Doping allegations, illegal gambling, and other attempts to game the system and give a player or a team an edge have long plagued the professional sports world. Now, the cheating has gone cyber. Chris Correa, a former executive with the Saint Louis Cardinals MLB team, has been sentenced to nearly four years in prison for hacking into the Houston Astros’ database and stealing confidential information that could have given the Cardinals an unfair advantage. It is unclear how many other Cardinals employees – if any – were aware of the Houston Astros hack, and the MLB is looking into taking action against the team as a whole.

However, whether or not the MLB decides to sanction the Cardinals, the Astros need to clean up their cyber security act, and other organizations should take heed of the mistakes the team made.

How Did the Houston Astros Hack Happen?

Although it involved the glamorous world of professional sports, the Houston Astros hack was just like most other data breaches. It happened not because a hacker found a “backdoor” into the system but through the use of stolen login credentials. Many times, these credentials are stolen via a phishing scheme, but Correa didn’t have to bother with putting one together; in fact, he may not have possessed the technical prowess to launch a phishing scheme.

According to court documents, a former Cardinals employee, identified only as “Victim A,” left the Cardinals to join the Astros organization in late 2011. Victim A was instructed to hand over his work laptop – and its password – to Correa. Correa, apparently figuring that the employee would use the same password or something very close to it in his new position, attempted to use the information to access the Astros’ database. He eventually figured it out and proceeded to steal confidential information regarding the player draft, trade negotiations, and other sensitive data. Even worse, after the Astros updated their database, Correa was able to obtain the new login information by accessing Victim A’s email account, where he found a message containing default login information to the new database system.

While Correa’s behavior was reprehensible, the Houston Astros hack didn’t have to happen. The organization could have prevented the breach by taking a few basic proactive security measures:

• Victim A’s practice of using a password that was very similar to the one he’d used at his previous job is a common error; despite security experts advising them otherwise, most people use the same password for multiple sites. Employees should not be allowed to choose their own passwords; instead, they should be assigned strong passwords and be required to change them on a regular basis.
• Systems that contain highly sensitive data should require multi-factor authentication upon login, not just a user name and password.
• Default login information should never be disseminated to employees through email. This information should be given to each employee in hard copy, and the system should automatically require the employee to change their default credentials the first time they log in.
• All systems should be continuously monitored for anomalous activity, such as an employee logging in from an unusual location or at odd hours.

The Houston Astros hack should be a wakeup call to organizations in all industries. It was not masterminded by a skilled hacker but a regular individual who took advantage of basic security flaws. Instead of being proactive, the Astros were reactive with their information security, and Correa’s plea deal estimates that their carelessness with employee passwords cost them $1.7 million.

Many organizations do not have the resources to handle all of their information security needs in-house; many others don’t know where to start. This is why they should partner with a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization.

It sounds like the plot of a James Bond movie: A band of international bank robbers have made off with nearly $100 million, and bank executives are biting their nails as the thieves remain at large. But these heists happened in real life, and the thieves never actually set foot inside a bank. They used the banks’ access to the SWIFT network – a messaging technology that is little known outside the banking world – to remotely send fraudulent money transfer requests. The high-profile hacks rocked the banking world and threw into question the security of what was once thought to be an impenetrable network.

What is the SWIFT Network?

The Society for Worldwide Interbank Financial Telecommunications, or SWIFT, is not a money transfer system. It is a secure messaging network that financial institutions use to transmit information and instructions to each other. It was created in 1974 as a faster and more secure alternative to Telex messages. SWIFT network member banks use a standardized system of codes to allow banks in different countries to easily communicate.

In February, hackers stole the Central Bank of Bangladesh’s SWIFT network login credentials and used them to make nearly $1 billion in money transfer requests from the bank’s account at the Federal Reserve in New York to accounts in the Philippines and Sri Lanka. Most of the requests were intercepted and flagged for review by U.S. officials, but five went through, for a total of $81 million. Then, in June, officials in Ukraine reported that a bank in that country had lost $10 million to a similar hack.

Ukrainian officials stated that a number of other banks in Russia and Ukraine have been hacked but do not wish to be identified. Additionally, after the Bangladesh SWIFT network hack, a number of banks, most located in Southeast Asia, reported attacks that may have involved the SWIFT network. Since the alleged attacks targeted banks in different countries, each with its own reporting rules, the problem may be far worse than anyone realizes.

