Wed, Mar 18, 2015

Cybersecurity: How Do You Know You Have Been Hacked?

From a regulatory and compliance point of view, perhaps the biggest challenge in the future will prove to be obtaining a satisfactory answer to the simple question, ‘How do you know you have been hacked?’ You will already be skilled in checking documentation, interpreting directives, rules, and market practices and advising senior management of breaches, shortfalls and special situations.

All these skills will be tested in the emerging world of cybersecurity. The rules in this world are not yet written, the motivations of the various actors are never completely known, and an attack can have serious, potentially catastrophic consequences. Cybersecurity and compliance are part of the new frontier, and the associated demands in the future will grow significantly.

It is reasonably accepted by most commentators that the first coordinated example of a cyber attack occurred on 17 January 1991. As Desert Storm got underway, a large proportion of Russian-supplied anti-missile and anti-aircraft systems were disabled by a concerted attack. Watching in the wings were the Russians, and watching the Russians were the Chinese.

Fast forward to 2010 and the well known Stuxnet attack on the Iranian nuclear program was initially spread via Microsoft Windows, and targeted Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems, nor the first publicly known intentional act of cyber warfare to be implemented, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

Next in the timeline is Saudi Aramco. In 2012 a group named “Cutting Sword of Justice” claimed responsibility for an attack on 30,000 Saudi Aramco workstations, causing the company to spend significant time restoring its services. Due to this attack, the main Aramco website went down and a message appeared on the home page apologizing to customers. Computer security specialists said that “The attack, known as Shamoon, is capable of wiping files and rendering computers on a network unusable.”

On 20 March 2013, three South Korean television stations and a bank suffered from frozen computer terminals in a suspected act of cyber warfare. ATMs and mobile payments were also affected. This event is known as the Dark Seoul Attack. North Korea has been blamed for similar attacks in 2009 and 2011 and was suspected of launching this attack as well. South Korean officials linked the incident to a Chinese IP address, which increased suspicion of North Korea as “intelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks.”

In August 2014 JPMorgan Chase said the names, addresses, telephone numbers and emails of 76m households – or just under two-thirds of the total households in America – were “compromised” in a cyber attack on the biggest US bank by assets. Interests associated with Russia have been named as being involved.

Many US based healthcare, retail and entertainment enterprises have been compromised with attacks varying from simple disruption of services to data theft and IP exfiltration, among other things. In recent developments, cyber elements have penetrated professional advisors, such as lawyers and accountants working on Initial Public Offerings and sensitive company matters.

The resulting information has been used for old fashioned compliance breaches like insider trading and money laundering. This brings into focus the need for an organisation to develop, implement and manage a ‘cyber-aware’ supplier policy. It also means that basic data hygiene functions like password controls and ‘bring your own device policies’ need to be developed, audited and reported upon.

Against this background of threat and confusion there is plenty that can be done to improve system security, such as identifying possible threat groups and establishing procedures to monitor and evaluate them. Compliance and regulatory professionals can also ensure that the same adherence to standards used in the front line of the business is implemented in the back office, and, critically, that this is a task for compliance working alongside technology rather than being left to the ‘techies’ on their own.

Moreover, sharing, developing and evaluating ‘best practices’ between firms, consultants and regulators is essential. Unauthorized cyber-visitors to your system are often as skilled at wiping their feet on the way in and covering their tracks expertly as they are at gaining control over your system and navigating to the place they want to be. Bear in mind that your firm may only be a stepping stone for visitors who are actually interested in using you as a bridge to reach another firm or business.

As you can imagine, when advising senior management on regulatory and compliance matters in a cyber world, possibly the most difficult question you will have to answer is ‘How do you know you have been hacked?’

For more information, please contact Peter Randall, Senior Advisor to a leading info-security firm.
