How to hack into the bank – three ways

2017/11/11 13:01:02

Here is a creative account of a penetration test a cyber-security firm performed on one of the world's largest banks, and what it tells us about internet safety.

BY ET ONLINE | UPDATED: NOV 11, 2017, 03.21 PM IST


How strong are your cyber-security systems against trained, dedicated attackers? To get an answer, many companies opt for 'penetration testing'—a real-time attack by a security consultant that identifies vulnerabilities and then exploits them. By hacking into the systems of a company, the consultant exposes the worth of its security controls.


Below is a creative account by Sahir Hidayatullah, founder & CEO of cyber-security company Smokescreen Technologies, of a penetration test his company performed on one of the world's largest banks.


2:30 pm on an overcast Tuesday in August. You can smell the earth from the coming monsoon deluge even twelve stories up in our quiet conference room, where, for some reason, the power is flickering. Over the next six hours, we will hack into one of the world's largest banks. Thrice.


This is a cautionary tale of why you can't prevent a motivated hacker from 'getting in', no matter how much of your cybersecurity budget is spent on sleek blinking boxes and Zegna-clad consultants. It's why you never gamble against human resolve and ingenuity, but bet big on smart people consistently making bad decisions. For, as hackers say, "There is no patch for human stupidity".


The Job

"These guys are no helpless newbies." J, one of our ethical hackers, takes a long drag from a clove cigarette and watches the rain obscure the distant railway tracks. He's right. The bank has state-of-the-art security systems, manned by one of the most skilled cyber-security teams in the business. The bank hires us to do this breach readiness assessment regularly, but this time the mission is different. We're trying to dispel the myth that it is even possible to defend against a hacker's initial intrusion. Our success (or failure) will decide how much effort they now put into prevention (locking the door), as opposed to detection and response (spot the burglar early and take them down fast).


Rules of Engagement

Back to the hack. We must consistently and repeatedly subvert the bank's security. It's Moscow rules: once is luck, twice is a coincidence, thrice is a pattern. Oh, and anything is fair game. In fact, we're expected to play as dirty as possible. The bank spends millions of dollars on cybersecurity solutions, and even has scary nightclub-bouncer-style physical security guarding locations with critical data.


What follows is a detailed breakdown of the breaches -- what worked and what didn't. All names have been changed to protect the guilty and the innocent.

