Citigroup: Housekeeping Isn’t Glamorous - Only Critical

Sunday, June 12, 2011

Mike Meikle


Thursday I received an email from a journalist looking for commentary on the Citigroup breach. Since I have written or collaborated on articles that address the regulatory and security issues of the financial industry, he wanted my take on the affair.

I re-posted his questions and my responses in this article. The main reason was to highlight what I believe to be the root cause of the breach. Many of my answers could have been summed up with "Citigroup didn't keep up with its housekeeping, therefore they were hacked".

By housekeeping, I mean patching, network monitoring, application security, etc. The boring stuff that doesn't require a $350k device that sports multiple VMs and makes cool science sounds.

So here are the results of the Q&A session:

The breach was discovered in May but wasn’t reported until now. Is this acceptable? What could take Citigroup so long to report?

While not ideal, this is relatively speedy for the industry as a whole. In recent events, other institutions (Wellpoint, Countrywide Financial) have waited many weeks or months to finally inform their customers and the public about security breaches.

As to the length of time between discovery and reporting, it is my assumption that Citigroup had to perform forensic analysis on the breach, contact and work with the authorities, determine the extent of the breach and devise the appropriate communication strategy for their customers.

Is this part of a hacker campaign against high profile institutions, or just an opportunistic hack?

At this point not much is known about the perpetrators. If we look at the currently active players (LulzSec, Anonymous, organized crime) and the trends in recent incidents, we can reasonably assume that it was a planned attack.

How did the hack work, and could it be done again?

Again, Citigroup has not really released any detailed information, but we can make assumptions. It was probably a SQL-injection or Cross-Site Scripting (XSS) exploit. Almost all of the latest breaches have their roots in these vulnerabilities. This is an easily repeatable hack that can be done over and over on vulnerable web applications or sites.

Should other institutions be looking at their security measures? Should competitors be tightening-up security in case they’re next?

Hopefully, the answer to these questions is obvious to other organizations' executives. In light of the Sony, Bank of America, Citigroup, Nintendo, Honda and Lockheed breaches, organizational leadership should immediately review their security posture and ensure they are actively monitoring their networks, patching their systems, performing trend analysis on threats, keeping their disaster recovery plans up to date, etc. If not, then they should expect to be an easy target.

What could Citigroup have done to avoid the hack in the first place?

If the breach was an XSS or SQL-injection exploit, then stronger application security should have been considered for their web-based applications. Also, they should have had a reputable penetration testing firm examine their environments for vulnerabilities at least yearly.

In your opinion how does Citigroup’s online banking security compare to its competitors? Could it have done anything better?

Based on my consulting experience within the financial industry, they are more or less the same as their competitors. As with most financial organizations, development for online banking software is handled offshore, which can be a challenge when it comes to infusing the application with information security best practices from the foundation up.

As to what Citigroup could have done better, it depends on how the breach was perpetrated. If a rogue employee gained access to the system or administrator credentials and then used that to facilitate the breach, it is harder to address. However, if the breach was an XSS or SQL-injection exploit, then their web-based applications needed stronger application security.
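To make "stronger application security" concrete for the SQL-injection and XSS scenario discussed in the two answers above, here is an added example (not code from the original article or from Citigroup): an account lookup written with string concatenation beside its parameterised form, plus HTML escaping of a reflected value. The table, accounts and the malformed input are constructed for illustration.

```python
import sqlite3
import html

# Constructed sample data standing in for an online-banking account table
# (assumed for illustration; not any real institution's schema).
ACCOUNTS = [
    ("alice", "hunter2", 1200.00),
    ("bob", "letmein", 50.25),
    ("carol", "s3cret", 9800.00),
]

def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, pw TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn

def lookup_vulnerable(user, pw):
    """The 'before': the query text is built by concatenation, so whatever
    the customer types becomes part of the SQL grammar."""
    conn = _db()
    sql = f"SELECT user, balance FROM accounts WHERE user = '{user}' AND pw = '{pw}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(user, pw):
    """The 'after': a parameterised query. The driver binds the values as
    data, so quote characters in the input can never alter the statement."""
    conn = _db()
    sql = "SELECT user, balance FROM accounts WHERE user = ? AND pw = ?"
    return conn.execute(sql, (user, pw)).fetchall()

def render_greeting(user):
    """Output encoding: the name reflected into the page is HTML-escaped,
    which is the matching fix for reflected XSS."""
    return f"<p>Welcome, {html.escape(user, quote=True)}</p>"

def hardening_check():
    """Replay one constructed input containing a quote and an OR clause
    through both code paths and return (rows_before, rows_after).
    More than one row from the concatenated query is the tell that the
    WHERE clause was rewritten; the parameterised query returns none."""
    bad_input = "' OR '1'='1"   # constructed test input
    before = len(lookup_vulnerable(bad_input, bad_input))
    after = len(lookup_hardened(bad_input, bad_input))
    return before, after
```

A legitimate login behaves identically on both paths; only the malformed input separates them, which is what a code review or a yearly penetration test is looking for.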

"Security breaches happen, they're going to continue to happen" — Citigroup global enterprise payments head Paul Galant stated when talking to Reuters. Is he right? Is his comment acceptable? Can hacks ever be stopped?

Mr. Galant is correct in stating that there will always be the potential for security breaches.  Also, if your organization is a target of a sophisticated hacker or criminal group, odds are you are going to be compromised no matter your security posture. 

This sentiment is echoed by Bruce Schneier, one of the leading voices in the information security industry.  However, you can quickly intercept a potential breach if you are actively monitoring your network and trends.  The case of LastPass and how they handled a potential issue is an excellent example of that.

As for the acceptability of Mr. Galant’s comment, he should have phrased his response in a less confrontational manner but quoted Schneier’s position and then stated the steps Citigroup has been taking to address the current breach and future plans for security improvements.

I’d like to hear your thoughts regarding my responses.  So, please feel free to drop by and post a comment below!

Cross-posted from Musings of a Corporate Consigliere

Teresa Hessler: Fascinating and quite disturbing! If there truly is no way for a financial institution to lock down customer data and prevent potential security breaches through web applications, are there any measures the consumer can take to mitigate the risk to their privacy and financial security under such assaults?

For example, if we all stopped using online banking and went back to the old fashioned methods of check writing and physical visits to the bank would that significantly reduce the risk? Or is the consumer still vulnerable because the bank's internal systems are "online" due to Check21?
Mike Meikle: Ms. Hessler,

I know it sounds over the top, but nothing is ever "completely secure". Software and networks are created and run by humans, so there will be mistakes that can be exploited. But financial institutions can work toward addressing the known vulnerabilities and fixing them. Also, data encryption (data at rest and in motion) will have to be better implemented across enterprise systems.

As for your example, going back to physical check writing and avoiding electronic interactions opens up other risks, such as check theft or forgery. Plus, financials gain far too many productivity enhancements from their electronic systems to consider going back to older practices.

Organizations and their customers are going to have to become more savvy about security. Unfortunately it's a slow process without a technology silver bullet to address it.