Baseball may be America’s favorite pastime, but from the Black Sox scandal to Pete Rose to the “Steroid Era,” cheating schemes have long tarnished the game. Sadly, it was only a matter of time before cheating went high-tech. Former St. Louis Cardinals executive Chris Correa has been sentenced to 46 months in prison for violating federal hacking laws after breaching the Houston Astros’ database and stealing proprietary information such as scouting reports and trade negotiation notes. Although the MLB claims that it appears Correa acted alone in the Houston Astros hack, it is launching an internal investigation into the Cardinals organization and may sanction the team.

How and Why the Houston Astros Hack Happened

Most data breaches are not the result of hackers finding “backdoors” into systems; they are due to hackers getting hold of stolen login credentials, obtained either through a phishing scheme or by taking advantage of employee carelessness, such as employees using weak passwords or writing login credentials on sticky notes and leaving them in plain sight. The Houston Astros hack was the fault of simple carelessness on the part of a new employee (identified only as “Victim A” in court documents) whose previous employer was the Cardinals organization.

When Victim A left the Cardinals to take a job with the Astros, he was told to return his work laptop, including its password information, to Correa. Correa got the idea to try to use this same password, and a few variations of it, to see if he could use it to access the Astros’ database, which was nicknamed “Ground Control.” Correa was right; the employee had chosen a nearly identical password for use in his new job, and Correa was able to use it to walk right in the front door of Ground Control.

Eventually, the Astros updated the Ground Control system, thus changing the login credentials, but that was only a bump in the road for Correa. The password still worked for the employee’s email account – and the Astros had emailed new default login information to all employees.

How Could the Astros Have Prevented the Breach?

The Houston Astros hack resulted from poor cyber security practices on very basic levels:

• Weak passwords chosen by the employee and used on multiple systems. No matter how many times people are told to use strong passwords, change them frequently, and not use the same passwords for multiple systems, most people simply don’t take this warning seriously. For this reason, organizations should not allow employees to choose their own passwords. They should be assigned strong passwords for each system, and the system should require that they be changed periodically.
• Not requiring multi-factor authentication to access sensitive data. A user name and strong password may be fine for an email account, but systems that contain sensitive information should require multi-factor authentication for access.
• Sending default login information through email. The Astros should not have sent employees new Ground Control login credentials through email; instead, the login credentials should have been given to employees in hard copy, and the system should have been set up to require that the credentials be changed as soon as the employee logged in for the first time.
• Not monitoring networks for anomalous activity. Correa was lurking around in Ground Control for well over a year before he was discovered, and that only happened because confidential trade information was leaked online. Had the Astros been monitoring their system, they may have noticed user activity that deviated from baseline norms, such as the user logging in from an unusual location.

Correa’s plea deal estimates that the Astros lost $1.7 million to this breach. Regardless of whether the MLB decides to take action against the Cardinals organization, the Astros need to take a hard look at their information security practices – and other organizations should learn from the Astros’ very expensive mistake. Proactive security measures that prevent cyber attacks are always cheaper than reactive cleanup after a breach has occurred.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization.

[bpscheduler_booking_form]

Over the past few months, an international group of cyber bank robbers, possibly funded by the North Korean government, have stolen nearly $100 million, thrown the integrity of a decades-old banking industry messaging system into question, and remain at large. Sound like the plot of the latest James Bond summer blockbuster? Unfortunately, these hacks, utilizing the SWIFT network messaging system, are all too real – and they’re probably far from over.

The SWIFT network: What is it, and what happened?

SWIFT, the Society for Worldwide Interbank Financial Telecommunications, is a secure messaging network used by financial institutions to transmit information and instructions to each other. In particular, it allows banks in different countries to easily communicate using a standardized system of codes. It was created in the early 1970s as an alternative to Telex messages, which were slower, less secure, and more prone to human error. The SWIFT network does not actually move or store money; it is simply the conduit that banks use to initiate money transfers.

The attacks began in February, when hackers used the Central Bank of Bangladesh’s SWIFT network login credentials to request nearly $1 billion in money transfers from the bank’s account at the New York Fed to accounts in Sri Lanka and the Philippines. The majority of the requests did not go through, having been flagged for review by U.S. officials, but five requests, for a total of $81 million, were sent. Following the Bangladeshi heist, a number of other banks, mostly in Southeast Asia, reported having been victimized by similar attacks that may have involved the SWIFT network. The hackers struck again in June, this time stealing $10 million from a bank in Ukraine.

Ukrainian officials allege that numerous other financial institutions in Ukraine and Russia have been hacked but do not wish to publicly identify themselves. So far, all of the targeted banks have been outside of the U.S., most of them located in developing countries with reporting requirements that are lax compared to U.S. standards. This means that no one has a handle on the true extent of the SWIFT network attacks, which makes banking executives all the more nervous.

