First and foremost, the author is speaking as a Lebanese banking customer who happens to be a subject matter expert!
Some of us have had first-hand experience reacting to the Gauss malware in Lebanese banks, and we have taken notice of the Central Bank memorandum released to the IT departments of all Lebanese banks as well as last week’s related press release.
We can quite understand the need for such communication. It was surely aimed at restoring confidence in Lebanese banks in the media and reassuring the general public, who are mostly unfamiliar with the inner workings of Gauss.
However, knowing how lethal and stealthy the Gauss malware is, we are afraid that such an analysis, if considered sufficient and left unchallenged, hurts the Lebanese banking sector’s reputation rather than increasing confidence in it.
Indeed, the quoted explanations might be misleading and give the impression that the Lebanese Central Bank has not fully understood the dynamics of the Gauss malware, especially since the latter targets customers’ workstations rather than the banks’ information systems.
The reported remedy, upgrading anti-virus systems alone, will not prevent future sophisticated malware from targeting the Lebanese banking sector again! More dangerously, it might encourage more lethal and more frequent hacking and cyber-espionage…
Gauss falls into the category of highly advanced cyber-espionage attacks, more commonly known as Advanced Persistent Threats (APTs), and is far from being a playground for script-kiddies.
By conveying only simplistic views about Gauss, the banking sector may not be showing enough readiness to fight back.
Moreover, given the Lebanese banking sector’s intrinsic sensitivity, it is quite shocking to read “Other bankers confidently say that they are not concerned about any virus because they insist that they have nothing to hide.”
Is the Lebanese Central Bank enforcing security standards as it should? Is it putting enough emphasis on implementing policies and procedures? Is enough security awareness being preached, and are banks investing enough in this area?
Regulatory authorities should really focus more on pushing Lebanese banks to become ISO 27001 certified, with a clear Information Security Management System (ISMS).
Such a continuous improvement lifecycle will concretely strengthen Lebanese banks’ reputation when it comes to operational risk management.
Apparently, much more work needs to be done there, and it is not great to hear about these attacks targeting the same assets once again. We sincerely hope this will trigger some sort of more serious action! An information security program must exist, and it must be based on a well-established strategy with measured deliverables and clear accountability for all the involved parties.
As too much time has elapsed between the Gauss disclosure by Kaspersky and the “public” reaction from the Lebanese Central Bank, one could legitimately look for an officially appointed crisis management spokesperson. Such a spokesperson would rely on a Computer Security Incident Response Team (CSIRT) and/or a relevant structure in order to protect the sector and the public from unverified media reporting and from misleading information.
It’s not a shame to admit our shortcomings as long as we are determined to work on eliminating them and, in parallel, to reassure customers about all the actions taken to contain and eradicate this malware from the internal workspace.
Remember, big worldwide financial and non-financial companies got compromised too. Even the operations of the most sophisticated information security organizations got hacked, but with a proper ISMS in place, they were able to get back on their feet and react quickly and expertly.
Remember the Confidentiality, Integrity, Availability (CIA) triad? It’s a great model, but we prefer CIAA instead: the last “A”, Accountability, is what matters everywhere it is applied…
To end on a lighter note, we all recall the Lebanese applause when a plane lands safely at Beirut airport, but isn’t a successful landing business as usual? The same applies to bankers “continuously updating their antivirus systems”: isn’t that business as usual?
Sustainable security can only happen with a process enhancement security program!