Notably, the hackers behind the SWIFT attacks did not actually hack into the SWIFT network. Instead, they used malware to compromise member banks’ systems and remotely access their SWIFT terminals, which they used to send the money transfer requests. However, SWIFT’s reputation has not emerged unscathed. Its CEO has been on a public relations campaign to restore faith in the SWIFT network, promising to implement stronger security procedures on its own end and possibly barring banks with inadequate security procedures from using SWIFT. While there are no competitors that can realistically emerge in the short term, the long-term impact on the future of the SWIFT network is unknown, especially if more banks are hacked and if Western banks begin to fall prey.

Lessons from the SWIFT Network Attacks

Organizations in all industries can learn three primary lessons from the SWIFT attacks:

• “Security through obscurity” can no longer be banked on. Few people outside of the banking industry have ever heard of SWIFT. In the pre-internet era, proprietary niche networks such as SWIFT enjoyed “security through obscurity”: Almost no one knew they existed, and little information was available about them. Thanks to the internet, this is no longer the case. Plus, hackers have been known to target obscure niche systems because they know they tend to be lax on security.
• An organization is only as secure as its people. The SWIFT network hackers used login credentials that they stole using keystroke-logging malware, possibly installed through spear-phishing or other human hacking techniques. This highlights the importance of organizations having robust cyber security plans that include continuous employee training on information security awareness and best practices.
• Appropriate security controls must be established for both people and transactions. In the aftermath of the SWIFT network attacks, JPMorgan Chase and Bank of England announced they would limit the number of employees with access to SWIFT terminals. Giving employees access only to the systems they need to perform their jobs is a sound practice, and these access levels should be reviewed periodically. Further, different security levels should be established for different types of transactions. A user name and password may be sufficient for a customer to log in to their account, but multi-factor authentication and external verification should be required for high-level, sensitive transactions such as large money transfers.

Many organizations do not have the resources to handle all of their information security needs in-house, which is why they should partner with a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches.

We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats. Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization.

Working with the Enemy: Malicious Insiders

No organization wants to think that one of its own trusted employees is out to get the firm. However, a study by Intel found that 43% of data losses are the result of “internal actors” – and about half of these incidents were due to the intentional acts of malicious insiders, not accidents or carelessness. Meanwhile, the rise of the Darknet, a shadowy corner of the internet that can only be accessed using special software that hides users’ locations and identities, has made it easier than ever for disgruntled or desperate people to sell their employers’ information, including system login credentials, to criminals.

Security researcher Brian Krebs reports that some organizations are paying security firms or partnering with law enforcement to monitor Darknet forums for malicious actors attempting to sell company secrets. The problem with this approach is, by the time an employee has put together a package of company information and offered it up for sale on the Darknet, the damage has already been done – and the Darknet ad may not represent the first time the employee has sold information. Many malicious insiders operate for years before being detected. When protecting against malicious insiders, the best defense is a good offense; companies must identify malicious actors and stop them before they attempt to sell data to hackers.

How can organizations monitor insider activity and detect malicious insiders without impeding daily operations or making employees feel they are under lock and key? Lazarus Alliance recommends the following proactive steps:

Develop a comprehensive cyber security policy, including acceptable use.

The first step is to make sure that all of your employees know exactly what is expected of them regarding acceptable use of company hardware, software, and network access. For example, employees may be prohibited from accessing social media networks from company computers or from removing company tablets or laptops from the premises. The policy should include a description of the disciplinary consequences of violations. While an acceptable use policy won’t deter malicious insiders, by establishing specific rules, companies can more easily detect deviations and take corrective measures.

Give employees the minimum level of system access they need to do their jobs.

Employees should have access to the company systems they need to perform their job duties – and no more. For example, a billing clerk has no need to access employee tax and salary data, and employees in the marketing department should not be able to create new user accounts and set network privileges. Restricting system access puts an obstacle in the path of malicious insiders.

Continuously monitor your network for unusual user behavior.

Your organization’s systems should be monitored 24/7 to detect unusual user behavior, such as a user logging in from a different location or at a highly unusual time (such as the middle of the night), or accessing parts of the system they wouldn’t normally need to. Not only will network monitoring allow you to detect the work of malicious insiders; it will also allow you to detect credentials that were stolen via phishing schemes.

Malicious insider threat monitoring is a continuous process, and information security threats are always evolving, which is why it’s a good idea to enlist a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting our clients from insider threats and other security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help you protect your organization against insider threats.