There are many serious cybersecurity threats from expert hackers. However, you don’t have to be an expert to cause businesses major losses, Rik Turner tells Ouida Taaffe.
Hackers don’t usually try to hit cybersecurity specialists. It’s a bit like a vulture going after an eagle. There’s no obvious weakness to exploit. But not all hackers are looking for an easy meal.
For example, FireEye (now Trellix) was set up to protect government entities and large corporates online. So, it was an unpleasant surprise when FireEye announced in December 2020 that it had come under a successful ‘state-sponsored attack’. The hackers gained access to some of the tools that FireEye used to protect its customers.
What can hackers do?
But you don’t need to be a sophisticated state actor to launch a successful cyber attack.
“A classic example is Log4j, a widely used open source logging tool from Apache,” says Rik Turner, Principal Analyst at research group Omdia.
“There was an exploit kit on the dark web within 15 minutes of the vulnerability being found. There’s so much readily available armoury that costs pennies on the dollar.”
Are the cloud providers secure?
Hyperscalers like AWS, Microsoft Azure and Google Cloud stress that they invest the resources to be safer than a client on its own could be. Google recently announced the US$5.4bn acquisition of cybersecurity firm Mandiant, which was spun out of FireEye.
“They legitimately claim they’re safe,” says Turner. “But they’re only safe until they’re not.”
And even the best technology is no guarantee. The 2019 data breach at US bank Capital One was carried out by an AWS insider.
The security industry is always playing catch-up
If well-resourced cybersecurity experts can’t protect their own assets, what hope is there for everyone else?
Turner says that the cybersecurity industry is always playing catch-up.
Cybersecurity firms started out around 20 years ago providing anti-virus software that required at least one customer to become ‘patient zero’, Turner says. That ‘infection’ allowed the company to identify and respond to the threat, to the benefit of all their other customers.
But, as the number of viruses mushroomed, that wasn’t enough. The industry started to work on the assumption that there had been a breach and used AI to find the breach as quickly as possible. Again, over time, attackers found cracks in that strategy.
Zero trust cybersecurity
Now, Turner says, the only way for firms to address the sheer number of threats is to “reduce the attack surface and quantify what is still exposed.”
The approach is proactive and ‘zero trust’. “You shut down everything you can,” says Turner. “If you provide access to a database, then only after thorough ID checks and for a limited time. It’s ‘institutionalised paranoia’.”
Open Banking and cybersecurity
But under UK regulation, all major banks in the UK are required to facilitate open banking via application programming interfaces (APIs). Is that a security threat?
“Firms often use third-party APIs and any API is only as secure as the coder made it,” says Turner.
There are tools to check security while the API is in development and in production (i.e. at runtime), but even a solid API can still face problems. “Bad actors can increasingly put in millions of bogus API calls that block access,” says Turner.
Open-source software and bank cybersecurity
Then there is open-source software.
“It would make good sense for financial institutions to take a long, hard look at the open software components of their apps,” says Turner.
Many firms use free open-source (OS) libraries for software components. “You import it, string it together, include some unique code and then you can go into production,” says Turner. “The problem is that developers are typically rewarded for speed, not security.”
“You could make a strong argument for large banks to send developers to participate in OS communities, who will create rules whereby secure code can be built up-front.”
The message, Turner says, is to trust nothing and no-one.