Earlier this month, the WannaCry ransom attack infected more than 300,000 Windows PCs around the world. The strain of ransomware demanded that infected businesses and individuals pay $300 in order to unlock each machine—as well as the data stored on their devices. Although WannaCry was quickly thwarted, there are bigger, scarier, and unknown threats lurking that can do massive damage to your business.
You've probably read dozens of articles on how you can protect your business and yourself, and you've probably enlisted the help of endpoint protection software to keep your company safe. But did you know that even the most inconspicuous devices plugged into your network can allow hackers to do massive damage to your business?
I spoke with Yossi Appleboum, co-CEO of Sepio Systems, about what you need to know about large-scale attacks in the financial services industry, what small financial services companies need to do to stay prepared, and why peripherals like mice and keyboards could be a major threat to your business.
PCMag: What is the worst-case, nightmare scenario in terms of someone or some group hacking into a financial institution?
Yossi Appleboum (YA): Any time data is compromised, it is a nightmare scenario, especially when it comes to financial institutions. Losing control of a stakeholder's proprietary financial information threatens the data's integrity and potentially the livelihood of the stakeholders that have monetary skin in the game, rooted in the assumption that their data will always be secure. More importantly, from a finance standpoint, a leak of this information threatens the organization's overarching fiduciary relationships—past, present, and future.
Data leakage is particularly scary since there is often no immediately clear indicator of the scope of the breach and associated risk. It could be as small as theft of single-account records to a broader theft of complete databases holding enormous amounts of personal data, such as the data breach at a Panamanian law firm in which more than 11 million proprietary documents were leaked.
The Chief Information Security Officers (CISOs) of financial institutions are aware of the dangers of data leakage and will always prioritize it in their endless list of cyber threats. Global financial institutions are spending hundreds of millions of dollars a year in building multi-layered data loss prevention (DLP) systems. Few CISOs are able to build unbreakable systems that protect against even the most common cyber attacks. On the other side of the equation, bad actors are raising the bar in complexity of attacks, leveraging leaked government cyber weapons against civilian targets like banks.
Criminals are using strategic cyber weapons—including manipulated, everyday hardware like keyboards and other Human Interface Devices (HID)—against commercial targets. The problem is that these cyber attack tools can exist in systems completely undetected by existing cyber defense tools. This is perhaps the scariest and most dangerous form of data espionage: the undetectable devices that are extracting information under the radar.
There is no way to "un-spill the beans" once they have been spilled. Once data is leaked, it cannot be retroactively secured. Therefore, data managers and CISOs must remain hyper-vigilant and do everything in their power to ensure all vectors are sealed tight at all times, which includes every potential access point in the system.
PCMag: In terms of what's already happened, what's the worst financial services breach the country has seen and how did it happen?
YA: "The worst" would depend on whom you ask. From the financial institution perspective, major breaches like the 2014 JPMorgan Chase breach come to mind, when a cyber attack affected as many as 76 million households and 7 million small businesses among its large network of stakeholders.
However, from the perspective of an individual customer, the worst breach is the one that permanently changed his or her life and sense of financial security. This is one of the most important things to remember: insufficient protection against cyber attackers can irreversibly ruin the lives of the people who depend on you keeping their data safe, as well as the trust and reputation of the entire institution.
It is also notable to mention that many of the financial breaches we have witnessed are the crises of yesterday. Certainly, many compromising cyber attacks have used some form of malware to access and extract information from a network. But a common denominator to all of the widely publicized breaches is that someone has discovered them. The undiscovered leaks that may be actively extracting data right now are the biggest threat to data security.
One of our customers, an international bank, found a small hardware device connected to its network hidden under a desk. This device was connected to the network; however, the cyber security team could not see it. None of the existing tools sensed it or detected its existence, but it was there nonetheless, sending data to a remote location through a cellular connection. An unknown quantity and type of data was compromised for an unknown period of time and no one knew about it. Today, one year after this shocking discovery, security officers still know almost nothing about who planted the device and how much data was taken.
The next great attack vector will come from ghost hardware devices. This is why we are working diligently to detect and mitigate these attacks.
PCMag: For smaller financial services companies, what should they be on the lookout for in terms of threats, entry points, and common mistakes?
YA: Smaller financial institutions are, in many cases, in greater danger than the big ones. In most cases, they do not have a large security team and their cyber security systems are less sophisticated. We have witnessed, in some cases, small-sized financial service companies that are using a five-year-old firewall and three-year-old antivirus software for securing their digital assets. One such company was managing the investments of some of the largest personal accounts in the United States.
The assumption that a small-sized financial institution equals smaller risk is completely backwards. A hedge fund managing several billion dollars is usually a very small company. A family office managing large personal monetary accounts is similarly small, as is true for the law firm in Panama that held financial secrets of high-profile world leaders. All of the above have been breached, and most were not aware of the breach for a very long time; some are still not aware of it.
The managers of these smaller companies in many cases do not understand the risk they are taking, the potential damage to their companies, and, most importantly, the potential damage to their customers. Many companies believe that their top-of-the-line software defense solutions can provide a watertight seal of the system through real-time monitoring and predictive analytics. This may be true on the software side, but what the typical CISO might fail to recognize is that a bad actor has built a drain directly into the hardware infrastructure where data has been pouring out for years. Any data manager or cyber security professional will tell you the most important place to start protecting yourself against vulnerabilities is [by] understanding your existing infrastructure. This means getting a firm grip on what is connected to your network.
The most important thing to remember is that any route to data is a potential liability. No matter what size the financial services company, taking the necessary precautions and taking inventory of the devices in a system can help limit your exposure to keep your data secure.
PCMag: You don't typically associate keyboards, mice, and other peripherals as entry points for these kinds of attacks. Why should we be concerned about these kinds of devices?
YA: Think about this: Can you install software that you have downloaded from the internet on your corporate computer? Probably not. But can you bring a keyboard from outside to your office and connect it? Probably yes.
People are right to assume unknown software is a risk. This is why there are many security tools to monitor and prevent installation of software in a corporate computer by anyone other than the IT personnel. But, for some reason, hardware devices are not held to the same standard.
Cyber attacks originated by software are, in most cases, limited by the existing cyber defense tools, meaning that all of the tools from the endpoint security suite to the perimeter security and forensic tools are tuned in to detect the entry point and block it. However, a single keyboard can do more damage than most of the malware in the world, exfiltrating data for long periods of time.
Imagine your organization's IT professional sends an email to the whole company saying the organization will be receiving brand-new keyboards tomorrow. What percentage of your employees would see a new keyboard on their desk the next day and plug it in? 20 percent? 50 percent? 100 percent? The answer is, it's closer to 100 percent than anyone wants to admit. It would only take one person to install one of these devices, which was manipulated to extract information, to compromise the entire system.
We now know that many of the tools being used to infiltrate and hack global financial centers were actually stolen from government prototypes in nations across the world. For example, keyboards originally developed by the US National Security Agency (NSA) to track keystrokes and collect data from networks through a connected computer's USB port are now being used by malicious hackers to acquire data for blackmail and ransomware attacks.
Additionally, with the growth of nefarious hacking tools being sold on the dark web, the most cutting-edge technologies for malicious data gathering can now end up in the hands of a hacker in a matter of days, with no clear way for authorities to track the buyer, seller, or location of the devices. This means that the most sophisticated, undetectable data collection devices may now exist in countless data systems, without CISOs even knowing about them.
These devices are comparable to parasitic bugs like ticks or lice. They are seemingly commonplace and harmless when floating around in your general vicinity. However, they are hard to sense when they install themselves into your system and can exist there unnoticed for a long period of time. Moreover, they are a major liability and can do irreversible damage to the data and your stakeholders.
PCMag: Without touting your services specifically, how can companies ensure that they're safe, especially if they are relying heavily on connected devices to do their jobs?
YA: There are a lot of elements that cannot be controlled. As I have discussed, the dark web's limitless digital market is nearly impossible to stop. Due to the anonymity of buyers and sellers, the free-for-all trading of hardware devices presents the unprecedented challenge of staying attuned to the hacking threats that affect systems from the outside.
However, data managers must control the hacking threats that originate from the hardware. This starts with having comprehensive awareness of all the hardware devices that interact with your system. Traditionally, organizations' technology officers establish that they have X number of endpoints that connect to Y number of servers and external devices. In a modern cyber defense warzone, it is critical that they go deeper, to the peripheral level.
Network wires that send information between two devices should be completely inspected, between every two edges, through all connection points. There are devices that can intercept data at these points and exfiltrate it through to a remote location without being recognized.
To save systems from these types of extortions, device-heavy networks need to be sorted through with a fine-tooth comb. CISOs need to do everything in their power to ensure the integrity of their system devices. Assuring that your devices are truly yours—and not maliciously disguised hardware—is the best way to defend against cyber hardware threats.
Start with awareness. Do not ignore the potential risk of these innocent-looking hardware devices. The threat is real and relevant to all of us.
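The "know what is connected to your network" advice in the last answer can be turned into a routine check. The script below is an added example, not code from PCMag, Sepio Systems, or the interviewee: it parses the one-line-per-device listing printed by the Linux `lsusb` command, compares a fresh snapshot against an approved vendor:product allowlist and against the last known-good snapshot, and reports anything unapproved or newly appeared. The allowlist and both snapshots are constructed sample data embedded inline so the example runs offline; a real deployment would feed it live `lsusb` output.

```python
import re
from dataclasses import dataclass

# Matches the one-line-per-device format printed by `lsusb` on Linux, e.g.
# "Bus 001 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120"
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)


@dataclass(frozen=True)
class UsbDevice:
    bus: str
    dev: str
    vid: str
    pid: str
    desc: str

    @property
    def key(self) -> str:
        """Vendor:product pair, the identity used for allowlisting."""
        return f"{self.vid.lower()}:{self.pid.lower()}"


def parse_lsusb(text: str) -> list[UsbDevice]:
    """Parse raw `lsusb` output into UsbDevice records, ignoring non-matching lines."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices.append(UsbDevice(**m.groupdict()))
    return devices


def audit(current, baseline, allowlist):
    """Compare a fresh snapshot with the approved-hardware list and the last
    known-good snapshot. Returns (finding, device) pairs in snapshot order:
    NOT_ALLOWLISTED for unapproved models, NEW_SINCE_BASELINE for approved
    models that were not present last time and deserve a human look."""
    baseline_keys = {d.key for d in baseline}
    findings = []
    for d in current:
        if d.key not in allowlist:
            findings.append(("NOT_ALLOWLISTED", d))
        elif d.key not in baseline_keys:
            findings.append(("NEW_SINCE_BASELINE", d))
    return findings


# Constructed sample data (not real captures): the approved hardware list and
# two snapshots of one workstation taken a day apart.
ALLOWLIST = {
    "1d6b:0002",  # Linux root hub
    "046d:c31c",  # approved keyboard model
    "0951:1666",  # approved removable drive model
}

BASELINE_SNAPSHOT = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120
"""

CURRENT_SNAPSHOT = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 005: ID ffff:0001 Unbranded USB Keyboard
Bus 001 Device 006: ID 0951:1666 Kingston Technology DataTraveler 100 G3
"""


def audit_snapshot():
    """Run the audit over the constructed sample snapshots."""
    return audit(parse_lsusb(CURRENT_SNAPSHOT), parse_lsusb(BASELINE_SNAPSHOT), ALLOWLIST)


if __name__ == "__main__":
    for finding, dev in audit_snapshot():
        print(f"{finding:20} {dev.key}  bus {dev.bus} dev {dev.dev}  {dev.desc}")
```

Run on a schedule and shipped to the SIEM, findings like the unbranded keyboard above become a ticket rather than a surprise a year later. Vendor and product IDs are self-reported by the device, so a match against the allowlist narrows the search but does not prove the hardware is genuine; the inventory is the starting point for the physical verification the interview calls for, not a substitute for it.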