Data Hacking from Lost and Found
By: Tyler T. Tobin, GSEC/GIAC
Date: 3/4/2010
Banks are, more often than not, concerned with the external security of Internet-facing systems. Budgets are structured so that external security is a priority. Newer firewalls, detection software and logging strategies are improving daily. Gaining access to a properly protected system may prove extremely difficult. But hackers just want the data, and they don’t care how they get it. Hackers will bypass these expensive external security systems if there is a better and easier way.
So here is the scenario. Using an integrated Microsoft tool (iexpress), the hacker builds a series of software packages that look like an important Loan Trial Balance Excel spreadsheet or Tax Preparation document, yet really contain a Trojan application.
The hacker then copies these Trojan applications onto a thumb drive (USB drive) or CD-ROM. If the hacker is extremely creative, he will then customize the CD-ROM or thumb drive so that it carries the bank’s name, color scheme and logo. Or he may choose to label the material with the local water company’s logo or name, something recognizable to you or your clients. At some point he will drop the thumb drive or CD in the bank’s parking lot, night-deposit boxes, bathrooms or even the lobby, some place where the material will be found.
Once the material is found, there is a strong urge for someone to look at it. It may not be the person who finds it, but the hacker is counting on someone taking the found thumb drive or CD and plugging it into a computer. Once this thumb drive or CD is running on your computer system, your data’s integrity is lost. Depending on the Trojan, the hacker can begin to harvest more than enough secure data to keep him busy stealing identities, accessing accounts or whatever else he chooses.
There are a number of different controls that a bank can test to determine whether it is vulnerable to these types of attacks. During your next IT exam, insist that these controls are included in the scope of the assessment.