The robbery of Bangladesh’s Central Bank was a true 21st-century bank heist. In April, thieves made off with $81 million after hacking into the bank’s secure messaging system. A shroud of mystery still surrounds the crime, with evidence in the past week suggesting that North Korean hackers may be responsible. The most incredible finding from the investigation: The failure may have come down to a simple stolen password.
And now Facebook CEO Mark Zuckerberg has suffered a similar, if less-expensive, fate — over the weekend, hackers stole his password to break into his official Twitter and Pinterest accounts.
Nothing captures the crux of our cyber-security crisis like the Bangladesh bank heist. Companies and countries spend millions to build up cyber-security walls, but have no one keeping watch. Meanwhile, thousands of potential keys to the castle are for sale online in the form of stolen usernames and passwords.
For years, we’ve imagined a boundary between locked-down corporate systems and consumer emails and websites that suffer from frequent vulnerabilities. Now, it’s becoming undeniable that the two are unavoidably linked. A hacker’s detailed chronicle of a successful breach sheds new light on the way criminals exploit technology to get into nearly any system at will.
Stolen keys, not battering rams
Much of our effort in cyber security has gone towards building high, strong walls. In response, hackers have gotten extremely good at sneaking through the gates. Despite all our progress in building secure software to keep out malicious attacks, hackers repeatedly break into companies’ networks with stolen keys. The keys are compromised credentials or stolen passwords that end up in the hands of cybercriminals.
Too often, a single password is the only line of defense. The SWIFT messaging system connects federal banks around the world — one of the most valuable and sensitive technology bridges in the world. Hacking into the software may be near-impossible, but cybercriminals did not try the near-impossible. Instead they signed in with a stolen employee password.
Stolen passwords pose extensive security risks because attacks using stolen passwords often do not set off any alarms. The risk is by no means limited to high-value targets like federal bank employees. One in 10 employees has a stolen corporate password in hackers’ hands, representing 92 percent of large companies. In fact, the majority (63 percent) of all confirmed data breaches involved leaked passwords. A steady pipeline of stolen credentials supplies hackers’ efforts; another 272 million stolen credentials hit the market last week. No software or computer system can be secure if it depends on passwords that can be stolen.
We long considered the inferior security of consumer technology a nonfactor for corporate cyber security. However, the common link between consumer technology and the corporate world is the employee. When an employee reuses her consumer password for her corporate account, she inadvertently makes her corporate system as weak as her weakest consumer interaction. Research has found that people — even Mark Zuckerberg! — reuse passwords 31 percent of the time. With the proliferation of cloud, personal devices in the workplace, and online business, every company needs to treat online safety as a core part of cyber security, whether that means educating employees about common threats or updating old technology.
Barbarians at every door
Even if one were to set aside the stolen-password problem, our current systems are less like a fortress wall with a single giant gate and more like a maze of hundreds of doors with varying locks and degrees of security developed over time, whose overall security is as weak as the weakest door and lock. This is a much more accurate diagram of a large corporation’s cyber security. In a spy-versus-spy-esque incident, a hacker infiltrated the Italian surveillance company Hacking Team, a squad of information security experts. In a detailed report, the hacker divulges the step-by-step process of accessing Hacking Team’s secretive technology, hopping from one vulnerability to the next.
In his description, the attacker offers multiple instances where hacking a large company would be much simpler. He points out that a Fortune 500 company’s huge network almost guarantees that hackers have an existing point of access from stolen email addresses or vulnerable technology. New research from Verizon highlights companies’ connections with the internet as the greatest risks, with 40 percent of successful data breaches coming from this vector. In our analogy, you can see that the giant gate we imagine is not much more than a row of turnstiles that invaders can jump over when no one is watching.
No one on watch
Whether there is an impregnable fortress wall or a maze of doors and locks, a vigilant surveillance team should, in theory, catch any intrusion. The absence of effective surveillance gives hackers the upper hand before, during and in the aftermath of a cyber attack.
Companies apply complex statistical analysis to find patterns in business data. The same technology exists for detecting cyber-security threats. These tools do not simply look for large uploads of data or access to blatantly malicious websites; they detect when an employee’s behavior differs from the way the employee normally uses work tools. Every large company with sensitive data should have some form of activity monitoring, and it can be seen as a huge failure that the $80 million transfers from the Bangladesh bank’s account weren’t detected, delayed or blocked, especially given the dubiousness of the destination accounts. Automated monitoring can cover humans’ shortcomings, which played a crucial role in the Bangladesh theft, by analyzing huge amounts of information and never taking time off.
Perhaps this failure owes to the fallacy of the impermeable system, the impregnable fortress wall. A “secure” banking messenger is only as safe as its keys. New revelations show that the Bangladesh bank had only minimal security around the password and did not even separate access to the different systems on the bank’s network. There was no multifactor authentication, and no “step-up” authentication, which requires additional verification for high-value transactions. Given today’s IT environments of mazes of interconnected doors and locks, one has to assume that one or more of the doors have been compromised. So not only do the systems need to be isolated; the surveillance has to extend to every door, every interconnection, and every system, covering both entry and behavior once inside.
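The two controls discussed above, behavioral monitoring of how an employee normally uses a system and step-up authentication for high-value transactions, can be combined in one policy gate. The following is an added example written for this article, not code from the Bangladesh bank, SWIFT or any monitoring vendor. The transfer log lines, the user name, the beneficiary identifiers and the 100,000 step-up threshold are all constructed for illustration; the per-user baseline is built from the user's own past transfers (typical amounts, known beneficiaries, usual hours), and a transfer is allowed, held for additional verification, or blocked for manual review depending on how far it departs from that baseline.

```python
"""Behavioral baseline plus step-up gate for outbound transfers (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one line per past transfer, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2016-02-01T10:15:00 user=ops_clerk amount=12000 beneficiary=BENEF-A
2016-02-01T11:02:00 user=ops_clerk amount=15500 beneficiary=BENEF-B
2016-02-02T09:48:00 user=ops_clerk amount=9800 beneficiary=BENEF-A
2016-02-02T14:20:00 user=ops_clerk amount=14200 beneficiary=BENEF-C
2016-02-03T10:05:00 user=ops_clerk amount=11000 beneficiary=BENEF-B
2016-02-03T13:30:00 user=ops_clerk amount=13100 beneficiary=BENEF-A
"""

STEP_UP_THRESHOLD = 100_000  # constructed policy value, not a real bank's limit


@dataclass
class Transfer:
    ts: datetime
    user: str
    amount: float
    beneficiary: str


@dataclass
class Baseline:
    amounts: list        # historical amounts, used for a z-score check
    beneficiaries: set   # beneficiaries this user has paid before
    hours: set           # hours of day at which this user normally works


def parse_log(text):
    """Parse the constructed log format into Transfer records."""
    transfers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        transfers.append(Transfer(datetime.fromisoformat(ts_str), fields["user"],
                                  float(fields["amount"]), fields["beneficiary"]))
    return transfers


def build_baselines(transfers):
    """Group history by user and summarise what 'normal' looks like for each."""
    by_user = defaultdict(list)
    for t in transfers:
        by_user[t.user].append(t)
    return {
        user: Baseline([t.amount for t in ts], {t.beneficiary for t in ts}, {t.ts.hour for t in ts})
        for user, ts in by_user.items()
    }


def evaluate(transfer, baselines, step_up_threshold=STEP_UP_THRESHOLD):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'block'."""
    anomalies = []
    base = baselines.get(transfer.user)
    if base is None:
        anomalies.append("no behavioral history for user")
    else:
        mu, sigma = mean(base.amounts), pstdev(base.amounts)
        if sigma and abs(transfer.amount - mu) / sigma > 3:
            anomalies.append("amount far outside user's normal range")
        if transfer.beneficiary not in base.beneficiaries:
            anomalies.append("never-before-seen beneficiary")
        if transfer.ts.hour not in base.hours:
            anomalies.append("outside user's normal working hours")

    high_value = transfer.amount >= step_up_threshold
    reasons = anomalies + (["high-value transfer"] if high_value else [])
    if not reasons:
        return "allow", reasons
    # A high-value transfer that is also behaviorally anomalous on several axes is
    # held for manual review rather than merely challenged for a second factor.
    if high_value and len(anomalies) >= 2:
        return "block", reasons
    # Anything else unusual requires additional verification before it proceeds.
    return "step_up", reasons


if __name__ == "__main__":
    baselines = build_baselines(parse_log(SAMPLE_LOG))
    probe = Transfer(datetime(2016, 2, 4, 3, 0), "ops_clerk", 20_000_000, "BENEF-ZZ")
    print(evaluate(probe, baselines))
```

The design point is that neither control alone would have been enough: a routine-sized transfer to a new beneficiary is challenged for a second factor even though it is below the threshold, and a large transfer from a valid session is still blocked when it also breaks the user's normal pattern, so a stolen password on its own does not move money.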
In the information security industry, we use the phrase “defense in depth” to describe the strategy of relying on many layers of security rather than a single line of defense. A combination of prevention, detection and remediation is not necessarily guaranteed to prevent every cyber attack, but it is the best way to avert the type of disastrous breach that puts an organization in the headlines.
As we’ve seen from a hacker’s own account, there is essentially no foolproof technology or password. However, it is table stakes to ensure that a single password is not the only thing standing between a hacker and hundreds of millions of dollars.