Singapore Expats Forum

Hackers Hit 100 Banks


Re: Hackers Hit 100 Banks

Postby maneo » Tue, 24 Feb 2015 3:13 pm

zzm9980 wrote: All of my replies are based on my career and work experience, being focused on exactly this subject matter.

The system you describe above will break down for two reasons:
1) It is impossible to scan and detect all (or even most) hostile attachments. Current technology sucks at this, it is much easier to evade than detect.

2) All this does is add an extra step between opening an email and opening the attachment. When you do this to every attachment, you train the user to just click through and download whatever looks interesting. Targeted attacks like this are generally using "interesting" looking attachments to some target user-audience, so they *will* click through to download. Hide your attack as a resume and send it to recruiters, invoice and send it to AP, etc. Now you have an expensive system that is an additional layer of complexity to maintain, and you're adding friction to your users' lives for nearly zero gain.

Ah, the do-nothing-because-nothing-is-perfect approach.
:roll:

Those that choose not to remain helpless will apply as many imperfect approaches as are feasible, which should eliminate most of the general opportunistic threats. Failure to do at least that is irresponsible.


Re: Hackers Hit 100 Banks

Postby zzm9980 » Tue, 24 Feb 2015 10:22 pm

I didn't say to "do nothing". I said the solutions proposed in this thread are very ineffective, cost a lot to maintain (effort and money), and will impose employee productivity burdens (assuming they need to email with external people). You don't do something just to 'make noise' if you're not going to have an appropriate return for your money. Security at its core is Risk Management, not risk elimination. You manage risks by spending a commensurate amount of resources to mitigate them.

Companies will get compromised, even those with the best security groups. Your best hope is to detect it ASAP and contain it. Just to start, I would recommend something like this:

1) Still scan incoming emails (catch low hanging fruit)
2) Locked-down desktop tier with aggressive config and patch management. There will be zero-days you can't catch, but better make sure you apply your patches ASAP
3) Holistic network activity monitoring at every layer you can. Agents on the desktops, network firewalls looking at the application layer, DNS activity, netflow collection for *everything*. All of this needs to go into a system which can intelligently process it and make sense of it (This is hard as most off the shelf products fail for any company at scale)
4) More so than anything else, you need intelligent analysts who can keep up with what is going on and understand what they're seeing (This is absolutely the hardest and most expensive part). Even better if they know how to build their own tools. Off-the-shelf almost never works.

Look into what companies with cutting edge security teams like Google, Netflix, and Facebook are doing. They publish reports, create open source tools, and share information to help everyone solve these issues. That's the bar. Not cheap vendor email quarantine crap.
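The DNS-plus-netflow correlation in point 3 of the post above, as an added illustration that is not part of the thread or any poster's code: it joins constructed DNS answer records with constructed flow records and flags outbound flows for which the same client received no DNS answer within an assumed cache window, the kind of pre-digested finding the analysts in point 4 would triage. The log formats, the RFC 1918 internal ranges and the 30-minute window are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed internal ranges (RFC 1918); flows that stay inside them are skipped.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, not from the thread.
# DNS answers: "ts,client,qname,answer_ip"; flows: "ts,src,dst,dport,bytes".
DNS_LOG = [
    "2015-02-24T09:00:01,10.1.1.5,mail.example.com,203.0.113.10",
    "2015-02-24T09:02:10,10.1.1.7,cdn.example.net,198.51.100.20",
]
FLOW_LOG = [
    "2015-02-24T09:00:03,10.1.1.5,203.0.113.10,443,5120",    # resolved 2 s earlier
    "2015-02-24T09:05:00,10.1.1.5,192.0.2.44,8443,900",      # never resolved
    "2015-02-24T09:02:12,10.1.1.7,198.51.100.20,443,70000",  # resolved 2 s earlier
    "2015-02-24T09:40:00,10.1.1.7,198.51.100.20,443,1200",   # resolution too old
    "2015-02-24T09:10:00,10.1.1.9,10.1.1.20,445,3000",       # internal, skipped
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def flows_without_dns(dns_lines, flow_lines, window_minutes=30):
    """Return (src, dst, dport, bytes) for outbound flows whose source host got
    no DNS answer for dst within the preceding window (an assumed bound on DNS
    cache lifetime); such direct-to-IP traffic is what an analyst would triage."""
    window = timedelta(minutes=window_minutes)
    answers = defaultdict(list)  # (client, answer_ip) -> answer timestamps
    for line in dns_lines:
        ts, client, _qname, ip = line.split(",")
        answers[(client, ip)].append(_ts(ts))
    findings = []
    for line in flow_lines:
        ts, src, dst, dport, nbytes = line.split(",")
        if _is_internal(dst):
            continue  # only outbound flows matter for this check
        when = _ts(ts)
        if not any(when - window <= t <= when for t in answers[(src, dst)]):
            findings.append((src, dst, int(dport), int(nbytes)))
    return findings
```

Widening `window_minutes` trades the stale-resolution false positive in the sample for missing a host that resolved a name long before beaconing to it.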


Re: Hackers Hit 100 Banks

Postby x9200 » Wed, 25 Feb 2015 8:37 am

zzm9980 wrote: I didn't say to "do nothing". I said the solutions proposed in this thread are very ineffective, cost a lot to maintain (effort and money), and will impose employee productivity burdens (assuming they need to email with external people). You don't do something just to 'make noise' if you're not going to have an appropriate return for your money. Security at its core is Risk Management, not risk elimination. You manage risks by spending a commensurate amount of resources to mitigate them.

Companies will get compromised, even those with the best security groups. Your best hope is to detect it ASAP and contain it. Just to start, I would recommend something like this:

1) Still scan incoming emails (catch low hanging fruit)
2) Locked-down desktop tier with aggressive config and patch management. There will be zero-days you can't catch, but better make sure you apply your patches ASAP
3) Holistic network activity monitoring at every layer you can. Agents on the desktops, network firewalls looking at the application layer, DNS activity, netflow collection for *everything*. All of this needs to go into a system which can intelligently process it and make sense of it (This is hard as most off the shelf products fail for any company at scale)
4) More so than anything else, you need intelligent analysts who can keep up with what is going on and understand what they're seeing (This is absolutely the hardest and most expensive part). Even better if they know how to build their own tools. Off-the-shelf almost never works.

Look into what companies with cutting edge security teams like Google, Netflix, and Facebook are doing. They publish reports, create open source tools, and share information to help everyone solve these issues. That's the bar. Not cheap vendor email quarantine crap.
Now you sound like an academic. Some questions to consider: Is the solution implementable for mid or even large banks? Will it really be cheaper (by any dimension) than what was earlier proposed? How is it realistically going to be implemented, given massive cross-system complexity and distribution, if you found a single, relatively simple add-on solution, at the current state of the system's development, to be something that would not happen in reality? Is the way Google, Netflix, and Facebook handle security really applicable to the banking industry? Are the respective expectations of the customers of these 2 groups similar? Would the marketing impact of going open-source for the banks' internal software be the same as for the mentioned 3 companies? Would there be enough interest to have it thoroughly tested (yes, reward systems, but still)? Should the banks take an additional and serious risk of zero-day exploits discovered this way?


Re: Hackers Hit 100 Banks

Postby zzm9980 » Wed, 25 Feb 2015 10:27 am

x9200 wrote:
zzm9980 wrote: I didn't say to "do nothing". I said the solutions proposed in this thread are very ineffective, cost a lot to maintain (effort and money), and will impose employee productivity burdens (assuming they need to email with external people). You don't do something just to 'make noise' if you're not going to have an appropriate return for your money. Security at its core is Risk Management, not risk elimination. You manage risks by spending a commensurate amount of resources to mitigate them.

Companies will get compromised, even those with the best security groups. Your best hope is to detect it ASAP and contain it. Just to start, I would recommend something like this:

1) Still scan incoming emails (catch low hanging fruit)
2) Locked-down desktop tier with aggressive config and patch management. There will be zero-days you can't catch, but better make sure you apply your patches ASAP
3) Holistic network activity monitoring at every layer you can. Agents on the desktops, network firewalls looking at the application layer, DNS activity, netflow collection for *everything*. All of this needs to go into a system which can intelligently process it and make sense of it (This is hard as most off the shelf products fail for any company at scale)
4) More so than anything else, you need intelligent analysts who can keep up with what is going on and understand what they're seeing (This is absolutely the hardest and most expensive part). Even better if they know how to build their own tools. Off-the-shelf almost never works.

Look into what companies with cutting edge security teams like Google, Netflix, and Facebook are doing. They publish reports, create open source tools, and share information to help everyone solve these issues. That's the bar. Not cheap vendor email quarantine crap.
Now you sound like an academic. Some questions to consider: Is the solution implementable for mid or even large banks? Will it really be cheaper (by any dimension) than what was earlier proposed? How is it realistically going to be implemented, given massive cross-system complexity and distribution, if you found a single, relatively simple add-on solution, at the current state of the system's development, to be something that would not happen in reality? Is the way Google, Netflix, and Facebook handle security really applicable to the banking industry? Are the respective expectations of the customers of these 2 groups similar? Would the marketing impact of going open-source for the banks' internal software be the same as for the mentioned 3 companies? Would there be enough interest to have it thoroughly tested (yes, reward systems, but still)? Should the banks take an additional and serious risk of zero-day exploits discovered this way?


1) This isn't a 'solution' but general processes.
2) I don't even understand this question. Did you write it with a Dilbert phrase generator?
3) Maybe not 100% the same, but yes the generalities in what they do should be the same.
4) How is this relevant? Do you think some companies say "Eh, our customers don't give a shit if we're hacked so we don't either!". Besides, you're focusing too much on the companies' names and markets.
5) How is this relevant? My point was that they're creating their own software solutions because commercially available ones are not effective.
6) Have what tested?
7) What additional and serious risk "this way"? What is "this way"? You're implying some "this way" is a safer/less risky alternative, and what I'm saying is there is no better alternative.

I can't tell if you're trolling or not at this point. We can have this discussion in person one of these days if you like, because it's not productive to have it here.


Re: Hackers Hit 100 Banks

Postby x9200 » Wed, 25 Feb 2015 11:17 am

Zzm, I think you are more than sufficiently intelligent to understand my questions but if you think trying to ridicule me is the right way, fine, be my guest, you don't prove any point this way though, and I am not on a mission.

Just one comment: the technology and approach have to be suitable for a specific industry, which is a bit more than hardware and software alone. I'm not focusing on the company names, but on the specificity of the product they offer. Without this, the discussion is purely academic.


Re: Hackers Hit 100 Banks

Postby zzm9980 » Wed, 25 Feb 2015 1:59 pm

x9200 wrote: Zzm, I think you are more than sufficiently intelligent to understand my questions but if you think trying to ridicule me is the right way, fine, be my guest, you don't prove any point this way though, and I am not on a mission.

Just one comment: the technology and approach have to be suitable for a specific industry, which is a bit more than hardware and software alone. I'm not focusing on the company names, but on the specificity of the product they offer. Without this, the discussion is purely academic.


I'm not insulting you, but I feel that way myself from your questions.

"Just one comment: the technology and approach have to be suitable for a specific industry, which is a bit more than hardware and software alone. I'm not focusing on the company names, but on the specificity of the product they offer. Without this, the discussion is purely academic."

Between financials and technology companies protecting digital IP (as we're discussing here) the differences are not that significant. You'll have added regulatory or compliance requirements in some cases, but you rarely change your security architecture around them. They're more just checkboxes of things you do in addition to your real strategy.


Re: Hackers Hit 100 Banks

Postby x9200 » Wed, 25 Feb 2015 3:29 pm

Sorry to hear it zzm, because there was no intention to insult on my side either. I think we are missing the non-verbal layer in this discussion. Let's finish it indeed over a beer at the next possible gathering we both will attend. We still have a thumb drive journaling FS challenge to do too.


Re: Hackers Hit 100 Banks

Postby maneo » Thu, 26 Feb 2015 12:14 pm

zzm9980 wrote: I didn't say to "do nothing". I said the solutions proposed in this thread are very ineffective, cost a lot to maintain (effort and money), and will impose employee productivity burdens (assuming they need to email with external people). You don't do something just to 'make noise' if you're not going to have an appropriate return for your money. Security at its core is Risk Management, not risk elimination. You manage risks by spending a commensurate amount of resources to mitigate them.

Companies will get compromised, even those with the best security groups. Your best hope is to detect it ASAP and contain it. Just to start, I would recommend something like this:

1) Still scan incoming emails (catch low hanging fruit)
2) Locked-down desktop tier with aggressive config and patch management. There will be zero-days you can't catch, but better make sure you apply your patches ASAP
3) Holistic network activity monitoring at every layer you can. Agents on the desktops, network firewalls looking at the application layer, DNS activity, netflow collection for *everything*. All of this needs to go into a system which can intelligently process it and make sense of it (This is hard as most off the shelf products fail for any company at scale)
4) More so than anything else, you need intelligent analysts who can keep up with what is going on and understand what they're seeing (This is absolutely the hardest and most expensive part). Even better if they know how to build their own tools. Off-the-shelf almost never works.

Look into what companies with cutting edge security teams like Google, Netflix, and Facebook are doing. They publish reports, create open source tools, and share information to help everyone solve these issues. That's the bar. Not cheap vendor email quarantine crap.

:)
Thank you for explaining how it could (and should) be done better.

Agree that commercial, "off-the-shelf" quarantining products are not sufficient -- they are essentially just doing step 1 ("Still scan incoming emails" to "catch low hanging fruit").
At best, it's merely coarse filtering for the obvious stuff.

Also agree that IT security is "a process" and that there is no such thing as "risk elimination."
The challenge is not static.
Each effective solution developed is just another challenge to the most clever hackers to circumvent it.
IT administrators must never become complacent.

No single approach will be sufficient.
The more layers, the greater the risk mitigation.
Distributing the monitoring makes sense as a pragmatic way to deal with the scale issue.

Unfortunately, for all this there really is no return for money spent.
It is all just "insurance" premium -- hopefully, they get better coverage when they spend more on monitoring and analysis.
