
Hackers breached the blockchain-based Poly Network platform, which was launched by the founder of Chinese blockchain project Neo. Poly Network announced the attack on Twitter, urging the hackers to return the assets. 

Blockchain is a system of recording information in a way that makes changing, hacking, or cheating the system incredibly difficult, if not impossible. It is fundamentally a digital ledger of transactions that is duplicated, then distributed, across the whole network of computer systems on the blockchain. Every digital coin has its own blockchain and each is different from the others. Poly Network, a decentralised finance platform, works to connect these different blockchains so that they are able to work together. “DeFi” is the broad term given to financial applications based on blockchain technology that works to cut out intermediaries, such as exchanges and brokerages. Supporters argue that this makes financial applications, such as lending, more affordable. In a tweet, Poly Network stated that the amount of money stolen is the largest in DeFi history. 

Hackers have since sent the stolen money to various other cryptocurrency addresses. Researchers at blockchain ecosystem security company SlowMist have said that over $610 million worth of cryptocurrency was moved to three different addresses. Poly Network has urged crypto exchanges to blacklist tokens coming from these three addresses.

F-Secure’s ‘Cyber Threat Landscape for the Finance Sector’ shows that the sophistication of adversaries targeting banks, insurance companies, asset managers and similar organizations can range from common script-kiddies to organized criminals and state-sponsored actors. And these attackers have an equally diverse set of motivations for their actions, with many seeing the finance sector as a tempting target due to its importance in national economies.

The report breaks down these motivations into three groups: data theft, data integrity and sabotage, and direct financial theft.

“This is a useful way to think about cyber threats, because it is easy to map attacker motivations across to specific businesses, and subsequently understand to what extent they apply,” says F-Secure Senior Research Analyst George Michael. “Once you understand why various threat actors might target you, then you can more accurately measure your cyber risk, and implement appropriate mitigations.”

Data integrity and sabotage – where systems are tampered with, disrupted or destroyed – is the cyber criminals’ method of choice. Ransomware and distributed denial-of-service attacks (DDoS) are among the more popular techniques used by cyber criminals to perform these attacks.

Similar attacks have been launched by state-sponsored actors in the past. But these are less common and often linked to geopolitical provocations such as public condemnation of foreign regimes, sanctions, or outright warfare.

And while North Korea has the unique distinction of being the only nation-state believed to be responsible for acts of direct financial theft, their tactics, techniques, and procedures (TTPs) have spread to other threat actors.

According to Michael, this is part of a larger trend that involves adversaries offering their customizable malware strains or services-for-hire on the dark web, contributing to a rise in the adoption of more modern TTPs by attackers.

“North Korea has been publicly implicated in financially-motivated attacks in over 30 countries within the last three years, so this isn’t really new information,” says Michael. “But their tactics are also being used by cyber criminals, particularly against banks. This is symbolic of a wider trend that we’ve seen in which there is an increasing overlap in the techniques used by state-sponsored groups and cyber criminals.”

In addition, understanding cyber threats relevant to specific organizations is crucial to being able to detect and respond to an attack when it occurs.

“Understanding the threat landscape is expensive and time-consuming,” says Michael. “If you don’t understand the threats to your business, you don’t stand a chance at defending yourself properly. Blindly throwing money at the problem doesn’t solve it either – we continue to see companies suffer from unsophisticated breaches despite having spent millions on security.”

There are new competitive threats. Blockchain and smart contracts are changing the way people procure financial services. At the same time, client expectations are continually rising, a process accelerated by the arrival of new digitally-orientated competitors.

Recruitment is also a challenge, as skills shortages take their toll on the ability of businesses to grow and innovate.

Then there are compliance obligations, which are getting tougher. GDPR and PSD2 will continue to have major effects on financial services, which spend an estimated £5 billion each year on compliance.

Cybersecurity is another pressing concern. Financial services are a prime target for hackers, with large banks of sensitive and lucrative data that can be stolen and sold on.

All of this is happening against a backdrop of economic uncertainty, driven by issues including Brexit, which are forcing financial firms to reconsider where and how they work.

In response, forward-looking firms are reviewing and reshaping established working practices and structures, assisted by technologies that allow for greater flexibility, responsiveness, efficiency and service levels.

New ways of working

Establishing new ways of working depends on equipping key personnel with the tools to be agile, productive and compliant, regardless of where they are working.

CDW is working with Microsoft to demonstrate the potential of the Microsoft Surface family in the professional services sector. Let’s look at how the key capabilities of Microsoft Surface come into play at different levels of the organisation.

