Information security is pertinent to all businesses, across all industries. At times it is fully applied, and at other times it is lacking. An example of the latter was the breach of the Office of Personnel Management in 2014, with over 21M personnel records stolen (Gordon, 2016). Although devastating for the consumer victims, this is likewise a concern for the targeted business. As of mid-2016, there was one industry that was being targeted more often than not. The recent example was directed at the banking industry globally and involved the Swift network.
Another global example familiar to the US involves weak cybersecurity in the banking system and the Federal Deposit Insurance Corporation (FDIC).
Attack Period
The target of the attacks was rather unique. For the most part, an attacker is seeking data that could be sold on the dark web or elsewhere, so the focus may be on a business holding credit card numbers, personnel records, or health records. In this instance, the FDIC itself was the target of the cyber-attack. At times these attacks are a single occurrence, with the attacker breaching the system during one prolonged attack. In other circumstances there may be a limited number of contacts, with the attacker pulling the greatest amount of data for sale later. In this occurrence, however, the attacks occurred in 2010, 2011, and 2014 (Lange & Volz, 2016; Sputnik, 2016; Gordon, 2016). This was a rather extended attack and allowed the attackers ample time to peruse the files and servers at the FDIC.
Perpetrators
Clearly this was a well-researched and planned attack, given the target: a federal entity. The higher the risk and the more valuable the data involved, the more research may go into the enumeration of the target. This attack was investigated internally by the FDIC IT department. There was data left behind by the attackers, and the data and research indicated the source of the attack was Beijing (Lange & Volz, 2016; Sputnik, 2016; Gordon, 2016). The attack took the form of an advanced persistent threat (APT) (Gordon, 2016).
How the Continued Attacks Were Successful
The attacks covered a three-year period, which is not the normal attack. In most other organizations, the attack would on some level have at least been noticed. In this case, there was a distinct lack of cyber-security effort (Lange & Volz, 2016) and reporting.
This continued to be an issue due to one glaring problem. The employees at the FDIC elected to actively hide the breach activities (Lange & Volz, 2016). This was an overt, deceitful act (Pagliery, 2016) intended to mislead the remainder of the department and American society. Hiding this glaring and important issue was inept (Pagliery, 2016). This act was not done by one person but by many people in the department.
What makes this a borderline unconscionable, heinous act is that the FDIC's top lawyers told the employees not to discuss the hacks via email. This directive was handed down by licensed attorneys who took the oath, so that there would not be a document trail. This is further exacerbated in that the CIO at the time actively misled the FDIC auditors as to the extent of the breach (Elfling, 2016; Blake, 2016). This was at best ill-advised. The action only served to further expose confidential information and allow the attackers free rein over the system. This has effectively eroded any trust that was left in the US government.
Had a business in the US suffered a breach or series of breaches allowing sensitive, confidential information to be actively exfiltrated from the business, and then actively covered up the breaches, there would have been a decidedly different result. The FTC would probably be diving very deeply into the business, applying an intense amount of pressure, and threatening legal action.
This inaction, especially when the attacks were clearly known, was not prudent. The main rationale for it was brought to light much later: the attacks were covered up expressly to protect the job of the Chairman of the FDIC (Lange & Volz, 2016). At the time the Chairman was Martin Gruenberg.
The attack itself, over the years, was rather widespread. An attacker in general may look for one or two areas in an organization to attack, areas that hold high-profile or confidential information, such as finance or payroll systems. In this instance, though, that was not the case. The targets were 12 FDIC workstations and 10 servers over the years (Pagliery, 2016). The workstations were also varied in that they were not the usual targets, but included mainstream systems as well as those of executives (Sputnik, 2016). Overall, an estimated 100 computers were breached in the years since the first attack (Borak, 2016). Unfortunately, this was not the extent of the issue. There were also backdoors installed on the workstations and servers (Elfling, 2016; Gallagher, 2016).
Benefits to the Attacker
This was not an attack simply for its own sake, or for the attacker to satisfy curiosity as to what was behind the wall. There was a distinct purpose in mind for the time and effort. The point of the attack was that the perpetrators were apparently looking for "economic intelligence" (Lange & Volz, 2016). This is much like the earlier period when the Chinese were "allegedly" hacking defense contractors for plans and schematics.
Remediation
After the report was published, naturally a significant amount of attention was paid to it, especially to the persons covering up the breaches. In response, the agency scheduled its policies to be updated. As part of this endeavor, the IT group is preventing users from using USB drives, CDs, etc. on their systems (Borak, 2016). The FDIC is also planning to upgrade its software. In addition, the FDIC IT group is working on a policy for employees who are leaving FDIC employment. The plan is to have this done by October 28, 2016.
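Blocking removable media is one of the few concrete technical controls the remediation describes. The script below is an added illustration, not the FDIC's own configuration: it generates a Linux modprobe policy that refuses to load the usb-storage kernel module, writes it into a modprobe.d-style directory, and audits whether such a directory already blocks the module. The directory argument, file name, and use of /bin/false as the "install" target are assumptions chosen so the policy can be generated and checked without touching a live system.

```shell
#!/bin/sh
# Added example (not from the original article or the FDIC): generate and audit
# a modprobe policy that denies USB mass storage on Linux.

# Print the policy text. "install usb-storage /bin/false" makes any attempt to
# load the module run /bin/false instead, so the module never loads.
removable_media_policy() {
    cat <<'EOF'
# Deny removable mass storage: loading usb-storage runs /bin/false instead.
install usb-storage /bin/false
blacklist usb-storage
EOF
}

# Write the policy into a modprobe.d-style directory.
# Assumption: the target directory defaults to /etc/modprobe.d, which needs root;
# pass a scratch directory to try it out unprivileged.
write_removable_media_policy() {
    dir="${1:-/etc/modprobe.d}"
    mkdir -p "$dir"
    removable_media_policy > "$dir/99-deny-usb-storage.conf"
}

# Audit: exit 0 when some .conf in the directory maps usb-storage to /bin/false
# or /bin/true (both are accepted deny patterns), exit 1 otherwise.
# grep -s keeps a directory with no .conf files from printing an error.
audit_removable_media_policy() {
    dir="${1:-/etc/modprobe.d}"
    grep -qsE '^install[[:space:]]+usb-storage[[:space:]]+/bin/(false|true)([[:space:]]|$)' "$dir"/*.conf
}

# Usage when run directly: audit a directory given on the command line, or
# the real modprobe.d if none is given.
if [ "${0##*/}" = "deny-usb-storage.sh" ]; then
    if audit_removable_media_policy "$1"; then
        echo "usb-storage is blocked"
    else
        echo "usb-storage is NOT blocked"
    fi
fi
```

The audit deliberately checks for an "install" line rather than only a "blacklist" line: blacklist stops automatic loading by alias but does not stop an explicit modprobe, whereas the install override does.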
This may correct inadequacies and vulnerabilities; however, it completely misses the systemic issues with management, the lack of ability to do the right thing, and licensed attorneys directing that the issue be covered up.
Troubling
This intentionally deceitful set of acts is troubling and problematic on many levels. The FDIC intentionally hid the attacks and breaches over several years, and this was directed at many levels. Clearly it was fraught with problems, as the public was misled indirectly. Although no direct lie was told to the public, by hiding this the agency was misleading the government, the people, and institutions.
The attacks went on for years. The extent of the attacks and of the data viewed or exfiltrated may never be known. The FDIC does provide external-facing data and statistics for the public to view. There is, however, more data that is confidential, and the attackers may have accessed it at their leisure.
This was hidden by all layers of the FDIC, from the C-suite and corporate attorneys downward. When the leadership is hiding this level of error from the public and all other agencies to protect one person, there is something inherently and systemically wrong. When the CIO and FDIC attorneys directly and overtly direct the staff to hide the breach of the system and of confidential information, the problem is not isolated but lies with the organization.
What is most troubling is that this has not been widely noted in the news. A foreign country may have confidential data regarding the US banking industry. This is serious, yet there has not been a mass amount of media coverage, and in a short period it may be forgotten by the public. What has not been brought forward is what the other nation could do with this information and data. What would happen to the banking industry if that nation used the data from the breach in a detrimental, persistent manner? This should make people concerned, yet it has been reduced in focus.
References
Asadorian, P. (Publisher). (2016, July 14). Security Weekly [Podcast]. Retrieved from https://securityweekly.com
Blake, A. (2016, July 13). FDIC let down its cyber defenses despite being hacked by Chinese: House panel. Retrieved from http://www.washingtontimes.com/news/2016/jul/13/fdic-let-down-its-cyber-defenses-despite-being-hac/
Borak, D. (2016, July 14). Top FDIC officials weren't fully informed on computer hacks, chairman says. Retrieved from http://www.wsj.com/articles/top-fdic-officials-werent-fully-informed-on-computer-hacks-chairman-says-1468514182
Daily Star. (2016, July 14). US banking regulator updates cyber security after data breach: Chairman. Retrieved from https://www.dailystar.com.1b/News/World/2016/Jul-14/362070-us-banking-regulator-updates-cyber-security-after-data-breach-chairman.ashx
Elfling. (2016, July 13). FDIC hacked by China, and CIO covered it up. Retrieved from http://www.dailykosbeta.com/story/2016/07/13/1394681/--FDIC-was-hacked-by-China-and-CIO-covered-it-up
Gallagher, S. (2016, July 13). FDIC was hacked by China, and CIO covered it up. Retrieved from http://arstechnica.com/security/2016/07/fdic-was-hacked-by-china-and-cio-covered-it-up/
Gordon, M. (2016, July 13). Chinese government suspected of hacking into FDIC computers. Retrieved from http://phys.org/news/2016-07-chinese-hacking-fdic.html
Lange, J., & Volz, D. (2016). Likely hack of U.S. banking regulator by China covered up: Probe. Retrieved from http://www.reuters.com/article/us-cyber-fdic-china-idUSKCN0ZT20M
Mimoso, M. (2016, July 13). Congressional report: China hacked FDIC and agency covered it up. Retrieved from https://threatpost.com/congressional-report-china-hacked-fdic-and-agency-covered-it-up/119276/
Pagliery, J. (2016, July 13). China hacked the FDIC, and US officials covered it up, report says. Retrieved from http://money.cnn.com/2016/07/13/technology/china-fdic-hack/index.html
Reuters. (2016, July 14). Why the FDIC is updating its cyber security policy after this data breach. Retrieved from http://fortune.com/2016/07/14/fdic-data-breach-cyber-security/
Sputnik International. (2016, July 13). China likely behind multiple computer breaches at US bank insurer. Retrieved from http://sputniknews.com/us/20160713/1042917703/us-cyber-security.html