As recent hacks into crypto exchanges have shown, the methods of cyber criminals change rapidly, and firms require constant vigilance and planning to defend against their attacks. Rob Dartnall, Director of Intelligence at cyber security consultancy Security Alliance – one of eight organisations regulated by the Bank of England, the UK Government and CREST – offers his opinion on cyber resiliency in banking, financial services and fintech, highlighting where improvements should be made.
Nations, fintechs, and organisations big and small share very important common ground: a heavy dependence on cyberspace, coupled with a need for databases and communications systems that are resilient to cyber attacks. Cyber resilience is increasingly being considered an inherent property that needs to be engineered into organisations. As such, we are seeing an increase in demand by institutions such as banks, especially in Europe and Asia, for cyber resiliency frameworks.
The classic cyber security surveillance models monitor types of attacks and their sources. These are useful, but do not go far enough. One of the key features of a cyber resiliency framework is its ability to record and analyse threat-actor activity, answering questions such as ‘Who, what, where, when, how and why?’. These findings are then applied by ethical hackers against the bank to see whether it is resilient to these types of attacks, should they ever occur. And if it is not, then at least this is determined by a team of ethical hackers who can then help remediate the problems.
In the same vein, crypto, fintech and banking firms are waking up to the realisation that cyber attack simulations are no longer just for governments. In order to identify actual vulnerabilities and cultivate authentic cyber resilience, sophisticated simulated attacks and penetration tests have fast become a necessity for everyone. This increased interest is a welcome sign, as it means people are no longer making assumptions about the threats they face and their resiliency to attack, but actually rehearsing these attacks based on qualified intelligence.
Resiliency to attacks is an important consideration in cyber security, but of equal importance is for firms to understand the environment in which they operate – especially in fintech, where there is a recurring theme of not knowing or misunderstanding what threat actors are doing. Companies that don’t yet understand their identity as an organisation and how much they appeal to different people are at particular risk. It’s often the last thought on their agenda, pushed further down the priority list by the pressure to deliver new products and to create equity.
Mature organisations tend not to fall into this sort of trap because they’ve learned the importance of building security in from the beginning, and they implement it religiously – particularly in new products and apps. They have come to learn that it improves security and, ultimately, is cheaper to implement at the beginning of a build than to bolt on at the end.
Companies don’t always understand the complexity of the wider cyber threat landscape and their position in it. This means they make assumptions when building their security strategy, rather than basing it on intelligence. This can lead to improper security controls being implemented, meaning their defences may not be ‘appropriate and proportionate’, and limited security budgets may be misspent.
Firms are sometimes lulled into a false sense of security by the level of technology used, but in reality nothing beats practice. The military is a perfect example of this. The civilian world mostly assumes the military operates entirely on natural skills ‘in the moment’, but its teams never launch an operation without multiple rehearsals back at base. What goes for the military should go for mature companies too. Companies must start to test their ability to prevent, detect and respond to attacks through simulated attacks.
Companies should be looking for their weak areas, but are sometimes reluctant to, because such probing invariably leads to finding larger problems or being blamed for any issues that are discovered.
There is a big focus on innovation in Asia, where blockchain, cryptocurrencies and virtual banking are all being well researched (and even implemented). However, as we have seen, security is not being implemented by design. There is a race to a proof of concept, and then this.
There has been much coverage and debate about the vulnerabilities of developing cryptocurrency technologies. They are not inherently fragile structures, but their appeal to the threat landscape and organised crime groups makes them favoured targets. They know most cryptocurrency companies are fairly young and immature, and that, due to pressures to deliver, they won’t have put strong security in place. They also know that cryptocurrency firms have access to cash that can be manipulated out of the organisation anonymously.
If you led an organised crime group, what would you do? Attack a global bank with a multi-million cyber security spend to attempt to pull off a swift attack for $50 million (optimistically), or target a new cryptocurrency fund with $50 million to $100 million worth of tokens, but which spends a fraction of the necessary cost on security?
Each crypto exchange looting has been linked to a ‘hot wallet’ left on a network – I have to say this is hardly surprising. Hot wallets are, by definition, a requirement for all exchanges to be able to process their clients’ orders and to manage day-to-day payments. They are going to be the prime target for any attacker going after an exchange, offering the quickest route to monetisation. But it is also frustrating, as exchanges know this is a weak point and the likely target of threat actors, yet don’t seem to implement the required security controls, or at least test them.
Ideally, one needs to make sure that the private cryptographic material associated with the wallet is exposed as little as possible, minimising the attack surface. Any systems (or individuals) holding or accessing this information should be subject to the highest level of security testing. My advice would be to study the threat actors targeting exchanges, work out how they are doing it and then test these same methods against your own networks and applications, to work out how resilient you are to these use cases. You must build a comprehensive testing programme for your solution to constantly identify new vulnerabilities.
Exchanges can look to reduce potential losses by keeping in the hot wallet only the minimum required for day-to-day handling and processing of payments. Keeping the majority of crypto assets in cold storage, such as paper printouts, and carefully logging the movement between them is probably the way to go. There have also been some experiments with multi-signature wallets, which should definitely be an option to consider, as well as the use of custody services.
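As an added illustration of the float-and-cold-storage policy described above (example code, not the author's or any exchange's implementation): a small Python model that caps the hot wallet, sweeps the excess to cold storage, requires m-of-n approvals from named custodians before funds move back (a stand-in for the multi-signature and custody controls mentioned), and logs every movement. All names, amounts and the cap are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Treasury:
    hot_cap: int               # max balance the hot wallet may hold (smallest unit)
    approvers: frozenset       # custodians authorised to sign a cold -> hot transfer
    required_approvals: int    # m in m-of-n
    hot: int = 0
    cold: int = 0
    log: list = field(default_factory=list)   # append-only record of every movement
    def deposit(self, amount: int) -> int:
        """Funds land in hot; anything over the cap is swept to cold. Returns amount swept."""
        self.hot += amount
        self.log.append(("deposit", amount))
        excess = max(self.hot - self.hot_cap, 0)
        if excess:
            self.hot -= excess
            self.cold += excess
            self.log.append(("sweep_to_cold", excess))
        return excess
    def replenish_hot(self, amount: int, approvals) -> bool:
        """Cold -> hot needs m distinct authorised approvers and must not breach the cap."""
        valid = sorted(set(approvals) & self.approvers)  # unknown names are ignored
        if len(valid) < self.required_approvals:
            self.log.append(("replenish_rejected", amount, "approvals", valid))
            return False
        if amount > self.cold or self.hot + amount > self.hot_cap:
            self.log.append(("replenish_rejected", amount, "cap", valid))
            return False
        self.cold -= amount
        self.hot += amount
        self.log.append(("replenish_hot", amount, valid))
        return True
    def withdraw(self, amount: int) -> bool:
        """Payouts come only from hot, so a hot-key compromise loses at most hot_cap."""
        if amount > self.hot:
            self.log.append(("withdraw_deferred", amount))
            return False
        self.hot -= amount
        self.log.append(("withdraw", amount))
        return True

def run_scenario():
    """Constructed walk-through: 250 in, 80 out, then three cold -> hot requests."""
    t = Treasury(hot_cap=100, approvers=frozenset({"alice", "bob", "carol"}), required_approvals=2)
    t.deposit(250)                                   # hot 100, cold 150
    t.withdraw(80)                                   # hot 20
    single = t.replenish_hot(60, ["alice"])          # rejected: one approver
    dual = t.replenish_hot(60, ["alice", "bob", "mallory"])  # ok: mallory ignored
    over = t.replenish_hot(50, ["alice", "bob"])     # rejected: would exceed cap
    return t, (single, dual, over)
```

The invariant worth checking in a real treasury is that the hot balance never exceeds the cap after any operation, and that the log reconciles exactly with the hot and cold balances.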
Exchanges need to look at the issues that have been affecting their peers and test whether such attacks would be feasible against them. This allows them to address security issues before they become a crisis.