Monday, January 31, 2011

What The World's Biggest Bank Heist Tells Us About Cloud Security

A sophisticated attempt to steal $440m from Sumitomo Mitsui bank's London offices in 2005 showed that what is within the four walls of one’s own building is just as vulnerable to attack as what lies outside them. The criminal case was tried in 2009, convicting everyone involved and providing the following details.

Bribed security staff disabled security cameras and let in hired hackers under the cover of an after-hours poker game. The hackers installed key logging and "screen scraping" software onto Sumitomo's inter-bank transfer systems. Armed with credentials collected from these systems, the would-be thieves returned a month later disguised as office cleaners and attempted to transfer 229 million Pounds Sterling (approximately $440m at the time) to accounts in Dubai, Spain, Hong Kong and Singapore.

The key takeaway is this: security is about transparent risk management, whether it is implemented inside the walls of your building or someone else's. Yet security teams are often correct that their own datacenters are more secure than some of the best-known public clouds, because internal security controls are fully transparent -- all physical and logical controls are known and can be audited.

Many public cloud providers take the approach of "security by obscurity", the reverse of transparent security. It is characterized by refusing "for security reasons" to provide details on the actual security controls implemented in the public cloud datacenter and infrastructure, and by refusing to provide logs and documentation for security audits. You don't need to be a security professional to see that "just trust us" is a triumph of hope over experience.

True cloud security requires service providers who offer transparent security operations, where you know what security is in place and can audit the logs and records from the security controls.

Fortunately for the bank’s customers, the hackers knew more about programming than they did about inter-bank transfers and tidiness: they were unable to complete the transfer screens correctly, and the transactions failed. Returning bank staff found unplugged cables on their computers, leading them to conduct checks which uncovered the bogus transfer attempts. Fundamentally, this story illustrates that transparent, audited security controls – whether internal or external – are key.

Posted by Mathew Lodge
VMware

