Sunday, December 28, 2008

Cyber Security Debacle- Update on World Bank 'Unprecedented Crisis'

It’s been months of stonewalling and denials during a series of reports covering a variety of in-house World Bank scandals, including (i) targeted cyber security attacks breaching their most sensitive financial data and (ii) corruption issues, with sanctions against at least one supplier determined guilty of wrongdoing. The latest twist: a leading India-based information technology vendor, Satyam Computer Services, was barred in February from all business with the bank for a period of eight years — the ban started in September.

Some highlights:

The World Bank provides financial and technical assistance to developing countries, governed by a board of 180+ member nations, with the mission “Working for a World Free of Poverty.”

  • "From 2003 through 2008, as FOX News reported, the World Bank paid Satyam hundreds of millions of dollars to write and maintain all the software used by the bank throughout its global information network, including its back-office operations. The engagement scope involved overseeing data that ranged from accounting and personnel records to trust funds administered for many of the world's richest nations."

  • "Satyam was straying badly across the bank's ethical warning lines. In 2005, the bank's chief information officer, Mohamed Muhsin, was ousted after being accused of improperly buying preferential stock options from Satyam, even as he awarded the firm major contracts. A top-secret investigation led to Muhsin being banned permanently from the bank in January 2007. But for reasons that remain unclear, Satyam was allowed to remain in control of the bank's information network until early October 2008"

  • According to reporting in October, World Bank employees were ordered to change their passwords three times over a three-month period as a response to the attacks, which spanned somewhere between 18 and 40 servers in multiple hacks. According to the report, there were six major break-ins in the past year, and at least five servers containing sensitive data were exposed. FoxNews obtained apparent internal e-mail messages regarding the attacks, characterizing a complicated series of events and the agency’s response to them.

  • “In a frantic midnight July 22nd e-mail to colleagues, the bank's senior technology manager Rakesh Asthana referred to the situation as an ‘unprecedented crisis’ and that ‘the passwords that have been compromised may have accessed data.’ An e-mail from July 10 explains that a minimum of 18 servers may have been compromised and that five of them contained sensitive data. Yet an Aug. 19 memo from the bank's CIO, Guy-Pierre De Poerck, downplays the severity of the situation. The staff memo says that controls on external Web sites have been tightened, that passwords have been reset, and that RSA SecurID tokens have been deployed for Web mail access. It concludes that ‘there is no evidence that bank staff personal information is at risk from the recent external attempts.’”
    Editorial note: Guy-Pierre De Poerck no longer works at World Bank.

  • “It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software in April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007.”

  • “It may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.”

  • Video Interview: World Bank Hack - FOXNews 10/10/2008

Some thoughts:

While this isn't your typical bank, banking and the financial sector as a whole are generally known to have much better cyber security than most sectors. It’s alarming that this situation dragged out for so long after surfacing internally.

Besides the alleged repeated CIO-level inside dealing with a gorilla-scale outsourcer, a more fundamental issue was the abdication by management in addressing information security risks. Having CIOs released from employment and naming security leadership temporarily in charge will help. Perhaps large gaps in fundamental information security controls are now finally being addressed. Certainly a lack of programmatic incident handling preparation contributed to the problems before Fox News broke the story.

Before saying “It can’t happen here.”

How well developed is your incident handling program? What happens to you and your organization if or when you are breached by targeted attacks? What about your increasing exposure through outsourcing, and how is that risk being managed? How about robust enclaves for your critical systems? Do you really have defense in depth with graded, inside-out protective measures? Are there definitive, complementary, and auditable MOT controls (managerial, operational, and technical) in place for your more critical settings that clearly provide and support defense in depth capabilities, i.e., deny, detect, deter, recover? Who is watching the watchers? How is management being kept abreast of status? Are there regular, transparent reviews involving key internal stakeholders? Are there improvement planning cycles involving decision makers, and are the plans being completed and the results objectively reviewed?

- Think it could only happen in the financial sector?

What if emergent problems persisted and pulled you and your information security team deeper into the mix after repeated missteps? How do you ensure that your response is viewed as part of the solution and not increasingly as part of the problem? What if your organizational leadership "ducks and covers" when pressed, offering a shifting story while investigative reporters eagerly pry out pieces of the truth and report it all?

- Are you just another easy mark?

Just how developed are your incident handling policy and procedures, with senior management support, to help you respond when escalating cyber security problems really hit the fan?

- Still comfortable?

- World Bank Besieged By Hackers, Or Not, Information Week, 10/10/2008
- World Bank Removes Chief Information Officer, 11/27/2008
- World Bank Admits Top Tech Vendor Debarred for 8 Years, 12/24/2008
