WE’RE HEARING...that the Chinese military may be responsible for attempts to hack into the databases of U.S. corporations, which is starting to rattle some cages in the financial industry, including lenders.
The problem is that cyberattacks from foreign governments represent a potentially more sophisticated threat than corporations are used to facing. These aren’t your typical thieves looking to steal credit card or Social Security numbers. And they certainly aren’t kids just testing their hacking chops as part of a nerdy thrill ride.
Recently, computer security firm Mandiant reported that a Chinese military computer hacking unit was found stealing “hundreds of terabytes” of data from U.S. organizations, including some large financial firms. The report did not name which financial firms got hit, but some companies in other industries—including Apple and Google—have acknowledged being targeted by sophisticated hacking schemes.
The fact that their targets go beyond U.S. government and military systems represents something of a new twist on cyber security. And according to the Mandiant report, there may be dozens of other entities backed by foreign governments that are attempting to break through corporate cyber security walls to steal business secrets and consumer information from U.S. businesses.
Mario Santana, vice president of secure information services at Verizon Terremark, said financial services firms need to get used to a new world in which they face consistent security threats that target “anyone with assets to protect.”
“It is still definitely an emerging discipline about how to defend against this kind of threat,” he told me.
Protecting against those “persistent, targeted” threats requires firms to go beyond the traditional firewalls, anti-virus software and identification systems that are the foundation of cyber security. It requires computer security experts to engage in the same level of persistence, perseverance and creativity shown by the hackers themselves.
Threats from well-organized, international organizations bent on stealing business or consumer secrets, or making unauthorized fund transfers, can cause a lot of damage. And the people behind these threats don’t give up easily.
“The bottom line is there is a guy on the other end of the line who is trying to make something bad happen,” Santana told me.
That means business leaders have to bring the same level of persistence and motivation to the defensive end of the game, hiring “creatively engaged defenders” to protect a company from cyber security threats.
To what extent does cloud computing affect cyber security? Pointing out that what we call “the cloud” is really a network of high-capacity computers, Santana says that cloud security is fundamentally not that different from the sort of security financial firms would have to employ in-house to protect their internal systems.
But the cloud does pose tactical differences, he said. Because companies have data on shared machines, anyone who infiltrates those computers to look at someone else’s data is one step closer to your own data. Firms that rely on cloud computing really need to hold their cloud providers accountable and keep tabs on how they maintain a separation of data, Santana said.
On the positive side, cloud providers can afford to hire world-class security teams and implement the most up-to-date security technology, Santana noted. While many big banks might be able to afford to build high-level security systems, that often isn’t the case for smaller financial firms.
As both the Mandiant report and Terremark’s own research suggest, not all threats are external. Lenders have to worry about rogue employees or contractors in their own houses who could steal sensitive information. But when it comes to the “persistent” threats posed by well-organized and possibly criminal organizations, the lines between internal and external threats begin to blur. That’s because the people behind “persistent” security threats may try to plant someone in your organization or bribe someone for access.
Another change in the dynamic of cyber security threats is their target. Financial organizations have long realized that criminals may try to make unauthorized transfers of funds, but some of the new cyber hackers are more interested in stealing information.
That information may include merger and acquisition plans, contract bidding, and technology secrets. In that sense, some of the new cyber threats are as likely to inflict strategic damage on a corporation as financial damage.
That is part of a tectonic shift in the security landscape. Santana said that these organized, persistent threats require business leaders to change the way they think about protecting access to their systems.
“We are dealing with bad guys, not bad code. These are very motivated bad guys,” he said.
Ted Cornwell has covered the mortgage markets since 1990. He is a former editor of both Mortgage Servicing News and Mortgage Technology.