As the SWIFT organization has maintained from the beginning, the SWIFT network itself was not actually breached; hackers were not able to break into the system or intercept legitimate messages. Instead, they accessed the network through the targeted banks’ systems, installing malware so they could access the banks’ SWIFT terminals and send the money transfer requests. However, because SWIFT was involved, it finds itself under fire. SWIFT’s CEO has gone on the defensive, insisting that the SWIFT network is secure, blaming the hacks on lax security procedures at member banks, and threatening to pull their access to the SWIFT network if they do not implement stronger cyber security practices.

However, at the same time, SWIFT has announced it would tighten its own security procedures, and experts in the industry are criticizing SWIFT for not being proactive about its cyber security, instead waiting for a breach to occur to address vulnerabilities that have long been an open secret in the banking industry. While SWIFT has a monopoly on its niche market in the short-term, if more banks are hacked, and especially if Western banks are victimized, the long-term future of the SWIFT network will be in question.

What All Organizations Can Learn from the SWIFT Network Attacks

The SWIFT attacks have rocked the banking world, but organizations in all industries can learn from the mistakes made by SWIFT and its member banks, specifically:

• An organization’s people are the weak link in any cyber security plan. The SWIFT network hackers got into the banks’ SWIFT terminals through keystroke-logging malware, possibly installed through a human hacking technique such as spear-phishing. As we have mentioned on this blog many times, enterprise cyber security begins with organizations having robust cyber security plans, including continuous employee training on cyber security awareness and best practices.
• “Security through obscurity” does not work in the Internet Age. Before the internet, proprietary niche networks such as SWIFT – which few people outside the banking industry have ever heard of – enjoyed what is known as “security through obscurity.” These networks were largely unknown outside their niche markets, and little public information was available about them. The internet changed all of that; information about these obscure networks is now widely available. Hackers, knowing that many niche networks built pre-internet have multiple security vulnerabilities, are seeking these networks out as easy targets.
• Appropriate security controls are needed for both users and transactions. After the Bangladeshi heist broke, JPMorgan Chase and Bank of England announced they were going to limit the number of employees with access to SWIFT terminals. Giving employees access only to those systems they need to perform their jobs is a sound practice, and access levels should be reviewed periodically. Different types of transactions also require different security levels. A user name and password may be sufficient for a billing employee to send an invoice or a customer to log in to their account, but sensitive transactions such as large money transfers should require multi-factor authentication and multiple levels of confirmation.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches.

Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs. Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization.

[bpscheduler_booking_form]

Insider Threats: The Enemy Within

The Hollywood portrayal of a hacker is a mysterious hooded figure sitting in a dark room, furiously tapping away at a keyboard in search of a back door into an organization’s system. However, the real enemy may be sitting in a brightly lit cubicle right outside the CEO’s office. Insider threats pose just as much danger to organizations as outside hackers. According to a research study by Intel, 43% of data losses happen due to the actions of “internal actors.” About half are unintentional accidents or carelessness, while the other half comprise purposeful malicious activity.

Security researcher Brian Krebs reports that some organizations are paying security firms or partnering with law enforcement to monitor the Darknet, a hidden online underworld that can only be accessed using special software that hides users’ identities and locations, in an attempt to stop disgruntled employees from selling privileged company information such as high-level system credentials. However, by the time an inside actor is snagged trying to strike a deal on the Darknet, the damage has already been done. Additionally, this monitoring does nothing to address the insider threats from carelessness, negligence, or a simple lack of cyber security awareness.

Continuum GRC recommends that organizations take the following proactive measures to protect themselves against insider threats:

Have a written acceptable use policy.

A written acceptable use policy is a very basic step that many organizations overlook. It is imperative that specific rules are established regarding the acceptable use of company hardware, software, and network access. The policy should be in writing and signed by every employee. While a written policy won’t stop insider threats due to malicious acts, it will provide leverage for a company to take disciplinary action against an employee who violates the policy.

Establish user behavior baselines and monitor your network for deviations.

The “human factor” in preventing insider threats only goes so far. Technical defenses are also necessary, including 24/7 monitoring of your organization’s system. Baseline patterns should be established for each user, and any changes in user behavior, such as a user logging into the system from an unusual location or attempting to access a part of the system they don’t need to do their job, should be flagged and investigated.

Restrict system access as appropriate.

No employee should have a higher level of access to the organization’s system than they need to do their job. A salesperson has no need to access employee tax and salary data. Employees in the human resources department wouldn’t normally need to access the billing system. Limiting system access not only protects against malicious insiders but also prevents hackers from obtaining the “keys to the kingdom” should they manage to steal credentials from a lower-access employee.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect against insider threats.

[bpscheduler_booking_form]