While cyber attacks on large international banks attract most media attention, small banks are also at risk. A study from the Ponemon Institute and Accenture found the average number of breaches per financial services company was 125 in 2017. In 2012 the average was 40. That is an increase of more than 200%.
While this study does not state how this distribution varied based on bank size, the sheer number of average breaches and their growth makes the need for banks to take measures against cyber attacks clear. For this reason, it is critical that community banks do what they can to keep their networks secure.
Despite the rise in cyber attacks, there are some simple steps that help limit the number and severity of attacks. To show how these techniques can help prevent or mitigate such an attack, these steps will be applied to a case in which hackers stole more than $2.4 million from The National Bank of Blacksburg, a community bank in Virginia, via phishing emails used to break into the bank twice over an eight-month period. The same group is believed to be behind both crimes.
This example was chosen because these attacks follow a common trajectory for cyber attacks on small banks. Attacks often begin as these did, using a phishing campaign to infect a single device, installing malware and spreading to other devices on the network.
The First Attack
The first of these breaches occurred in May 2016. It began when an employee fell prey to a phishing email. Through access to this computer, the hackers infiltrated another machine with access to the STAR Network. The STAR Network handles customer debit card transactions. This computer also had the ability to manage customer use of ATMs and bank cards.
The breach began on a Saturday and continued until Monday, which happened to be a national holiday. On account of this holiday, the bank was closed until Tuesday. During this breach, the hackers used hundreds of ATMs to withdraw money from customer accounts.
The Second Attack
The second attack occurred eight months later in early 2017 after an employee downloaded an infected Word document from a phishing email. The hackers were able to spread from this computer onto another on the network. This time, the hackers gained access to not only the STAR Network, but Navigator as well. Navigator manages credits and debits.
The hackers used Navigator to credit more than $2 million to many accounts within the bank and withdrew this money using hundreds of ATMs. The hackers then deleted the records of these transactions.
How These Attacks Could Have Been Prevented or Mitigated
While it’s difficult to know for sure what would have prevented these attacks, there are some clear possibilities:
- Segmentation: Using network segmentation to create separate networks for users with different access levels could have prevented the malicious content from spreading between computers with different access levels. This could have stopped the attack before it spread to the computers with higher levels of access where it was able to do the most damage.
- Machine and User Authentication: Machine authentication identifies a device and prevents it from accessing networks it shouldn’t be on. This enforces network segmentation. Meanwhile, user authentication ensures that people who shouldn’t access certain portions of the network can’t, even on devices that would otherwise have access under a different user. Learn more in Network World’s “Machine Authentication and User Authentication” article. This could have helped prevent the attack on the Virginia bank in two ways: the infected device would have been confined to the portion of the network it belonged on, where it had a lower chance of spreading its infection to other devices, and only a person who should have had access could have used it.
- Device security: Real-time enforcement policies that block devices not meeting the bank’s security requirements could have used device authorization to block the infected computer if it lacked antivirus or other security measures. In addition, services that detect threats on a network, such as intrusion detection systems (IDS) and endpoint protection, can work in tandem with a network access control (NAC) service to remove infected devices from the network. These measures could have blocked the infected device from the network before the hackers could infiltrate other devices.
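The three controls above are usually enforced together at the point where a device joins the network: the NAC checks machine identity, then device posture, then what the logged-in user is allowed to reach, and places the session on a segment accordingly. The following is an added illustration of that decision logic in Python; it is not code from this page or from Impulse’s SafeConnect product. The segment names (guest, office, payments), the roles, and the sample devices and usernames are all constructed for the example; “payments” stands in for the segment that would hold hosts with STAR Network or Navigator access.

```python
"""Toy NAC-style admission policy: decide which network segment a
connecting session lands on, or quarantine it.

Added illustration only, not Impulse's product code. Segment names,
roles, and the sample devices/users below are constructed for this example.
"""
from dataclasses import dataclass

# Constructed segment model: higher rank means more sensitive systems.
SEGMENT_RANK = {"guest": 0, "office": 1, "payments": 2}
QUARANTINE = "quarantine"

# Constructed role-to-segment policy (user authentication decides the role).
ROLE_SEGMENTS = {
    "teller": frozenset({"office"}),
    "ops": frozenset({"office", "payments"}),   # e.g. hosts with STAR/Navigator access
    "contractor": frozenset({"guest"}),
}


@dataclass(frozen=True)
class Device:
    machine_id: str        # e.g. managed-device id or machine certificate subject
    enrolled: bool         # known to the NAC inventory (machine authentication)
    av_running: bool       # endpoint protection present and current (posture)
    ids_alerts: int = 0    # recent IDS/endpoint alerts attributed to this device


@dataclass(frozen=True)
class Session:
    device: Device
    username: str
    role: str
    requested_segment: str


def decide(session: Session) -> str:
    """Return the segment the session is placed on, or QUARANTINE.

    Order of checks:
    1. machine authentication: unenrolled hardware never gets past guest;
    2. posture / real-time enforcement: missing AV or a live IDS alert
       quarantines the device no matter who is logged in;
    3. user authentication: the role must be allowed on the requested
       segment, otherwise the session drops to the least-privileged
       segment that role may use.
    """
    dev = session.device
    if not dev.enrolled:
        return "guest"
    if not dev.av_running or dev.ids_alerts > 0:
        return QUARANTINE
    allowed = ROLE_SEGMENTS.get(session.role, frozenset())
    if session.requested_segment in allowed:
        return session.requested_segment
    if not allowed:
        return "guest"
    return min(allowed, key=SEGMENT_RANK.__getitem__)


def replay_scenarios() -> dict:
    """Run constructed sessions modelled on the narrative above.

    The infected workstation is represented by a device with IDS alerts;
    the interesting case is a low-privilege user on that device trying to
    reach the payments segment.
    """
    infected = Device("WS-0412", enrolled=True, av_running=True, ids_alerts=2)
    no_av = Device("WS-0500", enrolled=True, av_running=False)
    clean = Device("WS-0413", enrolled=True, av_running=True)
    unmanaged = Device("unknown", enrolled=False, av_running=False)
    return {
        "infected_teller_to_payments": decide(Session(infected, "t.smith", "teller", "payments")),
        "no_av_ops_to_payments": decide(Session(no_av, "o.jones", "ops", "payments")),
        "clean_teller_to_payments": decide(Session(clean, "t.smith", "teller", "payments")),
        "clean_ops_to_payments": decide(Session(clean, "o.jones", "ops", "payments")),
        "unmanaged_to_payments": decide(Session(unmanaged, "x", "ops", "payments")),
    }


if __name__ == "__main__":
    for name, segment in replay_scenarios().items():
        print(f"{name:32s} -> {segment}")
```

The point of the ordering is that posture and IDS signals are evaluated before the user’s role: a compromised workstation is quarantined even when a legitimately authorized user is logged in, which is the situation described in both attacks. Changing `ROLE_SEGMENTS` is how segmentation policy is expressed; the device checks enforce it.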
How Impulse Can Help
Impulse’s SafeConnect product is a NAC solution that enables features like the ability to create segmented networks for users with different levels of permission, a policy key that enables device authorization, options for user authentication and the ability to create real-time enforcement policies. Impulse’s Software Defined Perimeter (SDP) product can also help prevent cyber attacks by increasing security on devices used on potentially insecure networks beyond the bank itself.