IMF hack a warning for others to invest in staff training

A simple malware email attack was all it took to bring the IMF down

Staff training about simple email threats may have helped prevent the International Monetary Fund (IMF) in New York from being hacked by a targeted malware attack, according to one analyst.

According to Bloomberg, the hack's perpetrators obtained a "large quantity of data," including e-mail and other documents during the intrusion.

Ovum's UK-based IT security analyst, Graham Titterington, said in a statement that many security mistakes occur within banks and other financial institutions because staff have not received sufficient training on threats.

"People are people and have innate vulnerabilities with respect to trusting the wrong people, accepting inducements, or simply having more pressing concerns at the time they are approached [via email]," he said.

While there was "no magic bullet" to prevent a cyber attack, the IMF could have also put more security measures in place.

"Most information theft attacks are launched through an Internet facing application in the corporate gateway, attacking vulnerabilities in applications using relatively predictable strategies such as SQL injection or scripting attacks," Titterington said.

"So improving the coding standards of applications is a major step, or alternatively protecting applications by screening them with an application layer firewall."

According to Titterington, access control to systems was another area where controls were frequently circumvented, as attackers steal the credentials of legitimate users through a number of types of attack.

"Spyware is often inserted into the target organisation well before the main attack takes place to acquire this information. Monitoring data movements, data encryption, and data loss prevention systems can also reduce the loss of information directly from electronic systems, particularly with regard to high volume theft," he said.

In the case of the IMF, data monitoring did flag the data breach, but not soon enough to prevent the hack taking place. "However, security technologies themselves are not universal panaceas, even when the vulnerabilities have been dealt with," said Titterington.

"Data loss prevention is cumbersome and can obstruct legitimate business if it is not perfectly tuned while encryption is only as good as key management and brings the risk of losing all access to your data if you lose the key."

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
