
Physical and cyberthreats to financial institutions

Physical and Digital Threats to Financial Institutions in the Wake of the Terrorist Attacks
Aggressors attack at the point of maximum leverage. For modern society, this means critical infrastructure -- transportation, telecommunications, oil and gas distribution, emergency services, water, electric power, finance and government operations.
-- Dr. Vinton Cerf, Senior Vice President of MCI WorldCom
testimony before Congress

by Mary Beth Guard, Esq. and L. Michael Guard, Esq., C.I.S.S.P.

Knives and box cutters. Hijacked planes used as populated bombs. The terrorists who attacked the United States on September 11th caught us by surprise. Now, as America and its allies wage war on terrorism, financial institutions and other businesses must assess the likelihood of cyber attacks and physical threats, and prepare accordingly.

Under the Interagency Guidelines for Safeguarding Customer Information issued pursuant to Title V of the Gramm-Leach-Bliley Act, financial institutions are required to implement and maintain administrative, technical and physical safeguards for protecting customer information. One of the most important aspects of an information security program is ongoing assessment of risks and threats. The purpose of this article is to provide an overview of both actual and anticipated physical and digital threats to financial institutions following the recent attacks on America, along with background data regarding the impact and likelihood of such threats.

Why target financial institutions?
Financial institutions could be targeted for a variety of reasons:
-- in an effort to steal funds;
-- to gain access to information;
-- to disrupt normal business;
-- to create costly distractions;
-- to shake confidence and cause panic.

As noted by the General Accounting Office in its report, GAO-01-323 on Critical Infrastructure Protection, when systems supporting critical operations are threatened, potential damage can include:

  • consumer confidence lost
  • critical operations halted
  • sensitive data disclosed
  • services and benefits interrupted
  • assets lost
  • integrity of data and reports corrupted

Because financial institutions have a high profile and are a critical part of the U.S. infrastructure, they can be an attractive target and could be a part of an overall strategy of attack that might be mounted against the U.S. Terrorists or hostile foreign governments who seek to destabilize our economy and cause unrest among our citizens may attempt to accomplish their aims by calling into question the integrity of important data (such as financial records or news reports); rendering vital systems unavailable (such as with distributed denial of service attacks); destroying critical information by attacking data repositories; tying up human resources by launching types of attacks (such as viruses and worms) that require massive efforts to restore operability; disrupting communications systems (targeting cellular towers or TV broadcasting facilities, for example); and waging disinformation campaigns.

In testimony before the Joint Economic Committee of Congress in February 2000, the Information Operations Issue Manager of the C.I.A. explained motivations for attacks against our information structure:

"What motivates an attack against the U.S. information structure? There are any number of incentives, including economic, industrial, and military rationales. By way of example:

  • Trillions of dollars in financial transactions and commerce move over a medium with minimal protection and only sporadic law enforcement, a structure -- the most complex the world has ever known;
  • Increasing quantities of intellectual property reside on networked systems; and
  • Opportunities abound to disrupt military effectiveness and public safety while maintaining the elements of surprise and anonymity."

Criminals may also target financial institutions in pursuit of direct monetary benefits, by stealing money, credit card numbers, access, or information.

Physical Threats
Robberies, extortion, theft, arson, sabotage, kidnappings, use of explosive devices, or even biological weapons -- all are possibilities, as well as the use of social engineering tactics, pretext calls and diversionary techniques to gain information, access and more.

Special care should be taken with screening and hiring new employees, as well as outside contractors. After the hijackings, attention was focused anew on the cleaning crews and catering staff. Those individuals had access to sensitive areas, usually without supervision, yet were perhaps not subjected to much scrutiny at the time of hiring. Identify vulnerabilities.

On 10/12/01, federal prosecutors revealed that Argenbright Security, Inc., an independent contractor used to provide security in several of the nation's largest airports, including Washington Dulles, had hired criminals to man security checkpoints at Philadelphia International Airport even after being fined last year for inadequately checking employees' backgrounds. Criminals have infiltrated -- and will continue to try to infiltrate -- critical areas of our protective infrastructure, and that can include financial institutions if adequate screening is not done.

If you use outside janitorial staff, repairmen, computer technicians, or other independent contractors who have access to your premises, take a fresh look at what you know about them -- and what they know about your institution, its procedures, its weak points in security. Restrict access to what is needed.

  • Pay special attention to key control/access control.
  • Provide refresher training on opening and closing procedures.
  • Encourage staffers to be observant and to report unusual behavior or circumstances.
  • Train your employees on detecting and avoiding social engineering and pretext calling.
  • Make sure you are staying current on developments with the Office of Foreign Assets Control and are disseminating updates to affected areas within your institution.
  • Discuss how to handle situations where someone who is on the Control List or on the OFAC list attempts to open an account or conduct a transaction.
  • Allay fears about anthrax by making the facts available. (See "Anthrax -- Knowledge is Power").

Pull out a copy of your institution's security program. Is it comprehensive? Does it need to be updated? Have you covered everything that needs to be covered, from the extremely remote threat of bioterrorism to what should be done in the event of a bomb threat? Now is the time to make necessary adjustments and to update your training.

Numerous financial institutions evacuated their premises on September 11th. In some instances, it was because they were in buildings directly affected by the attacks. In other cases, it was out of an abundance of caution because the institutions were housed in or near well-known landmarks that could have become targets. Do you have well-designed evacuation procedures? Examine the plan from the perspective of how it would have worked if your office or offices had been a target on September 11.

Too many financial institutions view disaster planning as a checklist item on their regulatory to-do list, rather than a vital tool for protecting employees, customers, the institution and its assets. Some of the evacuations carried out on September 11 illustrated how critical this part of a disaster plan can be. For example, Morgan Stanley Dean Witter was the largest tenant in the World Trade Center, with 3,700 employees. According to news reports, it had a contingency plan that all its employees were familiar with, and it adhered to it. Despite a voice on the building's public-address system telling workers it was safe to return to their offices, Morgan's security officers kept the employees moving down dozens of flights of stairs. All but six employees escaped as a result.

Another company located in the Twin Towers, the Japanese firm Mizuho, had held drills repeatedly. Their employees had emergency kits with burn cream, smoke hoods, and glow sticks strapped to the backs of their chairs to illuminate their way out of their building in the event of a power failure.

It's not enough, however, to have a plan. Employees must be trained on implementation. Seconds count when an emergency forces action to be taken quickly. If employees know exactly what steps to take -- and those steps have been carefully designed for maximum protection -- they will feel more secure, more calm, more confident, and will have a greater chance of making an orderly exit. This is an opportune time for training on your disaster recovery procedures because employees will have a heightened awareness of the importance of the subject.

Don't overlook the fact that criminals can, and will, take advantage of chaos. Plan to secure offices, records, computers, buildings, to the extent feasible under the circumstances.

Cyberterrorism
The threat of cyberterrorism is very real and cyber attacks can -- and should -- be anticipated in the wake of the September 11 events. We have gathered various resources to help determine why, how, and in what form the cyber attacks may occur.

Likelihood of Cyber Attacks
A report issued September 22, 2001 by the Institute for Security Technology Studies at Dartmouth College, "Cyber Attacks During the War on Terrorism: A Predictive Analysis", states that three lessons can be learned from case studies on past cyber attacks:

  • Cyber attacks immediately accompany physical attacks.
  • Cyber attacks are increasing in volume, sophistication and coordination.
  • Cyber attackers are attracted to high value targets.

The authors of the report studied political conflicts that have led to attacks on cyber systems, such as the recent clashes between India and Pakistan, Israel and the Palestinians, and NATO and Serbia in Kosovo, and the tensions between the U.S. and China over the collision between a Chinese fighter plane and an American surveillance plane.

It's not just the terrorists with whom we are directly engaged in battle who may be a potential source of cyber attacks, according to the Dartmouth experts. Other potential sources of cyberthreats are terrorist groups in general, terrorist sympathizers and anti-U.S. hackers, targeted Nation-states, and thrill seekers or opportunists.

Additional insight into what to expect can be gained from the National Infrastructure Protection Center ("NIPC"), which has issued a number of advisories and guidance documents in the wake of the terrorist attacks.

On 9/14/01, NIPC issued ADVISORY 01-020, saying it expects to see an upswing in incidents as a result of the events of September 11, 2001. It states that increased hacking attacks are likely to have two motivations:

Political hacktivism by self-described "patriot" hackers targeted at those perceived to be responsible for the terrorist attacks. NIPC has already received reports of individuals encouraging vigilante hacking activity.

Virus propagation in which old viruses are renamed to appear related to recent events. One such incident has already been reported in which a new version of the life_stages.txt.shs virus was renamed wtc.txt.vbs to appear to be related to the World Trade Center.

On 9/17/01, NIPC ADVISORY 01-021 warned about an expected increase in Distributed Denial of Service (DDoS) attacks. NIPC noted:

  • On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.
  • There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place. The Dispatchers claim to have over 1,000 machines under their control for the attacks. It is likely that the attackers will mask their operations by using the IP addresses and pirated systems of uninvolved third parties.
  • System administrators are encouraged to check their systems for zombie agent software and ensure they institute best practices such as ingress and egress filtering. The NIPC has made available the "Find DDoS" tool to determine if your computer has been infected by the most common DDoS agents. The tool may be downloaded from the following website:

    http://www.nipc.gov/warnings/advisories/2000/00-055.htm.
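The advisory's recommendation of "ingress and egress filtering" is the anti-spoofing practice later written up as BCP 38: drop inbound packets whose source address claims to be inside your network, and drop outbound packets whose source address is not one of your own. The following is an added example, not code from NIPC or from this article, that makes the two decisions explicit for a site edge. The prefixes, the packet tuples and the treatment of private ranges as bogons are all assumptions constructed for the example.

```python
# Added example (not from the NIPC advisory or the article): a minimal
# BCP 38 style anti-spoofing filter decision for a site edge, showing
# what "ingress and egress filtering" means in practice. Assumptions:
# the institution owns the prefixes in SITE_PREFIXES (hypothetical
# values), the edge sees packets as (direction, src, dst) tuples, and
# private/loopback space is never a legitimate source from the Internet.
import ipaddress
from typing import Iterable

# Hypothetical address space allocated to the institution (constructed).
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

# Space that must never appear as a source arriving from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

def in_any(addr: str, prefixes) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)

def filter_decision(direction: str, src: str, dst: str) -> str:
    """Return 'permit' or 'drop' for one packet at the site edge.

    direction: 'in'  = arriving from the Internet
               'out' = leaving toward the Internet
    Ingress rule: drop inbound packets whose source claims to be inside
      the site or in bogon space (an outsider spoofing an insider).
    Egress rule:  drop outbound packets whose source is not one of the
      site's own addresses (a compromised internal host spoofing its
      source, the DDoS zombie behaviour the advisory warns about).
    """
    if direction == "in":
        if in_any(src, SITE_PREFIXES) or in_any(src, BOGON_PREFIXES):
            return "drop"
        return "permit"
    if direction == "out":
        if not in_any(src, SITE_PREFIXES):
            return "drop"
        return "permit"
    raise ValueError("direction must be 'in' or 'out'")

def audit(packets: Iterable[tuple]) -> list:
    """Apply the decision to a batch and return the packets that were dropped."""
    return [(d, s, t) for d, s, t in packets if filter_decision(d, s, t) == "drop"]

# Constructed sample traffic, not captured data.
SAMPLE = [
    ("in",  "192.0.2.10",   "203.0.113.5"),   # ordinary inbound: permit
    ("in",  "203.0.113.77", "203.0.113.5"),   # outsider spoofing our space: drop
    ("in",  "10.1.2.3",     "203.0.113.5"),   # bogon source: drop
    ("out", "203.0.113.20", "192.0.2.99"),    # ordinary outbound: permit
    ("out", "8.8.4.4",      "192.0.2.99"),    # zombie spoofing its source: drop
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(filter_decision(*pkt), pkt)
```

The egress rule is the one that stops your own compromised machines from taking part in a spoofed-source DDoS against someone else; the ingress rule stops an outsider from impersonating one of your hosts to your own services. Both belong on the border router or firewall, not on individual servers.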

The NIPC is attempting to help small office and home computer users protect against vulnerabilities (since these are usually less sophisticated users and their machines are often targeted for use as zombies in Distributed Denial of Service (DDoS) attacks, for example) by issuing guidance on "Seven Simple Computer Security Tips for Small Business and Home Computer Users".

The latest edition of the NIPC's CyberNotes (pdf format) contains a chart which details known vulnerabilities and exposures, types of risks, and patches (where available). NIPC also issued a warning in ADVISORY 01-022 about the NIMDA worm.

With respect to financial institutions and e-commerce companies specifically, the NIPC, on October 5, 2001, reiterated its warning about increased hacking activity targeting the e-commerce or e-finance/banking industry. NIPC notes that over the past several months, hackers have increased their targeting of several third-party service providers that employ weak security practices. In an Update to NIPC Advisory 01-003 "E-Commerce Vulnerabilities", NIPC says hackers are targeting third party service providers because of the access they have into a partner company and the proprietary information contained therein. Because the level of security can differ between a third-party service provider and a partner company, hackers attempt to exploit these security inconsistencies.

How real is the threat of cyber attacks?
John A. Serabian, Jr. with the CIA stated in testimony last year that the CIA is detecting, with increasing frequency, the appearance of doctrine and dedicated offensive cyber warfare programs in other countries. He points to a Chinese General who was quoted in a military publication in 1996 talking about how computers would be vulnerable in three ways in future wars: "We can make the enemy's command centers not work by changing their data system. We can cause the enemy's headquarters to make incorrect judgment by sending disinformation. We can dominate the enemy's banking system and even its entire social order." Serabian says, "...the battle space of the information age would surely include attacks against our domestic infrastructure."

More than a year ago, the CIA was aware that Usama Bin Ladin and other terrorist organizations, such as Hizballah and HAMAS, were using computerized files, email, and encryption to support their organizations. "We recognize that cyber tools offer them new, low-cost, easily hidden means to inflict damage. Terrorists and extremists already use the Internet to communicate, to raise funds, recruit, and gather intelligence. They may even launch attacks remotely from countries where their actions are not illegal or with whom we have no extradition agreements."

But as former Commerce Secretary William Daley noted at a White House conference last year aimed at directing corporate attention to the threat of computer assaults, the Internet era marked "the first time in American history the federal government alone cannot protect our infrastructure." We must take steps to protect ourselves.

In June, 2001, Lawrence K. Gershwin, National Intelligence Officer for Science and Technology pointed out in a statement to the Joint Economic Committee of Congress that "attacks on our military, economic, or telecommunications infrastructure can be launched from anywhere in the world, and they can be used to transport the problems of a distant conflict directly to America's heartland."

Gershwin also stated, "Information from industry security experts suggests that US national information networks have become more vulnerable -- and therefore more attractive as targets of foreign cyber attack. An independent group of security professionals created the "Honeynet Project," placing virtual computers on the Internet to evaluate threats and vulnerabilities that currently exist. The results were stunning: the average computer placed on the Internet will be hacked in about 8 hours. University networks are even worse, with an unsecured computer system being hacked in only about 45 minutes."

One reason we are more vulnerable, according to Gershwin, is because "[m]ainstream commercial software -- whose vulnerabilities are widely known -- is replacing relatively secure proprietary network systems by US telecommunications providers and other operators of critical infrastructure. Such commercial software includes imported products that provide opportunities for foreign implantation of exploitation or attack tools."

What form will the cyber attacks take?
The form the cyber attacks take will depend upon the goal of the attackers. They may seek to destroy, corrupt, steal, or monitor information vital to financial institution or its customers.

We can expect (and, in some cases, have already seen) the following:

  • Worms and viruses. Expect greater numbers, more complex and harder-to-detect code, and more damaging payloads. One of the latest, for example, the Vote Worm, infects users when they open an email attachment that purports to allow them to vote on "Peace BeTween AmeriCa And IsLam" [sic]. The Vote Worm causes infected computers to send e-mail and attempts to delete files in the Windows directory. The NIMDA worm, which first appeared days after the terrorist attacks, has also created major problems and its propagation is record-setting. The SIRCAM worm is now >
  • Distributed Denial of Service (DDoS) Attacks. Three factors have coalesced to make this an especially vulnerable area: 1) growth in the number of users connected to the Internet via high speed connections, such as DSL or cable; 2) inadequate security precautions implemented by home users and small offices; 3) widespread availability of information about how to launch a DDoS attack.

  • Web site defacements, particularly Hacktivism -- politically motivated attacks on publicly accessible Web pages or email servers to send a political message (according to the General Accounting Office). Hacktivism can often be at the root of Web site defacements. As noted in the Dartmouth report, approximately 1,200 U.S. sites, including those belonging to the White House, the Air Force and the Department of Energy, were subjected to DDoS attacks or defaced with pro-Chinese images in a one week period following the U.S. - China spy plane incident. Keep in mind that if a Web site can be defaced, the hacktivist or hacker has control over the site's content and could instead make subtle, but damaging, alterations to it -- changing the address a login form posts to, for example, is far harder to notice than a replaced home page. Precautions (such as changing server access passwords) should be taken, and Web pages should be constantly monitored to detect any unauthorized changes.

  • Unauthorized intrusions. We believe this is the area of greatest concern due to the potential damages that can result. Hackers could move money out of accounts, compromise the confidentiality of data, establish online bill payments from customer accounts to themselves, and wreak havoc in myriad other ways. The majority of unauthorized intrusions into computer systems by outsiders result from exploitation of known security vulnerabilities. Failure to immediately implement security patches can leave computers wide open to hackers.

  • Domain Name System (DNS) Attacks. As described in the Dartmouth study, a hacker could prevent access to a Web site by attacking the domain name servers that computers consult in order to obtain the mapping between the name of a system and the numerical address (IP address) of that system or Web site, and could redirect traffic. In the banking arena, this could cause a customer to be unknowingly taken to a copycat Web site that appears to be the login page for online banking. By mirroring the look and feel of the true online banking page, the hackers could lull customers into a false sense of security and trick them into typing in their user names and passwords, which would then be captured for future use by the hackers. With a simple message saying something like "We're sorry, but this service is temporarily unavailable while we are updating our server. Please try again later.", the hacker masks what's really going on and buys more time to continue perpetrating the fraud.

  • Routing vulnerabilities. Some experts, including the Institute for Security Technology Studies, are warning of routing vulnerabilities. Since the majority of routers on the Internet run Cisco's Internetwork Operating System (IOS), which is known to have vulnerabilities, hackers could exploit one of those vulnerabilities and attempt to halt Internet traffic. This would have a devastating effect on businesses which are highly dependent upon the 'Net to conduct routine business.
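The defacement item above ends with the advice to monitor Web pages constantly for unauthorized changes. The simplest reliable way to do that is a baseline-and-compare integrity check: hash every published file, keep the hashes somewhere the Web server cannot write, and periodically re-hash and diff. The block below is an added example, not code from the article, that does exactly this and reports added, removed and modified files, so it catches the subtle single-attribute change to a login form as readily as a wholesale defacement. The site name, file contents and the in-memory "filesystem" are constructed for the example.

```python
# Added example (not from the article): baseline-and-compare integrity
# monitoring for published Web content. snapshot_dir() hashes a real
# document root; snapshot_files() does the same for the constructed
# in-memory sample so the example runs offline. diff_snapshots() is the
# check you would schedule after publishing a baseline.
import hashlib
from pathlib import Path

def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def snapshot_dir(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    return {str(p.relative_to(root)): hash_bytes(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}

def snapshot_files(files: dict) -> dict:
    """Same as snapshot_dir, but for an in-memory {path: bytes} mapping."""
    return {p: hash_bytes(b) for p, b in files.items()}

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; any non-empty list is a change to investigate."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

# Constructed sample: the content the site owner approved (baseline) and
# what the monitor found on a later run. Hostnames are fictitious.
BASELINE_FILES = {
    "index.html": b"<html><body>Welcome to Example Bank</body></html>",
    "login.html": b'<form action="https://bank.example/login" method="post">',
    "css/site.css": b"body { font-family: sans-serif; }",
}
CURRENT_FILES = {
    "index.html": b"<html><body>Welcome to Example Bank</body></html>",
    # one attribute changed: the form now posts credentials elsewhere
    "login.html": b'<form action="https://bank-example.invalid/login" method="post">',
    "css/site.css": b"body { font-family: sans-serif; }",
    "images/x.php": b"<?php /* unexpected new file */ ?>",
}

def check_site() -> dict:
    """Run the comparison on the constructed sample and return the findings."""
    return diff_snapshots(snapshot_files(BASELINE_FILES),
                          snapshot_files(CURRENT_FILES))

if __name__ == "__main__":
    for kind, paths in check_site().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Two points matter in deployment: the baseline must be regenerated as part of the legitimate publishing process (otherwise every content update is an alarm and the alarms get ignored), and it must be stored off the Web server, since an intruder who can rewrite pages can also rewrite a hash file sitting beside them.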

Public perception of info-security weakness can, in itself, pose a problem if customers of financial institutions have fears regarding the integrity and confidentiality of their information. In Gershwin's testimony before Congress last summer he noted that "several highly publicized intrusions and computer virus incidents such as the recent intrusion into the California Independent System Operator -- the non-profit corporation that controls the distribution of 75 percent of the state's power -- have fed a public -- and perhaps foreign government -- perception that the networks upon which US national security and economic well-being depend are vulnerable to attack by almost anyone with a computer, a modem, and a modicum of skill." This fear was overblown, in Gershwin's opinion, but it illustrates how distrustful the public is of technology. Not only must you take sound and effective precautions against cyber attacks, you must be able to clearly and convincingly communicate your cyberreadiness (without, of course, making guarantees or overstating the protections you have in place, since no network can be made 100% secure.)

In our next article, we will detail important steps financial institutions should be taking to guard against the anticipated cyber threats.

Copyright, 2001, BankersOnline. All rights reserved.

First published on 10/11/2001

Last updated on 10/12/01
