Wednesday, October 19, 2016

Cyber-security in a non-linear world.

I was mulling over a tweet this morning where I read about how Canada was going to be helping in financial cyber security with other G7 nations (Link). I found this a bit ironic, as financial security in Canada is usually quite atrocious. I've spent a while now collecting proof of how bad it is, and there are definite trends I've noticed.

I've been trying to work out for a while what the root cause of the problem is. Usually, I can simply correlate a symptom to a cause; yesterday, for instance, I pointed out to ScotiaBank that they're allowing customers to be phished again.

This is a problem I’d previously reported to the CCIRC.

Whilst that’s the symptom, the underlying cause is one of these three things:
* The bank doesn’t check for this.
* The bank does check for this, but failed to check properly.
* The bank did test properly, but someone thought it was OK to publish regardless.

The problem is simply that the aforementioned symptom is just the tip of the iceberg. Elsewhere, I see far bigger issues. My thoughts turned to trying to work out why bank security keeps failing, something I usually blame on policy: if the people writing the rules for "what to check" know what they're doing, and the people following those procedures do it properly, you wouldn't have these problems.

And then the idea occurred to me today that there's a bigger, more fundamental issue.

Anyone who has followed military tactics will know how the current Russian/Surkov non-linear warfare model is bamboozling lots of people; well, the banks face a similar problem, and it's bamboozling them, too. In the old days, you had the bank and the bank robber. The linear aim was for the robber to get the money in the vault, so it was the bank's job to stop that happening.

Fast forward to 2016 and we have a triangle, where if you compromise one side of the triangle, you can get to the other two.

In this model, we have:
1) The bank. This is the bank and its infrastructure: online banking, virtual vaults, payment messaging systems, etc.
2) The customer. This is your average Joe on the street. He/she can be socially engineered.
3) The shared environment. This is where the bank interacts with the customer's hardware.

In a non-linear attack, an attacker can go for any side of this triangle, any combination of two sides, or the hat-trick of all three sides. That means the bank cannot easily anticipate how to out-fox a would-be attacker, and sometimes an attack on the bank means the bank isn't directly attacked in any detectable way.

The modern bank has to be on guard on all three sides and protect itself from a non-linear threat, and that simply doesn't always happen. Any bank that gets sloppy with its procedures, or allows customer phishing on its own site, is inviting trouble. If a bank leaks data, has incomplete security procedures or leaks source code, then it's going to invite really big trouble.

I'm not a security expert by trade, but I am observant and I track what I see. When I see banks suffering these symptoms, I see the potential for really big trouble.