovered (zero-day attacks) is on the decline.  Almost all of the vulnerability exploits occur against systems that have unpatched software or an operating system where the patch has been available for some time.  In fact, most successful attacks are against vulnerable systems where the patch has been available for over one year.  So effective, proactively managed patching is crucial to maintaining good cyber hygiene.

A good patching program does not mean relying on the built-in patching functions within the software.  It does not mean installing a Microsoft WSUS server and calling it sufficient.  A good patching program needs to account for all software in use and needs to include regular reports (that are reviewed and acted upon) that show the patch status of all systems in the organization.  Good patching also means that any system for which patches are no longer available needs to be relegated to the scrap heap.

The second tenet of good cyber hygiene is minimum privilege.  Since the beginning of digital systems, we have operated under the principle that users should have full access to everything, except the few items (sensitive records, payroll, human resources info, etc.) that need to be restricted.  Minimum privilege turns that concept upside down.  With minimum privilege, all users start with zero privilege.  Only when we start with absolutely nothing can we carefully analyze and grant each user the minimum privilege to the minimum set of resources they need to do their job.  For example, why give a user full permission to an entire folder of information if they only need read permission for one document?

Attackers typically make their way through a network using the credentials they are able to steal from the user or system they compromise.  Automated attacks such as ransomware operate in a similar fashion; they rely on the permissions of the user who is initially attacked.  If all users (including management and information technology personnel) have a minimum set of permissions to a minimum set of resources, attacks are stopped before they become widespread.

Next up is encryption.  In a recent attack, an organization had implemented some basic data-at-rest encryption and had even enforced data-in-transit encryption rules.  However, they didn’t realize that the company that had written and supported their core system had configured their core database to perform hourly flat-file backups.  From a support and recoverability perspective, this is a great safeguard.  However, these backups of their entire core database were written to clear-text files, completely unencrypted.  The attackers quickly found and exfiltrated this data.

All data in our network should be encrypted while at rest, within backups and while in transit.  We need to encrypt all of our endpoints (PCs, laptops, etc.), and any other system that holds bank data.  With the tools that are available to us, encryption is fairly easy to implement.  Where many organizations go wrong is not thoroughly identifying where vulnerable data resides and where the holes in their encryption program exist.
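The gap in the story above was a backup job nobody had checked. As an added example (not from the original article), the scanner below walks a backup directory and labels each file by what its first bytes look like: readable text, a compression container, or opaque high-entropy data. The directory path, thresholds and sample data are constructed assumptions; an "opaque" result is consistent with encryption but still needs confirming against the backup tool's configuration.

```python
"""Flag backup files that are clear text (or merely compressed) rather than encrypted.

Added example, not part of the original article. Thresholds are heuristics chosen
for illustration: text dumps (SQL, CSV, JSON) sit well under 6 bits/byte of
entropy; ciphertext and compressed data both approach 8 bits/byte.
"""
import math
from collections import Counter
from pathlib import Path
from typing import Dict

# Compression is often mistaken for encryption: a gzip'd SQL dump has high
# entropy but is trivially readable, so recognise common containers by magic.
COMPRESSED_MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"BZh": "bzip2"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a single repeated byte, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify(sample: bytes) -> str:
    """Label a file-header sample as 'cleartext', 'compressed' or 'opaque'."""
    for magic in COMPRESSED_MAGIC:
        if sample.startswith(magic):
            return "compressed"
    if shannon_entropy(sample) < 6.0 and printable_ratio(sample) >= 0.9:
        return "cleartext"
    return "opaque"  # high-entropy, non-text: possibly encrypted, verify separately


def find_unencrypted_backups(root: Path, sample_size: int = 4096) -> Dict[str, str]:
    """Return {path: label} for every file under root that is not opaque."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            label = classify(fh.read(sample_size))
        if label != "opaque":
            findings[str(path)] = label
    return findings


if __name__ == "__main__":
    import sys
    for name, label in find_unencrypted_backups(Path(sys.argv[1])).items():
        print(f"{label:10} {name}")  # e.g. "cleartext  /backups/core_0900.sql"
```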

The fourth area of cyber hygiene is segmentation.  When an attacker gains access to the first system in a network, their primary objective is to hop around the network, from system to system, until they are able to find better and better information.  They are making these lateral movements in an attempt to steal higher-level credentials or to locate and exfiltrate information that can be monetized.

The process of segmentation breaks up the network so these lateral movements are impossible.  Normal traffic on the network is identified, and specific rules are set up on switches and firewalls to allow only this expected traffic.  All other communications between devices are blocked.
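The two steps just described, identify the expected traffic and then deny everything else, can be modelled before any switch or firewall is touched. As an added example (not from the original article), the policy below uses constructed segments, allow-list rules and sample flows; `audit()` runs the policy in monitor mode over observed flows so the rules can be corrected before they are enforced.

```python
"""Default-deny segmentation policy from an allow-list of expected flows.

Added example, not from the original article. Segment ranges, rules and
flows are constructed; the point is the shape of the policy, not the values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed segments for a small branch network.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.20.0.0/24"),
    "core_db": ip_network("10.30.0.0/28"),
    "mgmt": ip_network("10.99.0.0/28"),
}

# The traffic the business actually needs, segment to segment. Nothing else
# is listed, so nothing else is permitted, including peers in one segment.
ALLOW = {
    ("workstations", "servers", "tcp", 443),  # users to the web front end
    ("servers", "core_db", "tcp", 5432),      # app tier to the database
    ("mgmt", "servers", "tcp", 22),           # admin jump host only
    ("mgmt", "core_db", "tcp", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(addr: str) -> Optional[str]:
    """Name of the segment containing addr, or None for an unknown host."""
    ip = ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)


def decide(flow: Flow) -> str:
    """'allow' only for a listed segment pair/protocol/port; otherwise 'deny'."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return "deny"  # unknown hosts never get implicit trust
    return "allow" if (src_seg, dst_seg, flow.proto, flow.dport) in ALLOW else "deny"


def audit(observed: List[Flow]) -> List[Flow]:
    """Monitor mode: observed flows the policy would block, for review first."""
    return [f for f in observed if decide(f) == "deny"]
```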

The last principle is multifactor authentication.  Again, one of the main goals of our pajama-wearing attacker is to steal the credentials of a user and exploit those credentials to gain access to additional systems and data on the network.  This is far too easy when the credentials consist of a simple username and password.

Multifactor authentication looks at three aspects of users: something the user knows, something the user has and something the user is.  When authentication requires at least two of these factors, the risk of compromise drops significantly.  Our traditional username and password combination only requires one factor—something the user knows (their password).  But if we also require the user to supply a second factor, we have greatly increased our security.  A second factor can be something the user has (for example, a keycard, an RSA token or their personal cell phone), or something the user is (for example, a fingerprint or an iris scan).  The technology exists to add multifactor authentication to almost every system we use; it is just a matter of implementing it and enforcing it.

I wonder how long it was after the taillights of Dillinger’s Packard disappeared into the distance that the 1934 bank leadership started thinking about how to prevent that kind of thing from happening again.  I bet it wasn’t long.  No doubt the same feeling is shared by the countless bank leaders who have suffered a recent cyberattack.  But, you don’t need to be a victim to implement safeguards.  As the cliché goes, an ounce of prevention is worth a pound of cure.  In cybersecurity, that ounce of prevention comes from five basic principles of cyber hygiene.  By implementing effective patching, minimum privilege, encryption, segmentation and multifactor authentication, you may never have to know what it feels like to suffer an attack and wonder what you could do better next time.

To learn about RSM’s technology, security and regulatory compliance package designed just for financial institutions, read FIT as a Service.  For information about how RSM industry experts can help mitigate cybersecurity risks, please contact us.