What a London bank heist teaches about security event management
In what seems like a made-for-the-movies caper, criminals attacked the London offices of the Sumitomo Mitsui Banking Corporation. They didn't go in with bolt cutters and pry bars to get through doors and plasma cutters and jackhammers to get into a vault. These criminals struck in an age where "wealth" is often a number associated with an account, and not a pile of gold behind a heavy steel door.
The Belgian criminals came with passwords obtained from running keystroke logging software on bank machines that grabbed the login information they would need to get inside the bank's financial database. They somehow lined up cooperation from the bank's security department, where a security boss helped them get access control cards to make their way into the building. The security boss helped the hackers again by tampering with the CCTV system so that their visits wouldn't be stored on the bank's surveillance recording system.
But in the end, even with passwords written on paper and access cards to get into the building, it was a complicated electronic form on the bank offices' computer terminals which kept the criminals from moving money from companies like Toshiba International, Sumitomo Chemical, Nomura Asset Management and others into their own accounts. The hackers simply weren't able to figure out how to put the passwords and log-ins into the right parts of the forms, and the money was never transferred -- a tragedy narrowly averted. If you want more details, read the entire account on SIW.
Besides the ultimate shock of such a complicated heist that involved an access control breach, a parial shutdown of a CCTV system, cooperation from the security department and keylogging software, what really strikes me on all of this is how it relates to information management.
As you've probably seen from stories and product news releases on SIW and at tradeshows, there are a variety of companies now that provide systems which link IT security systems and physical security systems. In the January 2009 issue of Security Technology Executive magazine, Ray Bernard wrote about such systems, explaining the differences between PSIM (physical security information management) and data management systems. It's excellent background reading on the subject.
And when I think back to how this bank could have prevented an attack, I really think about the associating of data. Let's take a look at what could have been potential alarm triggers in this scenario:
â€¢ CCTV cables cut, dropping some cameras from being able to record
â€¢ Building access control system accessed after hours, on a weekend.
â€¢ Computer/network management system spots unusual activity on terminals
â€¢High-security usernames and passwords being used when persons associated with those individuals are not in the building
â€¢ Large requests to move funds after traditional hours
â€¢ Staff finds physical damage to computer terminals on Monday morning
By itself, you could argue that not a single one of these is cause for major alarm. Cameras do go down. Employees do sometimes access buildings after hours. Sometimes normal computer usage can be construed as unusual. People don't always badge into a building, but may tailgate in -- even after hours. Money sometimes does have to be moved at odd hours. And computer terminals do get damaged by accidents.
But, and this is a big "but", if a data system was to add up two or three, or even all of these "triggers", the light bulb should flicker on that this is not normal and that an immediate response is needed. Bank managers and senior executives should be getting text messages to let them know that major suspicious activity has been reported. A few companies are starting to offer this kind of concept in security management systems, and if you want a few names to Google, hit up Orsus, Proximex, VidSys, SentryPort, CNL/Computer Network Limited and Quantum Secure for more physical-security focused systems. Some do more than others and all have unique specialties.