
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Could Technology Have Helped Prevent the Tesco Bank Breach?

Topics: Data Protection, Data Loss Prevention, Data Breach, Web Security, Cyber Security

Posted: 30 November 2016


Big network breaches are becoming the norm, with little resistance seemingly being placed in the attackers' path. Is this the world we must become accustomed to living in? Or can technology be part of the solution rather than just the problem?

A few well-known UK brands have hit the headlines recently as a result of a breach or security issue. For instance, Tesco Bank announced 40,000 customer accounts were affected by a “sophisticated” attack. Half of those had money taken from them. As a result, Tesco Bank could incur a severe penalty imposed by regulators. That fee would be in addition to the cost of refunding customers affected by the incident.

To date, Tesco Bank has not revealed how the attack occurred, but it has stated that it fell victim to online criminal activity. Even so, a number of security technology specialists including Cliff Moyce, global head of financial services at DataArt, have estimated the likelihood of this being a “remote attack” at less than 50 percent. It’s far more likely that the breach was a result of human error, a weak process, or a possible insider threat.

Let’s be clear: defending against human-centric breaches can oftentimes prove to be difficult but it’s not impossible. Sometimes it boils down to a question of using the right solutions. Let’s explore how the right technology can help protect against these types of incidents.

Securing the Human

We know that organizations that have strong security processes minimize the impact of a security incident. Those who have a mature security posture conduct regular vulnerability scans and asset discovery to ensure that backend systems are not susceptible to the latest software vulnerability.

But all organisations face a common enemy. No matter how secure your systems are, or how tightly those controls are implemented, there is always that “insider threat” – that employee who may be disgruntled and who has privileged access to customer record management, as well as to systems that contain personally identifiable information.

It doesn’t necessarily have to be a disgruntled employee that causes an incident. What about that employee who is responsible for implementing an approved change request on the firewall? What if they didn’t have enough coffee the night before and made a change to the firewall that inadvertently left the environment insecure? It does happen.

One technology that can help organisations in that case is a good security configuration management (SCM) solution that can help detect changes in the environment.

Technology as Part of the Solution

Within that SCM solution, there should be a File Integrity Monitoring (FIM) component that helps detect changes in key files. FIM is the process of validating the integrity of operating system (OS) and application software files by comparing the current state of the files with their “known-good” baselines.

In addition to files, SCM should be able to monitor changes to Directory Services, such as Active Directory, to spot accounts being added to restricted groups; monitor changes in databases by looking at permissions, ACLs and content changes; monitor changes on network devices, such as firewalls, routers and switches; and show the differences in a file before and after the change.

According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60 percent of cases, attackers were able to compromise an organisation within minutes. Verizon also states that one of the primary challenges in the security industry is the growing “detection deficit” between attackers and defenders.

Having a good SCM solution in place that encompasses FIM can help detect deviations from the baseline and help identify abnormalities in the configuration of the system in question. FIM is an important component of SCM.

What if a system’s OS or critical configuration has already been weakened, either by accident or maliciously? How would you know? SCM helps prevent attacks by creating a known and trusted state for your endpoints, or ‘nodes.’ FIM will automatically detect changes in this state and alert you to a potential threat.
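The baseline-and-compare loop that FIM performs, as an added example (not code from the original post or from Tripwire): each file is fingerprinted by content hash plus the metadata a FIM tool watches, and a later snapshot is diffed against the known-good baseline. The directory tree and its edits are constructed inside a temporary folder purely to illustrate.

```python
"""Minimal file integrity monitoring: baseline a directory tree, then report drift."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def _fingerprint(path: Path) -> dict:
    # Content hash plus the attributes a FIM tool tracks (mode, owner, size).
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}

def snapshot(root: Path) -> dict:
    """Known-good baseline: relative path -> fingerprint for every regular file."""
    return {p.relative_to(root).as_posix(): _fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify drift so an analyst sees which file changed and which attribute."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        diff = {k: (baseline[rel][k], current[rel][k])
                for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diff:
            modified[rel] = diff
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Constructed sample: baseline an 'etc' tree, then simulate edits made outside change control."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        os.chmod(root / "etc" / "sudoers", 0o440)
        baseline = snapshot(root)
        # Drift: a config edit, a permission loosening, and a new file that is not in the baseline.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "etc" / "sudoers", 0o666)
        (root / "etc" / "unexpected.conf").write_text("# not in baseline\n")
        return compare(baseline, snapshot(root))
```

A real deployment stores the baseline off-host and re-baselines only through an approved change, so that the "known-good" state itself cannot be silently rewritten.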

Furthermore, a good SCM solution will allow you to import a number of policies and create your own based on those policies. Each policy will have the following four components:

  1. Tests – a check into the state of a specific configuration setting
  2. Scores – a measurement of the overall conformance of a system or device
  3. Weights – indicating the relative importance of a test
  4. Thresholds – setting the colour and score ranging from the lowest to the highest to separate low-severity failures from critical ones.
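How those four components fit together, as an added example (not code from the original post or from Tripwire): a small policy of weighted tests is scored against a parsed sshd_config, and thresholds turn the score into a colour band. The policy, weights and threshold values are assumptions chosen to illustrate, not figures from CIS or PCI DSS.

```python
"""Policy scoring from tests, weights, scores and thresholds, on a constructed sshd_config policy."""
from dataclasses import dataclass
from typing import Callable

@dataclass
class Test:
    name: str
    check: Callable[[dict], bool]  # True when the setting conforms
    weight: int                    # relative importance; a failed high-weight test costs more

# Thresholds: (lowest score that earns this band, colour). Assumed values for illustration.
THRESHOLDS = [(90, "green"), (70, "amber"), (0, "red")]

# Constructed example policy; the weights are assumptions, not a benchmark's.
SSHD_POLICY = [
    Test("root login disabled", lambda c: c.get("PermitRootLogin") == "no", weight=10),
    Test("password auth disabled", lambda c: c.get("PasswordAuthentication") == "no", weight=5),
    Test("protocol 2 only", lambda c: c.get("Protocol", "2") == "2", weight=5),
    Test("login banner set", lambda c: bool(c.get("Banner")), weight=1),
]

def parse_sshd_config(text: str) -> dict:
    """Tiny key/value parser for sshd_config-style text; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg

def score(policy, config) -> dict:
    """Weighted conformance score (0..100), the colour band, and the tests that failed."""
    total = sum(t.weight for t in policy)
    passed = sum(t.weight for t in policy if t.check(config))
    pct = round(100 * passed / total, 1)
    failed = [t.name for t in policy if not t.check(config)]
    band = next(label for floor, label in THRESHOLDS if pct >= floor)
    return {"score": pct, "band": band, "failed": failed}

# Constructed sample configurations.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\nBanner /etc/issue.net\n"
PARTIAL = "PermitRootLogin no\nPasswordAuthentication yes\n"
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nBanner /etc/issue.net\n"
```

Note that the weak configuration fails two of four tests yet scores well under 50, because the two failures carry most of the weight; that is the point of weighting rather than counting.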

Risk and Regulation

When it comes to achieving regulatory compliance, which I’m sure is the case for financial institutions like Tesco Bank, the SCM solution will need to cater to common regulations and standards, the most popular ones being PCI DSS; the Center for Internet Security (CIS) benchmarks for hardening operating systems; and ISO 27001, a standard which a lot of companies adopt as the baseline.

Lastly, another technology that will help is having a good vulnerability management solution. This technology will aid in discovering new or unidentified assets within the organisation and help identify potential weaknesses by revealing exploits that could lead to compromise. By staying on top of patching and securing critical assets, organizations place themselves one step closer towards preventing external threat actors from compromising their systems.

In conclusion, a good SCM solution can help detect unauthorized changes on the endpoint, whether it’s a malicious file dropped on a critical server or an admin adding an unauthorized user to a restricted Active Directory group outside of change control. It can also help prevent breaches by continually monitoring those critical assets for drift out of compliance against a standard or regulatory requirement.

Tripwire Enterprise is a market leading SCM solution that helps identify what systems are not compliant and helps you get them back into compliance through automated and scripted remediation.

(This article first appeared on the Tripwire blog)

Posted by: Paul Norris
Senior Sales Engineer, Tripwire