Figure 1: Controls across the kill chain of attacks
[Figure: "Mitigation against attacks and exploits: overlaying controls across the Kill Chain of Attacks". Stages shown: Reconnaissance, Weaponisation, Delivery, Exploitation, Command & Control, Action on Objectives, each with a Description and an Example. Key to the overlaid controls: ID & access, Security monitoring, System integrity, Audits. Asset columns: User, Endpoint, Databases, Source Code, Networks, Applications.]
Both banks and corporates can better prepare and protect themselves by creating layers of security, sometimes referred to as ‘Defence in Depth’. The intent is not to rely on a single solution or approach to security, but instead to reduce the potential effectiveness of an attack by attempting to disrupt a threat actor at different stages of the attack. Threat actors carefully plan their attacks, often studying the victim and their environment. When successful, they reuse the same techniques and sometimes make them available on the black market. Approaches such as ‘Defence in Depth’ are meant to reduce the effectiveness of these attacks and make them less appealing to use.
Figure 1 sets out a summary of a typical cyber-attack structure called the ‘Kill Chain’, overlaid with controls at each point. The Kill Chain describes the phases of a successful cyber-attack, from ‘Reconnaissance’ to ‘Action on Objectives’. The overlaid controls show how security can be layered in ‘Defence in Depth’ throughout IT systems to deter, detect and disrupt the attacker from accomplishing their goals. To mitigate threats, controls should be implemented strategically at each stage of the Kill Chain – so even if one control fails to stop the attacker, the next control can still mitigate the attack.
Third parties a significant risk for corporates
Many companies have moved aggressively to shore up their defences and protect their treasuries. Investment in new technologies such as two-factor authentication and penetration testing, for instance, has been widespread, but evidence from a recent Deutsche Bank-sponsored study by the Economist Intelligence Unit suggests that other key areas are still being neglected.
Third parties, such as suppliers and subcontractors, are an obvious area of risk. Sensitive data is inevitably shared with external agencies in order to ensure they can provide necessary support, but this comes with strong security implications.
It is worrying, then, that 19% of companies surveyed by the Economist Intelligence Unit admitted they do not check if their suppliers use the same methods for identity authentication as they do, while 14% do not insist that information security requirements for third parties are equally applied to their subcontractors. Lax practices of this kind will need to change – and fast – to avoid rolling out the red carpet for would-be fraudsters.
Perhaps most worrying of all, however, is that, while 92% of corporates now perform internal penetration testing, 33% do not conduct external testing. Equally, only 38% of companies require their third parties and suppliers to perform penetration testing of their own.
These vulnerabilities open treasuries to the risk of so-called man-in-the-middle (MIM) attacks, in which hackers intercept buyer-supplier communications via forged email accounts and send amended invoices and payment instructions to direct funds to their own accounts. To avoid this, corporates will have to ask their suppliers and partners crucial questions about their security and money-management systems, as well as the portals they use.
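The two signals a treasury team can check for on every incoming invoice are the ones the attack described above relies on: a sender domain that only looks like the vetted supplier's, and payment instructions that differ from the supplier master record. The following is an added example written for this page (not code from the report or from any named vendor); the supplier record, the invoice email and the domain names are constructed sample data, and the Levenshtein threshold of 2 is an assumption to tune per environment.

```python
"""Flag supplier invoices whose sender domain or bank details deviate from the vetted record."""
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass
class SupplierRecord:        # the vetted master record held by treasury
    name: str
    email_domain: str
    bank_account: str


@dataclass
class InvoiceEmail:          # what arrives in the accounts-payable mailbox
    supplier_name: str
    sender: str              # raw From: header, e.g. 'Acme <ap@acme.example>'
    bank_account: str        # account quoted on the attached invoice


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()


def check_invoice(invoice: InvoiceEmail, record: SupplierRecord, max_dist: int = 2) -> list[str]:
    """Return human-readable findings; an empty list means nothing deviates from the record."""
    findings = []
    domain = sender_domain(invoice.sender)
    if domain != record.email_domain.lower():
        if edit_distance(domain, record.email_domain.lower()) <= max_dist:
            findings.append(f"look-alike sender domain {domain!r} (vetted: {record.email_domain!r})")
        else:
            findings.append(f"sender domain {domain!r} is not the vetted supplier domain")
    if invoice.bank_account != record.bank_account:
        findings.append("payment instructions differ from the supplier record: verify out of band")
    return findings


# Constructed sample data: a vetted supplier and an amended invoice from a look-alike domain.
VETTED = SupplierRecord("Acme Parts", "acme-parts.example", "GB00BANK00000001")
SUSPECT = InvoiceEmail("Acme Parts", "Acme Parts AP <accounts@acme-parts.exarnple>", "GB00BANK99999999")
```

Any non-empty result should hold the payment for a call-back to a contact already on file, not to a number quoted in the email.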
Understanding the human risk
One of the preferred tactics of online fraudsters is to use an employee’s insider status as a fast track to vital security information. Without the proper training, it is easier than many expect for employees to be “phished” or otherwise hoodwinked into handing over sensitive data to criminals, especially as email hoaxes become increasingly sophisticated and convincing.
Often this kind of deception is carried out under the guise of a third-party employee – perhaps requesting funds be paid into a new account. Organisations must ensure that their employees can identify these imposters and know how to deal with them. Companies must also be wise to the prospect of the “malicious
Figure 1, stage by stage (Description; Example):
Reconnaissance: Identify weaknesses in an organisation; Social media intelligence gathering
Weaponisation: Develop targeted tools to exploit weaknesses; Spear phishing email sent to targeted victim
Delivery: Deliver malware and exploit kit to host; Victim opens and installs malicious attachment
Exploitation: Spreading and activation of malicious code; Malware is installed on victim’s device
Command & Control: Establish outside communication; Attacker addresses deployed scripts
Action on Objectives: Identifying and stealing data of value; Transfer client funds to attacker
www.ibsintelligence.com | © IBS Intelligence 2018