Eastern Europe bank hack highlights the need for network access security

The IT security website Dark Reading recently reported on a massive data breach affecting banks in Eastern Europe. Kaspersky Labs originally discovered the breach and traced the sequence of events. The hackers gained physical access to the banks by brazenly posing as individuals with a legitimate reason for being there, such as couriers or job applicants. Then they simply plugged devices into ports in conference rooms or empty offices, leaving the devices behind. These included laptops and Raspberry Pi devices, which the hackers then controlled remotely to probe the networks of the banks. The attackers’ ultimate purpose was to obtain confidential data for monetary gain, and they succeeded. In the end the breach involved at least eight banks and monetary losses totaled over ten million dollars.

Physical security is a first line of defense—but what if it fails?

We normally think of wireless access as inherently harder to secure than wired network access, because the latter requires physical access to a network port to be a conduit for data compromise. Wireless data traffic travels over the air, and the signal extends beyond the boundaries of a building. That’s why it’s critical to encrypt data in transit between devices and access points.

For wired connections, we can think of measures to restrict access to a building as a first line of defense against data breaches. A first “layer” of protection, if you will. This can lead to complacency, because organizations may assume these physical security safeguards will prevent anyone with malicious intent from connecting over a wired port. Attackers can’t use a wired connection to wreak havoc if they never make it past the reception desk. Like IT security measures, the bank data breach described in the Dark Reading article shows that it’s possible for physical security measures to fail. If physical security is a first line of defense, there should have been another layer of security to prevent the breach.

This series of events highlights the need for a layered defense—and not every layer exists in an IT security product. If one protective measure fails, another one can stop this failure from leading to data compromise. Layered protection is, of course, a cornerstone of sound IT security.

How network access safeguards could have stopped the bank hackers

In the case of the data compromise that Dark Reading and Kaspersky reported on, the “layer” of restricted access to the building failed. Unfortunately, the banks had not built in the right redundant controls to prevent these breaches. What else could they have done? Proper controls around network access would have helped a lot. Strong access security could have provided the necessary redundancy to prevent compromise.

Attackers should obviously not be able to walk into a conference room and connect a computer that then successfully probes the network for account data. This is where policies to govern network access come into play. Bank employees should be able to access internal servers without any problems, based upon their roles. The network should only provide known individuals with that level of access—for example, users with Active Directory credentials within the organization.

The right security controls could have limited the access of guest users to internet access only. The supposed couriers and job applicants could not have done much damage with that—certainly not compromised payment systems and inflicted major monetary damage. Even as “guests” a secure onboarding platform could have required them to go through sponsor-initiated or sponsor-approved workflows to gain access, which might have alerted bank officials to the fact that these people were not legitimate guests.

Cloudpath Enrollment System as part of a layered defense for IT security

Secure network access requires making sure that only approved users can connect and that they only get the right level of access. You can’t prevent someone with access to a port from physically connecting, but without network authentication and authorization that physical connection won’t allow them to do anything. A system for secure access, like Ruckus Cloudpath Enrollment System, automates security controls for both wireless and wired connectivity. It’s an important part of a layered defense for IT security.