CYBER SECURITY

Are you confident your organisation's cyber security is up to scratch? It may be time to think again, as Chaucer Consulting's Richard Thwaite runs through five cyber scams that have caught defences off-guard.

Richard Thwaite, director of technological advisory at Chaucer Consulting, has also worked for UBS and London's Metropolitan Police Service. In a poacher-turned-gamekeeper twist, he advises Chaucer on what CIOs are looking for to enable them to deliver technology more effectively, including security systems. Here he gives us the benefit of his experience on some of the most common, and some of the most audacious, cyber tricks he's encountered. As Thwaite says: "The technology often isn't the issue, however advanced it is. The weak link is, inevitably, human behaviour."

1. A man in a uniform

Black trousers, black shirt, baseball cap: the uniform of IT engineers everywhere. So when the staff of a branch of a well-known bank were asked by an IT engineer, sent from head office, to open their server room so he could perform routine maintenance, they did it without question. They may even have made him a coffee. The cyber scammer had all the time he needed to 'fix' the server. Luckily, the bank's systems detected the subsequent unusual network activity very quickly and were able to resolve the problem.

Trust in the support staff we encounter every day (cleaners, engineers, receptionists and so on) makes us suspend our normal curiosity. We tend to accept implicitly people who look and talk the part. Working against this tendency takes time and effort, but organisations have to keep at it. Your entire team may be trained in the protocols, and stick to them day in and day out, but all it takes is one new member of staff who hasn't been trained and the door is wide open. As with most tools in the cyber-war armoury, raising awareness and showing why staff must stick to processes is an ongoing requirement.

Perhaps only one thing has the potential to make us even more vulnerable than human trust: human curiosity.

2. The most tempting thing in the world

Human curiosity has driven the development of everything that makes our modern lives safer, easier and longer. However, it also drives us to want to uncover what's concealed, suspending our usual caution along the way. Perhaps the only thing more tempting than knowledge is hidden knowledge. That's why 'USB bombing' is so effective. Hostile governments and commercial competitors drop USB sticks outside company offices or government buildings. Staff pick them up, bring them inside and, keen to find out what's on them, plug them in. Programmes or viruses, depending on the motivation of the attacker, are downloaded in an instant. Everything from keyboard strokes to passwords is now in someone else's hands.

In practice, governments are proving less vulnerable to this kind of attack than businesses. Their protocols, both technical and in terms of staff training, are generally more effective than those of their commercial counterparts. The UK government's Home Office lockdown is a particularly strong example. Human beings are the same everywhere, so if government can do it, so can business. While the public sector is often exhorted to learn from the private sector, this is one area where businesses should learn from the best government practice.

3. A little leaving present

The risk posed to organisations by well-motivated, secure staff pales in comparison to the damage a disgruntled employee can do. In the US office of a large global bank, an IT administrator saved all his payback for his last day. He programmed a time bomb to eliminate all privileges and access, taking the servers down with him. With no one able to access the system to restore the servers, the whole US office was down for an entire day, causing material loss and reputational damage that it was impossible to hide.

This company subsequently implemented a swift 'break-glass' procedure. However, prevention is better than cure, so they went further. Recognising that people know people best, the company now has a global performance training programme for system administrators. This programme also highlights the things to watch for in their colleagues' behaviour that could signpost that they were likely to take this kind of action. While not fail-safe, the fact that such a programme exists, and that colleagues are keeping an eye on each other, tends to act as a disincentive for staff who want to give their employers a leaving present they won't forget.

4. Transferable skills

People working in back-office functions become the real experts in how things work. They know the systems and the processes, and they know how often these are reviewed and changed, if at all. So, when one of the operations staff at a global investment bank moved from the back room to the trading floor, he already knew there was a long, automated time lag between a trade being placed and the changes being made to the invoice. In what became one of the biggest scandals to hit the company, this allowed him to far exceed his authorised trading limits. At one point, his bets exposed the bank to US$12bn in losses, despite his unit only being authorised to risk US$100m intra-day and US$50m overnight. The eventual loss to the bank was US$2.3bn. Bad. However, with such a lax system, it could have been much worse.

The trader was sentenced to seven years in prison, but the damage to the bank's reputation was even more severe. The Financial Services Authority's report revealed the cultural, as well as technological, weaknesses that allowed the situation to happen. These included: a failure by the trading desk management to ask how huge revenue rises were being generated; a back office reluctant to challenge traders about discrepancies in their trading books; and a culture of helping clear these discrepancies based purely on traders' own explanations. I suspect that people studying for risk qualifications will be taught this case study for decades to come. It's certainly a terrible example of what can happen when you don't put people at the dead centre of your risk management strategy.

5. It's tough at the top

The last real-life example may confirm what many junior staff suspect: that those at the very top of their companies don't always practise what they preach when it comes to cyber safety. Hackers are increasingly targeting the email addresses of CEOs and board members. They then send these senior executives a plausible email with a virus-infected attachment, confident they are more likely to click on it and trigger the virus. The psychology here relies on the fact that senior executives, by and large, have little IT knowledge or experience, whereas more junior staff tend to be more cautious and pay more attention to warnings about cyber scams. I've lost count of the number of times that virus audits lead back to those at the top, and the bigger the organisation, the more likely this seems to be. So, senior execs, please take note: if anything, hackers' understanding of behaviour and knowledge at the top of your organisation makes you more likely to be targeted, not less. Surprise them.