The hackers attacked “systemically important financial institutions” in Australia (banks, insurance companies, etc.) in a sustained flurry, exposing weaknesses which, according to the Reserve Bank of Australia (RBA), “could present a risk to the integrity and stability of the Australian financial system”.
What’s at risk includes account balances, the RBA says, warning of “loss of data integrity of account balances.” Bank error, but not in your favor.
“Actual adversaries such as state-sponsored attackers are not limited by scope or time,” the Council of Financial Regulators said. “[Red Team] drills mimic opponents with fewer traditional test restrictions and longer duration to fully exploit opportunities.”
The computer help desk is ringing. It’s Bob. He will solve the problem you are having on your work computer. He just needs you to give him the access code. What do you do?
After that, he was in. Behind the scenes, in the system, capable of doing damage.
The only good news is that Bob is not a Russian or Chinese agent. Nor is he organized crime. He’s paid so he doesn’t need to steal. Bob is a hacker who has come to the light side, doing what they call “red team” work in a new program run by the Council of Financial Regulators. (The RBA chairs the council.)
Red teams are probing big companies using real hacking techniques – lying to people, dropping dodgy USB drives full of malware, tapping into company WiFi, emailing staff pretending to be other people. Their tactics are informed by what Australian spy agencies say our enemies will do: try to steal data, plant code that can destroy systems, install ransomware, perform illegitimate transactions, etc.
Riley Kidd, Australian Red Team Professional, puts it this way: “One of the first guiding questions we ask is, ‘What is the worst thing that can happen to your business?’ And then we try to do it.”
Bob’s story of his successful hack is beautifully told; I recommend it to you. It’s anonymized so we have no idea if the story applies to a major Australian bank. But it is possible. Because we know that ‘Bob’s’ company is a major red team supplier in Australia, and we know that the big banks have just gone through a red team exercise.
The red team is spilling blood
The red team’s first attacks on major Australian financial institutions recently ended and the results are apparently nothing to be proud of.
The first attack was a pilot program, focusing only on a “small number of systemically important financial institutions”. What it found is concerning: “Common strengths among participating institutions, as well as weaknesses that could pose a risk to the integrity and stability of Australian financial institutions.”
For a country like Australia where mortgage debt is so large and banks represent such a huge part of our economy and our market, the “integrity and stability” of banks is essential.
What type of attack could affect stability? If banks, payment systems or the stock exchange are taken offline for long periods of time, or if bank balances or transaction data are disrupted, the effect on confidence could be enormous. Financial institutions rely on trust to survive. It’s oxygen for them. No one leaves their money in a bank where they think they might lose it or be prevented from accessing it.
And when the financial system falters, the economy tends to collapse, as the global financial crisis has shown us. The stakes are extremely high.
The RBA has been worried about cyber risk for some time, but the worry is turning into a fever. It is responsible for Australia’s financial stability, and as the following chart shows, its six-monthly review of the issue – historically on bad loans and prudential regulation – increasingly focuses on cyber risks and hacking (except for a dip in 2020 when it worried about a more traditional kind of virus).
Russia’s invasion of Ukraine increases the likelihood of hacking attacks against the West. The RBA said in its latest Financial Stability Review that “a significant cyber event is unavoidable and could have systemic implications.”
Now the RBA knows how important trust is to financial stability. It wouldn’t use the word “inevitable” unless it really wanted to. It is obviously desperate for banks to increase their investments in cyber defense.
I contacted the big four banks to ask how the red team pilot program went. They were all very discreet. I asked a few simple questions such as: does the bank invest in cyber defense? And I asked questions they’d rather not hear, such as: Are people’s bank balances safe? Some dodged, others didn’t even answer. I got no answers.
However, as the guiding framework for the hacking exercise states, the “remediation plan should be considered highly sensitive and valuable to adversaries.” Reluctance is therefore probably strategically wise.
From the RBA, I got two one-word answers. It told me, yes, the feedback phase after the Red Team attacks is over, and, yes, this is providing an impetus to invest more in cyber defense.
It remains for us to draw our conclusions on the gravity of things from the information it has already published, which is not reassuring:
“Cyber attacks are more likely than other types of incidents to be systemic: a well-resourced and sophisticated adversary seeking to cause widespread distress will actively exploit cyber vulnerabilities to maximize the impact of its attack (including affecting multiple institutions),” states the Financial Stability Review.
“Cyber attackers could be motivated by financial gain or a desire to disrupt – the latter is more concerning because it is harder to defend against.”
The banks may not say it, but they are obviously beefing up their defenses. If you look on major job websites, you can find major banks hiring cybersecurity professionals directly and through employment agencies. Westpac is looking for someone with expertise in the “Cyber Kill Chain”, for example. But there is a huge shortage of experienced cybersecurity professionals.
“Last year, 21,000 cybersecurity roles were advertised in Australia, up from 14,000 in the previous reporting period,” said former AustCyber CEO Michelle Price. “But despite a 50% increase in job vacancies, qualified people in the workforce have only increased by 25%. This data shows a significant gap in our skilled workforce, and we don’t see this demand slowing down.”
Pay in the sector is high. Many employment agencies and recruiters are hiring on behalf of anonymous clients, with some paying around $1,000 a day.
We can only hope that the banks will use their deep pockets to get the people they need to keep our bank balances, as well as our financial system and economy, safe.
This article was first published by Crikey.