The Devil is in the Data

Imagination dictates a scenario where banks of people, lit by the gently glowing screens of ultra-powerful computers, talk animatedly into headsets while flashing runes on a central terminal relay attack vectors for the cyber-perps. There's probably a general somewhere, too. Either way, the sky above the port is most definitely the color of television, tuned to a dead channel.

I suppose the naming conventions can't be given too much stick, even if they are a little grandiloquent. Events dubbed Moderate Sunrise and Hangover Fish probably wouldn't engender the same muscular urgency among their target audience. But it's a good thing that they're being held. And even more encouragingly, it looks as if banks and financial-market infrastructures are beginning to harden their defenses against digital penetration.

Maginot Lines
Indeed, the Bank of England (BoE) report from the event makes, on the whole, for pretty decent reading. Communication is good, responses are good, technicals are good. All systems go, captain. The problem seems to be more with the exercise itself, in that it needs to more accurately reflect the world's market environment, and possibly not be four hours long next time.

In my reporting on the story last week, I quoted David Porter, head of fraud analytics and SAS UK & Ireland, who had a few interesting things to say about detecting and preventing cyber-attack. Important to the whole piece is an understanding of data, naturally. Further quotes not in the story talked about how an institution may not know that it is under attack until said assault is fully underway, or it's already happened.

That, I think, is the key to understanding cyber prevention. If somebody wanted to rob a bank a century ago, they'd bust in, guns blazing. Or, if they had a degree of intelligence, they might sneak in and take the cash from the safe, and the bank wouldn't be any the wiser until the next morning, when it came to shift money that wasn't there. So, we invented closed-circuit television cameras, laser tripwires for alarm systems, pressure detectors for sensitive areas, and any number of devices aimed at preventing physical intrusion. Most of it relied on a team of security guards who were able to respond to threats as they occurred.

Important to the whole piece is an understanding of data, naturally. Further quotes talked about how an institution may not know that it is under attack until said assault is fully underway, or it's already happened.

Impossible Protection
In the cyberspace arena, we have firewalls and segregated systems, but that's a bit like putting a dozing guard on the door of the vault. He can be bypassed. Over the past few years, we've become more advanced, particularly with distributed computing and fail-over techniques, and in a sense, we've begun to install the cameras and anti-theft technology, just in the digital realm. The only difference is that, without an understanding of networks, system environments and the data that flows through them, we don't have that team of chaps in the control room.

I'm saying ‘we' a lot, but I've neither worked in a bank, nor in cybersecurity. However, the principles are easy to grasp. The devil is in the data, after all.

And besides, the one thing that all of these different periods of time and environments have in common, regardless of how low or high-tech the security might be, is that they all share one, single attack vector that presents a threat greater than a revolver or a botnet.

The insider.