Thursday I received an email from a journalist looking for commentary on the Citigroup breach. Since I have written or collaborated on articles that address the regulatory and security issues of the financial industry, he wanted my take on the affair.
I re-posted his questions and my responses in this article. The main reason was to highlight what I believe to be the root cause of the breach. Many of my answers could have been summed up with “Citigroup didn’t keep up with its housekeeping, therefore they were hacked”. By housekeeping, I mean patching, network monitoring, application security, etc. The boring stuff that doesn’t require a $350k device that sports multiple VMs and makes cool science sounds.
So here are the results of the Q&A session:
The breach was discovered in May but wasn’t reported until now. Is this acceptable? What could take Citigroup so long to report?
While not ideal, this is relatively speedy for the industry as a whole. In recent events other institutions have waited many weeks or months (Wellpoint, Countrywide Financial) before finally informing their customers and the public about security breaches. As to the length of time between discovery and reporting, it is my assumption that Citigroup had to perform forensic analysis on the breach, contact and work with the authorities, determine the extent of the breach and devise the appropriate communication strategy for their customers.
Is this part of a hacker campaign against high profile institutions, or just an opportunistic hack?
At this point not much is known about the perpetrators. If we look at the current active players (LulzSec, Anonymous, Organized Crime) and the trends in recent incidents we can make some assumptions that it was a planned attack.
How did the hack work, and could it be done again?
Again, Citigroup has not really released any detailed information, but we can make assumptions. It was probably a SQL injection or cross-site scripting (XSS) exploit. Almost all of the latest breaches have their roots in these vulnerabilities. This is an easily repeatable hack that can be done over and over on vulnerable web applications or sites.
Should other institutions be looking at their security measures? Should competitors be tightening-up security in case they’re next?
Hopefully the answers to these questions are obvious to other organizations’ executives. In light of the Sony, Bank of America, Citigroup, Nintendo, Honda and Lockheed breaches, organizational leadership should immediately review their security posture and ensure they are actively monitoring their networks, patching their systems, performing trend analysis on threats, ensuring their disaster recovery plans are up to date, etc. If not, then they should expect to be an easy target.
What could Citigroup have done to avoid the hack in the first place?
If the breach was an XSS or SQL injection exploit, then stronger application security should have been considered for their web-based applications. Also, they should have had a reputable penetration testing firm examine their environments for vulnerabilities at least once a year.
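As an added illustration of what “stronger application security” means for the two vulnerability classes named above, the following Python compares a SQL query built by string concatenation with a parameterized one, and shows output encoding for an HTML context. This is example code written for this post, not code from Citigroup or from the original article; the in-memory accounts table, the customer names and the function names are all constructed for the demo.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory demo database (not any real bank's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, customer TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (customer, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn


def lookup_vulnerable(conn, customer):
    """The weak form: user input is spliced into the SQL text.

    A value such as  x' OR '1'='1  changes the statement's logic and
    returns every row instead of one.
    """
    query = (
        "SELECT customer, balance FROM accounts WHERE customer = '" + customer + "'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn, customer):
    """The hardened form: a parameterized query.

    The driver sends the value separately from the statement, so the
    input can only ever be compared as data and cannot alter the query.
    """
    return conn.execute(
        "SELECT customer, balance FROM accounts WHERE customer = ?", (customer,)
    ).fetchall()


def render_greeting(customer):
    """Output encoding for an HTML context.

    html.escape turns <, >, &, and quotes into entities, so a customer
    name containing markup is displayed as text rather than executed
    by the browser (the XSS counterpart of the parameterized query).
    """
    return "<p>Welcome, " + html.escape(customer) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every account
    print("hardened:  ", lookup_hardened(db, probe))     # no match
    print(render_greeting("<script>alert(1)</script>"))
```

The two lookup functions differ by one thing only: whether the input is part of the SQL text or passed as a bound parameter. That is the whole of the SQL injection fix, and it costs nothing at runtime; the same discipline (keep data out of the code channel) is what `html.escape` applies on the output side.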
In your opinion how does Citigroup’s online banking security compare to its competitors? Could it have done anything better?
Based on my consulting experience within the financial industry, they are more or less the same as their competitors. As with most financial organizations, development for online banking software is handled offshore which can be a challenge when it comes to infusing the application with information security best practices from the foundation up.
As to what Citigroup could have done better, it depends on how the breach was perpetrated. If a rogue employee gained access to the system or administrator credentials and then used that to facilitate the breach, it is harder to address. However, if the breach was an XSS or SQL injection exploit, then their web-based applications needed stronger application security.
“Security breaches happen, they’re going to continue to happen” — Citigroup global enterprise payments head Paul Galant stated when talking to Reuters. Is he right? Is his comment acceptable? Can hacks ever be stopped?
Mr. Galant is correct in stating that there will always be the potential for security breaches. Also, if your organization is the target of a sophisticated hacker or criminal group, the odds are you are going to be compromised regardless of your security posture. This sentiment is echoed by Bruce Schneier, one of the leading voices in the information security industry. However, you can quickly intercept a potential breach if you are actively monitoring your network and trends. The case of LastPass and how they handled a potential issue is an excellent example of that.
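To make “actively monitoring your network” concrete, here is an added example, not from the original post and not anything LastPass or Citigroup run, that parses web-server access-log lines in the common log format, counts injection-style probes and server errors per source address, and flags sources that cross a threshold. The log lines, the addresses (documentation ranges), the indicator patterns and the thresholds are all constructed for the demo and would need tuning for a real application.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2011:10:01:02 +0000] "GET /account?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [09/Jun/2011:10:01:03 +0000] "GET /account?id=1%27 HTTP/1.1" 500 120
203.0.113.7 - - [09/Jun/2011:10:01:04 +0000] "GET /account?id=1%20OR%201%3D1 HTTP/1.1" 500 120
203.0.113.7 - - [09/Jun/2011:10:01:05 +0000] "GET /account?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 120
198.51.100.4 - - [09/Jun/2011:10:01:06 +0000] "GET /account?id=2 HTTP/1.1" 200 512
198.51.100.4 - - [09/Jun/2011:10:01:07 +0000] "GET /help HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Indicators of injection probing in the URL-decoded request path.
# These are illustrative; a production ruleset is application-specific.
INDICATORS = [
    re.compile(r"'"),                               # stray quote in a parameter
    re.compile(r"union\s+select", re.I),            # classic tautology/union probe
    re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"<script", re.I),                   # reflected-XSS style payload
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])   # decode %27, %20 etc. before matching
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text):
    """Per-source counts of requests, indicator hits and 5xx responses."""
    stats = defaultdict(
        lambda: {"requests": 0, "indicator_hits": 0, "server_errors": 0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if any(p.search(rec["path"]) for p in INDICATORS):
            s["indicator_hits"] += 1
        if 500 <= rec["status"] < 600:
            s["server_errors"] += 1
    return dict(stats)


def flag_sources(stats, hit_threshold=2, error_threshold=3):
    """Sources worth an analyst's attention: repeated probes or an error burst.

    Server errors are counted separately because a burst of 5xx from one
    client is a strong signal even when no pattern in INDICATORS matched.
    """
    return sorted(
        ip
        for ip, s in stats.items()
        if s["indicator_hits"] >= hit_threshold
        or s["server_errors"] >= error_threshold
    )


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, s)
    print("flagged:", flag_sources(stats))
```

The point is not the particular patterns but the habit: the probing activity that precedes an injection breach is visible in logs the organization already has, and a few lines of correlation per source address turn those logs into an early warning rather than forensic material read after the fact.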
As for the acceptability of Mr. Galant’s comment, he should have phrased his response in a less confrontational manner, quoted Schneier’s position, and then stated the steps Citigroup has been taking to address the current breach and its future plans for security improvements.
I’d like to hear your thoughts regarding my responses. So, please feel free to drop by and post a comment below!