IMF hack a warning for others to invest in staff training

A simple malware email attack was all it took to bring the IMF down

Staff training about simple email threats may have helped the International Monetary Fund (IMF) in New York from being hacked by a targeted malware attack, according to one analyst.

According to Bloomberg, the hack's perpetrators obtained a "large quantity of data," including e-mail and other documents during the intrusion.

Ovum's UK based IT security analyst, Graham Titterington, said in a statement that many security mistakes occur within banks and other financial institutions because staff have not received sufficient training on threats.

"People are people and have innate vulnerabilities with respect to trusting the wrong people, accepting inducements, or simply having more pressing concerns at the time they are approached [via email]," he said.

While there was "no magic bullet" to prevent a cyber attack, the IMF could have also put more security measures in place.

"Most information theft attacks are launched through an Internet facing application in the corporate gateway, attacking vulnerabilities in applications using relatively predictable strategies such as SQL injection or scripting attacks," Titterington said.

"So improving the coding standards of applications is a major step, or alternatively protecting applications by screening them with an application layer firewall." According to Titterington, access control to systems was another area where controls were frequently circumvented, as attackers steal the credentials of legitimate users through a number of types of attack.

"Spyware is often inserted into the target organisation well before the main attack takes place to acquire this information. Monitoring data movements, data encryption, and data loss prevention systems can also reduce the loss of information directly from electronic systems, particularly with regard to high volume theft," he said.

In the case of the IMF, data monitoring did flag the data breach, but not soon enough to prevent the hack taking place. "However, security technologies themselves are not universal panaceas, even when the vulnerabilities have been dealt with," said Titerington.

"Data loss prevention is cumbersome and can obstruct legitimate business if it is not perfectly tuned while encryption is only as good as key management and brings the risk of losing all access to your data if you lose the key."

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Tags security

More about BloombergIMFInternational Monetary FundOvum

2 Comments

Anon

1

Whatever, just a way to usher in sweeping internet censorship laws. My spidy senses are telling me this will only justify the illegal censorship bill~I do hope a real hack happened (although I doubt it did) if it was a legitimate hack the world would know about the corruption that is prevalent in the banking cartel and perhaps "the people" would do something to change the corrupt system. More likely the government will blame it on China, Iran, Venezuela or one of the other countries who said "Hell NO" to the NWO global banking cartel, so they can justify another illegal war and murder those who want freedom, rights, liberties and sovereignty.

Than Nguyen

2

Everyday you read about well known companies having security breaches (Epsilon, Best Buy, Sony, etc). I don't feel that companies do enough to protect my personal info so I will think twice before providing businesses with any personal info. Everyone needs to be smart about protecting their personal data. I use this free service to send and receive encrypted emails at this secure web site: https://www.sendinc.com/ It ensures my messages are stored and transmitted securely, and that only I and my recipients have the capability to decrypt your message data.

Comments are now closed

Amazon vs. Google vs. Windows Azure: Cloud computing speed showdown

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]