Toward the end of April 2018, it was revealed that Mexico's financial system was the victim of a cyberattack in which cybercriminals stole over 300 million pesos.
Initially, the Interbank Electronic Payment System (SPEI) of the Bank of Mexico began reporting some abnormalities in the interbank transfer service. And although initially it was not recognized that the underlying problem was a cyberattack, the inconsistencies in the statements forced the authorities to recognize that it was indeed such an incident.
A single institution noticed the exploitation of a vulnerability in the Web service that connects its systems with SPEI, although it reported that the incident did not affect any of its clients.
Then, as the investigation progressed, it became public knowledge that the attackers managed to make unauthorized transfers from legitimate accounts to accounts created for this purpose. To get their hands on the money, the cybercriminals had to go through several steps, including extracting some of the ill-gotten funds from ATMs at different locations. Sources such as the Mexican newspaper El Financiero revealed that the attackers contacted some of the banks' customers to transfer part of the stolen money and also to help with the process of withdrawing it, in exchange for a payment for their participation.
WeLiveSecurity spoke with Miguel Ángel Mendoza, Security Researcher at ESET Latin America's Malware Research Laboratory, about this unprecedented event in Mexico in order to get a better understanding about the incident and reflect on what will happen next.
WeLiveSecurity: What are the recommendations that you can give both the central bank and the banks to keep their systems protected?
Miguel: Cybersecurity should be based not only on technology, but also on other pillars that range from regulations to operational aspects. Therefore, it is essential to have the necessary processes, personnel and technology to deal with threats and attacks.
From the operational point of view, banks and financial institutions can create incident response teams to collaborate, coordinate and exchange information, as well as having contingency plans for handling critical situations.
In terms of human resources, awareness is a fundamental activity to minimize risks — the staff must be informed, trained and aware of the dangers, since they represent an important line of defense. In addition, it is also necessary to apply security controls for personnel before, during and at the end of the employment agreement.
From a technological perspective, the continuous review of the technological infrastructure is basic as a proactive measure, for example, through vulnerability assessments and in-depth penetration tests, as well as early detection of threats through pattern recognition and creation of intelligence.
In addition, the regulatory framework around banking cybersecurity implies compliance with the laws and regulations in force, as well as the development and application of other initiatives necessary for the sector.
WeLiveSecurity: What are the methods used in terms of cyberattacks against banks?
Miguel: Undoubtedly, attacks on banks are increasing, although using different methods. The first recorded attacks focused on Denial of Service (DoS) techniques with the objective of knocking institutions offline, but attackers then shifted to the use of malicious code (along with other tools) in the technological infrastructure to carry out cyber-thefts, including compromising ATMs to extract their money.
WeLiveSecurity: What is the cost of a cyberattack for a financial institution?
Miguel: It is difficult to quantify the costs of a cyberattack for any financial institution – the impact is not only economic, and other elements make it difficult to weigh, such as the damage to the reputation of the organization, the loss of trust in the institution, and even the loss of potential clients. Therefore, the cost of a cyberattack for an institution could represent a figure considerably higher than the amount extracted by the attackers.
WeLiveSecurity: Do you need more financial regulations in Mexico?
Miguel: You never have enough regulations, since both technology and threats advance faster than laws and regulations, so there is usually a gap. Another problem is that the regulations are not always implemented, even if they are obligatory — especially when there are guidelines that are presented as optional.
For this reason, events such as the one suffered by the financial system in Mexico help us to re-examine the regulatory framework and help to adapt it based on current security needs, or, failing that, to develop new regulations and legislation. Not because the current regulations are obsolete or inadequate, but rather because the laws or regulations are never perfect, and events of this nature show what lessons can be learned.
If we wanted to look for the positive side of this type of incident, we could indicate that they contribute to highlighting the relevance of cybersecurity and the importance of addressing the issue from different perspectives, because as we mentioned earlier, it is not just about technological issues.