Out in the field, employees including insurance adjusters and wealth advisors benefit from having the latest productivity and collaboration tools built into a device that enables online connectivity even without Wi-Fi. The Microsoft Surface Go, with advanced LTE capabilities and scope for the insertion of a SIM card, empowers these professionals to work without compromise. They can deliver enhanced customer experiences with on-the-spot insight.

Back at the office, colleagues including corporate legal associates and solicitors could use the Microsoft Surface Pro 6 to draft complex documents, work with colleagues via Teams, bring up information via PixelSense touchscreens and run full-featured desktop and mobile apps.

However, making a case for IT investment requires robust ROI projections that are notoriously difficult to calculate.

What’s the payback?

To establish a robust business case for its Surface devices and associated software, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI).

The objective was to examine the potential ROI enterprises may realise by implementing Microsoft 365 Enterprise on Microsoft Surface devices. To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed and surveyed hundreds of customers with experience using Microsoft 365 on Microsoft Surface devices.

In the report, ‘Maximizing Your ROI From Microsoft 365 Enterprise With Microsoft Surface’[i], Forrester concluded that organisations using Microsoft Surface devices powered by Microsoft 365 Enterprise have the following three-year financial impact:

Forrester reported: “To rapidly innovate, better serve customers, and engage workers, organisations across the globe are using technology-driven solutions that improve information sharing, enhance teamwork, accelerate decision making and drive process efficiencies. Organisations are leveraging modern devices with next-generation capabilities, including voice recognition, digital pens, and touchscreens, to further empower their digitally-driven workforces. This strategy is working: 62% of information workers agree that using these next-generation technologies helps to make them more productive in their jobs.”

Quantified benefits

The following risk-adjusted quantified benefits are representative of those experienced by the companies surveyed and interviewed:

On the job with Microsoft Surface

With advanced devices such as the Surface Laptop 2, Surface Go or Surface Pro 6, running Microsoft 365, finance professionals can:

To help IT leaders in financial and legal services exploit the advantages of the Surface family, CDW provides a range of wrap-around services that add value in important areas. An extensive range of maintenance and support services are offered by CDW, underpinned by tailored SLAs and delivered by accredited engineers with demonstrable technical expertise. Design services, including the build of a main image, are also available alongside pre-delivery asset-tagging, deployment support and delivery.

Download the free guide to Digital Empowerment in Legal & Financial Services: https://bit.ly/2PuRDvQ

 Or you can learn more by calling 020 7791 6000

Website: https://www.uk.cdw.com/

 

[i] https://info.microsoft.com/ww-landing-Forrester-TEI-Surface-M365-Full-Report-Whitepaper.html?lcid=en

[ii] The financial results calculated in the benefits and costs sections of the study were used to determine the ROI, NPV, and payback period for the composite organisation’s investment in Microsoft 365 powered Surface devices. Forrester assumed a yearly discount rate of 10% for this analysis.

 

You’ve seen a lot of content, articles, warnings and advice on cybersecurity, with hundreds of firms trying to sell you next level cyber protection. So, before you do anything else, you need to know what exactly it is you’re protecting yourself against. Below Suid Adeyanju, Managing Director of RiverSafe, lists 10 threats you need to be aware of.

In early July IBM Security and the Ponemon Institute released a new report titled ‘Cost of a Data Breach Study’. In this study it was reported that the global average cost of a data breach and the average cost for lost or stolen information both increased. The former is up 6.4% to £2.94 million while the latter increased by 4.8% year over year to $112.57. This shows that cyberattacks on enterprises continue to rise. In particular over the last two years there has been a continual stream of concerning data security breaches.

One of the ways that organisations can defend against attacks is to ensure staff understand and are educated about the cyber threat landscape.

Understanding Threats to your Business

Getting the right technology, services, and security professionals is only a part of tackling the cyber security problem. It is also important that companies get a clear understanding of the cyber threat landscape. This means knowing where these types of attacks can come from and in turn, who is leading the attack (whether it be an individual or group). Often, knowing the answer to these types of questions leads to an understanding of the motive and makes countering the attacks easier. So, in this article, I wanted to highlight the areas of the cyber threat landscape that enterprises should be aware of.

