Hacked: A bank is hacked! How bad is it?

Below, you will see a credit union bank that got hacked in Feb 2013 (see bottom center of the picture). If you are a member of this credit union, they would have notified you of the potential hack and advised you to stop using your card or to call them to block your card.

The notification message that reached you probably looks something like the one below.

As an information security expert, you can probably read through the notification document and gather some insights. The following are some of the insights I have been able to collect - if you have additional thoughts, go ahead and comment on them below.

1. The information security warfare/protection game plan has now been upgraded to cyber-crime. Gone are the days when you could block all the atypical ports and feel comfy! Traffic now happens on port 80 and payloads are exchanged on port 80! Hackers are designing attacks that use ‘conventional/usual paths’ with unusual patterns. It is like saying, “thieves are robbing us, and they are walking in through the main door and taking stuff(!) out through our main door”!

2. Regulations such as PCI can give you ‘comfort’, not a guarantee, because PCI is more focused on protecting data through conventional means (translation: following usual patterns, for example blocking usual ports) for data-at-risk, data-at-rest and data-in-transit. Malware is an unusual beast with unusual patterns.

3. These are zero-day attacks, and even companies specialized in this, with hacking experts on staff, take time to reverse engineer them, by which point the zero-day attack is already a few weeks old.

However, there is also a positive note to this:

a. Tools such as pro-active IPS (such as FireEye) and SIEMs, and teams of collaborating cyber-threat experts who message each other to warn about and identify the symptoms of the pattern.

b. Malware hacker psychology has been better understood in the last ONE year - countries have united to bring down Stuxnet/Grum etc. Of course, countries have also leveraged such psychology to control the turn-out of events. In any case, we are now in a better place than a year or two ago, when we would wonder: “Yes, I see traffic going out to some place on the internet, but I don’t know what they are sending in the payload and why they are reaching out”. Now we know that they are reaching out to command-and-control to download additional worms or similar. Now we know there are randomly created domain names, that they are hard to detect, and we are collectively bringing those domains down.

c. Last but not least, there is considerable education about malware, and collaboration and convergence on how to counter these attacks.

d. There are specialized companies with teams to detect such attacks.
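Point b above mentions the randomly created command-and-control domain names that are hard to detect. As an added example (not from the original post), the Python below scores the names in a constructed DNS query log with a simple lexical heuristic (entropy, vowel share, consonant runs); the log lines, thresholds and function names are all assumptions, not anything from the post.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real data): "<time> <client> <queried-name>"
SAMPLE_DNS_LOG = """\
2013-02-14T09:12:01 10.0.0.21 www.example.com
2013-02-14T09:12:03 10.0.0.21 mail.google.com
2013-02-14T09:12:07 10.0.0.37 xq7zk2vprw9lmt.net
2013-02-14T09:12:07 10.0.0.37 bhq4tzxwkjvn83.info
2013-02-14T09:12:08 10.0.0.37 cdn.jquery.com
2013-02-14T09:12:09 10.0.0.37 pzrtkwqvxlmbjn.biz
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of a label; randomly generated labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def second_level_label(fqdn: str) -> str:
    """Label left of the TLD (naive: treats the last label as the TLD)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(fqdn: str) -> float:
    """Heuristic score 0-3: one point each for high entropy, few vowels,
    and a long run of consonants. Assumed thresholds, tuned for the sample."""
    label = second_level_label(fqdn)
    if len(label) < 6:          # short brand names are not worth scoring
        return 0.0
    entropy = shannon_entropy(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou0-9]+", label)), default=0)
    score = 0.0
    score += entropy > 3.2
    score += vowel_ratio < 0.25
    score += longest_run >= 4
    return score

def suspicious_queries(log: str, threshold: float = 2.0) -> list:
    """Return (client, name) pairs whose queried name scores >= threshold,
    i.e. the hosts worth a closer look for command-and-control traffic."""
    hits = []
    for line in log.splitlines():
        _, client, name = line.split()
        if dga_score(name) >= threshold:
            hits.append((client, name))
    return hits

if __name__ == "__main__":
    for client, name in suspicious_queries(SAMPLE_DNS_LOG):
        print(f"{client} queried suspicious name {name}")
```

A lexical heuristic like this is a triage aid, not proof: long legitimate hostnames (CDN labels, hashed subdomains) will also score high, so hits belong in a SIEM alongside the volume and timing of the queries rather than on a blocklist directly.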

What does this mean for info-sec professionals like us?

a. We need more analysis experts with cyber-traffic experience.

b. Malware warfare is just beginning - more is to come, as the ‘cyber surface area’ has just increased with mobile: mobile users, mobile operating systems, mobile apps.

c. Lastly, more jobs will be created in this field as the warfare gets tougher, reaches a peak and then probably stabilizes. I am not sure when that ‘stabilize’ would happen or what it would mean.

Comments? Thoughts?