{"id":7306,"date":"2017-04-11T04:31:26","date_gmt":"2017-04-11T12:31:26","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/11\/news-1097\/"},"modified":"2017-04-11T04:31:26","modified_gmt":"2017-04-11T12:31:26","slug":"news-1097","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/04\/11\/news-1097\/","title":{"rendered":"Bank gets lesson in the security failings of third parties"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt3.staticworld.net\/images\/article\/2017\/04\/fail_stamp-100717316-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman | Date: Tue, 11 Apr 2017 04:00:00 -0700<\/strong><\/p>\n<p>The most effective cyberattacks turn the tables on the security measures we take to ward off attacks. We\u2019re always countering the attacks that have worked in the past, rarely thinking about the opportunities our countermeasures might open up.<\/p>\n<p>And opportunities always abound. If malware is being delivered via attachments, we put out memos forbidding employees from opening attachments from strangers. Cybercriminals see this, and they move to spear phishing \u2014 sending attachments in emails that appear to come from the recipients\u2019 close co-workers. So then we warn employees not to open an attachment unless it was expected. All right, say the attackers; we\u2019ll just <a href=\"http:\/\/www.computerworld.com\/article\/3175058\/security\/a-better-security-strategy-than-know-your-enemy-know-your-co-workers.html\">wait for an attachment heads-up and then launch our attack<\/a>.<\/p>\n<p>What brings this to mind is a recent attack on a Brazilian bank. We\u2019ve all been warned to make sure that the sites we visit are the intended ones \u2014 not altered by a strategically placed typo \u2014 and those warnings are especially important when it comes to banking sites. Attackers, of course, know that we\u2019ve been trained to be wary. 
So the Brazilian thieves didn\u2019t attack the bank directly \u2014 well, they did, but only after they had attacked the bank\u2019s DNS provider. Controlling the bank\u2019s DNS records let them redirect its domains to servers they controlled and obtain valid digital certificates for those domains, so visitors saw the right address and a valid certificate.\u00a0<em>Then\u00a0<\/em>they went after the bank\u2019s customers, serving malware that disabled antivirus software.<\/p>\n<p>A\u00a0<a href=\"http:\/\/www.darkreading.com\/attacks-breaches\/cybercriminals-seized-control-of-brazilian-bank-for-5-hours\/d\/d-id\/1328549?_mc=RSS_DR_EDT&amp;utm_source=dlvr.it&amp;utm_medium=twitter\">story detailing this attack in Dark Reading<\/a>\u00a0noted that \u201ccustomers accessing the bank\u2019s online services were hit with malware posing as a Trusteer banking security plug-in application. The malware harvested login credentials, email contact lists, and email and FTP credentials.\u201d<\/p>\n<p>The bank and the DNS provider did apparently make some mistakes \u2014 and mistakes are a great way to learn, especially if they are made by someone else. First, the bank had declined to use the DNS provider\u2019s two-factor authentication. Had it done so, the attack might never have worked: stolen or phished passwords alone would not have been enough to change the bank\u2019s DNS records.<\/p>\n<p>Second, the DNS provider, according to Kaspersky Lab, had patched a cross-site request forgery flaw on its site, Dark Reading said. That flaw, coupled with a phishing email sent to the DNS firm, may have provided the initial access before the patch was applied.<\/p>\n<p>This is a reminder of how dependent companies are on their business partners. You can secure your systems and your people brilliantly, but if a supplier, distributor, DNS provider, cloud provider or contractor is compromised, so are you.<\/p>\n<p>Unfortunately, this huge hole in your security strategy can\u2019t be closed by having Legal add a few extra clauses to your standard partner contract. It\u2019s no longer adequate to set security specifications for your partners. 
You must have mechanisms in place to periodically test them \u2014 unannounced, ideally \u2014 and impose real penalties when holes are found.<\/p>\n<p>The intent is not to be punitive. The goal is to force all partners to take their security as seriously as you do.<\/p>\n<p>Oh, one other thing. If a partner offers you better security \u2014 as in two-factor authentication \u2014 take it up on it. The bank\u2019s refusal won\u2019t play well in a courtroom if lawsuits result from this attack.<\/p>\n<p>Given that we are talking policy, you might want to consider a rule that no one can decline a partner\u2019s extra security offer without several levels of approval. In writing. Nothing makes employees take security more seriously than the threat of paperwork.<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3188531\/security\/bank-gets-lesson-in-the-security-failings-of-third-parties.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt3.staticworld.net\/images\/article\/2017\/04\/fail_stamp-100717316-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman | Date: Tue, 11 Apr 2017 04:00:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>The most effective cyberattacks turn the tables on the security measures we take to ward off attacks. We\u2019re always countering the attacks that have worked in the past, rarely thinking about the opportunities our countermeasures might open up.<\/p>\n<p>And opportunities always abound. If malware is being delivered via attachments, we put out memos forbidding employees from opening attachments from strangers. Cybercriminals see this, and they move to spear phishing \u2014 sending attachments in emails that appear to come from the recipients\u2019 close co-workers. So then we warn employees not to open an attachment unless it was expected. 
All right, say the attackers; we\u2019ll just <a href=\"http:\/\/www.computerworld.com\/article\/3175058\/security\/a-better-security-strategy-than-know-your-enemy-know-your-co-workers.html\">wait for an attachment heads-up and then launch our attack<\/a>.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3188531\/security\/bank-gets-lesson-in-the-security-failings-of-third-parties.html#jump\">To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10629,11072,714],"class_list":["post-7306","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cyberattacks","tag-cybercrime-hacking","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7306"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7306\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7306"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=
7306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}