Last year I was at a security symposium in Sydney where I bumped into a friend working for a large security vendor. We discussed the latest industry rumours and trends and shared a few interesting stories on breaches - this is when I asked if his firm performs risk assessments for Business Process Compromise (BPC), to which he replied "No". I was now thinking: how on earth do they perform security assessments when they only look at one half of the big picture? Surely the other big half is equally important? Don't believe me? What about the big cyber-heist of Bangladesh's Central Bank, which I will use as a case study a little later.
Interestingly, I was told by my friend that business process compromise often results in fraud, which is the responsibility of Human Resources, Finance and Risk Officers. For those of you that have not heard of business process compromise, simply explained it means that someone with deep knowledge (a subject matter expert) of how a process works, typically in finance, sales, procurement or payroll, can bypass security controls, checks and balances to commit financial theft, sabotage or intellectual property theft.
What makes business process compromise difficult to detect and counter is that it is usually performed by employees in sensitive or senior roles. These people are trusted to do the right thing, and this makes it extremely difficult to identify which of them is inclined to this type of behaviour. Worse still, these employees know the processes extremely well, including how security is configured on their specific systems such as finance, payroll and accounts payable, so monitoring for malicious actions and detection is that much more difficult.
For those of you new to the concept of business process compromise, it is important to note that there are two classes of malicious actor: the insider, typically an employee or contractor employed by your firm, and the outsider, typically someone outside the organisation such as a terminated or ex-employee, consultant, technology vendor or supplier. Both classes of malicious actor have intimate knowledge of how your sensitive corporate functions work. For example, the financial platform consultant knows how your accounts payable process works front-to-back because they configured and installed the system based on your processes, which they helped you capture and articulate.
Now, should the financial platform consultant switch to the dark side (criminal intentions) and decide to commit fraud by issuing you a fake invoice using clever means such as Business Email Compromise (BEC) and social engineering, more than likely they will succeed, and more than likely detection will take many months if not longer.
The case involving the cyber-heist at the Bangladesh Central Bank (BCB) was a combination of insider and outsider threat actors staging a sophisticated attack which involved hacking, social engineering, corruption of employees, intimate knowledge of the central bank's operations, and deep knowledge of the international financial banking platform, SWIFT.
In a nutshell, what happened is that malicious actors hacked into the SWIFT platform owned by the Bangladesh Central Bank and sent fraudulent instructions to its major bank account held at the Federal Reserve Bank of New York. The instructions were to transfer $1 billion US dollars to offshore bank accounts in low-compliance jurisdictions such as the Philippines, Sri Lanka and Macau. The majority of the payments were stopped, but $81 million made it through and ended up in fake bank accounts at a Philippine bank, from where it was transferred to a local casino and never found - the trail ended at the bank! A very sophisticated operation.
In summary, the following key points were identified as weaknesses which led to the cyber-heist (I have summarised a few):
- Insider threats were involved in some capacity - somehow malware got onto a "supposedly" secure machine, where the only mechanisms available were email or a USB memory stick. There are suggestions that someone most probably inserted an infected USB memory stick into the SWIFT server, which allowed cybercriminals to create an undetected backdoor. The cybercriminals were probably accessing the infected server for anywhere from a few weeks to a year.
- Insider threats most probably disabled the CCTV camera, which was not working on the weekend the criminal activity took place. There are tell-tale signs of sabotage which investigators believed strongly pointed to central bank employees or building maintenance contractors.
- Outsider threats had intimate knowledge of global banking and settlement processes, as they specifically targeted the central bank on a Friday, which in Bangladesh is a bank holiday; this meant nobody was available to detect and stop the fraudulent funds transfer.
- Outsider threats built and deployed malware which specifically targeted the SWIFT payment platform - suggestions were that nation-states might have been involved, as the malware was extremely sophisticated in that it covered the criminals' trail.
- Outsider threats knew that the Federal Reserve of New York has limited manpower to manually check for fraudulent payments, and also knew that there was no 24x7 hotline to alert its employees to halt fraudulent payments.
- Outsider threats created fake bank accounts at the Philippine bank one year before the heist - they corrupted the branch manager to create the fake accounts and immediately settle the transfer and convert it to cash. (She was arrested, but was probably a minor player in the grand heist.)
Now the interesting bit - how do you assess your vulnerability to business process compromise? The approach I advise is to identify your key business processes, whatever they are - payroll, HR, accounts payable, finance, etc. Bring together diverse groups from within your firm, and even your trusty security consultants, and ask them to let their minds run free. Ask the question: if they were to commit the ultimate white-collar crime within your firm, what would it be and how would they do it? Take note, as the scenarios might sound far-fetched and impossible, but with time and resources they are more than likely achievable.
Some methods to reduce exposure to business process compromise include:
- Listen to employee concerns in regard to insecure processes and systems.
- Perform criminal and employment history background checks on new employment candidates, including contractors.
- Monitor employee movements - in some industries employees are asked to detail their travel plans.
- Monitor employee wealth - financial theft is sometimes identified by employees living beyond their means.
- Carry out regular physical and cyber security assessments. (Yes, physical security too!)
- Audit employee access to facilities - both CCTV footage and electronic keycard access logs.
- Use simple Machine Learning (ML) in a wider context, such as incorporating physical security and IT system logs. (Out-of-hours access to sensitive platforms might give away signs of possible fraud.)
- Cyber security awareness - teach employees the tell-tale signs of phishing and social engineering. Build a culture where employees are encouraged to challenge suspect instructions.
- Human Resources should be vigilant about employee behaviour, in particular with repeat offenders that don't respect company policies.
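One way to start on the log-correlation idea above, as an added example that is not the author's code: a rule-based baseline (not ML, though the ML the post mentions would build on the same features) that joins constructed keycard and IT-system logs and flags logins to a sensitive platform that happen out of hours, on a non-business day, or with no badge record placing the user in the building. The working hours, the holiday date, the "payments" platform name and the log formats are all assumptions.

```python
from datetime import datetime
FMT = "%Y-%m-%d %H:%M"
BUSINESS_HOURS = (8, 19)   # assumed local working hours (08:00-19:00), Mon-Fri
HOLIDAYS = {"2016-02-05"}  # assumed bank holiday (constructed date, not from the case)
SENSITIVE = {"payments"}   # hypothetical platform name for the payment system

# Constructed sample logs: keycard events "ts,user,event" and IT logins "ts,user,platform,event".
BADGE_LOG = """\
2016-02-04 08:55,alice,badge_in
2016-02-04 17:40,alice,badge_out
2016-02-04 09:10,bob,badge_in
2016-02-04 18:02,bob,badge_out"""

SYSTEM_LOG = """\
2016-02-04 10:15,alice,payments,login
2016-02-04 11:00,bob,wiki,login
2016-02-04 22:47,bob,payments,login
2016-02-05 02:10,carol,payments,login
2016-02-06 11:30,alice,payments,login"""

def onsite_intervals(badge_log):
    """Pair each badge_in with the user's next badge_out -> {user: [(in, out), ...]}."""
    opened, intervals = {}, {}
    for line in badge_log.splitlines():
        ts, user, event = line.split(",")
        t = datetime.strptime(ts, FMT)
        if event == "badge_in":
            opened[user] = t
        elif event == "badge_out" and user in opened:
            intervals.setdefault(user, []).append((opened.pop(user), t))
    return intervals

def flag_logins(badge_log, system_log):
    """Return (timestamp, user, reasons) for sensitive-platform logins worth review."""
    onsite, findings = onsite_intervals(badge_log), []
    for line in system_log.splitlines():
        ts, user, platform, event = line.split(",")
        if platform not in SENSITIVE or event != "login":
            continue
        t = datetime.strptime(ts, FMT)
        reasons = []
        if t.weekday() >= 5 or ts[:10] in HOLIDAYS:
            reasons.append("non-business day")
        elif not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]:
            reasons.append("out of hours")
        if not any(start <= t <= end for start, end in onsite.get(user, [])):
            reasons.append("no matching badge presence")
        if reasons:
            findings.append((ts, user, reasons))
    return findings
```

Alice's Thursday login is not reported because it falls inside business hours and inside her badge-in/badge-out window; the other three payments logins are each reported with the reasons that apply.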
I hope you found this article of interest. Feel free to contact me if you would like to discuss further - I look forward to a good old chat!
Written by:
John Kouroutzoglou