Probably one of the top five most bada** sounding professions. Right up there with ninjas, pirates, and international superspies.
When I was a little kid I wanted to either be Indiana Jones or James Bond, because these were the rebellious BA’s fighting the good fight – at least as far as my tiny underdeveloped brain was concerned.
Organizations like Anonymous – called “Masked Avengers” in the New Yorker – have begun to take on that illustrious, dangerous, hue. The rebels with a cause. With my own deeply ingrained rebellious streak, growing up today I may very well have wanted to be a hacker. And while it probably wouldn’t have hurt to have spent less time learning to use a whip/lasso and more time learning to use a computer there is a much more malicious side to hacking than there was to Indiana Jones.
In fact, most of the groups perpetuating today’s cybercrime are not rebellious hackers wearing cool sunglasses and black (a la Neo), fighting to free humanity from the machines or even rebellious teenagers living in their parents’ basement, but rather are typically part of organized crime rings or state-sponsored hacking groups.
These groups understandably carry both a much darker connotation and greater power to do harm.
6.5 million dollars is a lot of damages for any business to handle – from a single attack – this is in addition to the cost of potential future breaches or loss of the trust of your users whose data was likely compromised. The costs are even harder to bear for small to medium businesses which while not as high profile are still often the target of hacking breaches.
So what can companies do to protect themselves? ABN AMRO is one of the top banks in the Netherlands and has piloted a successful cybersecurity program.
Online banking is one of the most fraught areas of cybersecurity because so much is to be gained through a successful breach. ABN AMRO faces a regular onslaught of attacks, everything from attacks on internet banking customers, denial of service attacks, to ransomware viruses. These attacks are daily and varied.
As a result, ABN AMRO has developed an entire CISO department whose mission is to secure the bank through use of everything from identity and access management, development of fraud detection capabilities, risk assessment, cryptography, vendor security management, to crisis management.
The strategies employed by ABN AMRO provide lessons for other businesses on how to create an effective cybersecurity strategy.
Strategy 1: You can’t fix the weakest link
What is the weakest link in an application’s security?
- A. Cross-Site Scripting?
- B. Insecure Cryptographic Storage?
- C. The small thermal exhaust port which leads directly to the reactor system?
- D. Humans (otherwise known as users and employees)
If you answered C then you have watched too many Star Wars films!
If you answered A or B then you are a nerd!
If you answered D then you are correct!
Humans are the greatest security risk to any application. This is both internally (employees) and externally (users). There are many avenues that companies can take to try to minimize the massive security risk that humans represent – training employees, updating employee policies, informing users, and forcing them to change passwords or go through multiple levels of authentication.
Ultimately, however, the hackers have far more avenues to try to maximize the security risk they represent.
Hackers are employing increasingly effective phishing email scams, social engineering, and other techniques to catch the hapless user or employee. In the end it is a numbers game – 37.3 million Kaspersky Internet Security users experienced phishing attacks in 2015. A company like ABN AMRO might effectively inform and train 90 percent of its users and staff, which it does, but hackers are sending out hundreds of thousands of phishing emails and other attacks and all it takes is one opened email to create a path of attack – in reality not one recipient, but about 23 percent of recipients open phishing emails.
The lesson to learn from this is not that we should replace our users and employees with carefully programmed robots – they could just be hacked too – but instead to never assume anything is secure.
It’s worthwhile investing resources in training and informing users and employees, but ultimately this provides at best a flimsy layer or protection. Rather than bet on the good ‘standard’ user, ABN AMRO plans for the bad user and prepares accordingly. Murphy’s law applies particularly effectively to cyber security – what can go wrong often will go wrong.
Strategy 2: You don’t need to build Fort Knox
In an ideal world every company would have an unlimited budget and unlimited staff to spend on making their application the “Fort Knox” of the digital world – impossible to breach. But this isn’t an ideal world and companies, especially start-up companies and even large banks, are often developing security infrastructure on a very limited budget with a very limited team, and resources diverted to security are taken away from product development and other areas of business.
