Thursday I received an email from a journalist looking for commentary on the Citigroup breach. Since I have written or collaborated on articles that address the regulatory and security issues of the financial industry, he wanted my take on the affair.
I re-posted his questions and my responses in this article. The main reason was to highlight what I believe to be the root cause of the breach. Many of my answers could have been summed up with “Citigroup didn’t keep up with its housekeeping, therefore they were hacked”. By housekeeping, I mean patching, network monitoring, application security, etc. The boring stuff that doesn’t require a $350k device that sports multiple VMs and makes cool science sounds.
So here are the results of the Q&A session:
The breach was discovered in May but wasn’t reported until now. Is this acceptable? What could take Citigroup so long to report?
While not ideal, this is relatively speedy for the industry as a whole. In recent events other institutions have waited many weeks or months (Wellpoint, Countrywide Financial) to finally inform their customers and the public regarding security breaches. As to the length of time between discovery and reporting, it is my assumption that Citigroup had to perform forensic analysis on the breach, contact and work with the authorities, determine the extent of the breach, and devise the appropriate communication strategy for their customers.
Is this part of a hacker campaign against high profile institutions, or just an opportunistic hack?
At this point not much is known about the perpetrators. If we look at the currently active players (LulzSec, Anonymous, organized crime) and the trends in recent incidents, we can reasonably assume that it was a planned attack.