In early December 2016, and following a hack of its central bank, Russia is believed to have lost US$31 million, which is an amount less than the hackers initially targeted, according to media reports.
In echoes of the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system hack earlier that year, in which criminals stole US$81 million of a targeted US$1 billion-plus from the Bangladesh central bank, the incident in Russia saw cyber threat actors attempt to steal a total equivalent to approximately US$78 million.
According to reports, the hack was carried out using falsified client credentials, though the bank has provided few further details regarding the hackers’ methodologies. As a result of the attack, Russia says that it is now fortifying its defences as far as cyber security goes, particularly in light of a potential increase in what may be described as state-sponsored incidents in the face of accusations raised against Russia that it may be using cyber attacks itself as a political tool abroad.
Since 2015, Ecuador, the Philippines, Bangladesh, and Vietnam have suffered similar breaches of their central banks, and it would appear that the trend is only becoming more rampant as hackers grow bolder (and security measures remain relatively stagnant). The International Monetary Fund has warned that emerging market economies are at higher risk partly due to complications with correspondent banking relationships.
Interconnectivity – be it with respect to digital networks in general or banking systems specifically – needs to take into consideration the cascading effects of a breach and mitigate against them. Given that the latest incident in Russia was likely orchestrated using falsified client credentials, which has become a preferred method of bank system hacking, the use of multi-factor authentication for accounts is advised, so that even if a password is stolen and access to a system gained, the hackers are not able to access any accounts or make any transactions without the corresponding token or biometric for the account.
This way, unauthorised transactions cannot occur without the complicity of an insider (i.e. the account administrator). We believe that the use of multi-factor authentication, in combination with diligent asset management of authentication tokens, is a compelling approach to minimising cyber breaches in a financial services environment.
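The argument above is that a stolen password on its own should not be enough to release a payment. As an added illustration, not code from the original article, the Python block below shows a simplified transfer-authorisation check that requires both the account password and a time-based one-time code (TOTP, RFC 6238) from the account holder's token, and that rejects a code once it has been used. The account name, password and salt are constructed, and the TOTP secret is the published RFC 6238 test key rather than a real one.

```python
"""Added example: transfer authorisation gated on password + TOTP second factor.

Account data, password and salt are constructed for illustration; the TOTP secret
is the RFC 6238 test key, not a production value.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step
DIGITS = 6          # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP keyed on the current time step."""
    return hotp(secret, at_time // step)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation so a leaked account store does not yield passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample account store (hypothetical account name, password and salt).
_SALT = b"constructed-salt"
ACCOUNTS = {
    "treasury-ops": {
        "password_hash": hash_password("correct-horse-battery", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test key, not a real secret
        "used_steps": set(),                     # time steps whose code was already accepted
    }
}


def authorize_transfer(account: str, password: str, otp, now: int, window: int = 1):
    """Return (authorised, reason). `now` is Unix time, passed in for testability.

    Both factors must pass. Unknown account and wrong password return the same
    reason so the response does not reveal which accounts exist.
    """
    record = ACCOUNTS.get(account)
    if record is None:
        hash_password(password, _SALT)  # burn the same KDF cost for unknown accounts
        return False, "bad credentials"
    if not hmac.compare_digest(hash_password(password, _SALT), record["password_hash"]):
        return False, "bad credentials"
    if not otp:
        # Password alone is never sufficient: the token-derived code is required.
        return False, "second factor required"
    current_step = now // STEP_SECONDS
    # Accept codes from adjacent steps to tolerate small clock drift on the token.
    for step in range(current_step - window, current_step + window + 1):
        if hmac.compare_digest(hotp(record["totp_secret"], step), otp):
            if step in record["used_steps"]:
                # Codes are single-use: a replayed code is rejected even inside the window.
                return False, "second factor already used"
            record["used_steps"].add(step)
            return True, "authorised"
    return False, "bad second factor"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the code for this step is 287082
    code = totp(ACCOUNTS["treasury-ops"]["totp_secret"], t)
    print(authorize_transfer("treasury-ops", "correct-horse-battery", None, t))
    print(authorize_transfer("treasury-ops", "correct-horse-battery", code, t))
    print(authorize_transfer("treasury-ops", "correct-horse-battery", code, t))  # replay
```

The design point is that the password check and the token check are independent: compromising the credential store or phishing the password yields "second factor required", never a released transfer, and the used-step set prevents a captured code from being replayed within its validity window.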
It is also recommended that institutions adopt a proactive approach to cyber security in which they assume a state of breach, so that defences and mitigation mechanisms are in place to minimise the disruption caused by any cyber security incident before it happens rather than after, as was the case with the Central Bank of Russia.
This is an area in which financial institutions across the Middle East could look to improve, as assuming a proactive cyber security position is often a wiser and more cost-effective measure than looking to patch or recover once a cyber incident has occurred.
The banking and finance sector is of strategic significance to the Middle East, but is clearly an economic area heavily targeted by cyber criminals looking to steal, extort, or corrupt digital information with the view to benefit financially. Recent examples of attempted and successful breaches bear testament to this trend.
Across the region, cyber security generally remains an area of concern with a recent industry report (Norton Cyber Security Insights Report) estimating that the financial cost of cyber crime to the UAE alone had reached US$1.4 billion by December 2016, an increase of 4.9 per cent year-on-year.
Globally, the financial cost decreased by 16 per cent to US$125.9 billion during the same period, the report estimates, highlighting that in the UAE, and indeed other markets across the region, financial institutions need to take proactive steps to defend and secure their digital assets from internal and external cyber threats.
This is best achieved through a cyber threat management and mitigation programme, which can be established in a three-part process encompassing visibility, intelligence and integration.
Visibility means the financial institution truly understanding the configuration of its network and, most importantly, who has access to it. Large institutions, in particular, often maintain networks patched together over decades, running different generations of software. It's a simple truth that one can't protect what one doesn't understand; thus, a thorough audit is vital at the start of any mitigation process. Sophisticated mapping software can certainly accelerate this process, but ultimately a comprehensive audit requires people on the ground to ask the right questions and to locate servers and access rights.
Intelligence relates an individual system's characteristics to the known threats and to the network's vulnerabilities in relation to them. It takes the threat intelligence gathered in the risk assessment process and relates it to the specifics of the organisation's system.
Integration aggregates the information found in the first two phases and displays it in a format that can be readily understood by decision makers to enable them to act quickly. In particular, attacks should be logged and diagnosed in a systematic fashion. Armed with a complete picture, a financial institution should then be able to create a continuous monitoring and mitigation capability supported by intelligence and securely integrated technology, which, working together, can help reduce the number of successful breach attempts.