Here we go again: another company (or companies) hacked with losses, but there are a couple of big differences in this case. At this point it looks like the attack was mainly about dollars, or I should say a BILLION dollars, and not about gaining information. This was a classic robbery using a high-tech hack of a lot of foreign and domestic banks. They kept the amount below $10 million to avoid detection, and frankly we have been trained to look for a leak of information and not money.
Outside of the billion dollars that are now gone, the most disturbing part of this attack is how it was carried out. This was an advanced persistent threat that penetrated the banks’ networks as malware, dug for information and took action. It appears that employees at these banks inadvertently downloaded malware when they clicked on emails sent by the cybercriminals. This access allowed the attackers to program ATMs to spit out money and to transfer money into accounts.
Even though they were not the target of this attack, customers need to be vigilant in making sure nothing is missing from their accounts and their personal information isn’t being used. Customers should check with their banks to see if their accounts or information were accessed and demand that the banks pay for a credit monitoring service.
You may be thinking, what makes this more disturbing than usual? Let’s look at how access was achieved in this case: an employee opened an email and clicked on a link that granted the hackers access to the network. I’m sure the employee had no idea of the problems they were creating, and that is a big problem.
We haven’t taught our end users enough about the dangers of what’s out there and how to stop them. They are treated solely as problems when they could be part of the solution. We need to educate and train our end users as they are our frontline against these types of attacks. What if those users stopped to think before opening the email or clicking on the link? What if their employer had taught them the basics of what to look for? What if they verified the identity of the sender? Questioned why it was sent to them? What if they looked at every email as a possible attack?
We can’t just drop money into next-generation firewalls, web gateways, IPS devices, forensics tools and the tool of tomorrow. We also need to educate everyone on what to look for, when not to click and when to call the security office. We need to empower the end users with information that will allow them to become part of the solution instead of the problem. Frankly, education needs to extend beyond the corporate world into our homes, where we need to educate all our families and friends so we can help slow down these attacks.
I’m not saying that education will stop all attacks, as there are plenty of attacks that don’t rely on an end user opening the door, but if we can stop even one attack with education, it may just be worth a billion dollars.