Last week, one agency was kind enough to print my controversial opinions on Waking Shark II, which were based on knowledge of standing deficiencies with the security cultures and infrastructures within some areas of the world of banking. Some of which were discovered during Waking Shark II, and were notified to the orchestrators of this exercise, but those in question have failed to act, or indeed acknowledge, and thus, these exposures are allowed to continue to exist, offering up opportunities of adversity to any miscreant passerby!
The recent Barclays breach is not only bad timing and interesting, but I would add here is this is only known as an insider blew the whistle. Otherwise it would be another unknown, and the subject public at large would have been none the wiser, and at risk. However, I am aware of many cases of such breaches which did not go public, one of which was the loss of 37,000 Barclays Client record’s, in clear (not encrypted) by a Third Party processor around 2007, which was not reported, notwithstanding the CISO, Director of Security, and all Executive IT Directors in the employ of the Third Party were fully aware of the ramifications, including one Main Board Member.
When it comes to Waking Shark II, my main criticism and observation around its real value to serving security – if, as you will see later in this blog, there were/are so many tolerated holes in place that support insecurity, then those in the security profession who support this situation, by association become part of the problem – in the name of security associations and bodies! And my conclusion is, we are at a well-trodden juncture of insecurity and public/business exposure which, in my opinion needs much more than to just pay lip service to look to redress the balance on insecurity – it demands tangible action to secure the National and Global Economies. But that said, one response to the article commented that Waking Shark II was:
“Resilience exercise for the industry not to find a single organisation that is weak, but to show there is no single point of failure.”
My only concern with this point-of-view is, if it is known that there are weaknesses in place [which there are]; and if it has been identified that insecurities exist which could present the opportunity to create, or underpin a single, of even multiple points of failure, does it not make sense to address them – in other words, follow a lifecycle of testing, improvement, and testing [again] to reach a higher level of security. Or is it simply a case of running the ‘exercise’ with the attitude that, at least something has been done, even if it does fall short of any state of reality.
We also need to be aware that the cultures which tolerated the unreported breach [above], have moved on, in some cases to the world of Outsourcing and Service Management (one example is First Data), so sadly one may conclude that such attitudes for survival may have evolved to manifest into the unknown.
When it comes to Cyber Security, during Waking Shark II, there were what seem to be issues with a lack of investment in the area of Security Education and Awareness with one Bank, manifesting in a massive exposures at to social engineering attacks, aligned to a significant lack of process and procedures, and also associated internal security issues with configurations.
However, the real $50m question is ‘How can so many be fooled by what was a massage of the issues, manifesting into a travesty of cyber security with massive fails, and yet we are praising those responsible to allowing it to happen. The question is, is Cyber Security about fixing, or about PR, and the new age methodologies of Tick-Box Compliance?”
So let us look back to the history which was the precursor to the age of Cyber-Adversity, and consider where we came from, and look to where we have arrived, in a situation that would seem to be hosting the potential to bring down the electronic frontier of the interconnected world.
There is no doubt now whatsoever that we are living in a time of recognised cyber adversity, with an estimated financial impact on the UK economy of around £27 billion [and rising]. Link this to regular press reports of successful unauthorised incursions, Hacking, Cyber Extortion, and Denial-of-Service [DoS] attacks, not to mention the recent revelation about the Barclays breach; and this appears to infer that the battle against cybercrime is one we are not wining. But, don’t take my word consider a statement made by Keith Vaz MP in 2013:
“You can steal more on the internet than you can by robbing a bank and online criminals in 25 countries have chosen the UK as their number one target”
A critical observation from a UK Government Minister. However, on the subject of more aggressive acts of State Sponsored Attacks and the implication of CyberWar and CyberConflict; Keith Vaz went on to comment:
“The threat of a cyber-attack to the UK is so serious, it is marked as a higher threat than a nuclear attack”
So with that in mind, we may conclude that the interconnected tentacle of aggression is in our midst of our society, and is casting a long shadow over every man, woman, child, and business. Again, just to set the scene, this is serious.
To understand the current landscape of cyber-threats, we need to consider their origins, and appreciate the journey we have taken to arrive at juncture 2014 of insecurity, and the associated globalised exposure. First let us acknowledge that as computers morphed their way into business environments, and then homes, as they gained in popularity, they also attracted a following from early day hackers, who viewed these new business machines as a playground in in which to have fun. It wasn’t long before we then encountered the early manifestations of computer viruses doing the rounds in the form of Jerusalem to Cascade, and from Coffee Shop to Casino, along with their viral payloads to corrupt computing operations. In those early days of the science of Hacking, if you were connected, obtaining malicious code was never a problem – in fact, not that much has changed today in the landscape of the underground world of Hackers, Hacktivists, and State Sponsored Crime – Crimeware is online, if you know where to go for it – in fact consider the L.O.I.C DDoS tool, available for download from your neatest Black-Hat Torrent – See Fig 1 – My lab based version.
Fig 1 – L.O.I.C
As time moved on, the most significant progression, and for that, criminal opportunity was the advent of the Internet, allowing distant systems to be interconnected, and we soon encountered businesses embracing this global infrastructure to carry high value business traffic. Since then, we have come a long way, and thus, in 2014, we observe the Internet is now an infrastructure that is woven into our everyday lives, upon which, to some extent, we all rely. In fact, as far back as 1994 Ira Magaziner [Internet Policy Czar] told Bill Clinton that the “Commercialization of the Internet would be a boon to the U.S. economy that should be a top priority for the U.S. Government” and of course, it was, and the history to this vision, as they say, is now academic.