WeLiveSecurity: Turning our attention to the banks impacted by the cyberattack, the companies showed an unprecedented interest in the issue of cybersecurity. Bearing this in mind, what are the aspects that a company or organization should be especially keen to have "protected"?
Miguel: 100% security does not exist, so risk is always present, however minimal. In this context, all security work focuses on minimizing the risks associated with information and other assets. In order to achieve this, controls (technological, administrative or physical) are applied to reduce the probability of an incident occurring, or to minimize the impact it may generate.
Based on these ideas, the basic aspects that an organization must consider to be better-protected are related to: processes, personnel and technology. That is, the application of measures with different approaches, from operational, administrative, technical or technological, to legal and regulatory issues.
In addition, the strategy should not only focus on trying to shield itself: as we mentioned before, there is always a risk. Therefore, in addition to thinking about defensive measures, it is important to have a reactive plan in place in order to know precisely how to operate when the inevitable security incident does occur. Among other proactive approaches, try to discover the vulnerabilities in the technological infrastructure before they could be used to launch an attack. Both measures are equally necessary, so it is a mixture of approaches.
Therefore, operational resilience (ability of an organization to pursue its mission in adverse circumstances), is also necessary, since it has the purpose of maintaining the business processes and services that directly support the mission of the organization. Considering operational resilience to address the capacity of critical processes and services, in order to keep them available in the face of unexpected and unwanted events, is part of the implementation of security from a holistic and transversal approach to all critical processes of the organization.
WeLiveSecurity: According to data from the third annual report on cyber-resilience in organizations prepared by the Ponemon Institute, the second biggest difficulty that companies have when developing a formal cyber-resilience plan is the lack of professionals with sufficient knowledge in the field of cybersecurity. What do you think about this?
Miguel: Several pieces of analysis point to a shortage of professionals specializing in cybersecurity, so it could be one of the main reasons why it is difficult to develop information security programs. In this sense, it is crucial that the industry invests more resources in the training and retention of talent, as well as in programs that seek to develop more professionals in the area.
In addition, higher education plays a key role in the training of personnel specialized in security issues, a task that is not at all simple if we consider that current curricula in some universities consider cybersecurity only as subjects related to specific professions, or leaving this training only for certifications and diplomas. It is also important to mention that professional careers completely focused on security have begun to appear, so this trend should be encouraged.
WeLiveSecurity: Several experts have suggested that blockchain might have been able to prevent cyberattacks on banks because it would have made data manipulation more difficult and would have allowed tracking of where the transactions come from. What do you think?
Miguel: Probably it would have been able to prevent attacks of this type, although it is necessary to mention that no technology is infallible. Due to its characteristics, the blockchain allows the validation of transactions, so that those that are not authorized could probably be rejected. In spite of this, the transition towards these types of technologies is just beginning and it will take some time for the industry to be able to fully operate with this type of mechanism. And while the use of the blockchain could represent an alternative to mitigate this type of attack, no doubt others will arise.
WeLiveSecurity: What about the 14% of CEOs in Mexico who believe that it is inevitable that they will be victims of a cyberattack: are we talking about more conscious organizations, or is there still a lot missing?
Miguel: The percentage tells us about the awareness of the need for cybersecurity, but in the context of an adverse scenario based on what happened. However, this is far from the actions to face the problem for several reasons, especially resources.
For example, ESET's Security Report 2018 shows that only 1 in 10 companies that participated in the study considered the implementation of a mobile security solution, while each day new vulnerabilities are identified and new threats are developed on mobile devices. In other words, while the risks increase, security technologies are little-used, so the gap, far from being reduced, is increasing.
Therefore, although there is a growing awareness of cybersecurity, perhaps even because of the attacks on a global scale that the media has highlighted, there is still a long way to go. The objective is the development of the cybersecurity culture, but this requires time, resources and efforts. The initiatives that are currently being carried out are directed towards this objective.