So what’s a company to do?
There are options:
- A. Attempt to build Fort Knox! Spend all of your limited budget on protecting a sh***y application that no one will use because you spend all of your money on security rather than on your product.
- B. Accept that the hackers will win, turn to the dark side, and make a deal with the devil. Give the hackers all of the data and assets you are protecting for a commission.
- C. Or don’t build Fort Knox. Instead, realizing that it’s nigh on impossible to build an application with no vulnerabilities, invest your efforts in understanding what those vulnerabilities are, and developing security and detection infrastructure accordingly.
ABN AMRO goes with option C. Rather than waste all of their resources on trying to build an unwieldy, unusable, yet incredibly secure, banking application they focus on building an application that is both secure and highly usable.
For example, ABN AMRO eliminated its multi-step authentication process – while this made the application overall more secure it made it significantly less usable for its customers – they instead invested resources in detecting fraudulent activities on their accounts in case a hacker did get entry.
While this does ultimately mean building an application that does have vulnerabilities, ABN AMRO makes up for these security holes by focusing staff time from early development to implementation on understanding where vulnerabilities exist so that attacks can be detected and stopped before real damage is done.
Fabien Casteran, Head of Information Security Management for ABN AMRO, puts it succinctly:
Hackers like the path of least resistance. Imagine you had a barred front door and an unlocked back window. The robber is going to go in through the unlocked back window. So we think like a hacker.
As a result, ABN AMRO knows where things are most likely to go wrong and what is the likelihood they will go wrong, and then invests resources accordingly in either greater levels of security or in detection services.
Strategy 3: Hire the hackers
So – the advice is to think like a hacker – but for those of us who aren’t hackers, instead mere computer UI using muggles, how do you think like a hacker?
You don’t. Instead you hire a hacker and then you have them hack your application.
This might seem not just challenging, but also counter-intuitive, when in fact there’s an entire field of professionals who specialize in exactly this kind of work.
The ethical hacking community is made up of security consultants who are paid to test the security of a company – there’s even a certification for ethical hacking “a qualification obtained by assessing the security of computer systems using penetration testing techniques. The code for the CEH exam is 312-50.” This certification is provided by the International Council of E-Commerce Consultants.
ABN AMRO hires teams of these ethical hackers to test its applications and find their weaknesses. While the validity of this strategy has come into question and not all businesses have the resources to hire ethical hackers – they can be expensive – the lesson remains: It’s crucial to test your application from a hacker’s point of view, not just from an IT professional’s point of view, and to find its vulnerabilities.
Strategy 4: Do your research, then make robots do it for you
Hackers change their pattern of attack on ABN AMRO daily through different channels. That means every day ABN AMRO faces a new type of attack, a new means of attack, a new area to defend.
As a result, ABN AMRO needs to stay one step ahead, not just thinking like a hacker, but thinking just a little bit ahead of the best hacker.
In order to keep this edge ABN AMRO invests heavily in research and development of new cybersecurity technology. While they do part of this research in house, they are also the only bank in the Netherlands working directly with IBM Watson –the IBM research institute focused on artificial intelligence – to better detect fraud.
ABN AMRO has worked hand in hand with them to figure out how to improve their algorithms with artificial intelligence in order to adapt and continue to detect fraud even as hackers’ attacks changed. They’ve even obtained a patent on one of these fraud detection algorithms.
Staying one step ahead of hackers through R&D is crucial to the success of any cybersecurity strategy. At the same time Artificial Intelligence represents the next frontier of cybersecurity technology.
What then is the primary lesson to take from ABN AMRO? Regardless of your resources – vast or small – your application will have vulnerabilities that can be exploited by hackers.
Your best defense is not just to continue to build out your security, but also to invest time and resources in finding and understanding where your vulnerabilities lie