STANBIC’S NATURINDA MAKURU: Confronting Fraud and Cyber Security Risks

BY HOSEA NATURINDA MAKURU

In his multi-volume work, The Phases of Human Progress, George Santayana asserts that progress, far from consisting in change, depends on retentiveness: those who cannot remember the past are condemned to repeat it.

To articulate any meaningful proposal for confronting fraud and cyber security risk, especially in the 4th Industrial Revolution (4IR), it is necessary to revisit the key incidents whose sophistication in orchestration and scale of impact have in many ways shaped current trends in cyber security practice.

The recap also provides a glimpse into the character of the adversary through his works. Over the weekend of February 5, 2016, cyber criminals attempted to steal $951M from the central bank of Bangladesh in a well-organized and highly coordinated cyber-attack.

Although a significant fraction of the fraudulent transaction instructions were halted, largely due to a series of spelling and formatting errors, and the money recovered, $81M was cashed out through banks in Southeast Asia.

Now known as the billion-dollar central bank heist, it remains the largest cyber heist on record. Several other banks have suffered similar attacks over the last five years, among them Banco del Austro (BDA) in Ecuador ($12M), Vietnam’s Tien Phong Bank ($1.13M), NIC Asia Bank of Nepal ($4.4M) and Cosmos Co-operative Bank of India ($14M).

Travelex, the world’s largest foreign exchange bureau, was hit by a ransomware attack in the final week of December 2019. The attack took several critical systems offline, severely crippling global operations for two weeks, and eventually cost the company up to $35M in ransom and fines.

The incident, coupled with the impact of COVID-19 on air travel, forced Travelex into bankruptcy four months later. On Friday May 12, 2017, computers running Microsoft Windows began to fail, displaying a message that the user’s files had been encrypted, along with an address to which Bitcoin must be paid to recover them.

This ransomware attack, WannaCry, quickly escalated into a worldwide cyber-attack affecting more than 200,000 computers across 150 countries within four days, severely disrupting several industries, among them health care, travel, telecommunications, manufacturing and financial services.

The cyber-risk-modeling firm Cyence estimated the global economic losses from WannaCry at $4 billion. SolarWinds, a major technology firm that provides IT management software, was compromised in a major cyber-attack through its Orion software.

The global attack, first publicly reported on December 13, 2020, had a blast radius of at least 18,000 organizations, with several breaches beginning as early as March 2020.

This supply chain attack and its ensuing data breaches are now considered among the worst cyber-espionage incidents, due to the sensitivity and profile of the targets and the duration (eight to nine months) for which the attackers had access.

On May 7, 2021, the oil pipeline company Colonial suffered a ransomware attack that impacted the computer equipment managing the pipeline, resulting in a billing failure and a shutdown of pipeline operations that caused massive fuel shortages lasting up to a week.

The attackers exfiltrated 100Gb of data, which they threatened to make public if the ransom was not paid, in an elaborate double extortion scheme. It is reported that $5M was paid in Bitcoin to resolve the stand-off.

According to the Uganda Police crime report for 2020, a total of 256 cybercrime cases were reported, compared to 248 cases in 2019 and 198 cases in 2018, representing a 63% jump in two years. Over Shs 15.9bn (approx. $4.5M) was stolen in 2020, compared to Shs 11.9bn (approx. $4M) stolen from commercial banks and telecom companies through fraudulent mobile transactions in 2019.

According to the latest Verizon Data Breach Investigations Report (2021), financially motivated attacks continue to be the most common, and organized crime continues to be the number one perpetrator.

According to a Cyber and Information Security Consortium report, cybercrime costs the world over $1 trillion overall (the cumulative cost of cyber incidents added to the economic outlay on security measures), equivalent to 1% of global GDP, and cyber security failure accordingly features among the World Economic Forum’s top 10 global risks for 2021.

The impact of COVID-19

There was a notable surge in cyber-attacks in 2020 as threat actors capitalized on the global pandemic to compromise computers and mobile devices with malware, steal credentials and execute financial scams.

Overall, the volume of phishing email traffic went up 200%, over 46,000 phishing sites were brought online per week, and malware-related incidents shot up 48% from 2019. This increased exposure is attributed to three common causes:

  • Lockdowns limiting travel fueled a surge in online shopping. At one point Amazon suspended shipping of non-essential items in favour of household staples and medical supplies, and listed 100,000 more delivery jobs.
  • Attack surfaces changed and expanded rapidly as many organizations and businesses went digital without much preparation, coupled with large-scale adoption of work-from-home technologies. At the height of the pandemic, Satya Nadella of Microsoft remarked that we had seen two years’ worth of digital transformation in two months.
  • Anxiety, fear and panic, fueled by disinformation and fake news, drove an increase in online searches for pandemic-related details, further exposing unsuspecting users to ransomware cartels.

However, according to Rob Lefferts, corporate vice president for Microsoft 365 Security, deeper analysis of global data shows that these COVID-19 themed threats were retreads of existing attacks, slightly altered to tie in to the pandemic. Lefferts added that this meant we were seeing a change of lures, not necessarily a surge in new attacks.

Why is Cyber Risk Accelerating?

The original scientific objective of the internet was to get computers talking to each other for research and academic endeavors.

Today it is completely integrated into all aspects of our lives, anchoring a new era of global digital commerce. Inevitably, organized crime has followed the migration of value from physical stores online, automating and taking advantage of the popularity of email and the sheer size of the internet to achieve cybercrime at a scale eclipsing the drug cartels. In addition to the fundamental design challenges of the internet, below are some of the factors responsible for this trend.

Technology Lag and the Complexity of modern business systems architecture

It is not uncommon to find critical business systems running on Windows Server 2003 and Windows XP more than six years after Microsoft officially retired the platforms and stopped supporting them. This, coupled with modern multi-platform and multi-vendor environments where interfaces are opened up and legacy and new systems are tightly coupled to respond to a myriad of customer requirements, creates an environment that is difficult to patch routinely and sustainably, even when critical patches or fixes are released in response to known exploitable vulnerabilities.

Skills Shortage

The Global Information Security Workforce Study conducted by the Center for Cyber Safety and Education in 2017 projected a global shortfall of 1.8M infosec workers by 2022. Over the years this has escalated exponentially, and the (ISC)² Cybersecurity Workforce Study at the end of 2020 reported that the shortage now stood at 3.12 million. The reality is that we are not producing enough people to confront this challenge.

Increasing Availability and Sophistication of Attack tools

This is mainly due to the failure of security agencies to protect their treasure troves of security research. For example, the NSA breach that led to the cybercrime outfit the Shadow Brokers stealing and publishing exploits such as EternalBlue eventually led to the WannaCry global cyber-attack in 2017. This, coupled with attack tools for hire and attack software as a service available on the dark web, further extends the threat landscape.

Proliferation of the Internet of Things (IoT)

These are devices embedded with software, sensors and network connectivity, enabling them to collect and exchange data (e.g., cameras, home entertainment systems, kitchen appliances and wireless routers).

IoT operating systems rarely receive security patches and updates, and some IoT devices do not have sufficient compute power to support firewalls and anti-malware. Many also ship with default maintenance passwords, effectively backdoors, that often remain unchanged.

In the Mirai IoT botnet incident that brought down the global DNS infrastructure in August 2016, the attackers built a botnet army of half a million devices by running a simple script against devices on the internet that attempted to log in with 61 known IoT default passwords. Whenever a login succeeded, the device was infected with malware.
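The defender's counterpart to the credential-guessing script described above is twofold: spot the guessing in device login logs, and audit one's own fleet for factory credentials before someone else does. The following is an added example written for this article, not code from the author or from Stanbic; the syslog-style log format, the sample log lines and the short default-credential list are all constructed for illustration (the list is not the real Mirai list).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records in a syslog-like format (not from any real device).
SAMPLE_LOG = """\
2016-08-01T10:00:01 device01 login: FAILED user=root from=198.51.100.7 svc=telnet
2016-08-01T10:00:02 device01 login: FAILED user=admin from=198.51.100.7 svc=telnet
2016-08-01T10:00:02 device01 login: FAILED user=root from=198.51.100.7 svc=telnet
2016-08-01T10:00:03 device01 login: FAILED user=support from=198.51.100.7 svc=telnet
2016-08-01T10:00:04 device01 login: FAILED user=admin from=198.51.100.7 svc=telnet
2016-08-01T10:00:05 device01 login: OK user=admin from=198.51.100.7 svc=telnet
2016-08-01T10:00:09 device01 login: FAILED user=alice from=203.0.113.9 svc=ssh
2016-08-01T10:07:30 device01 login: OK user=alice from=203.0.113.9 svc=ssh
"""

# Assumed log line layout: "<iso-timestamp> <host> login: <OK|FAILED> user=<u> from=<ip> svc=<service>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) from=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_credential_guessing(events, window=timedelta(seconds=60),
                               min_failures=4, min_users=2):
    """Flag a source address that racks up many failures across several usernames
    in a short window. A success from the same source after the burst is recorded,
    because that is the case where the device has most likely been taken over."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "FAILED"]
        for i, first in enumerate(failures):
            # Sliding window anchored at each failure; list is already time-ordered.
            in_window = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            users = {f["user"] for f in in_window}
            if len(in_window) >= min_failures and len(users) >= min_users:
                burst_end = in_window[-1]["ts"]
                success_after = any(e["result"] == "OK" and e["ts"] >= burst_end for e in evs)
                alerts.append({"src": src, "failures": len(in_window),
                               "users": sorted(users), "success_after": success_after})
                break  # one alert per source is enough for triage
    return alerts


# Constructed, illustrative factory credential pairs; a real audit would load the
# vendor's published defaults for each product line.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("user", "user")}


def audit_device_credentials(devices):
    """Return the names of devices whose configured credential is still a factory default.
    `devices` maps device name -> (username, password) from the owner's own inventory."""
    return [name for name, pair in devices.items() if pair in DEFAULT_CREDENTIALS]


if __name__ == "__main__":
    for alert in detect_credential_guessing(parse_log(SAMPLE_LOG)):
        print(alert)
    print(audit_device_credentials({"cam1": ("admin", "admin"),
                                    "router": ("ops", "S3cure!pass")}))
```

On the sample log the telnet source produces one alert with five failures over three usernames followed by a success, which is exactly the pattern that deserves an immediate password reset and a check of the device for dropped binaries; the single SSH failure from the other address is ignored. The thresholds are assumptions and should be tuned per device class, since a camera that legitimately sees two logins a day can use a much lower bar than a jump host.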

Application Development Security

Speed to market and ease of use are increasingly prioritised in several modern software development frameworks at the expense of reliability and security.

This, coupled with inadequate involvement of security specialists in the design and concept phases of software development, leads to a disproportionate number of exploitable application defects and vulnerabilities in the enterprise systems exposed online.

This also applies to the software supply chain.

Transition to the Cloud

Rushed migration to the cloud is increasingly resulting in cautionary tales; for example, unprotected Amazon Simple Storage Service (S3) buckets caused the Capital One breach, now among the biggest data breaches ever, in which the records of more than 100 million customers were exposed.
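An "unprotected bucket" usually comes down to a bucket policy that grants access to everyone. As an added example (not code from the article's author, Stanbic or AWS), the following places a constructed wide-open policy beside a constructed hardened one and runs a small checker over both; the bucket name, role ARN and account id (the 123456789012 value AWS uses in its own documentation) are placeholders, and the checker looks only at the policy document, not at ACLs or the account-level Block Public Access setting.

```python
import json

# Constructed "before" policy: anyone on the internet can list and read the bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-records",
                     "arn:aws:s3:::example-customer-records/*"],
    }],
})

# Constructed "after" policy: a single named role may read objects, and a Deny
# statement refuses any access over plain HTTP. The Deny uses Principal "*" on
# purpose; a wildcard principal is only a problem on an Allow statement.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-records/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-customer-records",
                         "arn:aws:s3:::example-customer-records/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _is_public_principal(principal):
    """True for the two spellings of 'anyone': "*" and {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to any principal with no
    Condition attached. Conditioned public Allows are not flagged here and still
    deserve manual review, since a broad IP range condition is nearly as open."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a policy may carry a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        if (stmt.get("Effect") == "Allow"
                and _is_public_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print("weak:", find_public_statements(WEAK_POLICY))          # ['PublicRead']
    print("hardened:", find_public_statements(HARDENED_POLICY))  # []
```

A check like this belongs in the pipeline that deploys bucket policies, so a public Allow is rejected before it reaches the account rather than discovered by a scanner afterwards; S3's account-level Block Public Access setting is the backstop for policies that slip through.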

Work from Home Infrastructure

At the height of mass lockdowns in March 2020, several organizations were forced to enable remote access at scale without much preparation. This disproportionately extended the threat surface, and several organizations have struggled to cope.

Why is the Current Approach Ineffective?

According to Gartner we are spending more than $145Bn annually on cybersecurity, but we still sit with a 100% chance of being successfully hacked in the event of a targeted attack. Below are some of the factors that explain why the prevailing approaches are not yielding results.

Security Programs based on Regulation and Compliance to Risk Management Frameworks

These tend to be static whilst prescribing measures against a risk that is highly fluid. The chain stores Target and Home Depot were PCI DSS certified when they were compromised in 2013.

The cyber threat landscape changes daily whilst frameworks do not, and frameworks are based on controlling what legitimate users can do rather than on how attackers attack. As technology evolves, threats and vulnerabilities will evolve along with it, and cyber security efforts must be a direct result of continuous risk assessment.

Threats and Vulnerabilities Based Strategies

Vulnerability-based strategies seek to identify all vulnerabilities in the technology stack and to establish a plan, according to some scientific method, to remediate them.

The unfortunate reality is that, because vulnerabilities exist everywhere, it is impossible to identify all of them, remediate them before they are exploited, and do so continuously for all technology and all users. Additionally, on average 5,000 to 16,000 new threats are published annually, vulnerabilities increase at a rate of more than 28%, and a quarter to a third of these vulnerabilities are ranked at the highest criticality.

When you compare these numbers to the statistic that less than 2% of Common Vulnerabilities and Exposures (CVEs) get exploited annually, it becomes clear why a focus on threats and vulnerabilities alone may be futile.
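If only a small fraction of CVEs is ever exploited, the practical response is to rank remediation work by evidence of exploitation and by exposure rather than by raw severity score. The block below is an added illustration of that prioritisation, not the author's or Stanbic's method: the weighting factors are assumptions chosen to make the point, the vulnerability identifiers are placeholders rather than real CVE numbers, and the findings are constructed. A real implementation would populate `known_exploited` from a trusted exploited-in-the-wild feed and `asset_tier` from the asset inventory.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str           # placeholder id, not a real CVE number
    asset: str
    cvss: float            # base severity score, 0.0 to 10.0
    known_exploited: bool  # evidence of exploitation in the wild (assumed feed)
    internet_facing: bool  # reachable from outside the network
    asset_tier: int        # 1 = crown jewel, 2 = standard, 3 = low value


# Assumed multipliers: exploitation evidence and exposure outweigh raw severity.
EXPLOITED_WEIGHT = 3.0
INTERNET_WEIGHT = 1.5
TIER_WEIGHT = {1: 1.5, 2: 1.0, 3: 0.6}


def priority_score(f):
    """Higher means fix sooner. Starts from CVSS and scales by what is actually
    known about the finding: is it being exploited, can anyone reach it, and
    how much does the business lose if it goes."""
    score = f.cvss
    if f.known_exploited:
        score *= EXPLOITED_WEIGHT
    if f.internet_facing:
        score *= INTERNET_WEIGHT
    score *= TIER_WEIGHT[f.asset_tier]
    return round(score, 1)


def triage(findings, act_now_threshold=20.0):
    """Return (all findings ranked, subset above the act-now line)."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    act_now = [f for f in ranked if priority_score(f) >= act_now_threshold]
    return ranked, act_now


# Constructed findings. Note the 9.8 on the internal database: severe on paper,
# but with no exploitation evidence and no external exposure it ranks below a
# 7.5 that is being exploited on an internet-facing gateway.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "internal-db", 9.8, known_exploited=False, internet_facing=False, asset_tier=1),
    Finding("VULN-0002", "web-gateway", 7.5, known_exploited=True, internet_facing=True, asset_tier=2),
    Finding("VULN-0003", "staff-laptop", 5.3, known_exploited=False, internet_facing=False, asset_tier=3),
    Finding("VULN-0004", "vpn-concentrator", 8.8, known_exploited=True, internet_facing=True, asset_tier=1),
]


if __name__ == "__main__":
    ranked, act_now = triage(SAMPLE_FINDINGS)
    for f in ranked:
        flag = "ACT NOW" if f in act_now else ""
        print(f"{f.vuln_id} {f.asset:18} cvss={f.cvss:<4} score={priority_score(f):<5} {flag}")
```

With these inputs the VPN concentrator and the web gateway land in the act-now tier while the headline 9.8 on the internal database waits for the normal patch cycle. The threshold and the weights are the policy knobs: the point of the example is that the ranking is driven by a continuous risk assessment of the environment, which is what the article argues a static framework cannot provide.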

This article was first published in the Annual Bankers’ Magazine.

The writer is the Head of Information Security, Stanbic Bank.