  1. Nation State: This kind of hacking is often government versus government. It is often functionally indistinguishable from cyber terrorism, but the defining trait is that the attack is officially sanctioned by a country’s government. These attacks can involve not only hacking but the use of more traditional spying as well.
  2. Insider Threat: This is one area where many businesses least expect a threat to come from: inside the business itself. A report from A10 Networks revealed that employee negligence is a major cause of cyber attacks, with employees unknowingly allowing hackers into the business through unauthorised apps. And, on the very rare occasion, a disgruntled employee could try and bring the business down in revenge, so it is always important to investigate who could have access because there is every chance that the threat could come from the inside.
  3. Individual Attackers: When you think of the stereotypical hacker most thoughts turn to a hooded youth sitting alone in their room. This is the individual attacker and their motives are often more one of curiosity and learning. They want to see if they can hack a system rather than attempt anything malicious. This is the most neutral cyber threat.
  4. Industrial Espionage: Sometimes an unrelated group and other times a rival business, cyber threats that deal with industrial espionage have the motive of creating problems for your business. The most common reason for industrial espionage is to discover the secrets of a rival business, often through spying. However, it could also involve destroying valuable data or, with some IoT devices, physically breaking the technology. Anything that can push a business over a competitor.
  5. Cybercriminals: Much like the individual attackers, cybercriminals are an all-encompassing cyber threat. Almost all hackers are criminals in some way and the motives can vary from demanding money, to setting up crypto-mining, to damaging company property. Whatever they do it won’t be a good thing.
  6. Phishing and Ransomware: These are some of the most common types of attacks you’ll find cyber criminals performing. These attacks are motivated purely by financials and exist to either scam a business out of money or hold valuable company data at ransom. Sometimes this can be a distraction to hide something more nefarious. Therefore, organisations need to make sure they are prepared for any escalation.
  7. Ethical Hackers: An ethical hacker is the opposite of a cybercriminal, as the term ‘ethical’ implies. These types of threats are often undertaken for the sake of a company, and often have been paid for by the business to see if it can hack into its own servers. These hackers test the security resilience of a business and locate areas that are vulnerable, before an ‘unethical’ hacker comes along.
  8. Hacktivists: A hacktivist is a sub-set of cybercriminals whose motives are more ideological. As the name references, a hacktivist is essentially a cyber activist. They are using hacking purely to push an agenda, whether political, religious, or otherwise, rather than a financial motive. A hacktivist attack can be something as simple as changing the text on a company website to a more nefarious act that interferes with the day to day running of the business.
  9. Cyber Terrorism: While hacktivists don’t always cause damage, a cyber-terrorist will. Just like real terrorism, cyber terrorism exists to bring terror to your business, country and customers. Examples include the attacks on the NHS last year which aimed to bring systems down in hospitals and cause chaos and fear.

Understanding all the different types of attacks in the cyber threat landscape can help you build your cyber defence by identifying a motive and tracing what kind of opponent your business is facing, as well as whether this is an attack aimed primarily at an individual or an organisation, or a national-level threat where the solution would be to work with other companies to stop the attack as a team.

Positive Technologies recently released a new report, ‘Bank Attacks 2018’, detailing that banks have built up formidable barriers to prevent external attacks, yet fall short in defending against internal attackers. Whether by puncturing the perimeter with social engineering, vulnerabilities in web applications, or the help of insiders, as soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries.

With access to the internal network of client banks, Positive Technologies testers succeeded in obtaining access to financial applications in 58% of cases. At 25% of banks, they were able to compromise the workstations used for ATM management—in other words, these banks fell prey to techniques similar to ones used by Cobalt and other cybercriminal gangs in actual attacks. Moving money to criminal-controlled accounts via interbank transfers, a favorite method of the Lazarus and MoneyTaker groups, was possible at 17% of tested banks.

Also at 17% of banks, card processing systems were poorly defended, which would enable attackers to manipulate the balance of card accounts. Such attacks were recorded in early 2017 against banks in Eastern Europe. The Carbanak group, notorious for its ability to attack nearly any bank application, would have been able to steal funds from over half of the tested banks. On average, an attacker able to reach a bank's internal network would need only four steps to obtain access to key banking systems.

The new report notes that banks tend to do a better job than other companies of protecting their network perimeter. In the last three years, penetration testers could access the internal network at 58% of all clients, but only 22% of banks. However, this number is still concerning, considering the high financial motivation of attackers and failure of many banks to audit code security during the design and development stages. In all test cases, access was enabled by vulnerabilities in web applications (social engineering techniques were not used). Such methods have been used in the wild by such groups as ATMitch and Lazarus.

Banks are at risk due to remote access, a dangerous feature that often leaves the door open to access by external users. The most common types are the SSH and Telnet protocols, which are present on the network perimeter of over half of banks, as well as protocols for file server access, found at 42% of banks.

