As banks face increasingly sophisticated cybercriminals intent on penetrating complex layered security defenses, it may help to approach the issue by breaking down such crimes into understandable components.
Chris Pogue, director, Trustwave, in an interview with ABA Banking Journal, says such crimes can be segmented into what he calls the “breach quadrilateral.” “These are infiltration, propagation, aggregation, and exfiltration.”
“Think in terms of a bank robbery,” he says. “What does a bank robber have to do to successfully rob a bank? He has to break in. He has to move from the point of entry to the point where the money resides. He has to somehow encapsulate the money in a bag or some other mechanism that he can then use for exfiltration, to get it out of the bank.”
The conceptual key to thwarting the bank robber—and by extension, the cybercriminal—is to disrupt at least one part of this equation, he says. “We’re looking at each one of those individually as a focal point to say, how do we stop them from getting in? How do we stop them from moving around? How do we stop them from gathering data? How do we stop them from exfiltrating? Each one has a different solution.”
A crucial difference in the analogy between digital crime and on-premises robberies is the timing. In a physical crime, the elapsed time from entry to escape can range from a few minutes to much longer in an off-hours break-in. With a cyber crime, the heist can take place in less than a second in some cases. But it can take the bank months, first, to realize that a crime was committed and, second, to recover from it.
“The speeds are fast. From the time it takes an attacker to perform reconnaissance, identifying a potential target, from the time it takes to breach that target, it’s a very short period of time. Once a target has been identified, it’s literally measured in seconds,” Pogue says.
Such reconnaissance usually means finding lapses in security, which often can be quite simple—the use of administrative credentials, weak or default passwords, or faulty firewalls, for example.
Pogue says his company—which has been endorsed by ABA for network security and data protection resources—deals with hundreds of cyberfraud cases a year. From the bank’s side, he says, reaction and response time is often long. “We see the average time from the point when an organization is breached to the point of time when they contain the breach as being 210 days,” he says.
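Pogue's four phases and the 210-day containment figure, as an added example (not code from Trustwave or the article): a small Python phase-tagger that runs over constructed log lines, records the earliest evidence of each phase, computes dwell time to containment, and lists the phases with no evidence. The keyword rules, log lines, hostnames and timestamps are assumptions made for the example.

```python
from datetime import datetime

# Pogue's four phases, in the order an intrusion moves through them
PHASES = ("infiltration", "propagation", "aggregation", "exfiltration")

# Hypothetical keyword rules (an assumption of this example, not any real
# product's detection content): which phase a log message is evidence of.
RULES = {
    "infiltration": ("default password accepted", "admin login from external"),
    "propagation":  ("lateral logon", "remote service created"),
    "aggregation":  ("archive created", "bulk export"),
    "exfiltration": ("large outbound transfer", "dns tunnel"),
}

def classify(message):
    """Return the phase a message is evidence of, or None if no rule matches."""
    text = message.lower()
    for phase, markers in RULES.items():
        if any(marker in text for marker in markers):
            return phase
    return None

def first_evidence(lines):
    """Earliest timestamp per phase from 'ISO-timestamp message' log lines."""
    first = {}
    for line in lines:
        stamp, _, message = line.partition(" ")
        phase = classify(message)
        if phase is not None and phase not in first:
            first[phase] = datetime.fromisoformat(stamp)
    return first

def dwell_days(first, contained_at):
    """Days from the earliest evidence of any phase to containment."""
    return (contained_at - min(first.values())).days

def missing_phases(first):
    """Phases with no evidence: links never completed, or ones telemetry cannot see."""
    return [phase for phase in PHASES if phase not in first]

# Constructed sample log, not real data; timestamps chosen so the dwell
# time reproduces the article's 210-day average.
SAMPLE_LOG = [
    "2023-01-05T02:14:00 default password accepted for svc_backup from 203.0.113.9",
    "2023-01-06T11:02:00 lateral logon svc_backup -> FILESRV01",
    "2023-02-10T23:40:00 archive created customers_q4.7z on FILESRV01",
    "2023-02-11T00:05:00 large outbound transfer 1.9 GB to 198.51.100.77",
]
CONTAINED_AT = datetime.fromisoformat("2023-08-03T09:00:00")
```

Running `first_evidence(SAMPLE_LOG)` shows that evidence of every phase existed within five weeks of entry, while `dwell_days` against `CONTAINED_AT` still comes out at 210: the gap the article describes is in noticing, not in the attacker's speed.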
Pogue recommends banks partner with security firms whose core competency matches what the organization deems its most pressing need—identifying breaches, securing data, or providing associated technology solutions for processes or procedures. He points out that even financial institutions with robust and well-experienced cyber security staffs likely can benefit from working with dedicated security firms.