Pages

28 June 2018

Inside the bunkers and war rooms where major banks wage nightly battle on the frontline of cyber war

By David Taylor 

"These are all malicious activities, they're all attacks," Westpac's chief information security officer Richard Johnson said. While most of us are sleeping at night, a sinister cyber war is raging in the country's big cities. Westpac has revealed it can often come under cyber attack as many as three times in a 24-hour period. The war room To combat the hidden enemy, the ABC has learned banks are now fitted with bunkers and war rooms, while tech staff are engaged in daily cyber war games. Mr Johnson happens to be a former military man — a lieutenant in the Army Reserve. So he is right at home in this environment.
He is in command of the Coordination Centre. The centre is fitted out like NASA's mission control.


There are rows of desks, workers with headphones typing away, and they are all facing a wall of large computer monitors.

One of the screens shows a linear squiggly line with a sharp spike in the middle.

It marks the moment Westpac came under attack, and the response was swift.

"So we have a dedicated team whose core mission it is to constantly assess the state of our environment," Richard Johnson said.

"They will go through picking targeted systems that they want to assess at a given time.

"We'll have automated robots that are running almost continuously — scanning internally and externally looking for anything that might have been missed, any vulnerabilities, so we can detect and respond to that, which is important when changes are occurring, because something might change."

During every attack, there is a focus on any threats to Westpac executives.

That's when the war room, right next door to the Coordination Centre, is engaged.

It is fit for purpose, with a large boardroom table and big screen video links so tech security can speak directly with executives to discuss how the bank will meet the threat.

Richard Johnson says each time a threat hits the bank he looks for teams or executives who might be at risk, "in which case we might direct additional focus to some new technology or capability" that could otherwise be exploited.
Cyber military training

But before any bank engages with the enemy, staff endure boot camp.

Accenture cybersecurity specialist Joseph Failla runs these boot camps and said firms ignore cyber enemies at their own risk.

"You can't ignore it anymore," he said.

"Those companies that push it to the side, or bury their head in the sand, are the ones that are going to suffer."

During boot camp, staff engage in war games.

There is a red team, trying to hack the bank's server, and a blue team, defending those attacks.

"And so what we do with that is that we have the red team try and hack into a system for example — so that's your combatant," Mr Failla said.

"And then internally is the blue team, to see if they can pick-up that hack or that attack.

"And when we work together with the two teams, we'll say, 'well look, I tried to do this, did you see it? Yes, or no?'"

Accenture told the ABC it is yet to see a blue team that's successfully defended all red team attacks.

"We're yet to find anyone that couldn't be compromised by a red team … there's always something!"

It helps explain why Westpac's system faces multiple attacks, every day.

"We have purple teams which are the red team and the blue team coming together to share their trade craft — in terms of what techniques are useful, what are they finding as an ability to maybe break though a system, and what's the defence we want to implement against that?" Westpac's head of IT security Richard Johnson said.

"We have teams that work constantly for us to test and assess the security of our own systems.

"So we'll pay our own people to break in, and other experts from outside to break in to our system so we can find vulnerabilities, and remediate and mitigate those before someone else does."

Threats from within

Westpac also conceded it faced threats from within its own ranks — most of which come from employees who might accidentally leave systems vulnerable to outside hackers.

Westpac wouldn't comment on those attacks, but Accenture shared this insight.

"So staff are the ones that we need to make sure we've got enough security and compliance for internally," Mr Fallia said.

Accenture says it's concerned about both disgruntled employees as well as employees who are given financial incentives by outside parties to do damage.
Can the war be won?

So then, ultimately, how is a cyber war won?

University of Sydney cyber security expert Mark Pesce said the war can't be won, so banks must simply win each battle, every day.

"[We need to] get employees to think like criminals," he said.

"When they actually go into that other mode, and look for the soft underbelly, that's when they're actually learning how to make the bank more secure."

He argued most banks have the latest tech, so it's not about throwing money after new whiz-bang systems — it's more about getting staff to put their minds together to develop strategy.

"It's learning the tricks, not the technology, it's not the tools, but the tricks the hackers are getting to get people to get them access inside these organisations." Mr Pesce said.

Australia is at the forefront of fighting cybercrime.

Goldman Sachs told the ABC it's still experimenting with cyber war gaming technology in its Europe division.

It's offering its 8,000-strong technology workforce access to war game platforms, where they can test their skills against colleagues and compete on a company-wide league table.
Cost of cyber warfare

Cyber attacks cost the finance industry alone more than $18 billion every year, however the reputational damage of a successful hack represents another major problem.

Indeed, Westpac's Richard Johnson said that is the reason many of Australia's largest companies are actually sharing their war stories.

"You need to recognise in cyber security that we face a common enemy," he said.

"The enemy are outside the walls.

"We are all the white hats (or ethical computer hacker), and so against a common enemy, only a coordinated defence makes sense."
What you can do

As for what consumers can do to protect themselves in the midst of this cyber war?

Sydney University's Mark Pesce has this advice to share.

"You always need to be worried about identity theft," he said.

"You always need to be worried about how your credit card is being used.

"We also have to be careful about our digital details — we have to make sure they're being securely stored, so if you give someone those digital details, you have to worry about their duty of care with those details."

No comments:

Post a Comment