'Ethical hacking' takes aim at cyber crime

As part of the US Department of Homeland Security's National Cyber Security Awareness Month, David Dawkins looks at four challenges facing financial services organisations as the threat from malicious agents continues to develop


At a time when a nation state can target Sony, and a bored Australian teenager can hack MasterCard from his bedroom, there is a renewed focus on people and their role within the defensive perimeter of financial organisations.

One such idea is 'ethical hacking', part of the growing recognition given to developing people as a point of strength, rather than weakness, in the continuing effort to keep systems secure against cyber threats. Waters spoke to Luke Beeson, vice-president for security UK and global banking and financial markets at BT, about ethical hacking and the arms race at the front lines of cyber security.

"People talk about cyber security as this great, sexy thing, but if you look at a lot of the big incidents, more often than not it boils down to basic human error," Beeson says. He spent three years building BT's cyber defence operation and has worked on the Olympics and security projects in the oil and gas sector. "Our ethical hackers use the basic tricks of the trade to assume the position of a hacker to force their way into a network and find a vulnerability."

Two weeks ago, BT launched its latest cyber security initiative, designed to test and verify the systems that can access the network and, perhaps most importantly, to check for risks of human failure by using social engineering to test how employees apply their firms' policies.

Federal Bureau of Investigation (FBI) assistant special agent in charge Richard Jacobs explains how costly basic human errors can be, citing dormant malware in particular as a problem for finance firms. "I can't tell you how many reports I see where an email comes through either spoofing the CEO or where the CEO's account is actually hacked, asking to wire or transfer money," he says. "A large institution received such a request recently for $99 million, and they sent it. We were able to recover about $85 million of that, but $14 million is still a nice payday for a criminal."

Human process

Ethical hacking at BT is a simple process built into the working day. An email is sent by the ethical hacking team, the recipient clicks a link, and a simulated piece of malware is installed. The test is designed not to have any debilitating effects on live services, but it does show the entire ladder of human error: how many people opened the email, how many clicked the link, and how many entered their username and password. Beeson says this allows his team to review the security and say hypothetically, "look, this is just a test, but see how far you went? In the real world, this is what would happen."
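The ladder described above is, in practice, a funnel report. The following is an added example (not BT's tooling) that reads a constructed, pseudonymised event log of the kind a simulation platform emits and counts distinct employees who reached each rung, treating a click as an implied open because image-blocking mail clients suppress tracking pixels and undercount opens.

```python
"""Phishing-simulation funnel: who opened, who clicked, who entered credentials.
Added example, not BT's tooling; it reads a constructed event log of the kind a
simulation platform emits and reports each rung of the 'ladder of human error'."""
from collections import defaultdict
# Funnel stages in order; reaching a later stage implies all earlier ones.
STAGES = ("sent", "opened", "clicked", "submitted")

# Constructed sample log, one "<timestamp> <pseudonymous user id> <event>" per line.
SAMPLE_LOG = """\
2014-10-06T09:00:00 u01 sent
2014-10-06T09:00:00 u02 sent
2014-10-06T09:00:00 u03 sent
2014-10-06T09:00:00 u04 sent
2014-10-06T09:00:00 u05 sent
2014-10-06T09:03:12 u01 opened
2014-10-06T09:03:40 u01 clicked
2014-10-06T09:04:05 u01 submitted
2014-10-06T09:10:22 u02 opened
2014-10-06T09:15:00 u03 clicked
2014-10-06T09:31:48 u04 opened
"""

def parse_events(log_text):
    """Return {user_id: set(events)}; malformed or unknown lines are skipped."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in STAGES:
            events[parts[1]].add(parts[2])  # a set: repeat clicks count once
    return events

def furthest_stage(user_events):
    """Index of the furthest rung reached. A click implies an open even when no
    'opened' event was logged (image-blocking mail clients suppress the tracking
    pixel, so raw open counts undercount); a submission likewise implies a click."""
    return max((STAGES.index(e) for e in user_events), default=-1)

def funnel(log_text):
    """Distinct users reaching each stage, and the rate against emails sent."""
    counts = {stage: 0 for stage in STAGES}
    for user_events in parse_events(log_text).values():
        for idx in range(furthest_stage(user_events) + 1):
            counts[STAGES[idx]] += 1
    sent = counts["sent"] or 1  # guard against an empty log
    rates = {stage: round(100.0 * counts[stage] / sent, 1) for stage in STAGES}
    return counts, rates

if __name__ == "__main__":
    for stage, n in funnel(SAMPLE_LOG)[0].items():
        print(f"{stage:<10}{n:>4}")
```

On the sample log, u03 clicked without a logged open, so the report credits an open anyway; raw event counts would have shown three opens where four employees actually read the mail.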

Speaking at a recent conference hosted by Linedata, Mark Brown, executive director of cyber security and resilience at EY, says cyber crime is "100 percent human. Someone is either deliberately breaking policy, someone is either well-intentioned but misinformed on policy, someone is badly coding software, or someone is badly configuring hardware – there's a single common denominator here."

Richard Gale from Broadgate Consultants says that although no statistics are currently available on just how much avoidable human error is responsible for breaches of security in financial organisations, there's a good barometer for failure in the 459 breaches of the UK Data Protection Act that were reported last year. Ninety-three percent of these were caused by human error.

How to organise the fightback

For Mark Clancy, CEO of Soltra and former CISO at the Depository Trust & Clearing Corporation, despite the increasing sophistication of the attacks, and the level of threats that can range from nation states in the case of Sony, to script-kiddies in the case of MasterCard, humans offer the best genuine resistance in the fight against cyber crime. The trick is when and how you use them.

"It's a question of when can I trust a machine, and when do I need to apply my own expertise. It's a principal split 80/20. Say a firm is exposed to 100 threats in one day. They each get one hundredth of the firm's time to triage. Probably 80% of those threats would never really cause harm, and 20% of those are worth extra effort. As a firm, I need to aim to spend 80% of my time on the 20% that might hurt me, and 20% of my time on the 80% that really won't."

The defence against cyber crime in the UK has some wonderfully romantic historical connections dating back to the earliest days of cryptography at Bletchley Park, the real-life setting for the 2014 wartime biopic, The Imitation Game. According to Beeson at BT, this is part of an ever-changing but continuous struggle, and just as in any wartime scenario, the call to arms is real.

"They'll be reading this article looking at what's published and saying, 'Okay, BT are now doing this, they're on to us. We now need to do something different,'" says Beeson. "We have teams of intelligence analysts out there monitoring different hacking groups, what tools and techniques are they using. How can we respond as quickly as possible? It's a constant evolution, an arms race."

This article was originally published on sister website WatersTechnology.com.
