In a 2016 case involving the North Korean-based Lazarus Group and the Federal Reserve Bank of New York it did. As a result of following compliance procedures related to red flags on an address, the Federal Reserve Bank of New York blocked $850 million USD from being diverted to attackers who had compromised the central bank of Bangladesh and used the interconnected and encrypted global banking network (known as SWIFT) to fraudulently issue transfer instructions for close to $1 billion USD.
The Lazarus Group, the same group seen as responsible for the devastating WannaCry ransomware attacks, reportedly went on to steal $60 million USD from a Taiwanese bank using the same methods executed against Bangladesh Bank. In the case of Bangladesh Bank, the attackers gained entry by phishing bank employees with resumes that contained malicious code.
From there, they were able to perform reconnaissance and obtain usernames and passwords, move laterally through the bank’s environment, and eventually digitally impersonate a bank employee who had access to secured SWIFT terminals. Security safeguards that should have triggered included the physical and digital printing of transaction records to alert bank employees to anomalous behavior. However, the attackers used a tool that erased this evidence, effectively zeroing out any security alerting that would otherwise have fired, and they leveraged time zone differences in business working hours to their advantage.
Compliance is often thought of as a checklist of rules to follow and as a security practitioner, I’ve been guilty of saying that being compliant isn’t the same as being secure. There is certainly truth to that statement, and it’s also true that there is a strong need for being both compliant and secure within an organization. Our security community sometimes fails to acknowledge or support the important and symbiotic nature between security and compliance – there is a critical need to have both functions executed well within an organization. What good is an alarm if there is no one paying attention or there isn’t regular confirmation that it’s working?
As environments become increasingly complex (spanning on-prem to cloud, and even multi-cloud) and increasingly interconnected through SaaS solutions and API integrations, the responsibilities for security become more distributed, both within and outside of a company (think cloud shared responsibility models). How do we know how effective the security of our integrated partners is? Consider the methods our organizations use to establish the security posture and “trustworthiness” of the entities they do business with.
It’s through their validated compliance with a particular security framework, methodology, or set of controls. Rather than compliance being seen and used as a checklist of the minimum bar for an organization, it should be seen as a forcing function to ensure the security procedures and tools put in place are being consistently and effectively executed. Organizations that lack a strong forcing and accountability function are often the vectors attackers use to maneuver through environments and into connected partner environments.
Organizations should implement strong security controls in conjunction with business objectives and leverage compliance assessments to confirm alignment to an acceptable security posture for the organization. In security, it’s necessary to distill down to a list of what needs to be in place to protect the organization and we should use compliance to our advantage.
This means that companies should use industry standards and frameworks as a baseline, then adopt their own compliance requirements and test them often. Develop a “checklist” of critical security processes and controls for the organization, based on business objectives and risk tolerance. This checklist of security controls requires regular governance oversight and assessment of its effectiveness at achieving business goals. It’s important that this oversight and testing be done by a team outside of the security function, one that can offer an unbiased and independent view into whether security controls are working and identify potential gaps and failures that could lead to unmitigated risk the company is unknowingly accepting.
In a recent article by C4ISRNET on Zero Trust testing of the US Pentagon’s cloud service providers, Zero Trust Portfolio Management Office Director Randy Resnick is quoted as saying, “We have identified the items of value within the house, and we’ve placed guards and locks with each one of those items inside the house, as well.”
My question is, who’s regularly assessing to make sure those locks aren’t being picked, that the alarms haven’t been disabled, and that the guards aren’t asleep?