However, the weakest link in bank security is the human factor. Attackers can easily bypass the best-protected network perimeter with the help of phishing, which offers a simple time-tested method for delivering malware onto a corporate network. Phishing messages can be sent to bank employees both at their work and personal email addresses. This method for bypassing the network perimeter has been used by almost every criminal group, including Cobalt, Lazarus, Carbanak, Metel, and GCMAN. In tests by Positive Technologies, employees at 75% of banks clicked on links in phishing messages, and those at 25% of banks entered their credentials in a fake authentication form. Also at 25% of banks, at least one employee ran a malicious attachment on their work computer.

The report also describes the organizational arrangements of these groups, with examples of announcements on hacker forums offering the services of bank insiders. Experts state that in some cases, the privileges of an employee with mere physical access to network jacks (such as a janitor or security guard) are enough for a successful attack. Another method for infecting banks is to hack their business partners and contractors, who may poorly secure their networks, and place malware on sites known to be visited by bank employees, as seen with Lazarus and Lurk.

After criminals obtain access to the bank's internal network, they need to obtain local administrator privileges on servers and employee computers. To continue their attack, the criminals rely on two key "helpers": weak password policies and poor protection against recovery of passwords from OS memory.

Almost half of banks used dictionary passwords on the network perimeter, but every bank had a weak password policy on its internal network. Weak passwords are set by users on roughly half of systems. In an even larger number of cases, testers encounter default accounts left behind after use for administrative tasks, including installation of databases, web servers, and operating systems. A quarter of banks used the password "P@ssw0rd". Other common passwords include "admin", keyboard combinations resembling "Qwerty123", blank passwords, and default passwords (such as "sa" and "postgres").

Once inside the network, attackers can freely roam about by using known vulnerabilities and legitimate software that does not raise red flags among administrators. By taking advantage of flaws in protection of the corporate network, attackers quickly obtain full control of the bank's entire digital infrastructure.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, outlined recommendations for banks: "The good news is that it's possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken. Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions. It's critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations center. In addition, SIEM solutions substantially simplify and improve the effectiveness of incident management."

(Source: Positive Technologies)

Forget about high-tech espionage. Many of the headline-grabbing hacks from the past few months hinged on low-tech social engineering—the use of deception to manipulate users into giving up their passwords and other data, writes LeClairRyan attorney David Z. Seide in a new post on the national law firm's "Information Counts" blog.

"This kind of hack takes many forms—examples include security alerts from what appear to be trusted websites to update passwords, and phishing emails from what appear to be known, trusted contacts asking to download files or click on provided links," writes Seide, a partner on LeClairRyan's Compliance, Investigations and White Collar team, based in the national law firm's Alexandria, Va., and Washington offices.

In the Feb. 27 post ("Cyber Security and Social Engineering: A Big Low Tech Problem"), Seide notes that the consequences of computer network penetration through social engineering have been dire for victims. He cites a prime example: the hack of Hillary Clinton's 2016 presidential campaign.

"There, the campaign chair received what appeared to be a genuine email from Google's 'Gmail Team' informing him that a Ukrainian computer had just used his password to try to sign in to his Gmail account," Seide explains in the piece. "The email went on to say that Google had stopped the attempt, advised the chair to change his password immediately, and provided a 'Change Password' link. Believing the email to be authentic, the chair clicked on the link and changed his password."

As the world now knows, of course, the new password went straight to hackers, who promptly downloaded 30,000-plus emails in the account and sent them to WikiLeaks for publication. "This hack succeeded only because hackers used social engineering techniques to trick the unwitting user into effectively giving a secure password to what appeared to be a trusted source," writes Seide, an experienced litigator and internal investigator, who led multiple high-profile internal and financial investigations for several federal agencies prior to joining LeClairRyan last month. Those roles included leading the Department of State Office of Inspector General team that reviewed and published multiple reports in 2016 concerning the use of personal email for official business by Hillary Clinton and four other Secretaries of State.

For the foreseeable future, he notes, low-tech social engineering hacking will continue to be a dominant cyber risk. "If anything, it is likely to proliferate across growing and emerging technology platforms—mobile and other Internet-enabled devices (Internet of Things) and social media," he explains.

This is precisely why defending against such hacks requires more and better "cyber hygiene," which Seide describes as "no different than regularly washing hands to prevent infection." Toward that end, he offers a set of best practices for guarding against social engineering. They include ramping up education about social engineering; closely monitoring the level of security-protocol compliance within your organizations; maintaining vigilance and skepticism, and engaging in timely reporting of hacks or potential hacks.

"Cyber security is an ongoing process that changes as fast as technology changes. And technology changes fast," the attorney writes in the conclusion to the piece. "These suggestions are by no means cure-alls. But they will reduce social engineering risk and may demonstrate a prudent effort to address a serious problem we all regularly face."

(Source: LeClairRyan)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.