But, there will always be the terrible twins of Ying-and-Yang in the mix, and in this case the counterbalance is that of cyber adversity. Looking back, we may thus also observe that we encountered the early green shoots of CyberConflict in a book published in 2007, titled ‘Unrestricted Warfare authored by Colonel Qiao Liang, and Colonel Wang Xiangsui. This publication was the vision for driving the position of globalised advantage, seeking to leverage technology as an aggressive tool within the Chinese armoury with a no-holds-bared approach [See Fig 2].
Fig 2 – Unrestricted Warfare
So, let us come up-to-date, with the appreciation of how modern acceptance of technology has morphed into business, and to a large extent, even our personal lives. We can also see the advancement of the darker forces, which were evolving in tandem with signs of criminality, or political extremism.
Waking Shark II
The fundamental fact of the matter is, the evolution of technology has crept up on us all, and I feel it equitable to observe that security has not always been accommodated to serve an assured level of confidence, for experience has shown that, the need to get to market quickly is not always best served with the baggage of security! But things are changing [albeit slowly]. Late in 2013, led by the Bank of England [BofE], an exercise was orchestrated to test selected elements of the associated resilience of the Banking Infrastructure, and thus, was intended to provision some modicum of trust and assurance about the systems, and their use upon which we are all so very reliant on.
However, from talking with some of those involved supporting the 2013 event of Waking Shark II, they observed that a number of the interconnected banking components, systems, and infrastructures were not always reflective of the live environments, and thus was catering for test conditions only. Other comments suggested that the activity was more an exercise in testing communications line, and responses, with another adding that Waking Shark I/II were not actually about security, but processes; all very confusing indeed. However, the bottom line here is, no matter what Waking Shark is, or is not, as with Waking Shark I, the results, findings and material facts are not made public, so we [the public] are still unsure about what security actually looks like on the inside. However, again, from some recent failure, and security breaches which have occurred from the world of banking, we may also conclude that there are lessons to be learned, and that the aspects of security are not what one would assert to be in place. But then, maybe here I can shed some light, and add a little colour to the picture from some statistical facts that I have gathered first-hand in whilst Waking Shark II was in progress.
In 2013/14, as part of a personal Research Project, utilising OSINT [Open Source Intelligence] methodologies, a number of Banking Institutions were selected, and were subjected to none-intrusive security testing which located, acquired, analysed, and extracted data from publically available information sources, along with other related objects and protocols such as DNS [Domain Name Service], BGP [Boarder Gateway Protocol], and the acquisition of exposed MetaData. These revelations were interesting to say the least, and an extract of the data can be seen by clicking this link.
The BofE has called for Concrete Reinforcement from the banking community, suggesting that there were a number of “potential vulnerabilities” in the banking systems, the BofE thus requires that all industry participants to have “concrete plans” deployed to help protect the UK’s banking system from the mounting threat of cyber-attack, incursions, and compromise. But then, given the aforementioned easy-find discoveries and associated breaches, I am really not that convinced that they are cyber ready yet, and do hope Mr Carney will agree that the plan is looking far from robust as it stands entering 2014 to protect the public interest.
From a sample taken from one major [core] London Banks Security, notwithstanding that the outcome of Waking Shark II, was or was not, one may conclude that the above is not what one would expect from such respectable banking institution, which by inference of the discoveries, and located artifacts infers there is more work to be done to secure their assets. And remembering this is all information acquired from non-intrusive methodologies, extracted from public information, running a few Advanced Google Commands, along with examination of some other related published information, it is clear that anyone with the time, skill, or inclination can extract the same information for their own nefarious means and purpose.
So what can be done? The ultimate conclusion I offer is, in order to address the current success of cyber-criminality, we need to move away from the over-focused perception of security which is inferred by following standards, and the over-zealous nature of Tick Box Security. We also need to recognise that we are not taking the tenacious path which is leading to evolve security. Thus, it is time to get back-to-basics of delivering risk-based, operational security, not only addressing the requirements of audits, but also striving to recognise the unknowns which may serve up the next level of insecurity to business, and pubic user base alike.
I would also conclude that whatever path Waking Shark I/II/III follows, notwithstanding what I have expressed above, I am actually supportive of such an approach which strives to deliver robust levels of assurance, and hopefully security. My only expectation is, it will be aligned to more than looking like an exercise in PR, and that is strives to locate the unknowns, and when they are located, that they are addressed. The absolute bottom line here is, the very lifeblood, and survival of society is dependent on those in power doing the right thing, and as always, I am hopeful that they will listed – to that end, I have written to the Governor of the BofE twice, James Brokenshire [MP], The Cabinet Office, the Home Office, the Keith Vaz [MP], and as yet, I have had no response – but as they say, I am the ever optimist that the penny will drop before it’s too late.
I leave you with the words of Charlie McMurdie, a retired Detective Superintendent with the Metropolitan Police who set up and then headed up the Police Central e-crime Unit (PCeU):
“The scale of that [Cyber] crime was very large indeed,” she said, adding that some estimates put the potential value of the fraud as high as £14.7 billion. Charlie went on to say that most of the Cyber Crime taking place today does not get reported!